Mac SSL certificate path: generating a self-signed SSL certificate and a CA certificate on Mac

Creating a self-signed certificate

1. Run openssl

Last login: Tue Sep 29 19:35:49 on ttys001

➜ ~ openssl

OpenSSL>

2. Run genrsa -des3 -out server.key 2048 to generate the server.key private key file

OpenSSL> genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

...................................................................................+++

..........+++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

3. Run req -new -key server.key -out server.csr to create a certificate request, producing server.csr

OpenSSL> req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) []:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) []:beijing

Organization Name (eg, company) []:huidev

Organizational Unit Name (eg, section) []:ihuidev

Common Name (eg, fully qualified host name) []:devhui.org

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

[Optional] 4. Remove the passphrase: rsa -in server.key -out server_no_password.key writes a new key without one

OpenSSL> rsa -in server.key -out server_no_password.key

Enter pass phrase for server.key:

writing RSA key

5. Generate the crt certificate: x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt

OpenSSL> x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt

Signature ok

subject=/C=cn/ST=beijing/L=beijing/O=huidev/OU=ihuidev/CN=devhui.org

Getting Private key

OpenSSL>

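Certificates:

If step 4 (passphrase removal) was performed, the usable certificate files are: server_no_password.key and server.crt

If step 4 was not performed, the usable certificate files are: server.key and server.crt (in that case pass server.key to -signkey in step 5)

Creating a CA certificate

1. Run genrsa -out ca.key 2048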

➜ ~ openssl

OpenSSL> genrsa -out ca.key 2048

Generating RSA private key, 2048 bit long modulus

................................................................................................................+++

.......................................+++

e is 65537 (0x10001)

2. Run req -new -x509 -days 3650 -key ca.key -out ca.pem

OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) []:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) []:beijing

Organization Name (eg, company) []:ihuidev

Organizational Unit Name (eg, section) []:ihuidev

Common Name (eg, fully qualified host name) []:localhost

Email Address []:

OpenSSL>

3. Regenerate the server certificate

1) genrsa -out server.key 2048

OpenSSL> genrsa -out server.key 2048

Generating RSA private key, 2048 bit long modulus

.........................................................+++

..............................+++

e is 65537 (0x10001)

2) req -new -key server.key -out server.csr

OpenSSL> req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) []:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) []:beijing

Organization Name (eg, company) []:ihuidev

Organizational Unit Name (eg, section) []:ihuidev

Common Name (eg, fully qualified host name) []:localhost

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem

The domain name must be entered identically both times; I used localhost for all of them here.

OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem

Signature ok

subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost

Getting CA Private Key

OpenSSL>

4. Regenerate the client certificate in the same way

1) ecparam -genkey -name secp384r1 -out client.key

OpenSSL> ecparam -genkey -name secp384r1 -out client.key

2) req -new -key client.key -out client.csr

OpenSSL> req -new -key client.key -out client.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) []:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) []:beijing

Organization Name (eg, company) []:ihuidev

Organizational Unit Name (eg, section) []:ihuidev

Common Name (eg, fully qualified host name) []:localhost

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

Signature ok

subject=/C=cn/ST=beijing/L=beijing/O=ihuidev/OU=ihuidev/CN=localhost

Getting CA Private Key

OpenSSL>

Client: client.key ca.pem client.pem

Server: server.key ca.pem server.pem
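
The CA, server and client steps above, run non-interactively and then checked (an added example, not part of the original post). It goes beyond the article by putting a subjectAltName on the server certificate, which current TLS clients match hostnames against instead of the Common Name, and by restricting each leaf to serverAuth or clientAuth. Assumptions: the file names pki.cnf, server.ext and client.ext, the names "Example Dev CA" and "client1", and the 365-day leaf lifetime.

```shell
# Added example: the CA / server / client steps run non-interactively.
# Assumed names: pki.cnf, server.ext, client.ext, "Example Dev CA", "client1".
# issue_pki DIR: write ca.*, server.* and client.* into DIR (runs in a subshell)
issue_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  umask 077                                  # keys readable by the owner only
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused-when-subj-is-given
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' > server.ext
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  {
    # CA: self-signed, marked CA:TRUE, with its own Common Name
    openssl genrsa -out ca.key 2048 &&
    openssl req -new -x509 -sha256 -days 3650 -config pki.cnf -key ca.key \
      -subj "/C=cn/O=ihuidev/CN=Example Dev CA" -out ca.pem &&
    # Server: RSA key, CSR, then signed by the CA with SAN + serverAuth
    openssl genrsa -out server.key 2048 &&
    openssl req -new -config pki.cnf -key server.key \
      -subj "/C=cn/O=ihuidev/CN=localhost" -out server.csr &&
    openssl x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -in server.csr -extfile server.ext -out server.pem &&
    # Client: EC key on secp384r1 as in the article, clientAuth only
    openssl ecparam -genkey -name secp384r1 -noout -out client.key &&
    openssl req -new -config pki.cnf -key client.key \
      -subj "/C=cn/O=ihuidev/CN=client1" -out client.csr &&
    openssl x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -in client.csr -extfile client.ext -out client.pem
  } >/dev/null 2>&1
)

# chain_ok DIR CERT PURPOSE: CERT chains to DIR/ca.pem and is usable for PURPOSE
chain_ok() {
  openssl verify -purpose "$3" -CAfile "$1/ca.pem" "$1/$2" 2>/dev/null | grep -q ': OK$'
}

# host_ok DIR NAME: server.pem is valid for host NAME
host_ok() {
  openssl x509 -in "$1/server.pem" -noout -checkhost "$2" | grep -q 'does match'
}
```

Run issue_pki ./pki, then chain_ok ./pki server.pem sslserver and host_ok ./pki localhost; each function reports its result through its exit status.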
