Learning openssl certificate commands

20180729 Learning openssl certificate commands

1. Reference

https://blog.csdn.net/madding/article/details/26717963

2. Create a directory on my computer, open a terminal, and change into that directory

cd /Users/dhbm/Desktop/ssl/sign20180729

3. Generate a self-signed certificate

1) Generate a key (my private key)
openssl genrsa -des3 -out selfsign.key 4096

Result (pass phrase entered during the process: 123456)
Generating RSA private key, 4096 bit long modulus
...........++
...........................++
e is 65537 (0x10001)
Enter pass phrase for selfsign.key:
Verifying - Enter pass phrase for selfsign.key:

*** A file should now have been generated: selfsign.key
ls
selfsign.key

2) Use my private key (the key generated above) to generate a certificate signing request (CSR)
openssl req -new -key selfsign.key -out selfsign.csr
Result (the first attempt fails with "bad decrypt" because the pass phrase entered did not match the one set in step 1; the command was run again):
Enter pass phrase for selfsign.key:
unable to load Private Key
140735584793480:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:
140735584793480:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

Enter pass phrase for selfsign.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh
Email Address []:13501062476@139.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dhbm.cn

*** Another file should now have been generated: selfsign.csr
ls
selfsign.csr selfsign.key

3) Use the certificate request file above (selfsign.csr) to generate the self-signed certificate
openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
Result
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh/emailAddress=13501062476@139.com
Getting Private key
Enter pass phrase for selfsign.key:
*** Another file should now have been generated: selfsign.crt
ls
selfsign.crt	selfsign.csr	selfsign.key

4. Generate my own CA (Certificate Authority)

1) Generate the CA's key. This step is the same as for the certificate above: it is also a private key, and the file is named ca.key
openssl genrsa -des3 -out ca.key 4096

Result:
Generating RSA private key, 4096 bit long modulus
..................................................................................................++
.....................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
*** Another file should now have been generated: ca.key
ls
ca.key		selfsign.crt	selfsign.csr	selfsign.key

2) Generate the CA's certificate request and certificate (the two steps merged into one)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Result
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh
Email Address []:13501062476@139.com
*** One more file, ca.crt, should now have been generated (no ca.csr? Correct: with -x509, openssl req writes a self-signed certificate directly instead of a request, so no CSR file is produced)
ls
ca.crt		ca.key		selfsign.crt	selfsign.csr	selfsign.key

5. Generate a server certificate, issued by the self-built CA above

1) The first 2 steps are the same as above: generate a private key (key), then generate a certificate request (csr)
### Generate the private key
openssl genrsa -des3 -out myserver.key 4096
Result:
Generating RSA private key, 4096 bit long modulus
...................................................................++
...............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for myserver.key:
Verifying - Enter pass phrase for myserver.key:
### Generate the certificate request
openssl req -new -key myserver.key -out myserver.csr
Result:
Enter pass phrase for myserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh server
Email Address []:13501062476@139.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dhbm.cn

2) This time differs from the above: the CA is brought in as the intermediary, meaning this certificate is recognized and issued by the CA (signed with ca.key rather than with the server's own key)

openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
Result:
Signature ok
subject=/C=cn/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh server/emailAddress=13501062476@139.com
Getting CA Private Key
Enter pass phrase for ca.key:
*** At this point, 3 more files have been generated: myserver.key, myserver.csr, myserver.crt
ls
ca.crt		myserver.crt	myserver.key	selfsign.csr
ca.key		myserver.csr	selfsign.crt	selfsign.key

6. Inspect my certificate material (myserver)

1) View my private key
   openssl rsa -noout -text -in myserver.key
   Result
   Enter pass phrase for myserver.key:
   Private-Key: (4096 bit)
   modulus:
	   00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
	   0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29
	   ...

2) View my certificate request
   openssl req -noout -text -in myserver.csr
   Certificate Request:
	   Data:
		   Version: 0 (0x0)
		   Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com
		   Subject Public Key Info:
			   Public Key Algorithm: rsaEncryption
				   Public-Key: (4096 bit)
				   Modulus:
					   00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
					   0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:
					   ...
			   Attributes:
						   challengePassword        :123456
						   unstructuredName         :dhbm.cn
				   Signature Algorithm: sha256WithRSAEncryption
						00:6f:04:6c:30:93:88:34:ee:43:f2:ce:2b:d0:3e:11:20:46:
						...
3) View my certificate
   openssl x509 -noout -text -in myserver.crt
	Data:
		   Version: 1 (0x0)
		   Serial Number: 1 (0x1)
	   Signature Algorithm: sha256WithRSAEncryption
		   Issuer: C=CN, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh/emailAddress=13501062476@139.com
		   Validity
			   Not Before: Jul 29 09:02:55 2018 GMT
			   Not After : Jul 29 09:02:55 2019 GMT
		   Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com
		   Subject Public Key Info:
			   Public Key Algorithm: rsaEncryption
				   Public-Key: (4096 bit)
				   Modulus:
					   00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
					   0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:
					   ...

4) Verify my certificate against the CA
   openssl verify -CAfile ca.crt myserver.crt
   myserver.crt: OK
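The CA-issued server certificate flow from steps 4 and 5, followed by the checks from step 6, as an added example that is not part of the original post. It assumes the openssl CLI is installed, uses 2048-bit unencrypted keys so that it runs without pass phrase prompts (the post used 4096-bit -des3 keys), and adds an extension file so the issued certificate is v3 with a subjectAltName; the DNS name server.example.test is a constructed placeholder.

```shell
# Added example: non-interactive version of the post's CA -> server flow.
# Assumes the openssl CLI; -subj replaces the interactive DN prompts.
set -eu

# Build ca.crt and a CA-issued myserver.crt inside $1; return 0 only if
# `openssl verify` accepts the server certificate against ca.crt.
build_and_verify() (
    mkdir -p "$1" && cd "$1"

    # Step 4: CA key and self-signed CA certificate in one command (-x509).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/CN=wzh" 2>/dev/null

    # Step 5: server key and CSR.
    openssl genrsa -out myserver.key 2048 2>/dev/null
    openssl req -new -key myserver.key -out myserver.csr \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/CN=wzh server" 2>/dev/null

    # Without -extfile, `openssl x509 -req` emits a Version 1 certificate with
    # no subjectAltName (as in the post's output); modern clients reject those,
    # so add v3 extensions. The DNS name is a constructed placeholder.
    cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server.example.test
EOF
    openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -extfile server.ext -out myserver.crt 2>/dev/null

    # Step 6.4: exit status 0 means "myserver.crt: OK".
    openssl verify -CAfile ca.crt myserver.crt >/dev/null
)

# Return 0 if the issued certificate is v3 and carries the SAN (step 6.3 view).
has_san() {
    t=$(openssl x509 -noout -text -in "$1/myserver.crt")
    echo "$t" | grep -q "Version: 3" && echo "$t" | grep -q "DNS:server.example.test"
}

# Return 0 if a self-signed certificate (step 3) is NOT trusted via ca.crt:
# verify proves who signed a certificate, not merely that it is well-formed.
selfsigned_rejected() {
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout "$1/selfsign.key" \
        -out "$1/selfsign.crt" -subj "/C=CN/O=dhbm.cn/CN=wzh" 2>/dev/null
    ! openssl verify -CAfile "$1/ca.crt" "$1/selfsign.crt" >/dev/null 2>&1
}
```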

7. At this point 3 steps are complete: the self-signed certificate, the CA certificate, and the myserver certificate issued by the CA

Open question: which of these is used on the server side, and which on the client side?