世界杯亚洲球队

openssl生成证书和公私钥

大家好,又见面了,我是你们的朋友全栈君。

OpenSSL 生成证书 作者:Bright Xu

在当前目录创建配置文件,用于定义后面创建证书的相关配置

创建server.conf文件,并写入一下内容:

代码语言:javascript复制oid_section = new_oids

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

[ req ]

default_bits = 2048

distinguished_name = req_distinguished_name

req_extensions = req_ext

[ req_distinguished_name ]

countryName = Country Name (2 letter code)

countryName_default = CN

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Beijing

localityName = Locality Name (eg, city)

localityName_default = Beijing

organizationName = Organization Name (eg, company)

organizationName_default = MyTest

commonName = Common Name (e.g. server FQDN or YOUR name)

commonName_max = 64

commonName_default = MyOnlyTest

[ req_ext ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2

subjectAltName = @alt_names

[alt_names]

DNS.1 = test.my

DNS.2 = *.test.my

DNS.3 = localhost

IP.1 = 192.168.2.186

IP.2 = 192.168.2.196

IP.3 = 127.0.0.1

IP.4 = ::1生成server证书代码语言:javascript复制# 生成证书密钥文件

openssl genrsa -aes256 -passout pass:123456 -out server_rsa_private.pem 2048

# 生成server证书

openssl req -new -key server_rsa_private.pem -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest Server/CN=Only Test Server" -extensions req_ext -config server.conf -passin pass:123456

# 将加密的RSA密钥转成未加密的RSA密钥

openssl rsa -in server_rsa_private.pem -out server_rsa_private.pem.unsecure -passin pass:123456生成的文件:server_rsa_private.pem、server.csr、server_rsa_private.pem.unsecure。

自签CA证书非必要,通常不需要这样做,一般仅用于测试。通常情况下是在正规的CA证书颁发机构申请的,而不是自签的。

代码语言:javascript复制# 生成证书密钥文件

openssl genrsa -aes256 -passout pass:123ca456 -out ca_rsa_private.pem 2048

# 生成CA证书

openssl req -new -x509 -days 36500 -key ca_rsa_private.pem -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest CA/CN=Only Test" -passin pass:123ca456

# 使用CA证书及密钥,对server证书进行签名

openssl x509 -req -days 36500 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -CAcreateserial -out server.crt -extensions req_ext -extfile server.conf -passin pass:123ca456生成的文件:ca_rsa_private.pem,ca.crt,server.crt。

使用到HTTPS部署到HTTPS服务器时,一般要用到证书签名文件server.crt(certificate)和私钥文件server_rsa_private.pem(PrivateKey)。不过每次使用server_rsa_private.pem的时候都需要输入密码,可换为server_rsa_private.pem.unsecure跳过输入密码的步骤。

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员栈长,转载请注明出处:https://javaforall.cn/191648.html原文链接:https://javaforall.cn