openssl证书生成
来源:互联网 发布:unity3d射击游戏源码 编辑:程序博客网 时间:2024/06/05 15:36
下载安装openssl
./config
make
make test
make install
下载地址:http://www.openssl.org/source/
进入程序执行路径下面(/data/gfj/openssl-1.0.1s/demos/ssl),将/data/gfj/openssl-1.0.1s/apps/openssl.cnf 拷贝到/data/gfj/openssl-1.0.1s/demos/ssl目录下
1.生成server.key(生成服务器端的私钥key文件)
cd /data/gfj/openssl-1.0.1s/demos/ssl
执行命令:openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
...........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key: (密码123456)
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
生成公钥方式:openssl rsa -in server.key -pubout -out server_public.key
或者openssl genrsa -out prvtkey.pem 1024/2038(无密码保护)
注:本例采用加密key
2.生成server.csr(一个证书请求文件,你可以拿着这个文件去数字证书颁发机构(即CA)申请一个数字证书)
执行命令:openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key: (server.key加密密码123456)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:hubei
Locality Name (eg, city) []:huanggang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:no
Organizational Unit Name (eg, section) []:no
Common Name (e.g. server FQDN or YOUR name) []:no
Email Address []:fjgui@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:hehe
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.生成ca.key,ca.crt(CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,自己生成CA)
执行命令:openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
........................++++++
...........................................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: //密码111111
-----
You are about to be asked to enter information that will be incorporated orporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.ame or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA //要跟 server.crt一致
State or Province Name (full name) [Some-State]:hubei //要跟 server.crt一致
Locality Name (eg, city) []:guangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:no //要跟 server.crt一致,否则后面生成server.crt失败(空值)
Organizational Unit Name (eg, section) []:11
Common Name (e.g. server FQDN or YOUR name) []:11
Email Address []:11
在继续下面操作前,将openssl.conf文件打开,查看其dir路径将其修改为dir = ./demoCA /,否则下面的步骤会提示路径无法找到。
在/data/gfj/openssl-1.0.1s/demos/ssl下:
mkdir ./demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
cat > demoCA/serial
01
^C
4.生成server.crt(用生成的CA的证书为刚才生成的server.csr,client.csr文件签名)
执行命令:openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key: (ca.key密码111111)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 30 06:58:41 2016 GMT
Not After : Mar 30 06:58:41 2017 GMT
Subject:
countryName = CA
stateOrProvinceName = hubei
organizationName = no
organizationalUnitName = no
commonName = no
emailAddress = fjgui@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:C1:1F:C5:7E:FC:7B:BA:6E:C2:3A:86:B2:B3:4C:67:AC:56:26:DE
X509v3 Authority Key Identifier:
keyid:73:2C:C2:87:5B:D2:4A:D6:BD:71:27:E7:69:D1:91:6D:6F:B0:5A:9B
Certificate is to be certified until Mar 30 06:58:41 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
总共生成5个文件:
server.key server.csr ca.key ca.crt server.crt
server使用的文件有:ca.crt,server.crt,server.key
5.对客户端也作同样的命令生成key及crt文件:
执行命令:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
服务端客户端双向验证必须要加载相同的CA证书(测试了不同的CA证书连接不上)
加载CA证书函数:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_load_verify_locations(ctx, CA, NULL);
client使用的文件有:ca.crt,client.crt,client.key
./config
make
make test
make install
下载地址:http://www.openssl.org/source/
进入程序执行路径下面(/data/gfj/openssl-1.0.1s/demos/ssl),将/data/gfj/openssl-1.0.1s/apps/openssl.cnf 拷贝到/data/gfj/openssl-1.0.1s/demos/ssl目录下
1.生成server.key(生成服务器端的私钥key文件)
cd /data/gfj/openssl-1.0.1s/demos/ssl
执行命令:openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
...........................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key: (密码123456)
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
生成公钥方式:openssl rsa -in server.key -pubout -out server_public.key
或者openssl genrsa -out prvtkey.pem 1024/2038(无密码保护)
注:本例采用加密key
2.生成server.csr(一个证书请求文件,你可以拿着这个文件去数字证书颁发机构(即CA)申请一个数字证书)
执行命令:openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key: (server.key加密密码123456)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:hubei
Locality Name (eg, city) []:huanggang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:no
Organizational Unit Name (eg, section) []:no
Common Name (e.g. server FQDN or YOUR name) []:no
Email Address []:fjgui@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:hehe
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.生成ca.key,ca.crt(CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,自己生成CA)
执行命令:openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
........................++++++
...........................................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: //密码111111
-----
You are about to be asked to enter information that will be incorporated orporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.ame or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA //要跟 server.crt一致
State or Province Name (full name) [Some-State]:hubei //要跟 server.crt一致
Locality Name (eg, city) []:guangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:no //要跟 server.crt一致,否则后面生成server.crt失败(空值)
Organizational Unit Name (eg, section) []:11
Common Name (e.g. server FQDN or YOUR name) []:11
Email Address []:11
在继续下面操作前,将openssl.conf文件打开,查看其dir路径将其修改为dir = ./demoCA /,否则下面的步骤会提示路径无法找到。
在/data/gfj/openssl-1.0.1s/demos/ssl下:
mkdir ./demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
cat > demoCA/serial
01
^C
4.生成server.crt(用生成的CA的证书为刚才生成的server.csr,client.csr文件签名)
执行命令:openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key: (ca.key密码111111)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 30 06:58:41 2016 GMT
Not After : Mar 30 06:58:41 2017 GMT
Subject:
countryName = CA
stateOrProvinceName = hubei
organizationName = no
organizationalUnitName = no
commonName = no
emailAddress = fjgui@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:C1:1F:C5:7E:FC:7B:BA:6E:C2:3A:86:B2:B3:4C:67:AC:56:26:DE
X509v3 Authority Key Identifier:
keyid:73:2C:C2:87:5B:D2:4A:D6:BD:71:27:E7:69:D1:91:6D:6F:B0:5A:9B
Certificate is to be certified until Mar 30 06:58:41 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
总共生成5个文件:
server.key server.csr ca.key ca.crt server.crt
server使用的文件有:ca.crt,server.crt,server.key
5.对客户端也作同样的命令生成key及crt文件:
执行命令:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
服务端客户端双向验证必须要加载相同的CA证书(测试了不同的CA证书连接不上)
加载CA证书函数:
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_load_verify_locations(ctx, CA, NULL);
client使用的文件有:ca.crt,client.crt,client.key
0 0
- openssl https openssl 证书生成
- OpenSSL证书生成
- openssl生成https证书
- openssl生成https证书
- 使用OpenSSL生成证书
- openssl生成证书文件
- OpenSSL生成证书
- openssl 生成v3证书
- openssl生成https证书
- OpenSSL 生成证书
- openssl手工生成证书
- openssl 生成证书【整理】
- OpenSSL生成证书
- openssl生成证书
- OpenSSL证书生成
- openssl 生成v3证书
- 使用OpenSSL生成证书
- openssl生成https证书
- 官网mysql安装
- android涉及的设计模式
- 看图片 读故事:轻松理解数字签名和数字证书
- Spring Security 整合 UM Editor遇到的问题
- HDU 3998 Sequence(LIS+最大流-Dinic)
- openssl证书生成
- Linux手动添加swap分区
- MFC炼狱之旅(二)画图像
- 数据库(八)mysql常用命令(权限相关)
- Ubuntu14.04下Vim的安装并配置成强大的IDE
- 常用正则表达式
- 数据结构之栈
- TODO
- android缓存框架ASimpleCache
