欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

用OpenSSL命令行生成证书文件

程序员文章站 2022-07-04 13:34:58
...
一 生成服务器端的私钥server.key
 
[root@localhost opensscommand]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
二 生成服务器端证书请求server.csr
 
[root@localhost opensscommand]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:Family Network
Organizational Unit Name (eg, section) []:Home
Common Name (eg, your name or your server's hostname) []:cakin24
Email Address []:cakin24@qq.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
生成过程中需要输入以下信息:
Country Name: cn 两个字母的国家代号
State or Province Name: sanxi 省份名称
Locality Name: xian 城市名称
Organization Name: Family Network 公司名称
Organizational Unit Name: Home 部门名称
Common Name: cakin24 你的姓名
Email Address: cakin24@qq.com Email地址
 
三 生成客户端的的私钥client.key
[root@localhost opensscommand]# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..................................................................................................++++++
.................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
 
四 生成客户端证书请求client.csr
 
[root@localhost opensscommand]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:Family Network
Organizational Unit Name (eg, section) []:Home
Common Name (eg, your name or your server's hostname) []:cakin24
Email Address []:cakin24@qq.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
 
五 生成自签名根证书ca.crt
 
[root@localhost opensscommand]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 2048 bit RSA private key
.................................+++
............+++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:Family Network
Organizational Unit Name (eg, section) []:Home
Common Name (eg, your name or your server's hostname) []:cakin24
Email Address []:cakin24@qq.com 
 
六 用ca.crt给server.csr,client.csr文件签名
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
 
七 证书使用方法 
client使用的文件有:ca.crt,client.crt,client.key
server使用的文件有:ca.crt,server.crt,server.key
相关标签: OpenSSL 证书