16 Nov 2017
mkdir ~/bin curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x ~/bin/{cfssl,cfssljson} export PATH=$PATH:~/bin
mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
ca-config.json
{ "signing": { "default": { "expiry": "43800h" }, "profiles": { "www": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth" ] } } } }
ca-csr.json
{ "CN": "test.net", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "PH", "L": "MNL", "O": "My Company Name", "ST": "office location", "OU": "Org Unit 1", "OU": "Org Unit 2" } ] }
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
得到三个文件
ca-key.pem
ca.csr
ca.pem - 最重要的文件,可以用它生成任何认证文件
生成默认配置
cfssl print-defaults csr > www.json
修改配置
{
"CN": "example.net",
"hosts": [
"172.16.31.202",
"202.95.237.20"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "PH",
"L": "CA",
"ST": "MNL"
}
]
}
hosts里面是服务器ip,是一个列表
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www www.json | cfssljson -bare www
获得三个文件
www.csr
www-key.pem
www.pem (www.pem和www-key.pem可以直接在nginx里面使用)