Generating a self-signed SSL certificate and a CA certificate on a Mac


Creating a self-signed certificate

1. Run openssl

Last login: Tue Sep 29 19:35:49 on ttys001
➜  ~ openssl
OpenSSL> 

2. Run genrsa -des3 -out server.key 2048 to generate the private key file server.key

OpenSSL> genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

3. Run req -new -key server.key -out server.csr to create a certificate signing request, producing server.csr

OpenSSL> req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:huidev
Organizational Unit Name (eg, section) []:ihuidev
Common Name (eg, fully qualified host name) []:devhui.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

[Optional] 4. Remove the passphrase: rsa -in server.key -out server_no_password.key generates a new key without one

OpenSSL> rsa -in server.key -out server_no_password.key
Enter pass phrase for server.key:
writing RSA key

5. Generate the crt certificate: x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt

OpenSSL> x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huidev/OU=ihuidev/CN=devhui.org
Getting Private key
OpenSSL>

Certificates:
If step 4 (passphrase removal) was performed, the files to use are server_no_password.key and server.crt
If step 4 was not performed, the files to use are server.key and server.crt


Creating the CA certificate

1. Run genrsa -out ca.key 2048
➜  ~ openssl
OpenSSL> genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................................................................+++
.......................................+++
e is 65537 (0x10001)
2. Run req -new -x509 -days 3650 -key ca.key -out ca.pem
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:ihuidev
Organizational Unit Name (eg, section) []:ihuidev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:
OpenSSL>

3. Regenerate the server certificate

1) genrsa -out server.key 2048

OpenSSL> genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................+++
..............................+++
e is 65537 (0x10001)

2) req -new -key server.key -out server.csr

OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:ihuidev
Organizational Unit Name (eg, section) []:ihuidev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
The domain name must be entered identically both times; I used localhost everywhere here.

OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost
Getting CA Private Key
OpenSSL>

4. Regenerate the client certificate in the same way

1) ecparam -genkey -name secp384r1 -out client.key

OpenSSL> ecparam -genkey -name secp384r1 -out client.key

2) req -new -key client.key -out client.csr

OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:ihuidev
Organizational Unit Name (eg, section) []:ihuidev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost
Getting CA Private Key
OpenSSL>

Client side: client.key ca.pem client.pem
Server side: server.key ca.pem server.pem

