zoukankan      html  css  js  c++  java
  • SSL证书的生成方法

    在Linux下,我们进行下面的操作前都须确认已安装OpenSSL软件包。

    1.创建根证书密钥文件root.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...............................................................++++++
    ..........++++++
    e is 65537 (0x10001)
    Enter pass phrase for root.key:    <--输入一个密码
    Verifying - Enter pass phrase for root.key:    <--再次输入密码
    

    2.创建根证书的申请文件root.csr:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key root.key -out root.csr
    Enter pass phrase for root.key:    <--输入前面创建的密码
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <--输入国家名
    State or Province Name (full name) []:BeiJing    <--输入省份
    Locality Name (eg, city) [Default City]:haidian    <--输入城市名
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名
    Organizational Unit Name (eg, section) []:    <--可不输入
    Common Name (eg, your name or your server's hostname) []:    <--可不输入
    Email Address []:mrlapulga@126.com    <--输入邮件地址
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <--可不输入
    An optional company name []:    <--可不输入
    

    3.创建一个为期十年的根证书root.crt:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting Private key
    Enter pass phrase for private/root.key:    <--输入之前创建的密码
    

    4.创建服务器证书密钥server.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 2014 bit long modulus
    ............+++
    ................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:    <--输入一个密码
    Verifying - Enter pass phrase for server.key:    <--再次输入密码
    

    5.创建服务器证书的申请文件server.csr:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
    Enter pass phrase for private/server.key:    <--输入前面创建的密码
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <--输入国家名
    State or Province Name (full name) []:BeiJing    <--输入省份
    Locality Name (eg, city) [Default City]:haidian    <--输入城市名
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名
    Organizational Unit Name (eg, section) []:    <--可不输入
    Common Name (eg, your name or your server's hostname) []:    <--可不输入
    Email Address []:mrlapulga@126.com    <--输入邮件地址
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <--可不输入
    An optional company name []:    <--可不输入
    

    6.创建一个为期一年的服务器证书server.crt:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
    Signature ok subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com Getting CA Private Key Enter pass phrase for private/root.key:    <--输入之前创建的密码

    7.创建客户端证书密钥文件client.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
    Generating RSA private key, 1024 bit long modulus
    ..............................++++++
    ..................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for client.key:    <--输入一个密码
    Verifying - Enter pass phrase for client.key:   <--再次输入密码
    

    8.创建客户端证书的申请文件client.csr:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
    Enter pass phrase for private/client.key:    <--输入前面创建的密码
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <--输入国家名
    State or Province Name (full name) []:BeiJing    <--输入省份
    Locality Name (eg, city) [Default City]:haidian    <--输入城市名
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名   
    Organizational Unit Name (eg, section) []:    <--可不输入
    Common Name (eg, your name or your server's hostname) []:    <--可不输入
    Email Address []:mrlapulga@126.com    <--输入邮件地址
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <--可不输入
    An optional company name []:    <--可不输入
    

    9.创建一个有效期为一年的客户端证书client.crt:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting CA Private Key
    Enter pass phrase for private/root.key:    <--输入之前创建的密码
    

    10.现在可将客户端证书文件client.crt和客户端证书密钥文件client.key合并为客户端的client.pfx安装包文件:

    [root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
    Enter pass phrase for private/client.key:    <--输入之前创建的密码
    Enter Export Password:    <--创建一个新密码
    Verifying - Enter Export Password:    <--确认密码
    

    client.pfx是配置双向SSL时需要客户端安装的证书文件。

  • 相关阅读:
    [原创]如何在Windows下安装Bugfree2.0.0.1
    [原创]网站性能优化利器之一"google page speed"
    [原创]下一代Web 应用程序安全性测试工具HP WebInspect简介
    [原创]微软软件项目管理Team Foundation Server之测试人员
    [原创]Yeepay网站安全测试漏洞之跨站脚本注入
    [原创]软件测试过程改进的内容和注意事项
    [原创]快钱99bill网站安全性测试漏洞之“跨站式脚本注入”
    马化腾内部讲座:让产品自己召唤人
    [转贴]可用性测试
    [原创]浅谈缺陷分析的意义和方法
  • 原文地址:https://www.cnblogs.com/iuskye/p/6696832.html
Copyright © 2011-2022 走看看