Generating a root certificate and a server certificate with openssl

Published 2023-09-25 10:02:54  Author: 風£飛

1. Generate the server private key

openssl genrsa -out server.key 2048

2. Generate a certificate signing request (CSR) from the server private key. The CSR carries information about the applicant, so the command below prompts for that information on the command line; fill in anything you like and press Enter through the prompts.

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hunan
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:synology
Email Address []:synology@synology.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Generate the CA's private key. The command is the same as for the server private key; this one is simply the CA's key.

openssl genrsa -out ca.key 1024

4. Generate the CA's own certificate signing request

openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hunan
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:synology
Email Address []:synology@synology.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. Generate the self-signed certificate: the CA signs its own CSR with its own private key. The result is commonly called a self-signed certificate and serves here as the root certificate.

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

6. Generate the server certificate from the CA's self-signed certificate ca.crt (the root certificate), the CA's private key ca.key and the server's CSR server.csr. -days sets the validity period; if omitted, it defaults to one month.

openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -days 3650

7. Verify the certificate with openssl

openssl verify -CAfile ca.crt -purpose sslserver server.crt

8. Inspect the certificate that was created

openssl x509 -noout -text -in server.crt
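Steps 1 to 8 above carried out as one script. This is an added example, not the post's own commands: it uses the same openssl subcommands, but supplies the subject with -subj so nothing prompts, marks the root as a CA with basicConstraints, and gives the server certificate a subjectAltName (the certificates produced in steps 5 and 6 carry no extensions, and modern browsers match the hostname against subjectAltName only). The directory, hostname and subject values are constructed for the example, and the CA key is 2048-bit RSA where the post uses 1024.

```shell
#!/bin/sh
# Added example (not from the original post): the CA + server certificate
# chain from steps 1-8 as one script, with the two extensions the post's
# commands omit (basicConstraints on the root, subjectAltName on the leaf).
# Directory, hostname and subject values are constructed.
set -eu

make_chain() {
    dir="$1"        # working directory, created if missing (constructed)
    host="$2"       # server hostname that goes into the SAN (constructed)
    mkdir -p "$dir"

    # Minimal openssl config so the script does not depend on the system openssl.cnf
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Extensions for the server (leaf) certificate, applied when the CA signs it
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid
subjectKeyIdentifier = hash
EOF

    # Steps 3-5 in one go: CA key plus self-signed root certificate.
    # 2048-bit RSA instead of the post's 1024 (1024-bit RSA is below current minimums).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -config "$dir/ca.cnf" -sha256

    # Steps 1-2: server key and CSR; -subj supplies the DN so there are no prompts.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/ca.cnf" -subj "/C=CN/ST=Hunan/L=Changsha/O=company/CN=$host"

    # Step 6: the CA signs the CSR, adding the leaf extensions from server.ext.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 825 -sha256 \
        -extfile "$dir/server.ext" 2>/dev/null
}

# Step 7 with a hostname check added; returns openssl's exit status.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/server.crt"
}

# Step 8 narrowed to the two fields worth eyeballing: is the root really
# flagged as a CA, and does the leaf carry the expected SAN?
root_is_ca() {
    openssl x509 -noout -text -in "$1/ca.crt" | grep -q 'CA:TRUE'
}
leaf_has_san() {
    openssl x509 -noout -text -in "$1/server.crt" | grep -q "DNS:$2"
}

if [ "${1:-}" = "demo" ]; then
    make_chain ./demo-pki synology.example
    verify_chain ./demo-pki synology.example
fi
```

Run it as `sh chain.sh demo` to build the files under ./demo-pki and print the verify verdict. The -purpose sslserver check in verify_chain only passes because the leaf's keyUsage and extendedKeyUsage were set when it was signed; a leaf produced by the bare step 6 command has no extensions at all.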

9. Generate a server certificate in one go

openssl genrsa -out server.key 1024
openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj "/C=[Country Name]/ST=[State or Province Name]/L=[City]/O=[company]/OU=[Organizational Unit Name]/CN=domain1/CN=domain2/CN=domain3"
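The one-shot variant of step 9 as an added example, not from the original post: the hostnames go into a subjectAltName extension via -addext (OpenSSL 1.1.1 or newer) rather than into repeated CN entries, because modern browsers match hostnames against subjectAltName only, and the result is then checked against each name with openssl verify -verify_hostname. Directory, hostnames and subject values are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed server
# certificate in one go, with the hostnames in a subjectAltName extension.
# Directory, hostnames and subject values are constructed. Needs OpenSSL
# 1.1.1 or newer for -addext.
set -eu

# Builds the SAN value ("DNS:a,DNS:b,...") from the hostnames given.
san_list() {
    list=""
    for h in "$@"; do
        list="${list:+$list,}DNS:$h"
    done
    printf '%s' "$list"
}

# Key + self-signed certificate; the first hostname becomes the CN, all of them go into the SAN.
self_signed_server_cert() {
    dir="$1"; shift
    mkdir -p "$dir"
    # Minimal config so the command does not depend on the system openssl.cnf;
    # the DN here is overridden by -subj below.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -key "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/req.cnf" \
        -subj "/C=CN/ST=Hunan/L=Changsha/O=company/CN=$1" \
        -addext "subjectAltName=$(san_list "$@")" \
        -addext "extendedKeyUsage=serverAuth"
}

# A self-signed leaf is its own trust anchor, so it is passed as -CAfile;
# returns 0 only if the certificate is valid for the given hostname.
cert_matches_host() {
    openssl verify -CAfile "$1/server.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    self_signed_server_cert ./demo-selfsigned domain1.example domain2.example domain3.example
    openssl x509 -noout -text -in ./demo-selfsigned/server.crt | grep -A1 'Subject Alternative Name'
fi
```

`sh selfsigned.sh demo` writes the key and certificate under ./demo-selfsigned and prints the SAN line, which is the quickest way to confirm that every hostname the server will answer for is actually in the certificate.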

References:
      https://cloud.tencent.com/developer/article/1548350?ivk_sa=1024320u      # Creating HTTPS certificates with openssl
      https://www.cnblogs.com/littleatp/p/5878763.html      # Generating certificates with openssl