OpenSSL provides cryptographic libraries and command-line tools. It can be used for everything from reading DER files to generating random numbers, but one of its most used features is creating a self-signed certificate.
Self Signed Certificate
X509 is the certificate standard used on the internet and in corporate networks today. X509 certificates are designed to form a tree-like trust hierarchy: for example, Google is a trusted entity and poftut.com is another entity trusted by Google, so a chain is created through this trust relationship. As the tree shows, there is always a root. Self-signed certificates are not signed by any other certificate, which means they can be used as a root certificate or standalone.
Create Self Signed Certificate
We can create a self-signed X509 certificate with the OpenSSL req command. The options used below are:
- Algorithm is RSA
- Key size is 4096 bit
- Format is PEM
- Valid for 365 days
$ openssl req -x509 -newkey rsa:4096 -keyout mycert.pem -out cert.pem -days 360
Create Self Signed Certificate without Encrypting
In the previous step we are asked for a passphrase to encrypt the private key, with the following prompt:
We can prevent encryption of the private key that belongs to the created self-signed certificate with the -nodes option, like below.
$ openssl req -x509 -nodes -newkey rsa:4096 -keyout mycert.pem -out cert.pem -days 360
Self Signed Certificate Errors and Warnings
As stated before, self-signed certificates do not enter a trust relationship with other certificates. This generally produces errors and warnings, especially in browsers. Browsers use the root certificates of Certificate Authorities to check the trust of the presented certificate. Because a self-signed certificate is not signed by any of them, the browser will show a warning message.
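The following script is an added example, not code from the original post: it creates the unencrypted key and self-signed certificate non-interactively, confirms the key really is unencrypted, and then reproduces the trust decision described above with openssl verify (rejected against the default CA store, accepted once the certificate itself is supplied as the trusted root). It assumes the openssl CLI is on PATH; the file names, the 2048-bit key size and the subject CN=example.test are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI
# is installed; working directory and file names are arbitrary.

WORKDIR="${TMPDIR:-/tmp}/selfsigned.$$"

# Create an unencrypted key (-nodes) and a self-signed cert valid 360 days.
# -subj supplies the subject so no interactive questions are asked.
make_selfsigned() {
  mkdir -p "$WORKDIR" &&
  openssl req -x509 -nodes -newkey rsa:2048 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -days 360 -subj "/CN=example.test" >/dev/null 2>&1
}

# Succeeds when the key file is a plain PRIVATE KEY block with no
# ENCRYPTED marker, i.e. -nodes took effect.
key_is_unencrypted() {
  grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$WORKDIR/key.pem" &&
  ! grep -q "ENCRYPTED" "$WORKDIR/key.pem"
}

# Succeeds when verification against the default CA store fails: this is
# the same decision a browser makes, and the reason for its warning page.
rejected_by_default_store() {
  ! openssl verify "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Succeeds when the cert verifies once it is itself the trusted root,
# which is what importing it into a trust store achieves.
accepted_when_pinned() {
  openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Confirms the certificate is self-signed: issuer equals subject.
issuer_equals_subject() {
  issuer=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -issuer | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -subject | sed 's/^subject=//')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

cleanup() { rm -rf "$WORKDIR"; }
```

Run the functions in order (make_selfsigned, then the checks, then cleanup); each returns a zero exit status when the property described in its comment holds.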
Translated from: https://www.poftut.com/create-self-signed-root-certificate-openssl/