openssl生成证书和公私钥_openssl查看证书信息

2022-11-05 10:32:52 浏览数 (2)

大家好,又见面了,我是你们的朋友全栈君。

OpenSSL 生成证书

作者:Bright Xu

在当前目录创建配置文件,用于定义后面创建证书的相关配置

创建server.conf文件,并写入一下内容:

代码语言:javascript复制
oid_section		= new_oids

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7


[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organization Name (eg, company)
organizationName_default = MyTest
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = MyOnlyTest

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.my
DNS.2 = *.test.my
DNS.3 = localhost

IP.1 = 192.168.2.186
IP.2 = 192.168.2.196
IP.3 = 127.0.0.1
IP.4 = ::1

生成server证书

代码语言:javascript复制
# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123456 -out server_rsa_private.pem 2048

# 生成server证书
openssl req -new -key server_rsa_private.pem -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest Server/CN=Only Test Server" -extensions req_ext -config server.conf -passin pass:123456

# 将加密的RSA密钥转成未加密的RSA密钥
openssl rsa -in server_rsa_private.pem -out server_rsa_private.pem.unsecure -passin pass:123456

生成的文件:server_rsa_private.pemserver.csrserver_rsa_private.pem.unsecure

自签CA证书

非必要,通常不需要这样做,一般仅用于测试。通常情况下是在正规的CA证书颁发机构申请的,而不是自签的。

代码语言:javascript复制
# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123ca456 -out ca_rsa_private.pem 2048

# 生成CA证书
openssl req -new -x509 -days 36500 -key ca_rsa_private.pem  -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest CA/CN=Only Test" -passin pass:123ca456

# 使用CA证书及密钥,对server证书进行签名
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -CAcreateserial -out server.crt -extensions req_ext -extfile server.conf -passin pass:123ca456

生成的文件:ca_rsa_private.pemca.crtserver.crt

使用到HTTPS

部署到HTTPS服务器时,一般要用到证书签名文件server.crtcertificate)和私钥文件server_rsa_private.pemPrivateKey)。不过每次使用server_rsa_private.pem的时候都需要输入密码,可换为server_rsa_private.pem.unsecure跳过输入密码的步骤。

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/191648.html原文链接:https://javaforall.cn

0 人点赞