sudo apt-get update
sudo apt-get install easy-rsa
The version of easy-rsa in the software repository is 2.0.
Use dpkg -L to see which files were installed:
$ dpkg -L easy-rsa
/.
/usr
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/make-cadir.1.gz
/usr/share/easy-rsa
/usr/share/easy-rsa/openssl-1.0.0.cnf
/usr/share/easy-rsa/build-req-pass
/usr/share/easy-rsa/build-key
/usr/share/easy-rsa/inherit-inter
/usr/share/easy-rsa/sign-req
/usr/share/easy-rsa/build-key-pkcs12
/usr/share/easy-rsa/vars
/usr/share/easy-rsa/pkitool
/usr/share/easy-rsa/openssl-0.9.8.cnf
/usr/share/easy-rsa/build-dh
/usr/share/easy-rsa/build-key-pass
/usr/share/easy-rsa/revoke-full
/usr/share/easy-rsa/openssl-0.9.6.cnf
/usr/share/easy-rsa/build-ca
/usr/share/easy-rsa/build-key-server
/usr/share/easy-rsa/clean-all
/usr/share/easy-rsa/list-crl
/usr/share/easy-rsa/build-inter
/usr/share/easy-rsa/build-req
/usr/share/easy-rsa/whichopensslcnf
/usr/share/doc
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
/usr/share/doc/easy-rsa/copyright
/usr/share/doc/easy-rsa/changelog.Debian.gz
/usr/bin
/usr/bin/make-cadir
Use the make-cadir MyCA script to create the CA directory.
The main content of the script:
mkdir -p "$1"                      # create the CA directory given as the argument
chmod 700 "$1"                     # owner-only access: private keys will live under it
ln -s /usr/share/easy-rsa/* "$1"   # symlink all easy-rsa scripts and files into it
rm -f "$1"/vars "$1"/*.cnf         # drop the links to vars and the openssl *.cnf files ...
cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1"   # ... and replace them with editable copies
Structure of the created MyCA directory:
  28 Dec 13 11:32 build-ca -> /usr/share/easy-rsa/build-ca
  28 Dec 13 11:32 build-dh -> /usr/share/easy-rsa/build-dh
  31 Dec 13 11:32 build-inter -> /usr/share/easy-rsa/build-inter
  29 Dec 13 11:32 build-key -> /usr/share/easy-rsa/build-key
  34 Dec 13 11:32 build-key-pass -> /usr/share/easy-rsa/build-key-pass
  36 Dec 13 11:32 build-key-pkcs12 -> /usr/share/easy-rsa/build-key-pkcs12
  36 Dec 13 11:32 build-key-server -> /usr/share/easy-rsa/build-key-server
  29 Dec 13 11:32 build-req -> /usr/share/easy-rsa/build-req
  34 Dec 13 11:32 build-req-pass -> /usr/share/easy-rsa/build-req-pass
  29 Dec 13 11:32 clean-all -> /usr/share/easy-rsa/clean-all
  33 Dec 13 11:32 inherit-inter -> /usr/share/easy-rsa/inherit-inter
  28 Dec 13 11:32 list-crl -> /usr/share/easy-rsa/list-crl
7859 Dec 13 11:32 openssl-0.9.6.cnf
8416 Dec 13 11:32 openssl-0.9.8.cnf
8313 Dec 13 11:32 openssl-1.0.0.cnf
  27 Dec 13 11:32 pkitool -> /usr/share/easy-rsa/pkitool
  31 Dec 13 11:32 revoke-full -> /usr/share/easy-rsa/revoke-full
  28 Dec 13 11:32 sign-req -> /usr/share/easy-rsa/sign-req
2077 Dec 13 11:32 vars
  35 Dec 13 11:32 whichopensslcnf -> /usr/share/easy-rsa/whichopensslcnf
cd MyCA to enter the CA directory.
In the vars file, change KEY_SIZE to 4096.
Others such as KEY_COUNTRY, KEY_PROVINCE and so on can be changed to suitable values.
Use source vars to import the environment variables.
With the env command you can see that the variables from vars are now in the environment:
KEY_SIZE=4096
KEY_NAME=EasyRSA
KEY_CITY=SanFrancisco
KEY_PROVINCE=CA
KEY_ORG=Fort-Funston
......
Run the ./clean-all script.
This prepares an empty keys directory (note that clean-all also removes anything already in it).
Run the ./build-ca script.
This creates the CA's private key and certificate inside the keys directory.
Just press Enter at each prompt.
Run ./build-key-server server
This creates the SSL server certificate for the server side.
The Common Name is the script's argument, server.
Press Enter to accept the defaults.
Finally enter y twice to confirm.
The created certificate is in the keys directory: keys/server.crt, keys/server.csr and keys/server.key.
The certificate created by the build-key-server script contains the Netscape Cert Type extension:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
Run ./build-key client1
This creates a client certificate.
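Before the files in keys/ are copied to a server it is worth checking what the steps above actually produced. The script below is added here and is not part of the original post or of easy-rsa: verify_pki checks that server.crt chains to ca.crt, that the key length matches the KEY_SIZE set in vars, that the two extensions shown above are present and that server.key really belongs to server.crt. It assumes easy-rsa's file names (ca.crt, server.crt, server.key); make_demo_pki is a constructed stand-in built with plain openssl so the checks can be run without a CA directory.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the files that
# ./build-ca and ./build-key-server server leave in keys/ before deploying them.
# Assumes easy-rsa's file names (ca.crt, server.crt, server.key); the demo PKI
# built with plain openssl below is constructed only so the checks run stand-alone.
set -u

# verify_pki DIR BITS -> returns 0 when every check passes, 1 on the first failure
verify_pki() {
    dir=$1; bits=$2
    # 1. server.crt must chain to ca.crt (the trust check a peer will perform)
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    # 2. the RSA key length must match the KEY_SIZE set in vars (4096 on this page)
    echo "$text" | grep -q "Public-Key: ($bits bit" || { echo "keysize: FAIL"; return 1; }
    # 3. the leaf must not be a CA and must carry the Netscape "SSL Server" type
    echo "$text" | grep -q "CA:FALSE" || { echo "basicConstraints: FAIL"; return 1; }
    echo "$text" | grep -q "SSL Server" || { echo "nsCertType: FAIL"; return 1; }
    # 4. server.key must belong to server.crt: compare the RSA moduli
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    kmod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] || { echo "key/cert mismatch: FAIL"; return 1; }
    echo "all checks passed for $dir"
}

# make_demo_pki DIR BITS: constructed stand-in for ./build-ca + ./build-key-server server,
# adding the same two extensions easy-rsa's build-key-server puts on the certificate.
make_demo_pki() {
    dir=$1; bits=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 365 -subj "/CN=Demo-CA" \
        -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=server" -out "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nnsCertType=server\n' > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# On a real CA directory:  verify_pki ./keys 4096
# Stand-alone demo (2048 bits only to keep key generation quick):
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_demo_pki "$d" 2048 && verify_pki "$d" 2048
fi
```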
Original link: https://www.f2er.com/ubuntu/355482.html