OpenSSL 生成证书

时间:2025-03-18 11:46:16

OpenSSL 生成证书

作者:Bright Xu

在当前目录创建配置文件,用于定义后面创建证书的相关配置

创建文件,并写入一下内容:

oid_section		= new_oids

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7


[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organization Name (eg, company)
organizationName_default = MyTest
commonName = Common Name (. server FQDN or YOUR name)
commonName_max = 64
commonName_default = MyOnlyTest

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2
subjectAltName = @alt_names

[alt_names]
DNS.1 = 
DNS.2 = *.
DNS.3 = localhost

IP.1 = 192.168.2.186
IP.2 = 192.168.2.196
IP.3 = 127.0.0.1
IP.4 = ::1

生成server证书

# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123456 -out server_rsa_private.pem 2048

# 生成server证书
openssl req -new -key server_rsa_private.pem -out  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest Server/CN=Only Test Server" -extensions req_ext -config  -passin pass:123456

# 将加密的RSA密钥转成未加密的RSA密钥
openssl rsa -in server_rsa_private.pem -out server_rsa_private. -passin pass:123456

生成的文件:server_rsa_private.pemserver_rsa_private.

自签CA证书

非必要,通常不需要这样做,一般仅用于测试。通常情况下是在正规的CA证书颁发机构申请的,而不是自签的。

# 生成证书密钥文件
openssl genrsa -aes256 -passout pass:123ca456 -out ca_rsa_private.pem 2048

# 生成CA证书
openssl req -new -x509 -days 36500 -key ca_rsa_private.pem  -out  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTest/OU=MyOnlyTest CA/CN=Only Test" -passin pass:123ca456

# 使用CA证书及密钥,对server证书进行签名
openssl x509 -req -days 36500 -in  -CA  -CAkey ca_rsa_private.pem -CAcreateserial -out  -extensions req_ext -extfile  -passin pass:123ca456

生成的文件:ca_rsa_private.pem

使用到HTTPS

部署到HTTPS服务器时,一般要用到证书签名文件certificate)和私钥文件server_rsa_private.pemPrivateKey)。不过每次使用server_rsa_private.pem的时候都需要输入密码,可换为server_rsa_private.跳过输入密码的步骤。