openssl生成ecdsa和rsa证书方法
本文主要讲述使用openssl来生成ecdsa证书和RSA证书。
首先在openssl官网上下载openssl源码,然后进行编译安装。
这个过程本文不进行讲解。默认你的系统中已经安装好了openssl。
但是需要使用下载的源码。
本文中的代码等都是实测可用的。使用平台是linux,版本是ubuntu14.04
下面开始正文。
以下linux命令均在root用户下完成。
1、首先要创建一个CA
创建CA的方法是进去openssl的源码目录下的app/文件夹下。然后输入创建CA命令:
root@mzq-desktop:/home/mzq# cd Desktop/openssl-1.0.1j_mzq1/apps/
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# sh CA.sh -newca
2、生成RSA密钥
生成rsa密钥使用命令openssl genrsa
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.........................+++
e is 65537 (0x10001)
3、生成ECDSA密钥
生成ecdsa密钥使用命令openssl ecparam
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ecparam -name secp384r1 -genkey -out server-ecc.key
3、生成证书请求
生成证书请求使用命令openssl req
RSA证书请求:
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dcs
Organizational Unit Name (eg, section) []:dcs
Common Name (e.g. server FQDN or YOUR name) []:mzq
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
ECDSA证书请求:
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl req -new -key server-ecc.key -out server-ecc.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dcs
Organizational Unit Name (eg, section) []:dcs
Common Name (e.g. server FQDN or YOUR name) []:mzq
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4、签发证书
签发证书使用openssl ca命令
RSA证书:
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ca -in server.csr -out server.crt -days 3650
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (CN)
ECDSA证书:
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ca -in server-ecc.csr -out server-ecc.crt -days 3650
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (CN)
这样,证书就申请成功了。可以对证书进行使用。
上一篇: 昼息不如夜静
下一篇: 中医提醒 引起疼痛是由六个原因引起的