  • How to generate SSL certificates

    On Linux, make sure the OpenSSL package is installed before carrying out any of the steps below.

    1. Create the root certificate key file root.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...............................................................++++++
    ..........++++++
    e is 65537 (0x10001)
    Enter pass phrase for root.key:    <-- enter a passphrase
    Verifying - Enter pass phrase for root.key:    <-- enter the passphrase again
    

    2. Create the certificate signing request file root.csr for the root certificate:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key root.key -out root.csr
    Enter pass phrase for root.key:    <-- enter the passphrase created above
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <-- enter the country code
    State or Province Name (full name) []:BeiJing    <-- enter the province
    Locality Name (eg, city) [Default City]:haidian    <-- enter the city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
    Organizational Unit Name (eg, section) []:    <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
    Email Address []:mrlapulga@126.com    <-- enter the e-mail address
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <-- may be left blank
    An optional company name []:    <-- may be left blank
    

    3. Create a root certificate root.crt valid for ten years:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting Private key
    Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier
    

    4. Create the server certificate key server.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ............+++
    ................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:    <-- enter a passphrase
    Verifying - Enter pass phrase for server.key:    <-- enter the passphrase again
    

    5. Create the certificate signing request file server.csr for the server certificate:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
    Enter pass phrase for private/server.key:    <-- enter the passphrase created above
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <-- enter the country code
    State or Province Name (full name) []:BeiJing    <-- enter the province
    Locality Name (eg, city) [Default City]:haidian    <-- enter the city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
    Organizational Unit Name (eg, section) []:    <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
    Email Address []:mrlapulga@126.com    <-- enter the e-mail address
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <-- may be left blank
    An optional company name []:    <-- may be left blank
    

    6. Create a server certificate server.crt valid for one year:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting CA Private Key
    Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier

    7. Create the client certificate key file client.key:

    [root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
    Generating RSA private key, 1024 bit long modulus
    ..............................++++++
    ..................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for client.key:    <-- enter a passphrase
    Verifying - Enter pass phrase for client.key:    <-- enter the passphrase again
    

    8. Create the certificate signing request file client.csr for the client certificate:

    [root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
    Enter pass phrase for private/client.key:    <-- enter the passphrase created above
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    <-- enter the country code
    State or Province Name (full name) []:BeiJing    <-- enter the province
    Locality Name (eg, city) [Default City]:haidian    <-- enter the city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
    Organizational Unit Name (eg, section) []:    <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
    Email Address []:mrlapulga@126.com    <-- enter the e-mail address
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    <-- may be left blank
    An optional company name []:    <-- may be left blank
    

    9. Create a client certificate client.crt valid for one year:

    [root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting CA Private Key
    Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier
    

    10. Now merge the client certificate file client.crt and the client key file client.key into the client's installable client.pfx package:

    [root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
    Enter pass phrase for private/client.key:    <-- enter the passphrase created earlier
    Enter Export Password:    <-- create a new password
    Verifying - Enter Export Password:    <-- confirm the password
    

    client.pfx is the certificate file the client must install when configuring mutual (two-way) SSL.
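The ten steps above collected into one non-interactive script, as an added example that is not part of the original post. It assumes an openssl binary on PATH, writes into a scratch directory (CA_DIR) instead of /etc/pki/CA, and uses a constructed passphrase (KEY_PASS) and an assumed hostname (SERVER_NAME, www.example.com). It deliberately goes beyond the post in three places: 2048-bit keys and SHA-256 replace the post's 1024-bit keys and -sha1, which current TLS clients reject; the CA, server and client extensions are supplied through -extfile, because `openssl x509 -req` only reads extensions from an -extfile, so the post's bare `-extensions v3_ca` and `-extensions v3_req` add nothing to the certificates; and the server certificate gets a Common Name and a subjectAltName, which the post leaves blank and without which a TLS client has no hostname to match. The verify_pki function runs the checks the post omits.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-10 as one non-interactive
# script, followed by the chain checks the post leaves out.
# Assumptions: an openssl binary on PATH; CA_DIR is a scratch directory instead
# of /etc/pki/CA; KEY_PASS is a constructed demo passphrase; SERVER_NAME is an
# assumed hostname. 2048-bit keys, SHA-256 and -extfile are used in place of the
# post's 1024-bit keys, -sha1 and bare -extensions.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-www.example.com}"
KEY_PASS="${KEY_PASS:-demo-passphrase}"
SUBJ_BASE="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga"

make_pki() {
    mkdir -p "$CA_DIR/private"
    cd "$CA_DIR"

    # Steps 1-3: root key, root CSR, self-signed ten-year root marked CA:TRUE.
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out private/root.key 2048
    openssl req -new -key private/root.key -passin "pass:$KEY_PASS" \
        -subj "$SUBJ_BASE/CN=mrlapulga Root CA" -out root.csr
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > v3_ca.ext
    openssl x509 -req -days 3650 -sha256 -extfile v3_ca.ext \
        -signkey private/root.key -passin "pass:$KEY_PASS" -in root.csr -out root.crt

    # Steps 4-6: server key and CSR, signed by the root for one year; the SAN
    # carries the hostname a TLS client will match against.
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out private/server.key 2048
    openssl req -new -key private/server.key -passin "pass:$KEY_PASS" \
        -subj "$SUBJ_BASE/CN=$SERVER_NAME" -out server.csr
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$SERVER_NAME" > v3_server.ext
    openssl x509 -req -days 365 -sha256 -extfile v3_server.ext \
        -CA root.crt -CAkey private/root.key -passin "pass:$KEY_PASS" -CAcreateserial \
        -in server.csr -out server.crt

    # Steps 7-9: client key and CSR, signed for one year and limited to clientAuth.
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out private/client.key 2048
    openssl req -new -key private/client.key -passin "pass:$KEY_PASS" \
        -subj "$SUBJ_BASE/CN=client1/emailAddress=mrlapulga@126.com" -out client.csr
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > v3_client.ext
    openssl x509 -req -days 365 -sha256 -extfile v3_client.ext \
        -CA root.crt -CAkey private/root.key -passin "pass:$KEY_PASS" -CAcreateserial \
        -in client.csr -out client.crt

    # Step 10: bundle the client certificate and its key into a PKCS#12 file.
    openssl pkcs12 -export -in client.crt -inkey private/client.key \
        -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out client.pfx
}

# Checks the post omits: each leaf chains to the root, the server certificate
# names the host, the root is a CA, and the client certificate is rejected when
# offered as a server certificate (the last line is a negative check).
verify_pki() {
    cd "$CA_DIR" &&
    openssl verify -CAfile root.crt server.crt client.crt >/dev/null &&
    openssl verify -CAfile root.crt -purpose sslserver server.crt >/dev/null &&
    openssl verify -CAfile root.crt -purpose sslclient client.crt >/dev/null &&
    openssl x509 -in server.crt -noout -text | grep -q "DNS:$SERVER_NAME" &&
    openssl x509 -in root.crt -noout -text | grep -q 'CA:TRUE' &&
    ! openssl verify -CAfile root.crt -purpose sslserver client.crt >/dev/null 2>&1
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }
make_pki >/dev/null
verify_pki && echo "PKI created and verified under $CA_DIR"
```

Run it with `sh make_pki.sh`; the directory it prints holds root.crt, server.crt with private/server.key, client.crt with private/client.key, and client.pfx. The extendedKeyUsage values are what make the last check in verify_pki meaningful: a certificate issued for client authentication cannot be repurposed as a server certificate, which the post's extension-less leaves would allow.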

  • Original source: https://www.cnblogs.com/iuskye/p/6696832.html