大家好,又见面了,我是你们的朋友全栈君。
OpenSSL 生成证书
作者:Bright Xu
在当前目录创建配置文件,用于定义后面创建证书的相关配置
创建server.conf文件,并写入一下内容:
oid_section = new_oids
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organization Name (eg, company)
organizationName_default = MyTest
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = MyOnlyTest
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.my
DNS.2 = *.test.my
DNS.3 = localhost
IP.1 = 192.168.2.186
IP.2 = 192.168.2.196
IP.3 = 127.0.0.1
IP.4 = ::1生成server证书
代码语言:javascript复制# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123456 -out server_rsa_private.pem 2048
# 生成server证书
openssl req -new -key server_rsa_private.pem -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest Server/CN=Only Test Server" -extensions req_ext -config server.conf -passin pass:123456
# 将加密的RSA密钥转成未加密的RSA密钥
openssl rsa -in server_rsa_private.pem -out server_rsa_private.pem.unsecure -passin pass:123456生成的文件:server_rsa_private.pem、server.csr、server_rsa_private.pem.unsecure。
自签CA证书
非必要,通常不需要这样做,一般仅用于测试。通常情况下是在正规的CA证书颁发机构申请的,而不是自签的。
代码语言:javascript复制# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123ca456 -out ca_rsa_private.pem 2048
# 生成CA证书
openssl req -new -x509 -days 36500 -key ca_rsa_private.pem -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest CA/CN=Only Test" -passin pass:123ca456
# 使用CA证书及密钥,对server证书进行签名
openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -CAcreateserial -out server.crt -extensions req_ext -extfile server.conf -passin pass:123ca456生成的文件:ca_rsa_private.pem,ca.crt,server.crt。
使用到HTTPS
部署到HTTPS服务器时,一般要用到证书签名文件server.crt(certificate)和私钥文件server_rsa_private.pem(PrivateKey)。不过每次使用server_rsa_private.pem的时候都需要输入密码,可换为server_rsa_private.pem.unsecure跳过输入密码的步骤。
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/191648.html原文链接:https://javaforall.cn
