How to Generate SSL Certificates
阿新 • Published: 2017-12-11
On Linux, confirm that the OpenSSL package is installed before running any of the steps below.
1. Create the root certificate key file root.key:
```
[root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for root.key:    <-- enter a password
Verifying - Enter pass phrase for root.key:    <-- enter the password again
```
2. Create the certificate signing request for the root certificate, root.csr:
```
[root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/root.key -out root.csr
Enter pass phrase for private/root.key:    <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- country
State or Province Name (full name) []:BeiJing    <-- province
Locality Name (eg, city) [Default City]:haidian    <-- city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:[email protected]    <-- email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank
```
3. Create the root certificate root.crt, valid for ten years:
```
[root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting Private key
Enter pass phrase for private/root.key:    <-- enter the password created earlier
```
4. Create the server certificate key server.key:
```
[root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:    <-- enter a password
Verifying - Enter pass phrase for server.key:    <-- enter the password again
```
5. Create the certificate signing request for the server certificate, server.csr:
```
[root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key:    <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- country
State or Province Name (full name) []:BeiJing    <-- province
Locality Name (eg, city) [Default City]:haidian    <-- city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:[email protected]    <-- email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank
```
6. Create the server certificate server.crt, valid for one year:
```
[root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the password created earlier
```
7. Create the client certificate key file client.key:
```
[root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:    <-- enter a password
Verifying - Enter pass phrase for client.key:    <-- enter the password again
```
8. Create the certificate signing request for the client certificate, client.csr:
```
[root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:    <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- country
State or Province Name (full name) []:BeiJing    <-- province
Locality Name (eg, city) [Default City]:haidian    <-- city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:[email protected]    <-- email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank
```
9. Create the client certificate client.crt, valid for one year:
```
[root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the password created earlier
```
10. The client certificate client.crt and the client key client.key can now be combined into a single client.pfx bundle for installation on the client:
```
[root@mrlapulga:/etc/pki/CA]# openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
Enter pass phrase for private/client.key:    <-- enter the password created earlier
Enter Export Password:    <-- create a new password
Verifying - Enter Export Password:    <-- confirm the password
```
client.pfx is the certificate file the client must install when mutual (two-way) SSL is configured.
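The ten steps above form one procedure: root key and CSR, self-signed root, then a server and a client certificate signed by that root, and finally a PKCS#12 bundle. The script below is an added example, not code from the original post, that runs the same procedure end to end without interactive prompts and tightens the parts a practitioner would change before deploying: 2048-bit RSA instead of 1024, SHA-256 instead of SHA-1, a Common Name and a Subject Alternative Name on the server certificate (the post leaves the CN blank, so TLS clients could not match the hostname), and an extensions file passed with -extfile, because `openssl x509 -req -extensions v3_ca` with no extensions file has nothing to read the section from, and the resulting root.crt may not carry CA:TRUE at all. Everything not in the post is an assumption: a scratch directory in place of /etc/pki/CA, the hostname server.example.test, the client name client1 and the export password changeit are constructed placeholders; the v3_client section is added for the client certificate. The three check functions at the end are the verification a practitioner should run on the post's own output as well.

```shell
#!/bin/sh
# Added example, not from the original post: the same root -> server/client chain,
# built non-interactively with 2048-bit RSA and SHA-256, plus an extensions file so
# the root really carries CA:TRUE and the server certificate carries a SAN.
# Assumptions (constructed, not from the post): a scratch directory instead of
# /etc/pki/CA, the hostname server.example.test, and a fixed PKCS#12 export password.
set -eu

write_config() {
    # $1 = directory, $2 = server hostname. Section names v3_ca / v3_req follow the
    # post; v3_client is added here for the client certificate. The [req] section
    # only exists so "openssl req -config" is satisfied; -subj supplies the DN.
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid,issuer
EOF
}

# issue DIR NAME SECTION DAYS SUBJECT: key + CSR + certificate, signed by root.key,
# or self-signed when NAME is "root" (steps 1-3, 4-6 and 7-9 of the post).
issue() {
    dir=$1; name=$2; section=$3; days=$4; subject=$5
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "$subject" -out "$dir/$name.csr"
    if [ "$name" = root ]; then
        openssl x509 -req -days "$days" -sha256 -extfile "$dir/openssl.cnf" \
            -extensions "$section" -signkey "$dir/root.key" \
            -in "$dir/root.csr" -out "$dir/root.crt" 2>/dev/null
    else
        openssl x509 -req -days "$days" -sha256 -extfile "$dir/openssl.cnf" \
            -extensions "$section" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
            -CAcreateserial -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
    fi
}

# build_pki DIR HOSTNAME: whole chain plus the client PKCS#12 bundle (step 10).
build_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    write_config "$dir" "$host"
    base="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga"
    issue "$dir" root   v3_ca     3650 "$base/CN=mrlapulga Root CA"
    issue "$dir" server v3_req    365  "$base/CN=$host"
    issue "$dir" client v3_client 365  "$base/CN=client1"
    # Export password is passed on the command line here instead of being prompted.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass:changeit -out "$dir/client.pfx"
}

# Checks worth running before trusting the output (also valid against the post's files).
ca_is_ca()       { openssl x509 -in "$1/root.crt" -noout -text | grep -q 'CA:TRUE'; }
server_has_san() { openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"; }
chain_verifies() { openssl verify -CAfile "$1/root.crt" "$1/server.crt" "$1/client.crt" >/dev/null; }

# Usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    build_pki "$work" server.example.test
    ca_is_ca "$work" && server_has_san "$work" server.example.test \
        && chain_verifies "$work" && echo "PKI built and verified in $work"
fi
```

If `ca_is_ca` fails on a root produced by the post's step 3, the extensions were not applied and every certificate chained to it will be rejected by strict verifiers; regenerate the root with an extensions file as above. `openssl verify` checks signatures, validity dates and basic constraints only; hostname matching is what the SAN is for, and it is exercised by the connecting client, not by this script.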