一、自签名证书生成环境

生成工具: openssl(OpenSSL 1.1.1f)

生成系统:ubuntu(Ubuntu 9.3.0-10ubuntu2)

测试工具: curl(curl 7.68.0)

二、准备系统环境：

#进入用户目录
fhh@ubuntu:~$ cd /home/fhh/
fhh@ubuntu:~$ pwd
/home/fhh

#创建相关文件夹keys、demoCA、newcerts
fhh@ubuntu:~$ mkdir -p ./keys/demoCA/newcerts

#安装tree组件用来查看目录
fhh@ubuntu:~$ sudo apt install tree
[sudo] password for fhh: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 251 not upgraded.
Need to get 43.0 kB of archives.
After this operation, 115 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 tree amd64 1.8.0-1 [43.0 kB]
Fetched 43.0 kB in 1s (45.2 kB/s)
Selecting previously unselected package tree.
(Reading database ... 183583 files and directories currently installed.)
Preparing to unpack .../tree_1.8.0-1_amd64.deb ...
Unpacking tree (1.8.0-1) ...
Setting up tree (1.8.0-1) ...
Processing triggers for man-db (2.9.1-1) ...

#查看创建的目录结构
fhh@ubuntu:~$ tree
.
├── Desktop
├── Documents
├── Downloads
├── keys
│   └── demoCA
│       └── newcerts
├── Music
├── Pictures
├── Public
├── Templates
└── Videos

11 directories, 0 files

#创建index.txt、serial文件
fhh@ubuntu:~$ touch ./keys/demoCA/index.txt ./keys/demoCA/serial

#查看创建的文件
fhh@ubuntu:~$ tree
.
├── Desktop
├── Documents
├── Downloads
├── keys
│   └── demoCA
│       ├── index.txt
│       ├── newcerts
│       └── serial
├── Music
├── Pictures
├── Public
├── Templates
└── Videos

11 directories, 2 files

#将00写入到文件serial
fhh@ubuntu:~$ echo 00 > ./keys/demoCA/serial

#查看写入的内容
fhh@ubuntu:~$ cat ./keys/demoCA/serial 
00

#修改ssl配置文件openssl.cnf
#查找openssl.con 不同的系统位置不一样
fhh@ubuntu:~$ openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
#本系统openssl.cnf的目录是 /usr/lib/ssl

#修改openssl.cnf,把match 改为supplied
fhh@ubuntu:~$ vi /usr/lib/ssl/openssl.cnf 
# For the CA policy
[ policy_match ]
countryName		= supplied  #match
stateOrProvinceName	= supplied  #match
organizationName	= supplied  #match

三、CA证书生成：

#进入keys目录
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys

#生成CA私钥,密码设置为123456
fhh@ubuntu:~$ openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................+++++
........................................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

#签发CA根证书，密码123456
fhh@ubuntu:~/keys$ openssl req -sha256 -new -x509 -days 365 -key ca.key -out ca.crt \-subj "/C=CN/ST=Beijing/L=Beijing/O=Beijing CSSCA Technologies Co., Ltd./OU=Government affairs program development department/CN=CSSCA Root Certificate Authority"
Enter pass phrase for ca.key:

四、服务器证书生成:

#进入keys目录
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys

#服务器私钥生成
fhh@ubuntu:~/keys$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
......................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

#服务器生成请求证书crs生成，注意cat /usr/lib/ssl/openssl.cnf 路径, 密码123456
 openssl req -new \
    -sha256 \
    -key server.key \
    -subj "/C=NA/ST=WINDHOEK/L=WINDHOEK/O=MHAI/OU=MHAI/CN=acs.mhai.gov.na" \
    -reqexts SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
    -out server.csr

fhh@ubuntu:~/keys$  openssl req -new \
>     -sha256 \
>     -key server.key \
>     -subj "/C=NA/ST=WINDHOEK/L=WINDHOEK/O=MHAI/OU=MHAI/CN=acs.mhai.gov.na" \
>     -reqexts SAN \
>     -config <(cat /usr/lib/ssl/openssl.cnf \
>         <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
>     -out server.csr
Enter pass phrase for server.key:

五、CA签发服务器证书

#进入keys目录
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys

#CA签发发服务器证书 密码123456
 openssl ca -in server.csr \
        -md sha256 \
        -keyfile ca.key \
    -cert ca.crt \
    -extensions SAN \
    -config <(cat /usr/lib/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
    -out server.crt

fhh@ubuntu:~/keys$ openssl ca -in server.csr \
>         -md sha256 \
>         -keyfile ca.key \
>     -cert ca.crt \
>     -extensions SAN \
>     -config <(cat /usr/lib/ssl/openssl.cnf \
>         <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
>     -out server.crt
Using configuration from /dev/fd/63
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Sep 27 06:46:21 2020 GMT
            Not After : Sep 27 06:46:21 2021 GMT
        Subject:
            countryName               = NA
            stateOrProvinceName       = WINDHOEK
            organizationName          = MHAI
            organizationalUnitName    = MHAI
            commonName                = acs.mhai.gov.na
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:*.acs.mhai.gov.na, DNS:acs.mhai.gov.na
Certificate is to be certified until Sep 27 06:46:21 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

六、生成应用服务器p12证书

#进入keys目录
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys

#生成服务器应用p12证书，三次密码都是123456
fhh@ubuntu:~/keys$ openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:

七、SpringBoot配置：

1、把server.pkcs12拷贝到工程source目录下

2、修改application.yml配置文件
server:
  port: 443
  session-timeout: 0 #Session 超时设置,单位分（0或者-1表示永不超时）
  #HTTS相关配置
  ssl:
    key-store: classpath:server.pkcs12
    enabled: true
    key-store-type: PKCS12
    key-store-password: 123456

八、curl测试

#配置hosts,增加acs.mhai.gov.na域名
fhh@ubuntu:~/keys$ sudo vim /etc/hosts

127.0.0.1       localhost
127.0.1.1       ubuntu
10.10.2.200     acs.mhai.gov.na

#测试连接,ca.crt是CA的根证书
fhh@ubuntu:~/keys$ curl -v --cacert ca.crt https://acs.mhai.gov.na
*   Trying 10.10.2.200:443...
* TCP_NODELAY set
* Connected to acs.mhai.gov.na (10.10.2.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ca.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=NA; ST=WINDHOEK; O=MHAI; OU=MHAI; CN=acs.mhai.gov.na
*  start date: Sep 27 06:46:21 2020 GMT
*  expire date: Sep 27 06:46:21 2021 GMT
*  subjectAltName: host "acs.mhai.gov.na" matched cert's "acs.mhai.gov.na"
*  issuer: C=CN; ST=Beijing; L=Beijing; O=Beijing CSSCA Technologies Co., Ltd.; OU=Government affairs program development department; CN=CSSCA Root Certificate Authority
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acs.mhai.gov.na
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 92
< Date: Sun, 27 Sep 2020 06:57:25 GMT
< 
* Connection #0 to host acs.mhai.gov.na left intact
<div style='margin-top:50px;font-size:50px;text-align:center'>Welcome to the mhai api!</div>fhh@ubuntu:~/keys$

   九、浏览器测试

         1、双击ca.crt证书进入安装证书业面

   2、浏览器访问