
Using OpenSSL to Generate a Self-Signed Certificate

Server and client certificates usually need to be applied for from a certificate authority (CA) to ensure that they are trusted by different operating systems and browsers, and CAs typically charge a fee for issuing them. If you need an HTTPS certificate only for testing or for internal use in an enterprise, you can instead issue a self-signed certificate using OpenSSL. Refer to the following steps:

Step 1: Generating a Root Certificate

1. Create a root certificate private key with the following command, which will generate a 2048-bit private key and save it to a .key file.
openssl genrsa -out root.key 2048
2. Generate a Certificate Signing Request (CSR) file based on the root certificate private key.
openssl req -new -key root.key -out root.csr
During the generation of a CSR file, you need to provide information such as the organization name and common name, which can be filled in based on the actual usage.
3. Run the following command to create a root certificate.
openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650
You will get a root certificate, root.crt, with a validity period of 10 years. You can use this root certificate to issue the required server and client certificates later.

Step 2: Issuing a Certificate

With the root certificate generated in Step 1, you can start issuing your own certificates. The following uses a server certificate as an example:
1. Generate a private key for the server certificate.
openssl genrsa -out server.key 2048
2. Generate a CSR file based on the server certificate private key.
openssl req -new -out server.csr -key server.key
During the generation of a CSR file, similar to that for the root certificate, you need to provide information such as the organization name and common name, which can be filled in based on the actual usage.
3. Generate a server public key certificate.
openssl x509 -req -in server.csr -out server.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650

Through the above three steps, you will obtain the server certificate server.crt, signed by your own root certificate and valid for 10 years, together with its private key server.key. You can repeat these steps to generate other required server or client certificates using the same root certificate.
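
Steps 1 and 2 as one non-interactive script, given here as an added example that is not part of the original documentation. It goes beyond the steps above by marking the root as a CA, putting the host name in subjectAltName, and verifying the result before deployment; the subject fields, the file layout and the DIR and HOSTNAME arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: the subject
# fields, the output directory and the host name given on the command line.

# Step 1, non-interactive: self-signed root certificate marked as a CA.
make_root() (
    umask 077    # private keys must not be readable by other users
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out root.key 2048 &&
    openssl req -new -key root.key -subj "/O=Example Test/CN=Example Test Root" -out root.csr &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext &&
    openssl x509 -req -in root.csr -signkey root.key -extfile root.ext -days 3650 -out root.crt
)

# Step 2, non-interactive: server certificate signed by the root, with the
# host name in subjectAltName (clients match the SAN, not the common name).
issue_server() (
    umask 077
    cd "$1" || exit 1
    openssl genrsa -out server.key 2048 &&
    openssl req -new -key server.key -subj "/O=Example Test/CN=$2" -out server.csr &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" > server.ext &&
    openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile server.ext -days 3650 -out server.crt
)

# Pre-deployment checks: the chain and host name verify against the root,
# and server.key is the key that server.crt was issued for.
check_server() (
    cd "$1" || exit 1
    openssl verify -CAfile root.crt -purpose sslserver -verify_hostname "$2" \
        server.crt >/dev/null 2>&1 || exit 1
    cert_pub=$(openssl x509 -in server.crt -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in server.key -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)

# Usage: sh make_pki.sh DIR HOSTNAME
if [ "$#" -eq 2 ]; then
    make_root "$1" && issue_server "$1" "$2" && check_server "$1" "$2" &&
        echo "OK: $1/server.crt verifies for $2"
fi
```

Clients trust server.crt only after root.crt has been added to their trust store; root.key should stay off the servers that hold server.key.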