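Installing OpenSSL
Download the source from the official site and compile it, or run the .exe installer and click Next through the steps; there are plenty of tutorials online.
Creating certificates with OpenSSL
First create three directories: certificate, server and client.
Open cmd and cd to the parent directory of those three directories.
1. Create the private key:
D:\IDEA\qqtxt>openssl genrsa -out certificate/ce-key.pem 2048
2. Create the certificate request: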
D:\IDEA\qqtxt>openssl req -new -out certificate/ce-req.csr -key certificate/ce-key.pem
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:chongqing
Locality Name (eg, city) []:chongqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tianshenyi
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:root
Email Address []:abc
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tianshenyi
3. Self-sign the certificate:
D:\IDEA\qqtxt>openssl x509 -req -in certificate/ce-req.csr -out certificate/ce-cert.pem -signkey certificate/ce-key.pem -days 3650
Signature ok
subject=C = cn, ST = chongqing, L = chongqing, O = tianshenyi, OU = test, CN = root, emailAddress = abc
Getting Private key
4. Export the certificate to the .p12 format that browsers support:
D:\IDEA\qqtxt>openssl pkcs12 -export -clcerts -in certificate/ce-cert.pem -inkey certificate/ce-key.pem -out certificate/certificate.p12
Enter Export Password:
Verifying - Enter Export Password:
Choose your own password; I set it to 123 here.
II. Generate the server certificate.
1. Create the private key:
D:\IDEA\qqtxt>openssl genrsa -out server/server-key.pem 2048
2. Create the certificate request:
D:\IDEA\qqtxt>openssl req -new -out server/server-req.csr -key server/server-key.pem
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:chongqing
Locality Name (eg, city) []:chongqing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tianshenyi
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:<your own IP address>
Email Address []:abc
3. Sign the certificate with the root certificate and key created above:
D:\IDEA\qqtxt>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA certificate/ce-cert.pem -CAkey certificate/ce-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format that browsers support:
D:\IDEA\qqtxt>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
III. Generate the client certificate.
1. Create the private key:
D:\IDEA\qqtxt>openssl genrsa -out client/client-key.pem 2048
2. Create the certificate request:
D:\IDEA\qqtxt>openssl req -new -out client/client-req.csr -key client/client-key.pem
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
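Email Address []:sky
Note: this is the user that logs in to the center (the user name should really be the Common Name, but for some reason the Zhongshan Public Security deployment uses the Email Address; other versions have not been tested).
Please enter the following 'extra' attributes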
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing
3. Sign the certificate with the root certificate and key created above:
D:\IDEA\qqtxt>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -CA certificate/ce-cert.pem -CAkey certificate/ce-key.pem -CAcreateserial -days 3650
4. Export the certificate to the .p12 format that browsers support:
D:\IDEA\qqtxt>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
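The server request above puts the IP address in the Common Name, but OpenSSL's IP check (-verify_ip) reads only the subjectAltName extension. The script below is an added example, not part of the original steps: it repeats the root/server/client flow non-interactively from a POSIX shell (for example Git Bash on Windows) with an extension file, then verifies chain, purpose and IP. The file ext.cnf, the function names, server-cn-only.pem, the subject values and the address 192.0.2.10 are assumptions made for the example, and it assumes OpenSSL 1.1.0 or later, where verify returns a non-zero status on failure.

```shell
#!/bin/sh
# Added example, not from the original page. Subject values and 192.0.2.10
# (a documentation-only address) are constructed samples.

mk_req() {      # mk_req <key file> <csr file> <subject>
    openssl genrsa -out "$1" 2048 2>/dev/null &&
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

ca_sign() {     # ca_sign <csr file> <cert file> <section in ext.cnf>
    openssl x509 -req -in "$1" -out "$2" -days 3650 \
        -CA certificate/ce-cert.pem -CAkey certificate/ce-key.pem \
        -CAcreateserial -extfile ext.cnf -extensions "$3"
}

# Build root, server and client certificates in directory $1 for server IP $2.
build_pki() (
    mkdir -p "$1/certificate" "$1/server" "$1/client" && cd "$1" || exit 1
    cat > ext.cnf <<EOF
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
subjectAltName = IP:$2
extendedKeyUsage = serverAuth
[client]
extendedKeyUsage = clientAuth
[cn_only]
basicConstraints = CA:FALSE
EOF
    mk_req certificate/ce-key.pem certificate/ce-req.csr "/C=cn/O=tianshenyi/CN=root" &&
    openssl x509 -req -in certificate/ce-req.csr -out certificate/ce-cert.pem \
        -signkey certificate/ce-key.pem -days 3650 -extfile ext.cnf -extensions ca &&
    mk_req server/server-key.pem server/server-req.csr "/C=cn/O=tianshenyi/CN=$2" &&
    ca_sign server/server-req.csr server/server-cert.pem server &&
    # Same request signed without subjectAltName: the IP appears only in the CN.
    ca_sign server/server-req.csr server/server-cn-only.pem cn_only &&
    mk_req client/client-key.pem client/client-req.csr "/C=cn/O=tianshenyi/CN=sky" &&
    ca_sign client/client-req.csr client/client-cert.pem client
)

# Succeeds only if <cert> chains to the root, allows <purpose> (sslserver or
# sslclient) and, when <ip> is given, lists that IP in subjectAltName.
check_cert() (  # check_cert <pki dir> <cert> <purpose> [ip]
    cd "$1" && openssl verify -CAfile certificate/ce-cert.pem -purpose "$3" \
        ${4:+-verify_ip "$4"} "$2" >/dev/null 2>&1
)
```

For example, build_pki demo 192.0.2.10 followed by check_cert demo server/server-cert.pem sslserver 192.0.2.10 succeeds, while the same check on server/server-cn-only.pem fails because the IP is only in the Common Name.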