阿里云-云小站(无限量代金券发放中)
【腾讯云】云服务器、云数据库、COS、CDN、短信等热卖云产品特惠抢购

Linux下生成OpenSSL证书

152次阅读
没有评论

共计 5150 个字符,预计需要花费 13 分钟才能阅读完成。

下载安装 openssl,进入 /bin/ 下面,执行命令(把 ssl 目录下的 openssl.cnf 拷贝到 bin 目录下)

1. 首先要生成服务器端的私钥(key 文件):

openssl genrsa -des3 -out server.key 1024

[root@airwaySSL openssl]# cd ssl/

[root@airwaySSL ssl]# pwd

/home/openssl/ssl

[root@airwaySSL ssl]# ls

certs  man  misc  openssl.cnf  private  server.csr  server.key

运行时会提示输入密码, 此密码用于加密 key 文件 (参数 des3 便是指加密算法, 当然也可以选用其他你认为安全的算法.), 以后每当需读取此文件(通过 openssl 提供的命令或 API) 都需输入口令. 如果觉得不方便, 也可以去除这个口令, 但一定要采取其他的保护措施!

去除 key 文件口令的命令:

openssl rsa -in server.key -out server.key

2.openssl req -new -key server.key -out server.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key server.key -out server.csr -config openssl.cnf

Enter pass phrase for server.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

生成 Certificate Signing Request(CSR), 生成的 csr 文件交给 CA 签名后形成服务端自己的证书. 屏幕上将有提示, 依照其指示一步一步输入要求的个人信息即可.

3. 对客户端也作同样的命令生成 key 及 csr 文件:

openssl genrsa -des3 -out client.key 1024

Generating RSA private key, 1024 bit long modulus

………..++++++

..++++++

e is 65537 (0x10001)

Enter pass phrase for client.key:12345

Verifying – Enter pass phrase for client.key:12345

openssl req -new -key client.key -out client.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key client.key -out client.csr -config openssl.cnf

Enter pass phrase for client.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4.CSR 文件必须有 CA 的签名才可形成证书. 可将此文件发送到 verisign 等地方由它验证, 要交一大笔钱, 何不自己做 CA 呢.

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Generating a 1024 bit RSA private key

…++++++

……………….++++++

writing new private key to ‘ca.key’

Enter PEM pass phrase:12345

Verifying – Enter PEM pass phrase:

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:wuhan

Organization Name (eg, company) [Internet Widgits Pty Ltd]:airway

Organizational Unit Name (eg, section) []:airway

Common Name (eg, YOUR name) []:airway

Email Address []:

在继续下面操作前,将 openssl.conf 文件打开,查看其 dir 路径将其修改为 dir = /home/openssl/bin/demoCA /,否则下面的步骤会提示路径无法找到。

自己手动创建一个 CA 目录结构:

[weigw@TEST bin]$ mkdir ./demoCA

[weigw@TEST bin]$ mkdir demoCA/newcerts

创建个空文件:

[weigw@TEST bin]$ vi demoCA/index.txt

向文件中写入 01:

[weigw@TEST bin]$ vi demoCA/serial

5. 用生成的 CA 的证书为刚才生成的 server.csr,client.csr 文件签名:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

[root@airwaySSL bin]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 26 04:15:02 2009 GMT

Not After : Feb 26 04:15:02 2010 GMT

Subject:

countryName              = CN

stateOrProvinceName      = china

organizationName          = airway

organizationalUnitName    = airway

commonName                = airway

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38

X509v3 Authority Key Identifier:

keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19

Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

The countryName field needed to be the same in the

CA certificate (CN) and the request (cn)

现在我们所需的全部文件便生成了.

另:

client 使用的文件有:ca.crt,client.crt,client.key

server 使用的文件有:ca.crt,server.crt,server.key

OpenSSL 的详细介绍:请点这里
OpenSSL 的下载地址:请点这里

推荐阅读:

通过 OpenSSL 提供 FTP+SSL/TLS 认证功能,并实现安全数据传输 http://www.linuxidc.com/Linux/2013-05/84986.htm

正文完
星哥说事-微信公众号
post-qrcode
 
星锅
版权声明:本站原创文章,由 星锅 2022-01-20发表,共计5150字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
【腾讯云】推广者专属福利,新客户无门槛领取总价值高达2860元代金券,每种代金券限量500张,先到先得。
阿里云-最新活动爆款每日限量供应
评论(没有评论)
验证码
【腾讯云】云服务器、云数据库、COS、CDN、短信等云产品特惠热卖中