Creating a Self-Signed Certificate with OpenSSL
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 09:26
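After HTTPS is enabled in Apache or nginx, the server needs a certificate before it can work. With the OpenSSL tool we can create a self-signed certificate quickly and easily.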
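1 Installing OpenSSL
With a yum repository configured, the openssl package can be installed quickly with yum.
First check whether openssl is already installed on the system, then look at the package information: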
    [root@Centos7 R4 ~]#rpm -ql openssl
    package openssl is not installed
    [root@Centos7 R4 ~]#yum info openssl
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Available Packages
    Name        : openssl
    Arch        : x86_64
    Epoch       : 1
    Version     : 1.0.1e
    Release     : 60.el7
    Size        : 713 k
    Repo        : CDRom
    Summary     : Utilities from the general purpose cryptography library with TLS implementation
    URL         : http://www.openssl.org/
    License     : OpenSSL
    Description : The OpenSSL toolkit provides support for secure communications between
                : machines. OpenSSL includes a certificate management tool and shared
                : libraries which provide various cryptographic algorithms and
                : protocols.
Start the installation:
    [root@Centos7 R4 ~]#yum install openssl
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package openssl.x86_64 1:1.0.1e-60.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    =======================================================================================
     Package          Arch          Version                  Repository          Size
    =======================================================================================
    Installing:
     openssl          x86_64        1:1.0.1e-60.el7          CDRom               713 k

    Transaction Summary
    =======================================================================================
    Install  1 Package

    Total download size: 713 k
    Installed size: 1.5 M
    Is this ok [y/d/N]: y
    Downloading packages:
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : 1:openssl-1.0.1e-60.el7.x86_64     1/1
      Verifying  : 1:openssl-1.0.1e-60.el7.x86_64     1/1

    Installed:
      openssl.x86_64 1:1.0.1e-60.el7

    Complete!
Once OpenSSL is installed, the package provides the following files and directories under /etc/pki:
    [root@Centos7 R4 ~]#rpm -ql openssl |grep '/etc/pki'
    /etc/pki/CA
    /etc/pki/CA/certs
    /etc/pki/CA/crl
    /etc/pki/CA/newcerts
    /etc/pki/CA/private
    /etc/pki/tls/certs/Makefile
    /etc/pki/tls/certs/make-dummy-cert
    /etc/pki/tls/certs/renew-dummy-cert
    /etc/pki/tls/misc/CA
    /etc/pki/tls/misc/c_hash
    /etc/pki/tls/misc/c_info
    /etc/pki/tls/misc/c_issuer
    /etc/pki/tls/misc/c_name
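2 Creating the Self-Signed Certificate
Using the /etc/pki/tls/certs/Makefile installed above, we can generate a self-signed certificate with the make command. Note that make must be run from the directory that contains the Makefile, /etc/pki/tls/certs/.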
    [root@Centos7 R4 certs]#ls
    ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
Now create the self-signed certificate with make:
    [root@Centos7 R4 certs]#make ../private/httpd.crt
    umask 77 ; \
    /usr/bin/openssl genrsa -aes128 2048 > ../private/httpd.key
    Generating RSA private key, 2048 bit long modulus
    ............................................................+++
    .......................+++
    e is 65537 (0x10001)
    Enter pass phrase:
    Verifying - Enter pass phrase:
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key ../private/httpd.key -x509 -days 365 -out ../private/httpd.crt -set_serial 0
    Enter pass phrase for ../private/httpd.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HuBei
    Locality Name (eg, city) [Default City]:Wuhan
    Organization Name (eg, company) [Default Company Ltd]:WUT
    Organizational Unit Name (eg, section) []:IT Dept
    Common Name (eg, your name or your server's hostname) []:test.com
    Email Address []:abc@whut.edu.cn
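make ../private/httpd.crt creates the certificate in the ../private/ directory and names it httpd.crt. The fields prompted for while the command runs have the following meanings:
Country Name (2 letter code): the two-letter country code in International Organization for Standardization (ISO) format
State or Province Name (full name): province
Locality Name (eg, city): city
Organization Name (eg, company): organization
Organizational Unit Name (eg, section): department
Common Name (eg, your websites domain name): the address of the website that will use SSL encryption
Email Address: e-mail address, may be left blank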
The certificate has been created.
    [root@Centos7 R4 certs]#ls /etc/pki/tls/private/
    httpd.crt  httpd.key
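3 Removing the Passphrase from the Private Key
Creating the certificate this way requires us to set a passphrase, and from then on the passphrase must be entered every time the private key is read. We can confirm this by viewing the generated private key file with cat: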
    [root@Centos7 R4 certs]#cat /etc/pki/tls/private/httpd.key
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,E4F0636EF2E6E3FB37A2485B72646490

    yPP9T3CcZA9M3wE3JPWywfBuvOZdXl1k7Jt+UuznxyrpYuQTv+DvMDoLmof+RutR
    bGNvNgSzf+OnXjf+JNSlPXv7c3MU63cRiaagX5s+SZMwWmgtIg3kTkEGowrpfdKw
    1nEhrASSD1Y4+WpLE+do/U0TsjZKkPb+9bId65r8cMiVIDPqWQZzZfJkl3uNEJWk
    aVhd3IwkT/tKSJxo0oAhd5BCJrh7Bgwrc9QK5J70JEArpnpWjF4zv4ZFgADu5LjC
    …… ……
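The ENCRYPTED marker in the header shows that the key is encrypted. Since this is a self-signed certificate for our own use, we can remove the passphrase. Removing it is simple: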
    [root@Centos7 R4 certs]#mv ../private/httpd.key ../private/httpd.key.bak
    [root@Centos7 R4 certs]#openssl rsa -in ../private/httpd.key.bak -out ../private/httpd.key
    Enter pass phrase for ../private/httpd.key.bak:
    writing RSA key
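Removing the passphrase requires entering the passphrase we set when the self-signed certificate was first created. Now look at the private key header again: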
    [root@Centos7 R4 certs]#cat ../private/httpd.key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEAsTzazQWnabUdgf89YRmGa2MapDYMRxaGuducOhjpJvp8Xpg5
    hq4VBw2gE5pxIIDBY+2DNXvT31RVxoHAxXnKMz4vCR8BHnkNnqHVfAm5dF+uyB+4
    7y1mpSpRfgzOiZyoRMZQ+GIa5ktoDBzW1Jy1lMztSgo1GpLrrEmK/4CDQzYP96Wm
    fdVVKysSf6VL6Xz28bYtQe8HSeLgi9GEJxqO4RTjg9dbQAFkewJCNYfAXTsScG78
    …… ……
The encryption header is now gone from the private key file, and the passphrase has been removed.
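The steps of sections 2 and 3, run non-interactively in a scratch directory and then checked. This is an added example, not part of the original post; the DEMO_PASS passphrase, the function names and the scratch directory are constructed for the demonstration. Once the passphrase is removed the key is protected only by file permissions, so the last check confirms that it is readable by its owner alone.

```shell
#!/usr/bin/env bash
# Added example. DEMO_PASS, the -subj value and the scratch directory are constructed.

make_selfsigned() {            # $1 = output directory
    ( umask 077                # as in the Makefile: new files are owner-only (0600)
      export DEMO_PASS='constructed-demo-passphrase'
      # Section 2: AES-128-encrypted 2048-bit key, then a 365-day self-signed cert
      openssl genrsa -aes128 -passout env:DEMO_PASS -out "$1/httpd.key.bak" 2048 2>/dev/null &&
      openssl req -utf8 -new -x509 -days 365 -set_serial 0 \
          -key "$1/httpd.key.bak" -passin env:DEMO_PASS \
          -subj '/C=CN/ST=HuBei/L=Wuhan/O=WUT/OU=IT Dept/CN=test.com' \
          -out "$1/httpd.crt" &&
      # Section 3: write an unencrypted copy of the key
      openssl rsa -in "$1/httpd.key.bak" -passin env:DEMO_PASS \
          -out "$1/httpd.key" 2>/dev/null )
}

key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }   # marker in the PEM header

key_matches_cert() {           # $1 = unencrypted key, $2 = certificate
    local k c
    k=$(openssl rsa  -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

is_self_signed() {             # subject and issuer are identical
    local s i
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

owner_only() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

check() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; return 1; fi; }

d=$(mktemp -d) && make_selfsigned "$d" && {
    check key_is_encrypted "$d/httpd.key.bak"
    check key_matches_cert "$d/httpd.key" "$d/httpd.crt"
    check is_self_signed   "$d/httpd.crt"
    check owner_only       "$d/httpd.key"
    if key_is_encrypted "$d/httpd.key"; then echo "FAIL: key still encrypted"; fi
}
rm -rf "$d"
```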