证书文件配置:
/etc/pki/tls/openssl.cnf
创建所需文件:
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
生成私钥:
openssl genrsa -out /etc/pki/CA/private/cakey.key
生成自签名证书:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.key -days 7300 -out /etc/pki/CA/cacert.crt
-new:生成证书签署请求
-x509:专用于CA生成自签名证书
-key:请求时用到的私钥文件
-days:有效期时间
-out:证书保存路径
机构信息:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hunan
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:ZhongYi E-commerce corperation LTD.
Organizational Unit Name (eg, section) []:Data Department
Common Name (eg, your name or your server’s hostname) []😗.cmpay.com
Email Address []:
查看证书信息:
openssl x509 -in /etc/pki/CA/cacert.crt -noout -text
客户端申请证书(颁发证书):
生成私钥:
openssl genrsa -out /etc/pki/tls/private/clientkey.key
/etc/pki/CAprivate/cakey.pem
生成证书申请文件:123456\ /cmpay
openssl req -new -key /etc/pki/tls/private/clientkey.key -out /etc/pki/tls/clientkey.csr
传输申请文件:
xxx
CA签署证书,并将证书颁发给请求者:
openssl ca -in /etc/pki/tls/clientkey.csr -out /etc/pki/CA/certs/clientcertificate.crt -days 3650
(默认机构信息:国家、省、公司名称必须与CA一致)
查看证书公钥:
openssl x509 -in /etc/pki/CA/certs/clientcertificate.crt -pubkey -noout
转换JAVA私钥:
openssl pkcs8 -topk8 -inform PEM -outform DER -in clientkey.key -out clientkey_der.key -nocrypt
openssl pkcs8 -topk8 -inform PEM -in clientkey.key -outform PEM -nocrypt