【openssl学习笔记】SSL Server Cert制作

openssl.cfg配置：

Key Usage

Key usage is a multi valued extension consisting of a list of names of the permitted key usages.
The supporte names are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.

Examples:

 keyUsage=digitalSignature, nonRepudiation

 keyUsage=critical, keyCertSign

---

Extended Key Usage

This extensions consists of a list of usages indicating purposes for which the certificate public key can be used for,
These can either be object short names of the dotted numerical form of OIDs. While any OID can be used only certain values make sense. In particular the following PKIX, NS and MS values are meaningful:

 Value                  Meaning -----                  ------- serverAuth             SSL/TLS Web Server Authentication. clientAuth             SSL/TLS Web Client Authentication. codeSigning            Code signing. emailProtection        E-mail Protection (S/MIME). timeStamping           Trusted Timestamping msCodeInd              Microsoft Individual Code Signing (authenticode) msCodeCom              Microsoft Commercial Code Signing (authenticode) msCTLSign              Microsoft Trust List Signing msSGC                  Microsoft Server Gated Crypto msEFS                  Microsoft Encrypted File System nsSGC                  Netscape Server Gated Crypto

Examples:

 extendedKeyUsage=critical,codeSigning,1.2.3.4 extendedKeyUsage=nsSGC,msSGC

证书制作步骤：

1、生成自签名CA证书

openssl req -new -x509 -keyout ca.pem -out ca.crt -config openssl.cfg

2、生成ssl server key

openssl genrsa -aes256 -out server.pem -rand openssl.cfg 2048

3、生成ssl server cert csr

openssl req -new -key server.pem -config openssl.cfg -out server.csr

4、生成ssl server cert

openssl ca -in server.csr -out server.crt -config openssl.cfg

5、转换带pass的private key为不带pass的private key

openssl rsa -in server.pem -out server-no.pem