OpenSSL安装:https://blog.csdn.net/qq_44734154/article/details/125995475
一、生成证书私钥
genrsa 介绍:https://www.openssl.org/docs/man1.1.1/man1/genrsa.html
1.生成私钥key
openssl genrsa -aes128 -passout pass:Test@2022 -out test_private.key 2048
2.私钥key转成pem格式
openssl rsa -in test_private.key -outform PEM -out test_private.pem -passin pass:Test@2022
3.获取私钥的pkcs8编码pem文件
saml程序中privatekey配置此文件中的base64字符串
私钥在使用前为pkcs1格式,而java在不引用第三方包的情况下无法直接使用pkcs1格式的秘钥,需要将其转化为pkcs8编码
pkcs8介绍:https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html
openssl pkcs8 -topk8 -inform PEM -in test_private.pem -outform PEM -out test_private_pkcs8.pem -nocrypt
二、生成证书请求
req介绍: https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html
openssl req -new -key test_private.key -passin pass:Test@2022 -out test_req.csr -days 7300
执行过程:
# -key test_private.key 指定私钥
# -passin pass:Test@2022 指定私钥密码
# -days 7300 指定证书有效期
[root@node0 test-cert]# openssl req -new -key test_private.key -passin pass:Test@2022 -out test_req.csr -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 输入国家名称
Country Name (2 letter code) [XX]:CN
# 输入省份
State or Province Name (full name) []:ShangHai
# 输入城市
Locality Name (eg, city) [Default City]:ShangHai
# 输入机构名称
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
# 输入域名
Common Name (eg, your name or your server's hostname) []:
# 输入邮箱
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
# 输入验证密码
A challenge password []:Test@2022
# 输入可选的公司名称
An optional company name []:
三、生成crt格式的自签名根证书(CA根证书)
1.生成crt格式的自签名根证书
crt证书在window环境下安装之后,可以导出对外的自签名der公钥证书文件
openssl req -x509 -key test_private.key -in test_req.csr -out test_root.crt -days 7300 -passin pass:Test@2022
2.获取证书指纹
openssl x509 -fingerprint -sha256 -in test_root.crt
四、生成pem格式的自签名根证书
saml程序中使用的x509证书,x509cert配置此文件中的base64字符串
openssl req -x509 -key test_private.key -in test_req.csr -out test_root.pem -days 7300 -passin pass:Test@2022
五、导出根证书pfx格式的私钥文件
对外提供自签名的私钥文件
pkcs12 介绍:https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html
openssl pkcs12 -export -inkey test_private.key -in test_root.crt -out test_root_private.pfx -passin pass:Test@2022
操作交互:
[root@node0 test-cert]# openssl pkcs12 -export -inkey test_private.key -in test_root.crt -out test_root_private.pfx -passin pass:Test@2022
# 输入导出的私钥密码Test@2022private
Enter Export Password:
# 再次输入Test@2022private,两次输入保持一致
Verifying - Enter Export Password:
OpenSSL生成CA自签名根证书和颁发证书:https://blog.csdn.net/qq_44734154/article/details/126167945