SSL证书的生成方法

简介: 在Linux下,我们进行下面的操作前都须确认已安装OpenSSL软件包。1.创建根证书密钥文件root.key:[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.

在Linux下,我们进行下面的操作前都须确认已安装OpenSSL软件包。

1.创建根证书密钥文件root.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for root.key:    <--输入一个密码
Verifying - Enter pass phrase for root.key:    <--再次输入密码

2.创建根证书的申请文件root.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key:    <--输入前面创建的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <--输入国家名
State or Province Name (full name) []:BeiJing    <--输入省份
Locality Name (eg, city) [Default City]:haidian    <--输入城市名
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名
Organizational Unit Name (eg, section) []:    <--可不输入
Common Name (eg, your name or your server's hostname) []:    <--可不输入
Email Address []:mrlapulga@126.com    <--输入邮件地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <--可不输入
An optional company name []:    <--可不输入

3.创建一个为期十年的根证书root.crt:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
Getting Private key
Enter pass phrase for private/root.key:    <--输入之前创建的密码

4.创建服务器证书密钥server.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 2014 bit long modulus
............+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:    <--输入一个密码
Verifying - Enter pass phrase for server.key:    <--再次输入密码

5.创建服务器证书的申请文件server.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key:    <--输入前面创建的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <--输入国家名
State or Province Name (full name) []:BeiJing    <--输入省份
Locality Name (eg, city) [Default City]:haidian    <--输入城市名
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名
Organizational Unit Name (eg, section) []:    <--可不输入
Common Name (eg, your name or your server's hostname) []:    <--可不输入
Email Address []:mrlapulga@126.com    <--输入邮件地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <--可不输入
An optional company name []:    <--可不输入

6.创建一个为期一年的服务器证书server.crt:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
Signature ok subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com Getting CA Private Key Enter pass phrase for private/root.key:    <--输入之前创建的密码

7.创建客户端证书密钥文件client.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:    <--输入一个密码
Verifying - Enter pass phrase for client.key:   <--再次输入密码

8.创建客户端证书的申请文件client.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:    <--输入前面创建的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <--输入国家名
State or Province Name (full name) []:BeiJing    <--输入省份
Locality Name (eg, city) [Default City]:haidian    <--输入城市名
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <--输入公司名   
Organizational Unit Name (eg, section) []:    <--可不输入
Common Name (eg, your name or your server's hostname) []:    <--可不输入
Email Address []:mrlapulga@126.com    <--输入邮件地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <--可不输入
An optional company name []:    <--可不输入

9.创建一个有效期为一年的客户端证书client.crt:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
Getting CA Private Key
Enter pass phrase for private/root.key:    <--输入之前创建的密码

10.现在可将客户端证书文件client.crt和客户端证书密钥文件client.key合并为客户端的client.pfx安装包文件:

[root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
Enter pass phrase for private/client.key:    <--输入之前创建的密码
Enter Export Password:    <--创建一个新密码
Verifying - Enter Export Password:    <--确认密码

client.pfx是配置双向SSL时需要客户端安装的证书文件。

目录
相关文章
|
3月前
|
网络安全 开发工具 Python
【Azure事件中心】使用Python SDK(Confluent)相关方法获取offset或lag时提示SSL相关错误
【Azure事件中心】使用Python SDK(Confluent)相关方法获取offset或lag时提示SSL相关错误
|
安全 网络安全 数据安全/隐私保护
IP申请SSL证书的条件和方法
IP申请SSL证书的条件和方法 互联网信息安全时代,网站部署SSL证书能实现HTTPS加密。通常SSL证书是颁发给域名的,但很多企事业单位需要IP地址实现HTTPS加密,那么IP能申请SSL证书吗?小编了解到数安时代GDCA能为IP地址颁发SSL证书。
9604 0
|
域名解析 网络协议 算法
阿里云申请免费网站SSL证书的方法步骤
阿里云申请免费网站SSL证书的方法步骤,阿里云SSL免费证书在哪申请?一个阿里云账号一年可以申请20张免费SSL证书,很多同学找不到免费SSL的入口,阿小云来详细说下阿里云SSL证书免费申请入口链接以及免费SSL证书申请流程
318 0
|
数据建模 网络安全
阿里云SSL证书类型DV SSL、OV SSL和EV SSL区别及选择方法
阿里云SSL证书分为OV企业级SSL、DV域名级SSL和EV增强型SSL,有什么区别?如何选择?
|
应用服务中间件 网络安全 nginx
|
网络安全 C# 数据安全/隐私保护
C#发送邮件三种方法(Localhost,SMTP,SSL-SMTP)
原文:C#发送邮件三种方法(Localhost,SMTP,SSL-SMTP) 最近公司由于一个R&I项目的需要,用户要求在购买产品或出货等一些环节,需要发送邮件提醒或者说每周一让系统自动采集数据发送一封E-mail,因此我也就找来相关资料,写了一个Demo分享给大家,大家共同学习学习。
2919 0
|
数据建模 网络安全
阿里云SSL证书类型DV SSL、OV SSL和EV SSL区别及选择方法
阿里云SSL证书分为OV企业级SSL、DV域名级SSL和EV增强型SSL,有什么区别?如何选择?
|
数据建模 网络安全
阿里云SSL证书类型DV SSL、OV SSL和EV SSL区别及选择方法
阿里云SSL证书分为OV企业级SSL、DV域名级SSL和EV增强型SSL,有什么区别?如何选择?
|
数据建模 网络安全
阿里云SSL证书类型DV SSL、OV SSL和EV SSL区别选择方法
阿里云SSL证书分为OV企业级SSL、DV域名级SSL和EV增强型SSL,有什么区别?如何选择?
2272 1
阿里云SSL证书类型DV SSL、OV SSL和EV SSL区别选择方法

热门文章

最新文章

相关实验场景

更多