自签证书生成记录

cfssl cfssljson

  1mkdir -p ssl/ca
  2cfssl print-defaults config > ssl/ca/ca-config.json
  3cfssl print-defaults csr > ssl/ca/ca-csr.json
  4
  5cat << 'EOF' > ssl/ca/ca-config.json
  6{
  7    "signing": {
  8        "default": {
  9            "expiry": "2540400h"
 10        },
 11        "profiles": {
 12            "server": {
 13                "expiry": "2540400h",
 14                "usages": [
 15                    "signing",
 16                    "key encipherment",
 17                    "server auth"
 18                ]
 19            },
 20            "client": {
 21                "expiry": "2540400h",
 22                "usages": [
 23                    "signing",
 24                    "key encipherment",
 25                    "client auth"
 26                ]
 27            },
 28            "peer": {
 29                "expiry": "2540400h",
 30                "usages": [
 31                    "signing",
 32                    "key encipherment",
 33                    "server auth",
 34                    "client auth"
 35                ]
 36            }
 37        }
 38    }
 39}
 40EOF
 41
 42cfssl gencert -initca ssl/ca/ca-csr.json | cfssljson -bare ssl/ca/ca -
 43
 44mkdir -p ssl/server
 45cfssl print-defaults csr > ssl/server/server.json
 46
 47cat << 'EOF' > ssl/server/server.json
 48{
 49    "CN": "linuxcrypt.top",
 50    "hosts": [
 51        "192.168.1.20",
 52        "192.168.1.58",
 53        "192.168.1.90",
 54        "mqtt.linuxcrypt.top",
 55        "message.linuxcrypt.top",
 56        "linuxcrypt.top",
 57        "www.linuxcrypt.top"
 58    ],
 59    "key": {
 60        "algo": "ecdsa",
 61        "size": 256
 62    },
 63    "names": [
 64        {
 65            "C": "CN",
 66            "ST": "SH",
 67            "L": "Shanghai"
 68        }
 69    ]
 70}
 71EOF
 72
 73cfssl gencert -ca=ssl/ca/ca.pem -ca-key=ssl/ca/ca-key.pem -config=ssl/ca/ca-config.json -profile=server ssl/server/server.json | cfssljson -bare ssl/server/server
 74
 75mkdir -p ssl/client
 76cfssl print-defaults csr > ssl/client/client.json
 77
 78cat << 'EOF' > ssl/client/client.json
 79{
 80    "CN": "client",
 81    "hosts": [],
 82    "key": {
 83        "algo": "ecdsa",
 84        "size": 256
 85    },
 86    "names": [
 87        {
 88            "C": "CN",
 89            "ST": "SH",
 90            "L": "Shanghai"
 91        }
 92    ]
 93}
 94EOF
 95
 96cfssl gencert -ca=ssl/ca/ca.pem -ca-key=ssl/ca/ca-key.pem -config=ssl/ca/ca-config.json -profile=client ssl/client/client.json | cfssljson -bare ssl/client/client
 97
 98mkdir -p ssl/peer
 99cfssl print-defaults csr > ssl/peer/peer.json
100
101cat << 'EOF' > ssl/peer/peer.json
102{
103    "CN": "linuxcrypt.top",
104    "hosts": [
105        "192.168.1.20",
106        "192.168.1.58",
107        "192.168.1.90",
108        "mqtt.linuxcrypt.top",
109        "message.linuxcrypt.top",
110        "linuxcrypt.top",
111        "www.linuxcrypt.top"
112    ],
113    "key": {
114        "algo": "ecdsa",
115        "size": 256
116    },
117    "names": [
118        {
119            "C": "US",
120            "ST": "CA",
121            "L": "San Francisco"
122        }
123    ]
124}
125EOF
126
127cfssl gencert -ca=ssl/ca/ca.pem -ca-key=ssl/ca/ca-key.pem -config=ssl/ca/ca-config.json -profile=peer ssl/peer/peer.json | cfssljson -bare ssl/peer/peer