  Mac: generating a self-signed SSL certificate and a CA certificate

    Creating a self-signed certificate

    1. Run openssl

    Last login: Tue Sep 29 19:35:49 on ttys001
    ➜  ~ openssl
    OpenSSL> 
    

    2. Run genrsa -des3 -out server.key 2048 to generate the passphrase-protected private key file server.key

    OpenSSL> genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................................................+++
    ..........+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:
    

    3. Run req -new -key server.key -out server.csr to create a certificate signing request, producing server.csr

    OpenSSL> req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:huidev
    Organizational Unit Name (eg, section) []:ihuidev
    Common Name (eg, fully qualified host name) []:devhui.org
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    

    [Optional] 4. Remove the passphrase: rsa -in server.key -out server_no_password.key writes a new, unencrypted key file

    OpenSSL> rsa -in server.key -out server_no_password.key
    Enter pass phrase for server.key:
    writing RSA key
    

    5. Generate the .crt certificate: x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt

    OpenSSL> x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=huidev/OU=ihuidev/CN=devhui.org
    Getting Private key
    OpenSSL>
    

    Certificate files:
    If step 4 (passphrase removal) was performed, the files to use are server_no_password.key and server.crt.
    If step 4 was skipped, the files to use are server.key and server.crt.


    Creating a CA certificate

    1. Run genrsa -out ca.key 2048
    ➜  ~ openssl
    OpenSSL> genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    ................................................................................................................+++
    .......................................+++
    e is 65537 (0x10001)
    
    2. Run req -new -x509 -days 3650 -key ca.key -out ca.pem
    OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:ihuidev
    Organizational Unit Name (eg, section) []:ihuidev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:
    OpenSSL>
    
    

    3. Regenerate the server certificate

    1) genrsa -out server.key 2048

    OpenSSL> genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    .........................................................+++
    ..............................+++
    e is 65537 (0x10001)
    

    2) req -new -key server.key -out server.csr

    OpenSSL> req -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:ihuidev
    Organizational Unit Name (eg, section) []:ihuidev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    

    3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
    The domain name must be entered identically both times; I used localhost throughout.

    OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost
    Getting CA Private Key
    OpenSSL>
    

    4. Regenerate the client certificate in the same way

    1) ecparam -genkey -name secp384r1 -out client.key

    OpenSSL> ecparam -genkey -name secp384r1 -out client.key
    

    2) req -new -key client.key -out client.csr

    OpenSSL> req -new -key client.key -out client.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:ihuidev
    Organizational Unit Name (eg, section) []:ihuidev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    

    3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

    OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost
    Getting CA Private Key
    OpenSSL>
    

    Client side: client.key ca.pem client.pem
    Server side: server.key ca.pem server.pem
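    The CA section above (and, minus the CA, the self-signed flow of the first section) run end to end as a script, added here as an example and not part of the original post: the interactive prompts are replaced by -subj, and the issued certificates are then checked with openssl verify, including a hostname check. It assumes OpenSSL 1.1.1 or later with its default openssl.cnf, gives the CA a CN of its own ("Test CA") instead of localhost, and adds a subjectAltName to the server certificate; the post does neither.

```shell
#!/bin/sh
# Added example (not the post's own commands): the CA / server / client steps
# above, run non-interactively with -subj, followed by "openssl verify" checks.
# Assumes OpenSSL 1.1.1+ with its default openssl.cnf. Two deliberate deviations
# from the post: the CA gets its own CN, and the server cert gets a subjectAltName.
set -e

# Build ca.key/ca.pem, server.key/server.pem and client.key/client.pem in
# directory $1 for hostname $2 (default localhost). File names follow the post.
make_pki() {
  dir="$1"; host="${2:-localhost}"
  subj="/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev"   # DN fields from the post
  mkdir -p "$dir"
  # CA (steps 1-2): self-signed, 10 years, key unencrypted as in the post. It gets
  # a distinct CN: a leaf whose subject equals its issuer looks self-issued to OpenSSL.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "$subj/CN=Test CA"
  # Server (step 3): CSR with CN=host, signed by the CA. The SAN is added with
  # -extfile because browsers and modern TLS clients match the hostname against
  # subjectAltName, not CN; a CN-only certificate is rejected by them.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$subj/CN=$host"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -sha256 -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 3650 -in "$dir/server.csr" -out "$dir/server.pem" \
    -extfile "$dir/server.ext" 2>/dev/null
  # Client (step 4): EC key on secp384r1, CSR, signed by the same CA.
  openssl ecparam -genkey -name secp384r1 -out "$dir/client.key"
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "$subj/CN=client"
  openssl x509 -req -sha256 -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 3650 -in "$dir/client.csr" -out "$dir/client.pem" 2>/dev/null
}

# Exit 0 if certificate $2 chains to the CA in $1/ca.pem, non-zero otherwise.
chains_to_ca() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }

# Exit 0 if certificate $3 chains to $1/ca.pem and is valid for hostname $2.
valid_for_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Stand-alone run ("sh make_pki.sh demo"): build the PKI in a scratch directory.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_pki "$d" localhost
  chains_to_ca "$d" "$d/server.pem" && echo "server.pem chains to ca.pem"
  chains_to_ca "$d" "$d/client.pem" && echo "client.pem chains to ca.pem"
  valid_for_host "$d" localhost "$d/server.pem" && echo "server.pem is valid for localhost"
  valid_for_host "$d" other.test "$d/server.pem" || echo "server.pem is not valid for other.test"
fi
```

    A certificate issued by one CA will not pass chains_to_ca against a different CA's ca.pem, which is exactly the check a client performs when it is handed only ca.pem and the peer's certificate.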

    © 2017-2020 Copyright QXQZX
    Original article: https://www.cnblogs.com/iQXQZX/p/13751770.html