
Mastering OpenSSL certificate commands

运维开发网 https://www.qedev.com 2020-02-28 10:22 Source: 51CTO Author: 17gongdeng

2. Create a directory on my machine, open a terminal, and change into that directory

cd /Users/dhbm/Desktop/ssl/sign20180729


3. Generate a self-signed certificate

1) Generate a key (my private key)

openssl genrsa -des3 -out selfsign.key 4096

Result (passphrase entered during the process: 123456)

Generating RSA private key, 4096 bit long modulus

...........++

...........................++

e is 65537 (0x10001)

Enter pass phrase for selfsign.key:

Verifying - Enter pass phrase for selfsign.key:

*** At this point a file should have been generated: selfsign.key

ls

selfsign.key

2) Use my private key (the key generated above) to create a certificate signing request (CSR)

openssl req -new -key selfsign.key -out selfsign.csr

Result

Enter pass phrase for selfsign.key:

unable to load Private Key

140735584793480:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:

140735584793480:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

Enter pass phrase for selfsign.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh

Email Address []:13501062476@139.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:dhbm.cn


*** At this point another file should have been generated: selfsign.csr

ls

selfsign.csr selfsign.key

3) Use the certificate request file above (selfsign.csr) to generate the self-signed certificate

openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

Result

Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh/emailAddress=13501062476@139.com
Enter pass phrase for selfsign.key:

*** At this point another file should have been generated: selfsign.crt

ls

selfsign.crt selfsign.csr selfsign.key


4. Generate my own CA (Certificate Authority)

1) Generate the CA's key. This step is the same as for the certificate: it is also a private key, and the file is named ca.key

openssl genrsa -des3 -out ca.key 4096

Result:

Generating RSA private key, 4096 bit long modulus

..................................................................................................++

.....................................++

e is 65537 (0x10001)

Enter pass phrase for ca.key:

Verifying - Enter pass phrase for ca.key:

*** At this point another file should have been generated: ca.key

ls

ca.key selfsign.crt selfsign.csr selfsign.key

2) Generate the CA's certificate request and certificate (the two steps are merged into one)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Result

Enter pass phrase for ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh

Email Address []:13501062476@139.com

*** At this point 1 more file should have been generated, ca.crt (no ca.csr?)

ls

ca.crt ca.key selfsign.crt selfsign.csr selfsign.key


5. Generate a server certificate, issued by the self-built CA above

1) The first 2 steps are the same as above: generate a private key (key) and a certificate request (csr)

Generate the private key

openssl genrsa -des3 -out myserver.key 4096

Result:

Generating RSA private key, 4096 bit long modulus

...................................................................++

...............................................................................................................................................++

e is 65537 (0x10001)

Enter pass phrase for myserver.key:

Verifying - Enter pass phrase for myserver.key:

Generate the certificate request

openssl req -new -key myserver.key -out myserver.csr

Result:

Enter pass phrase for myserver.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh server

Email Address []:13501062476@139.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:dhbm.cn


This time it differs from the above: the CA is added in the middle, meaning this certificate is recognized and issued by the CA

openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

Result:

Signature ok

subject=/C=cn/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh server/emailAddress=13501062476@139.com

Getting CA Private Key

Enter pass phrase for ca.key:

*** At this point 3 more files have been generated: myserver.key, myserver.csr, myserver.crt

ls

ca.crt myserver.crt myserver.key selfsign.csr

ca.key myserver.csr selfsign.crt selfsign.key


6. Inspect my certificate (myserver)

1) View my private key

openssl rsa -noout -text -in myserver.key

Result

Enter pass phrase for myserver.key:

Private-Key: (4096 bit)

modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29

...

2) View my certificate request

openssl req -noout -text -in myserver.csr

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:

...

Attributes:

challengePassword :123456

unstructuredName :dhbm.cn

Signature Algorithm: sha256WithRSAEncryption

00:6f:04:6c:30:93:88:34:ee:43:f2:ce:2b:d0:3e:11:20:46:

...

3) View my certificate

openssl x509 -noout -text -in myserver.crt

Data:

Version: 1 (0x0)

Serial Number: 1 (0x1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=CN, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh/emailAddress=13501062476@139.com

Validity

Not Before: Jul 29 09:02:55 2018 GMT

Not After : Jul 29 09:02:55 2019 GMT

Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:

...

4) Verify my certificate

openssl verify -CAfile ca.crt myserver.crt

myserver.crt: OK
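Section 6 read by hand shows the same modulus in the key, the CSR and the certificate, and a Validity block to compare against the calendar. The added example below (not part of the article) turns those checks into functions a script can act on: it first rebuilds the section 3 self-signed key/CSR/certificate without prompts, then compares a SHA-256 of the public key pulled from each of the three files, reads subject and issuer to tell a self-signed certificate from an issued one, and uses `-checkend` for expiry. WORK and the subject fields are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's own commands.
# Rebuilds the section 3 self-signed files without prompts, then automates the
# section 6 inspection. WORK and SUBJ are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/CN=wzh"

# Section 3 in three commands; genrsa without -des3 writes the key unencrypted,
# so nothing prompts for a passphrase.
make_selfsigned() {
  openssl genrsa -out "$WORK/selfsign.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/selfsign.key" -subj "$SUBJ" -out "$WORK/selfsign.csr"
  openssl x509 -req -days 365 -in "$WORK/selfsign.csr" \
    -signkey "$WORK/selfsign.key" -out "$WORK/selfsign.crt" 2>/dev/null
}

# SHA-256 over the DER-encoded public key taken from a key, a CSR or a
# certificate. Section 6 shows the same modulus in all three by eye; this
# makes the comparison a string equality. Usage: pubkey_fingerprint key|csr|crt FILE
pubkey_fingerprint() {
  case "$1" in
    key) openssl pkey -in "$2" -pubout -outform DER ;;
    csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# "match" when a private key belongs to a certificate, otherwise "mismatch".
key_matches_cert() {
  [ "$(pubkey_fingerprint key "$1")" = "$(pubkey_fingerprint crt "$2")" ] \
    && echo match || echo mismatch
}

# One certificate field (subject, issuer, serial, enddate, ...) with the
# "name=" prefix stripped.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*= *//'
}

# A self-signed certificate is its own issuer: subject and issuer are equal.
is_self_signed() {
  [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ] && echo yes || echo no
}

# "yes" if the certificate expires within N days (what a renewal alert keys on).
expires_within_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && echo no || echo yes
}

make_selfsigned
echo "key/cert public key match : $(key_matches_cert "$WORK/selfsign.key" "$WORK/selfsign.crt")"
echo "self-signed               : $(is_self_signed "$WORK/selfsign.crt")"
echo "expires within 30 days    : $(expires_within_days "$WORK/selfsign.crt" 30)"
echo "not after                 : $(cert_field "$WORK/selfsign.crt" enddate)"
```

Comparing a hash of the public key, rather than the modulus text shown in section 6, works the same for RSA and for EC keys, and `key_matches_cert` with a key that does not belong to the certificate returns `mismatch`, which is the check to run before deploying a renewed certificate next to an old key.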


7. At this point the 3 steps are complete: the self-signed certificate, the CA certificate, and the myserver certificate issued by the CA

Question: which of these is used on the server side, and which on the client side?
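The commands of sections 4 and 5, rerun as an added example (this is not the article's own script): it runs without passphrase prompts by passing the CA passphrase with -passout/-passin, adds the X.509v3 extensions that a bare `openssl x509 -req` does not add (basicConstraints so ca.crt is marked as a CA, a subjectAltName so clients can match the hostname), and ends with the client-side check that answers the closing question: myserver.key and myserver.crt are installed on the server, and ca.crt is what clients are given as their trust anchor. WORK, CA_PASS, the subject fields and the hostname myserver.example are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's own commands: sections 4 and 5 without
# prompts, with X.509v3 extensions, then the check a client performs.
# WORK, CA_PASS and myserver.example are constructed for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="pass:ca-passphrase-for-this-example"  # constructed; use file: or env: outside a demo

# Section 4: CA key plus self-issued CA certificate in one req -x509 call.
# basicConstraints CA:TRUE is what marks ca.crt as allowed to sign others.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = CN
ST = BeiJing
O = dhbm.cn
CN = dhbm.cn example root CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -config "$WORK/ca.cnf" \
    -key "$WORK/ca.key" -passin "$CA_PASS" -out "$WORK/ca.crt"
}

# Section 5: server key, CSR, and a certificate signed by the CA.
# Clients match the hostname against the SAN, so it goes in via -extfile.
issue_server_cert() {
  host="$1"
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl genrsa -out "$WORK/myserver.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/myserver.key" \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/CN=$host" -out "$WORK/myserver.csr"
  openssl x509 -req -days 365 -in "$WORK/myserver.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "$CA_PASS" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/myserver.crt" 2>/dev/null
}

# What a client does with ca.crt: build the chain to it, check validity and
# the hostname. Prints OK or FAIL and always exits 0 so it composes under set -e.
client_verify() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/myserver.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Role of a certificate file, read from its own extensions.
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo ca
  elif openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then echo server
  else echo leaf; fi
}

make_ca
issue_server_cert myserver.example
echo "ca.crt role        : $(cert_role "$WORK/ca.crt")"
echo "myserver.crt role  : $(cert_role "$WORK/myserver.crt")"
echo "client check       : $(client_verify "$WORK/ca.crt" myserver.example)"
echo "wrong hostname     : $(client_verify "$WORK/ca.crt" other.example)"
```

Section 3 of the article shows what a mistyped passphrase looks like (bad decrypt, then a second prompt); -passin removes the prompt, but a pass: string is visible in process listings, so outside a demo read it from a file or the environment. Without the extension file, a certificate issued by `openssl x509 -req` is X.509 v1, which is why section 6 prints Version: 1; `openssl verify` still says OK for such a chain, but TLS clients check the hostname against the SAN rather than the CN and expect the CA flag on any certificate that signs others.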
