openssl生成证书

一.openssl命令

     

 

NAME

       openssl - OpenSSL command line tool

 

SYNOPSIS

       openssl command [ command_opts ] [ command_args ]

[a4729821@JYstd openssl]$ openssl --help

openssl:Error: '--help' is an invalid command.

 

Standard commands

asn1parse         ca                ciphers           cms               

crl               crl2pkcs7         dgst              dh                

dhparam           dsa               dsaparam          ec                

ecparam           enc               engine            errstr            

gendh             gendsa            genpkey           genrsa            

nseq              ocsp              passwd            pkcs12            

pkcs7             pkcs8             pkey              pkeyparam         

pkeyutl           prime             rand              req               

rsa               rsautl            s_client          s_server          

s_time            sess_id           smime             speed             

spkac             ts                verify            version           

x509              

 

version    用于查看版本信息

 

enc        用于加解密

 

ciphers    列出加密套件

 

genrsa    用于生成私钥

 

NAME

       genrsa - generate an RSA private key

 

SYNOPSIS

       openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4]

       [-3] [-rand file(s)] [-engine id] [numbits]

参数：

-out filename： 私有密钥

-passout arg：输出文件口令保护存放方式。

numbits：生成密钥的位数。必须是本指令的最后一个参数。如果没有指明，则产生512bit长的参数。

-des|-des3|-idea|-aes128|-aes192|-aes256：指定私钥口令保护算法，如果不指定，私钥将被明文存放。

 

rsa        RSA密钥管理(例如:从私钥中提取公钥)

 

req       基本功能主要有两个：生成证书请求和生成自签名证书。其他还有一些校验、查看请求文件等功能

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin

       arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify]

       [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file]

       [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename]

       [-keygen_engine id] [-[digest]] [-config filename] [-subj arg]

       [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge]

       [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section]

       [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose]

       [-engine id]       //参数太多  

 [new/x509]

当使用-new选取的时候，说明是要生成证书请求，当使用x509选项的时候，说明是要生成自签名证书。

[/key/newkey/keyout]

key和newkey是互斥的，key是指定已有的密钥文件，而newkey是指在生成证书请求或者自签名证书的时候自动生成密钥，然后生成的密钥名称有keyout参数指定。

当指定newkey选项时，后面指定rsa:bits说明产生rsa密钥，位数由bits指定。指定dsa:file说明产生dsa密钥，file是指生成dsa密钥的参数文件(由dsaparam生成)

[in/out/inform/outform/keyform]

in选项指定证书请求文件，当查看证书请求内容或者生成自签名证书的时候使用

out选项指定证书请求或者自签名证书文件名，或者公钥文件名(当使用pubkey选项时用到)，以及其他一些输出信息。

inform、outform、keyform分别指定了in、out、key选项指定的文件格式，默认是PEM格式。

                     

COMMAND OPTIONS

       -inform DER|PEM

        -outform DER|PEM

        -in filename

 

crl        证书吊销列表(CRL)管理

 

ca         CA管理(例如对证书进行签名)

 

dgst      生成信息摘要

 

NAME

       dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests

 

SYNOPSIS

       openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d]

       [-hex] [-binary] [-out filename] [-sign filename] [-keyform arg] [-passin

       arg] [-verify filename] [-prverify filename] [-signature filename] [-hmac

       key] [file...]

 

       [md5|md4|md2|sha1|sha|mdc2|ripemd160] [-c] [-d] [file...]

 

OPTIONS

       -c  print out the digest in two digit groups separated by colons, only

           relevant if hex format output is used.

 

       -d  print out BIO debugging information.

 

       -hex

           digest is to be output as a hex dump. This is the default case for a

           "normal" digest as opposed to a digital signature.

 

       -binary

           output the digest or signature in binary form.

 

       -out filename

           filename to output to, or standard output by default.     

 

 

rsautl    用于完成RSA签名、验证、加密和解密功能

 

passwd    生成散列密码

 

rand      生成伪随机数

 

speed      用于测试加解密速度     

               

s_client  通用的SSL/TLS客户端测试工具

 

X509       X.509证书管理       详细https://blog.csdn.net/as3luyuan123/article/details/16873093

 

verify      X.509证书验证

 

pkcs7       PKCS#7协议数据管理

 

二.证书  

   SSL常用于身份验证、数据加密等应用中，要使用SSL，我们密码有自己的证书。数字证书一般要向专业的认证公司(如VeriSign)申请，并且都是收费的，某些情况下，我们只是想使用加密的数据通信，而不在乎认证，这时就可以自己制作一个证书，自己制作一个证书，有两种方式，一种是Self Signed,另一种是自己制作一个CA，然后由这个CA,来发布我们需要的证书

   步骤：

第一步：生成客户端的密钥，即客户端的公私钥对，且要保证私钥只有客户端自己拥有。

 

第二步：以客户端的密钥和客户端自身的信息(国家、机构、域名、邮箱等)为输入，生成证书请求文件。其中客户端的公钥和客户端信息是明文保存在证书请求文件中的，而客户端私钥的作用是对客户端公钥及客户端信息做签名，自身是不包含在证书请求中的。然后把证书请求文件发送给CA机构。

 

第三步：CA机构接收到客户端的证书请求文件后，首先校验其签名，然后审核客户端的信息，最后CA机构使用自己的私钥为证书请求文件签名，生成证书文件，下发给客户端。此证书就是客户端的身份证，来表明用户的身份。

2.1生成selfsigned证书

[a4729821@JYstd openssl]$ openssl     //进入交互模式

OpenSSL> genrsa -des -out selfsign.key 2048    //私钥采用des对称加密，

Generating RSA private key, 2048 bit long modulus

........................................................+++

....................................................................................................................................................................................+++

e is 65537 (0x10001)

Enter pass phrase for selfsign.key:                        //输入密码，以后使用私密的时候需要，也可以不输入

Verifying - Enter pass phrase for selfsign.key:                     //重复确认密码

使用私钥，生成证书请求

（#如果你的key有密码保护，openssl首先会询问你的密码，然后询问你一系列问题，#其中Common Name(CN)是最重要的，它代表你的证书要代表的目标，如果你为网站申请的证书，就要添你的域名。）

OpenSSL> req -new -key selfsign.key -out selfsign.csr

Enter pass phrase for selfsign.key:       //输入私钥密码

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:se

State or Province Name (full name) []:selfsign

Locality Name (eg, city) [Default City]:wuhan

Organization Name (eg, company) [Default Company Ltd]:jy                                                   

Organizational Unit Name (eg, section) []:linux

Common Name (eg, your name or your server's hostname) []:huangjunyu

Email Address []:771018493@qq.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12456

An optional company name []:lingyun

生成证书

OpenSSL> x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

Signature ok

subject=/C=se/ST=selfsign/L=wuhan/O=jy/OU=linux/CN=huangjunyu/emailAddress=771018493@qq.com

Getting Private key

Enter pass phrase for selfsign.key:

查看

[a4729821@JYstd openssl]$ ls

selfsign.crt  selfsign.csr  selfsign.key

2.2用自己做的CA生成证书

[a4729821@JYstd openssl]$ openssl genrsa -des3 -out ca.key 4096   //生成CA私钥

Generating RSA private key, 4096 bit long modulus

...++

.................................................................++

e is 65537 (0x10001)

Enter pass phrase for ca.key:

Verifying - Enter pass phrase for ca.key:

 

//生成CA证书

[a4729821@JYstd openssl]$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Enter pass phrase for ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:china

string is too long, it needs to be less than  2 bytes long

Country Name (2 letter code) [XX]:china n

string is too long, it needs to be less than  2 bytes long

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:wuhan

Locality Name (eg, city) [Default City]:HUBEI

Organization Name (eg, company) [Default Company Ltd]:lingyun

Organizational Unit Name (eg, section) []:666

Common Name (eg, your name or your server's hostname) []:huangjunyu

Email Address []:771018493@qq.com

接下来和上面一样

[a4729821@JYstd openssl]$ openssl genrsa -des3 -out myserve.key 4096    //生成私钥

[a4729821@JYstd openssl]$ openssl req -new -key myserve.key -out myserve.csr     //生成证书请求

 

用CA证书和key生成我们的证书

[a4729821@JYstd openssl]$ openssl x509 -req -days 365 -in myserve.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserve.crt

三.一些基本命令

查看key信息

[a4729821@JYstd openssl]$ openssl rsa -noout -text -in myserve.key    //查看命令

Enter pass phrase for myserve.key:

Private-Key: (4096 bit)

modulus:

    00:b5:c9:77:75:dd:12:73:3b:f7:06:a6:45:3d:94:

    83:cb:35:72:c0:9a:d4:f0:26:cc:6e:30:ce:14:7a:

    04:f5:fb:be:f2:13:10:e2:b1:e4:14:3a:70:8b:30:

    84:19:71:ab:a9:bd:e6:3a:de:4c:86:35:4a:2f:b7:

    fd:40:c2:3e:e9:78:08:fb:6b:7d:bf:81:f3:cd:5d:

    03:ce:93:34:74:d7:fa:18:01:89:21:09:72:52:4f:

    f9:59:0b:6b:a1:0c:a3:f8:0f:8c:11:42:7b:21:7b:

    d4:3e:53:67:6a:bf:08:1a:ff:40:1b:19:78:43:08:

    90:c4:76:e8:2b:df:7f:10:e6:b5:7d:ae:99:cb:22:

    1a:87:58:c8:48:ac:5d:f7:36:bc:9c:9e:c7:f0:30:

    c5:a1:4e:dd:5e:c6:bc:cd:43:64:5a:82:9c:ac:ed:

    3a:cc:9c:7a:89:d4:99:73:39:bd:ce:df:29:c5:7f:

    e8:01:bb:f6:a3:e1:3f:01:ac:ff:7e:e5:37:72:6a:

      *** **** *** ** **

 

验证证书

 [a4729821@JYstd openssl]$ openssl verify selfsign.crt

selfsign.crt: C = se, ST = selfsign, L = wuhan, O = jy, OU = linux, CN = huangjunyu, emailAddress = 771018493@qq.com

error 18 at 0 depth lookup:s    

OK

 

 

[a4729821@JYstd openssl]$ openssl verify -CAfile ca.crt myserve.crt

myserve.crt: OK                           //myserve.crt是我们制作的CA证书发布的 验证OK

 

 

根据私钥生成公钥

[a4729821@JYstd openssl]$ openssl rsa -in myserve.key -pubout -out myserve_public.key

Enter pass phrase for myserve.key:

writing RSA key

 

 

参考：https://blog.csdn.net/baidu_36649389/article/details/54379935