Linux下利用openssl 生成SSL证书步骤
1、概念
首先要有一个CA根证书,然后用CA根证书来签发用户证书。
用户进行证书申请:一般先生成一个私钥,然后用私钥生成证书请求(证书请求里应含有公钥信息),再利用证书服务器的CA根证书来签发证书。
2、后缀详解
.key格式:私有的密钥
.csr格式:证书签名请求(证书请求文件),含有公钥信息,certificate signing request的缩写
.crt格式:证书文件,certificate的缩写
.crl格式:证书吊销列表,Certificate Revocation List的缩写
.pem格式:用于导出,导入证书时候的证书的格式,有证书开头,结尾的格式
3、添加 index.txt 和 serial 文件
cd /etc/pki/CA/
touch /etc/pki/CA/index.txt touch /etc/pki/CA/serial echo 01 > /etc/pki/CA/serial
4、CA根证书的生成
4.1 生成CA私钥(.key)
openssl genrsa -out ca.key 2048
[root@CA]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus .............+++ .....+++
e is 65537 (0x10001)
4.2 生成CA证书请求(.csr)
openssl req -new -key ca.key -out ca.csr
[root@CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter '.', the field will be left blank. -----
Country Name (2 letter code) [XX]:US State or Province Name (full name) []:OR Locality Name (eg, city) [Default City]:OR
Organization Name (eg, company) [Default Company Ltd]:LXOR Organizational Unit Name (eg, section) []:LXORAQ
Common Name (eg, your name or your server's hostname) []:egl.com Email Address []:eg@mail.com
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:demon2234 An optional company name []:OR
4.3 自签名得到根证书(.crt)(CA给自已颁发的证书)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
[root@CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt Signature ok
subject=/C=US/ST=OR/L=OR/O=LXOR/OU=LXORAQ/CN=egl.com/emailAddress=eg@mail.com Getting Private key
5、用户证书的生成
5.1 生成私钥(.key)
openssl genrsa -des3 -out server.key 1024
[root@CA]# openssl genrsa -des3 -out server.key 1024 Generating RSA private key, 1024 bit long modulus ........++++++
...................++++++ e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
5.2 生成证书请求(.csr)
openssl req -new -key server.key -out server.csr
[root@CA]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US State or Province Name (full name) []:OR Locality Name (eg, city) [Default City]:OR
Organization Name (eg, company) [Default Company Ltd]:LXOR Organizational Unit Name (eg, section) []:LXORAQ
Common Name (eg, your name or your server's hostname) []:egl.com Email Address []:eg@mail.com
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:demon2234 An optional company name []:OR
5.3 用CA根证书签名得到证书(.crt)
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
[root@CA]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok
Certificate Details: Serial Number: 3 (0x3) Validity
Not Before: Mar 13 07:01:44 2018 GMT Not After : Mar 13 07:01:44 2019 GMT Subject:
countryName = US
stateOrProvinceName = OR organizationName = LXOR
organizationalUnitName = LXORAQ commonName = egl.com
emailAddress = eg@mail.com X509v3 extensions:
X509v3 Basic Constraints: CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate X509v3 Subject Key Identifier:
11:62:12:26:6C:1C:56:CD:9D:B2:6A:65:06:24:57:27:3E:5C:BC:EA X509v3 Authority Key Identifier:
DirName:/C=US/ST=OR/L=OR/O=LXOR/OU=LXORAQ/CN=egl.com/emailAddress=eg@mail.com serial:C9:6E:10:F7:A5:40:8F:1D
Certificate is to be certified until Mar 13 07:01:44 2019 GMT (365 days)