创建自己的PKI公/私密钥对和公钥证书

1. 创建certificate request configuration file

cert_req.conf
************************************************

[ req ]
default_bits = 2048
default_keyfile = keystonekey.pem
default_md = default

prompt = no
distinguished_name = Distiguished_name

[ Distiguished_name ] 
countryName = CN 
stateOrProvinceName = BJ 
localityName = Beijing 
organizationName = example 
organizationalUnitName = example 
commonName = Keystone Signing 
emailAddress = example@example.com

 

************************************************

2. 生成私钥和CSR（Certificate Signing Request），注意私钥不能加密（-nodes选项），最终私钥为signing_key.pem, CSR为signing_cert_req.pem

$ openssl \
req -newkey rsa:2048 -nodes\
-keyout signing_key.pem -keyform PEM \
-out signing_cert_req.pem -outform PEM \
-config cert_req.conf \

 

3. 将生成的CSR发给CA，请求我们的证书
我们采用CAcert来生成证书，仅用于实验环境，最终保存为：signing_cert.pem

4. 获取CA的证书，用于构建证书信任链
这里我们直接采用CAcert公司的证书，保存为：ca_cert.pem

转载于:https://www.cnblogs.com/Security-Darren/p/4077484.html