Generating self-signed certificates with openssl and inspecting certificate details
2018-06-15 06:37:42
jim
# Generating a self-signed CA and certificates

## 1. Generate the CA's self-signed X509 certificate

```
openssl req -new -x509 -keyout ca.key -out ca.crt
# Remove the passphrase from the CA key
openssl rsa -in ca.key -out ca.key
```

## 2. Generate the server private key (key file) and CSR file

```
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
```

## 3. Generate the client private key (key file) and CSR file

```
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
```

## 4. Sign the server.csr and client.csr files just created with the CA certificate

```
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
```

Running the commands above may produce the following error:

```
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139883256969032:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
139883256969032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
```

Fix:

```
# Create the index.txt file.
touch /etc/pki/CA/index.txt
# Create a serial file to label the CA and all subsequent certificates.
echo '1000' > /etc/pki/CA/serial
```

## 5. Generate certificates in p12 format

```
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
```

## 6. Generate certificates in pem format

A pem-format certificate is sometimes needed; it can be produced by concatenating the certificate file (crt) and the private key file (key):

```
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
```

## 7. Convert a PFX file into an X509 certificate file and an RSA key file

```
openssl pkcs12 -in server.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server2.key
openssl x509 -in server.pem -out server2.crt
```

## 8. PEM to DER/CER (conversion from BASE64 to DER encoding)

```
openssl x509 -outform der -in server.pem -out server.cer
```

This produces the server-side files ca.crt, server.key, server.crt, server.pem, server.pfx and the client-side files ca.crt, client.key, client.crt, client.pem, client.pfx.

# openssl x509 inspection commands

## 1. Print the contents of a certificate

```
openssl x509 -in cert.pem -noout -text
openssl x509 -pubkey -noout -in cert.crt
# Check that the certificate and the key belong together (no output means the public keys match)
diff -q <(openssl x509 -pubkey -noout -in cert.crt) <(openssl rsa -pubout -in cert.key)
```

## 2. Print the certificate's serial number

```
openssl x509 -in cert.pem -noout -serial
```

## 3. Print the certificate's subject name

```
openssl x509 -in cert.pem -noout -subject
```

## 4. Print the certificate's subject name in the format specified by RFC2253

```
openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
```

## 5. Print the certificate's subject name on a single line, on a terminal that supports UTF8

```
openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -esc_msb
```

## 6. Print the certificate's MD5 fingerprint

```
openssl x509 -in cert.pem -noout -fingerprint
```

Note that without an explicit digest option, OpenSSL releases from 1.0.0 onwards print a SHA1 fingerprint here rather than MD5.

## 7. Print the certificate's SHA fingerprint

```
openssl x509 -sha1 -in cert.pem -noout -fingerprint
```

## 8. Convert a certificate from PEM format to DER format

```
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
```

## 9. Convert a certificate into a CSR

```
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
```

## 10. Process a CSR, issue a self-signed certificate and add the CA extensions

```
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem
```

## 11. Sign a CSR and add the user certificate extensions

```
openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial
```

## 12. View the details of a CSR file

```
openssl req -in my.csr -noout -text
```

> Original post: [https://www.cnblogs.com/threegun/p/7130985.html](https://www.cnblogs.com/threegun/p/7130985.html)
> See also: [http://seanlook.com/2015/01/18/openssl-self-sign-ca/](http://seanlook.com/2015/01/18/openssl-self-sign-ca/)
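The CA and leaf generation steps above and the certificate/key comparison from the inspection section, combined into one script. This is an added example, not code from the original post: it signs with `openssl x509 -req` instead of `openssl ca`, so the index.txt and serial files from step 4 are not needed, and the directory layout, file names, subjects and 2048-bit key size are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a throw-away PKI built in one directory, following the page's
# steps 1-4 and 6, but signing with `openssl x509 -req` (no /etc/pki/CA/index.txt
# or serial file needed; -CAcreateserial writes ca.srl next to ca.crt).
# Directory, file names, subjects and key size are assumptions for this example.
set -eu

# make_pki DIR: create ca.key/ca.crt plus server.* and client.* under DIR
make_pki() {
  dir=$1
  mkdir -p "$dir"
  # CA key and self-signed CA certificate, without a passphrase (step 1 after `openssl rsa`)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -days 365 -subj "/CN=Example Test CA" 2>/dev/null
  for name in server client; do
    # leaf private key and CSR (steps 2 and 3)
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/CN=$name.example" 2>/dev/null
    # sign the CSR with the CA (step 4)
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 365 -out "$dir/$name.crt" 2>/dev/null
    # combined pem file: certificate followed by key (step 6)
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
  done
}

# chain_ok DIR NAME: prints yes if NAME.crt verifies against ca.crt, else no
chain_ok() {
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# key_matches DIR NAME: prints yes if the public key inside NAME.crt equals the
# one derived from NAME.key (the diff check from the inspection section)
key_matches() {
  a=$(openssl x509 -pubkey -noout -in "$1/$2.crt")
  b=$(openssl rsa -pubout -in "$1/$2.key" 2>/dev/null)
  [ "$a" = "$b" ] && echo yes || echo no
}

# cert_subject DIR NAME: subject of NAME.crt in RFC2253 form, "subject=" prefix removed
cert_subject() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
```

Run `make_pki ./testpki` and then `chain_ok ./testpki server` or `key_matches ./testpki client`; a `no` from either is the failure the page's `diff` check is meant to catch.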