sudo apt-get update
sudo apt-get install easy-rsa
The easy-rsa version in the software repository is 2.0.
Use dpkg -L to see which files were installed:
$ dpkg -L easy-rsa
/.
/usr
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/make-cadir.1.gz
/usr/share/easy-rsa
/usr/share/easy-rsa/openssl-1.0.0.cnf
/usr/share/easy-rsa/build-req-pass
/usr/share/easy-rsa/build-key
/usr/share/easy-rsa/inherit-inter
/usr/share/easy-rsa/sign-req
/usr/share/easy-rsa/build-key-pkcs12
/usr/share/easy-rsa/vars
/usr/share/easy-rsa/pkitool
/usr/share/easy-rsa/openssl-0.9.8.cnf
/usr/share/easy-rsa/build-dh
/usr/share/easy-rsa/build-key-pass
/usr/share/easy-rsa/revoke-full
/usr/share/easy-rsa/openssl-0.9.6.cnf
/usr/share/easy-rsa/build-ca
/usr/share/easy-rsa/build-key-server
/usr/share/easy-rsa/clean-all
/usr/share/easy-rsa/list-crl
/usr/share/easy-rsa/build-inter
/usr/share/easy-rsa/build-req
/usr/share/easy-rsa/whichopensslcnf
/usr/share/doc
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
/usr/share/doc/easy-rsa/copyright
/usr/share/doc/easy-rsa/changelog.Debian.gz
/usr/bin
/usr/bin/make-cadir
Use the script make-cadir MyCA to create the CA directory.
The script creates the MyCA directory, sets up the file links and prepares the related files.
Main content of the script:
mkdir -p "$1"
chmod 700 "$1"
ln -s /usr/share/easy-rsa/* "$1"
rm -f "$1"/vars "$1"/*.cnf
cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1"
Structure of the created MyCA directory:
  28 Dec 13 11:32 build-ca -> /usr/share/easy-rsa/build-ca
  28 Dec 13 11:32 build-dh -> /usr/share/easy-rsa/build-dh
  31 Dec 13 11:32 build-inter -> /usr/share/easy-rsa/build-inter
  29 Dec 13 11:32 build-key -> /usr/share/easy-rsa/build-key
  34 Dec 13 11:32 build-key-pass -> /usr/share/easy-rsa/build-key-pass
  36 Dec 13 11:32 build-key-pkcs12 -> /usr/share/easy-rsa/build-key-pkcs12
  36 Dec 13 11:32 build-key-server -> /usr/share/easy-rsa/build-key-server
  29 Dec 13 11:32 build-req -> /usr/share/easy-rsa/build-req
  34 Dec 13 11:32 build-req-pass -> /usr/share/easy-rsa/build-req-pass
  29 Dec 13 11:32 clean-all -> /usr/share/easy-rsa/clean-all
  33 Dec 13 11:32 inherit-inter -> /usr/share/easy-rsa/inherit-inter
  28 Dec 13 11:32 list-crl -> /usr/share/easy-rsa/list-crl
7859 Dec 13 11:32 openssl-0.9.6.cnf
8416 Dec 13 11:32 openssl-0.9.8.cnf
8313 Dec 13 11:32 openssl-1.0.0.cnf
  27 Dec 13 11:32 pkitool -> /usr/share/easy-rsa/pkitool
  31 Dec 13 11:32 revoke-full -> /usr/share/easy-rsa/revoke-full
  28 Dec 13 11:32 sign-req -> /usr/share/easy-rsa/sign-req
2077 Dec 13 11:32 vars
  35 Dec 13 11:32 whichopensslcnf -> /usr/share/easy-rsa/whichopensslcnf
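Enter the CA directory with cd MyCA.
Edit the configuration file vars.
Change KEY_SIZE to 4096.
Other settings such as KEY_COUNTRY and KEY_PROVINCE can be changed to appropriate values.
Use source vars to load the environment variables.
The env command shows that the variables from vars are now in the environment: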
KEY_SIZE=4096
KEY_NAME=EasyRSA
KEY_CITY=SanFrancisco
KEY_PROVINCE=CA
KEY_ORG=Fort-Funston
......
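Run the ./clean-all script.
This prepares the keys directory.

Run the ./build-ca script.
This creates the CA's private key and certificate in the keys directory.
Just press Enter at the prompts.

Run ./build-key-server server.
This creates the SSL server certificate used on the server side.
The Common Name is the script's argument, server.
Press Enter to accept the defaults.
At the end, enter y twice to confirm.
The created files are in the keys directory: keys/server.crt keys/server.csr keys/server.key

The certificate created by the build-key-server script contains the Netscape Cert Type extension: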
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
Run ./build-key client1.
This creates the client certificate.
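
To check what the steps above issued, the following added example (not part of the original page or of easy-rsa) audits `openssl x509 -noout -text` output for key size, CA:FALSE and the Netscape Cert Type value. The function names, the sample text and the rule that a client certificate must not be marked SSL Server are assumptions of this example.

```shell
# Audit `openssl x509 -noout -text` output read from stdin.
#   $1 = role: "server" (build-key-server) or "client" (build-key)
#   $2 = minimum RSA key size in bits (4096 matches KEY_SIZE in vars)
# Prints one line per check; returns 0 only if every check passes.
audit_cert_text() {
    role=$1; min_bits=$2; rc=0
    text=$(cat)
    # "Public-Key: (4096 bit)" -> 4096
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL key size: ${bits:-unknown} bit, expected >= $min_bits"; rc=1
    else
        echo "OK   key size: $bits bit"
    fi
    # A leaf certificate must not be usable as a CA.
    if printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
        echo "OK   basic constraints: CA:FALSE"
    else
        echo "FAIL basic constraints: CA:FALSE not found"; rc=1
    fi
    # The value sits on the line after "Netscape Cert Type:".
    nstype=$(printf '%s\n' "$text" |
        sed -n '/Netscape Cert Type:/{n;s/^[[:space:]]*//;p;}' | head -n 1)
    # Assumed policy: only a server certificate may be marked SSL Server.
    case "$role:$nstype" in
        server:*"SSL Server"*) echo "OK   cert type: $nstype" ;;
        server:*) echo "FAIL cert type: no SSL Server marking"; rc=1 ;;
        client:*"SSL Server"*) echo "FAIL cert type: client marked $nstype"; rc=1 ;;
        *) echo "OK   cert type: ${nstype:-none}" ;;
    esac
    return "$rc"
}

# Wrapper for a real file, e.g.: audit_cert_file keys/server.crt server 4096
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | audit_cert_text "$2" "$3"
}

# Constructed sample, trimmed to the lines the checks read (not real output).
SAMPLE_SERVER='        Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server'
# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_SERVER" | audit_cert_text server 4096
```

Against real files, run `audit_cert_file keys/server.crt server 4096` and `audit_cert_file keys/client1.crt client 4096` from the MyCA directory.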