OpenSSL 生成证书
作者:Bright Xu
在当前目录创建配置文件,用于定义后面创建证书的相关配置
创建文件,并写入一下内容:
oid_section = new_oids
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organization Name (eg, company)
organizationName_default = MyTest
commonName = Common Name (. server FQDN or YOUR name)
commonName_max = 64
commonName_default = MyOnlyTest
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names
[alt_names]
DNS.1 =
DNS.2 = *.
DNS.3 = localhost
IP.1 = 192.168.2.186
IP.2 = 192.168.2.196
IP.3 = 127.0.0.1
IP.4 = ::1
生成server证书
# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123456 -out server_rsa_private.pem 2048
# 生成server证书
openssl req -new -key server_rsa_private.pem -out -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest Server/CN=Only Test Server" -extensions req_ext -config -passin pass:123456
# 将加密的RSA密钥转成未加密的RSA密钥
openssl rsa -in server_rsa_private.pem -out server_rsa_private. -passin pass:123456
生成的文件:server_rsa_private.pem、、server_rsa_private.。
自签CA证书
非必要,通常不需要这样做,一般仅用于测试。通常情况下是在正规的CA证书颁发机构申请的,而不是自签的。
# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123ca456 -out ca_rsa_private.pem 2048
# 生成CA证书
openssl req -new -x509 -days 36500 -key ca_rsa_private.pem -out -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest CA/CN=Only Test" -passin pass:123ca456
# 使用CA证书及密钥,对server证书进行签名
openssl x509 -req -days 36500 -in -CA -CAkey ca_rsa_private.pem -CAcreateserial -out -extensions req_ext -extfile -passin pass:123ca456
生成的文件:ca_rsa_private.pem,,。
使用到HTTPS
部署到HTTPS服务器时,一般要用到证书签名文件(certificate)和私钥文件server_rsa_private.pem(PrivateKey)。不过每次使用server_rsa_private.pem的时候都需要输入密码,可换为server_rsa_private.跳过输入密码的步骤。