CA Certificate Generation Notes
阿新 • Published: 2018-12-05
Contents
1. Example
2. Help commands
3. Common commands
1. Example
---------------------------- PEM-format certificates -------------

1. CA private key and self-signed certificate

openssl genrsa -out ca-key.pem -aes128 2048
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 1000

Remember the following three attribute values; the CSRs generated later must use the same ones, because the default policy of openssl ca requires them to match the CA certificate:
Country Name, State or Province Name, Organization Name

2. Server private key, certificate request and certificate

openssl genrsa -out server-key.pem -aes128 2048
openssl req -new -key server-key.pem -out server-csr.pem
openssl ca -in server-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out server-cert.pem -days 365

If the following error occurs:
"I am unable to access the ../../CA/newcerts directory
../../CA/newcerts: No such file or directory"
you only need to create the directory layout that openssl ca expects:

# create directory
$ mkdir ../../CA
$ mkdir ../../CA/newcerts
# create empty file:
$ vi ../../CA/index.txt
# create file and input 01 (the content is 01):
$ vi ../../CA/serial

3. Client private key, certificate request and certificate

openssl genrsa -out client-key.pem -aes128 2048
openssl req -new -key client-key.pem -out client-csr.pem
openssl ca -in client-csr.pem -cert ca-cert.pem -keyfile ca-key.pem -out client-cert.pem -days 365

---------------------------- p12-format certificate -------------

openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client-cert.p12

---------------------------- jks-format certificate -------------

# create the keystore file
keytool -genkeypair -keyalg RSA -alias client -keystore client.jks
# delete the PrivateKeyEntry that was just generated
keytool -delete -alias client -keystore client.jks
# check keystore
#keytool -list -v -keystore client.jks
# convert format, otherwise the private key cannot be imported into the jks
# (-nocrypt writes the key unencrypted; delete client-key.pk8 after the import)
openssl pkcs8 -in client-key.pem -inform pem -out client-key.pk8 -outform der -topk8 -nocrypt
# pkeytool.jar must be downloaded to the current directory
# import client-key.pk8, client-cert.pem
java -jar pkeytool.jar -importkey -keyfile client-key.pk8 -certfile client-cert.pem -alias myclient -keystore client.jks
# import ca-cert
keytool -importcert -v -trustcacerts -file ca-cert.pem -alias myCA -keystore client.jks
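The whole PEM procedure above (CA, directory layout, policy-matched CSR, openssl ca, verification) plus the p12 export, as one added, non-interactive example. This script is not part of the original notes: it writes its own minimal openssl.cnf instead of relying on the system one, uses -subj and unencrypted keys in place of the interactive prompts and -aes128 shown above, and every subject value, file name and the passphrase "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: build a throwaway CA with a
# minimal openssl.cnf, issue a server certificate with `openssl ca`, verify
# the chain and round-trip the result through PKCS#12. Every subject value,
# file name and passphrase below is constructed for the demo.

# The directory layout that [ CA_default ] points at. Creating it is the same
# fix the notes give for the "unable to access ../../CA/newcerts" error.
setup_ca_dir() {
    mkdir -p "$1/CA/newcerts" || return 1
    : > "$1/CA/index.txt"        # empty certificate database
    echo 01 > "$1/CA/serial"     # next serial number to issue
}

# policy_match is why Country, State and Organization in a CSR must equal the
# CA certificate's values; v3_ca and server_cert give each certificate the
# extensions that `openssl verify` expects to see.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $1/CA
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = $1/ca-cert.pem
private_key      = $1/ca-key.pem
default_md       = sha256
default_days     = 365
policy           = policy_match
x509_extensions  = server_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Returns 0 when the issued certificate chains to the CA and the PKCS#12
# bundle reads back with the expected subject; 1 on any failure.
demo_ca() {
    work=$(mktemp -d) || return 1
    setup_ca_dir "$work" && write_ca_config "$work" || return 1
    # Unencrypted keys keep the run non-interactive; the notes use -aes128.
    openssl genrsa -out "$work/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$work/ca.cnf" -key "$work/ca-key.pem" \
        -subj "/C=CN/ST=Beijing/O=Example Corp/CN=Example Root CA" \
        -days 1000 -out "$work/ca-cert.pem" || return 1
    openssl genrsa -out "$work/server-key.pem" 2048 2>/dev/null || return 1
    # Same C, ST and O as the CA, otherwise policy_match rejects the CSR.
    openssl req -new -config "$work/ca.cnf" -key "$work/server-key.pem" \
        -subj "/C=CN/ST=Beijing/O=Example Corp/CN=server.example.test" \
        -out "$work/server-csr.pem" || return 1
    openssl ca -batch -notext -config "$work/ca.cnf" \
        -in "$work/server-csr.pem" -out "$work/server-cert.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$work/ca-cert.pem" "$work/server-cert.pem" >/dev/null || return 1
    # p12 export as in the notes, with the CA certificate bundled alongside.
    openssl pkcs12 -export -in "$work/server-cert.pem" -inkey "$work/server-key.pem" \
        -certfile "$work/ca-cert.pem" -passout pass:changeit \
        -out "$work/server.p12" || return 1
    subj=$(openssl pkcs12 -in "$work/server.p12" -passin pass:changeit -nokeys -clcerts \
        | openssl x509 -noout -subject) || return 1
    rm -rf "$work"
    case "$subj" in
        *server.example.test*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it with `demo_ca && echo issued-and-verified`. Changing ST in the server -subj to another province makes `openssl ca` fail with a policy error, which is the non-interactive form of the "keep these three values identical" warning in the notes.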
2. Help commands
openssl --help
openssl x509 --help
3. Common commands
1. Generate a plain private key (the notes use 1024 bits; 2048 bits is the minimum to use for a real CA):
openssl genrsa -out ca-key.pem 1024
2. Generate a passphrase-protected key:
openssl genrsa -des3 -out ca-key.pem 1024
3. Remove the passphrase from a key:
openssl rsa -in ca-key.pem -out ca-key.pem
4. Generate a self-signed certificate from the private key:
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 1095
5. Derive the public key from the private key:
openssl rsa -in ca-key.pem -pubout -out pub-key.pem
6. Format conversion (certificate, private key, public key), PEM to DER:
openssl x509 -in ca-cert.pem -inform PEM -out ca-cert.der -outform DER
openssl rsa -in ca-key.pem -inform PEM -out ca-key.der -outform DER
openssl rsa -pubin -in pub-key.pem -inform PEM -pubout -out pub-key.der -outform DER
7. Bundle into a pfx (p12) certificate:
openssl pkcs12 -export -in server-cert.pem -out server.p12 -inkey server-key.pem
8. Dump a p12 certificate to text (PEM):
openssl pkcs12 -in server.p12 -out server.txt
9. Display on screen (certificate, private key, public key; -pubin is required to read a public key with openssl rsa):
openssl x509 -in ca-cert.pem -noout -text -modulus
openssl rsa -in ca-key.pem -noout -text -modulus
openssl rsa -pubin -in pub-key.pem -noout -text -modulus
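Items 6 and 9 are most useful together: the -modulus output is how you prove that a private key, its public key and a certificate actually belong to each other, and a PEM to DER conversion should leave the certificate unchanged. The following is an added example, not from the original notes; the helper names (modulus_of, key_matches_cert, pem_der_roundtrip, demo_common), the file names and the subjects are all constructed for the demo, and a tiny req config is written so the run does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not part of the original notes: use the -modulus output of
# item 9 to check that key, public key and certificate belong together, and
# check that item 6's PEM -> DER conversion round-trips without changing the
# certificate. All file names and subject values are constructed.

# Print the RSA modulus of a private key, public key or certificate.
# $1 = kind (key | pub | cert), $2 = PEM file. Output looks like "Modulus=...".
modulus_of() {
    case "$1" in
        key)  openssl rsa  -in "$2" -noout -modulus ;;
        pub)  openssl rsa  -pubin -in "$2" -noout -modulus ;;
        cert) openssl x509 -in "$2" -noout -modulus ;;
        *)    return 1 ;;
    esac
}

# 0 if the private key ($1) and certificate ($2) share a modulus, 1 otherwise.
key_matches_cert() {
    k=$(modulus_of key "$1") || return 1
    c=$(modulus_of cert "$2") || return 1
    [ "$k" = "$c" ]
}

# 0 if PEM -> DER -> PEM leaves the SHA-256 fingerprint of $1 unchanged.
pem_der_roundtrip() {
    dir=$(dirname "$1")
    openssl x509 -in "$1" -inform PEM -out "$dir/rt.der" -outform DER || return 1
    openssl x509 -in "$dir/rt.der" -inform DER -out "$dir/rt.pem" -outform PEM || return 1
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$dir/rt.pem" -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# Builds fixtures in a scratch directory and prints one summary line, which is
# "key:match pub:match other:nomatch der:same" when everything behaves.
demo_common() {
    work=$(mktemp -d) || return 1
    # Minimal req config so the run does not depend on the system openssl.cnf.
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$work/req.cnf"
    openssl genrsa -out "$work/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$work/req.cnf" -key "$work/ca-key.pem" -days 1095 \
        -subj "/C=CN/O=Example Corp/CN=Example CA" -out "$work/ca-cert.pem" || return 1
    openssl rsa -in "$work/ca-key.pem" -pubout -out "$work/pub-key.pem" 2>/dev/null || return 1
    openssl genrsa -out "$work/other-key.pem" 2048 2>/dev/null || return 1   # unrelated key

    if key_matches_cert "$work/ca-key.pem" "$work/ca-cert.pem"; then r1=match; else r1=nomatch; fi
    if [ "$(modulus_of pub "$work/pub-key.pem")" = "$(modulus_of cert "$work/ca-cert.pem")" ]; then
        r2=match
    else
        r2=nomatch
    fi
    if key_matches_cert "$work/other-key.pem" "$work/ca-cert.pem"; then r3=match; else r3=nomatch; fi
    if pem_der_roundtrip "$work/ca-cert.pem"; then r4=same; else r4=differ; fi
    rm -rf "$work"
    echo "key:$r1 pub:$r2 other:$r3 der:$r4"
}
```

key_matches_cert is the check to run before bundling a certificate and key into a p12 (item 7): a mismatched pair is accepted by some tools at export time and only fails later at the TLS handshake.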