Generating self-signed SSL certificates with OpenSSL and trusting the self-signed CA locally
File types

- .crt / .cer: a certificate signed by a certificate authority (CA), or a certificate the developer signed themselves; it contains the holder's identity, the holder's public key and the signer's signature, among other data.
- .key: the private key file kept on the server, used to encrypt data sent to clients and to decrypt data received from them.
- .csr: a certificate signing request, submitted to a certificate authority (CA) to have the certificate signed.
- *.pem: a base64-encoded text container that can hold a certificate, a key, or both together; the base64 encoding is the block of seemingly random characters between the two ----- lines.
- *.der: the binary storage format for certificates (rarely used).
The subj parameter

| Field | Meaning | Example |
| --- | --- | --- |
| /C= | Country | CN |
| /ST= | State or Province | beijing |
| /L= | Location or City | beijing |
| /O= | Organization (company) | stars-mine |
| /OU= | Organization Unit (department) | stars-mine |
| /CN= | Common Name (name of the certificate owner) | openssl |
Create the certificate directories

```shell
# mkdir -pv certs/{CA,client,server}
# touch certs/index.txt
# touch certs/serial
# echo "1000" > certs/serial
# echo "unique_subject = no" > certs/index.txt.attr   # Sign multiple certs for the same CN
```
openssl.conf
```ini
# environment variable values
CERT_DIR = certs

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = ${ENV::CERT_DIR}
certs             = $dir
crl_dir           = $dir/crl
new_certs_dir     = $dir
database          = $dir/index.txt
serial            = $dir/serial

# certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate-ca.crl
crl_extensions    = crl_ext
default_crl_days  = 30

default_md        = sha256
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_loose ]
# Allow the CA to sign a range of certificates.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# `man req`
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name
localityName            = Locality Name
0.organizationName      = Organization Name
organizationalUnitName  = Organizational Unit Name
commonName              = Common Name

# Certificate extensions (`man x509v3_config`)
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical, CA:true, pathlen:0
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign

[ client_cert ]
basicConstraints        = CA:FALSE
nsCertType              = client
nsComment               = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth

[ server_cert ]
basicConstraints        = CA:FALSE
nsCertType              = server
nsComment               = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
```
- certs (should exist by default): holds the certificates that have been issued
- newcerts (should exist by default): holds new certificates produced by the ca command
- private (should exist by default): holds private keys
- crl (should exist by default): holds revoked certificates
- index.txt: the text database of issued certificates defined by OpenSSL; it is normally empty at initialization
- serial: the serial-number reference file used when issuing certificates; the serial number is stored in hexadecimal, and the file must exist and contain a valid serial number
CA key and self-signed certificate

Generate the CA private key

```text
# openssl genrsa -out certs/CA/ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................................++++
...............................................................++++
e is 65537 (0x010001)
```
Generate the self-signed certificate for the CA

```shell
# openssl req -config openssl.conf -new -x509 -days 3650 -sha256 -key certs/CA/ca.key -extensions v3_ca -out certs/CA/ca.crt -subj /CN=ca
```
Server key and self-signed certificate

Generate the server private key

```text
# openssl genrsa -out certs/server/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
.......................................................+++++
e is 65537 (0x010001)
```
Generate the CSR

```shell
# openssl req -config openssl.conf -new -sha256 -key certs/server/server.key -out certs/server/server.csr -subj /CN=server
```
Generate the signed certificate

```text
# openssl ca -batch -config openssl.conf -extensions server_cert -days 3650 -notext -md sha256 -in certs/server/server.csr -out certs/server/server.crt -cert certs/CA/ca.crt -keyfile certs/CA/ca.key
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Aug 19 06:54:04 2022 GMT
            Not After : Aug 16 06:54:04 2032 GMT
        Subject:
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                39:04:CA:53:46:83:AB:F9:E9:0C:D6:57:71:FE:E6:CB:8B:FE:77:11
            X509v3 Authority Key Identifier:
                keyid:41:F5:D6:5E:6F:3B:82:CA:26:13:AF:A2:77:D2:97:7F:36:4D:BA:3B
                DirName:/CN=ca
                serial:07:E0:03:25:ED:75:03:DF:86:E4:E4:FE:75:8D:8D:68:22:4D:6E:12
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Aug 16 06:54:04 2032 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
```
Client key and self-signed certificate

Generate the client private key

```text
# openssl genrsa -out certs/client/client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
....+++++
e is 65537 (0x010001)
```
Generate the CSR

```shell
# openssl req -config openssl.conf -new -sha256 -key certs/client/client.key -out certs/client/client.csr -subj /CN=server
```
Generate the signed certificate

```text
# openssl ca -batch -config openssl.conf -extensions client_cert -days 3650 -notext -md sha256 -in certs/client/client.csr -out certs/client/client.crt -cert certs/CA/ca.crt -keyfile certs/CA/ca.key
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Aug 19 07:00:34 2022 GMT
            Not After : Aug 16 07:00:34 2032 GMT
        Subject:
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                14:BA:0F:CA:5E:EF:B8:38:13:90:71:A9:26:50:26:A4:34:1F:8A:47
            X509v3 Authority Key Identifier:
                keyid:41:F5:D6:5E:6F:3B:82:CA:26:13:AF:A2:77:D2:97:7F:36:4D:BA:3B
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Aug 16 07:00:34 2032 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
```
Example

Generate the CA root certificate

```shell
# 1. Generate the private key ca.key
openssl genrsa -out ca.key 2048
# 2. Generate the CSR request file
openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=My Organization/OU=My Unit/CN=example.com"
# 3. Generate the CA root certificate ca.crt
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
```
Issue the server certificate with the self-signed root certificate ca.crt

```shell
# 1. Generate the private key
openssl genrsa -out server.key 2048
# 2. Generate the certificate request
openssl req -new -key server.key -out server.csr
# 3. Sign it with the CA root certificate to obtain the certificate
openssl ca -days 3650 -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
```
Issue the client certificate with the self-signed root certificate ca.crt

```shell
# 1. Generate the private key
openssl genrsa -out client.key 2048
# 2. Generate the certificate request
openssl req -new -key client.key -out client.csr
# 3. Sign it with the CA root certificate to obtain the certificate
openssl ca -days 3650 -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
```
Example two

Supporting multiple domain names and IP addresses

```bash
#!/bin/bash
# Generate the private key
openssl genrsa -out private.key 2048

# Create the OpenSSL configuration file
cat <<EOF > openssl.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = My Organization
OU = My Unit
CN = *.example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
EOF

# Generate the CSR
openssl req -new -key private.key -out request.csr -config openssl.conf

# Generate the self-signed certificate
openssl x509 -req -days 3650 -in request.csr -signkey private.key -out certificate.crt -extensions v3_req -extfile openssl.conf

# Remove the CSR file (optional)
rm request.csr

echo "自签名证书生成成功: certificate.crt"
```
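As an added example that is not part of the original post, the script below ties the pieces together: it builds a throwaway CA with the v3_ca extensions from the openssl.conf above, issues it a server certificate carrying a subjectAltName like the one in example two, and then runs the check the post never shows, `openssl verify` against the CA with `-verify_hostname` / `-verify_ip`. The directory, names and addresses are constructed, and it assumes the openssl CLI (1.1.1 or newer, so `verify` exits non-zero on failure) is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the openssl CLI
# (1.1.1 or newer, so `verify` exits non-zero on failure) is on PATH.
set -eu

# Build a throwaway CA in directory $1 and issue it a server certificate whose
# subjectAltName lists the names and addresses a client may connect with.
make_certs() {
  local d="$1"
  # Constructed config: minimal req section, CA extensions, server extensions
  cat > "$d/openssl.conf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com, IP:192.168.1.1
EOF
  # CA key and self-signed CA certificate; CA:true is what makes verify accept it
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -days 365 -subj /CN=test-ca -config "$d/openssl.conf" -extensions v3_ca 2>/dev/null
  # Server key and CSR with a wildcard CN (clients ignore CN once a SAN is present)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj '/CN=*.example.com' -config "$d/openssl.conf" 2>/dev/null
  # Sign the CSR with the CA and attach the server_cert extensions (SAN included)
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -out "$d/server.crt" -extfile "$d/openssl.conf" -extensions server_cert 2>/dev/null
}

# Verify the chain against the CA plus one identity: $1 = dir,
# $2 = -verify_hostname or -verify_ip, $3 = the name or address. Returns 0/1.
check_san() {
  if openssl verify -CAfile "$1/ca.crt" "$2" "$3" "$1/server.crt" >/dev/null 2>&1; then
    echo "ok:   $3"
  else
    echo "fail: $3"; return 1
  fi
}

# Demo run: api.example.com fails even though CN=*.example.com, because the SAN
# does not list it and the CN is ignored when a SAN extension exists.
tmp=$(mktemp -d)
make_certs "$tmp"
check_san "$tmp" -verify_hostname www.example.com
check_san "$tmp" -verify_ip 192.168.1.1
check_san "$tmp" -verify_hostname api.example.com || true
rm -rf "$tmp"
```

The last check fails on purpose: once a certificate carries a subjectAltName, clients match against the SAN only, so a wildcard CN does not cover a name that is missing from it, and a browser will reject a CN-only certificate outright.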
Trusting the self-signed CA locally

First download the CA certificate and the self-signed certificate to the local machine. On that machine run mmc, then open "certmgr.msc" and "certlm.msc" in turn, and under "Trusted Root Certification Authorities" > "Certificates" import the CA root certificate and the self-signed certificate into each. Then close the browser, clear its cache and open it again; the warning icon becomes a green lock, which means the certificate is now trusted and the error is no longer shown.
Reposted from:
https://www.cnblogs.com/wangguishe/p/16592657.html
https://post.smzdm.com/p/admdzd9d/
SSL certificate tools:
https://www.chinassl.net/ssltools/free-ssl.html
https://myssl.com/cert_decode.html
Copyright notice: this article was published by 声光视趣 - lavfun.com; please credit the source when reposting.