使用OpenSSL生成自签名证书和格式转换

OpenSSL安装：https://blog.csdn.net/qq_44734154/article/details/125995475

一、生成证书私钥

genrsa 介绍：https://www.openssl.org/docs/man1.1.1/man1/genrsa.html

1.生成私钥key

openssl genrsa -aes128 -passout pass:Test@2022 -out test_private.key 2048

2.私钥key转成pem格式

openssl rsa -in test_private.key -outform PEM -out test_private.pem -passin pass:Test@2022

3.获取私钥的pkcs8编码pem文件

saml程序中privatekey配置此文件中的base64字符串
私钥在使用前为pkcs1格式，而java在不引用第三方包的情况下无法直接使用pkcs1格式的秘钥，需要将其转化为pkcs8编码
pkcs8介绍：https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html

openssl pkcs8 -topk8 -inform PEM -in test_private.pem -outform PEM -out test_private_pkcs8.pem -nocrypt

二、生成证书请求

req介绍: https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html

openssl req -new -key test_private.key -passin pass:Test@2022 -out test_req.csr -days 7300

执行过程：

# -key test_private.key 指定私钥
# -passin pass:Test@2022 指定私钥密码
# -days 7300 指定证书有效期
[root@node0 test-cert]# openssl req -new -key test_private.key -passin pass:Test@2022 -out test_req.csr -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 输入国家名称
Country Name (2 letter code) [XX]:CN
# 输入省份
State or Province Name (full name) []:ShangHai
# 输入城市
Locality Name (eg, city) [Default City]:ShangHai
# 输入机构名称
Organization Name (eg, company) [Default Company Ltd]:    
Organizational Unit Name (eg, section) []:
# 输入域名
Common Name (eg, your name or your server's hostname) []:
# 输入邮箱
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
# 输入验证密码
A challenge password []:Test@2022
# 输入可选的公司名称
An optional company name []:

三、生成crt格式的自签名根证书(CA根证书)

1.生成crt格式的自签名根证书

crt证书在window环境下安装之后，可以导出对外的自签名der公钥证书文件

openssl req -x509 -key test_private.key -in test_req.csr -out test_root.crt -days 7300 -passin pass:Test@2022

2.获取证书指纹

openssl x509 -fingerprint -sha256 -in test_root.crt

四、生成pem格式的自签名根证书

saml程序中使用的x509证书，x509cert配置此文件中的base64字符串

openssl req -x509 -key test_private.key -in test_req.csr -out test_root.pem -days 7300 -passin pass:Test@2022

五、导出根证书pfx格式的私钥文件

对外提供自签名的私钥文件
pkcs12 介绍：https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html

openssl pkcs12 -export -inkey test_private.key -in test_root.crt -out test_root_private.pfx -passin pass:Test@2022

操作交互：

[root@node0 test-cert]# openssl pkcs12 -export -inkey test_private.key -in test_root.crt -out test_root_private.pfx -passin pass:Test@2022
# 输入导出的私钥密码Test@2022private
Enter Export Password:
# 再次输入Test@2022private，两次输入保持一致
Verifying - Enter Export Password:

OpenSSL生成CA自签名根证书和颁发证书:https://blog.csdn.net/qq_44734154/article/details/126167945