测试环境:
[root@xjyasia_cn CAs]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@xjyasia_cn CAs]#
命令参数简介:
-aes256 使用AES算法(256为密钥)对产生的私钥加密 |
-key 密钥 |
-new 表示新的请求 |
-out 输出路径 |
-subj 指定用户信息 |
Ca 签发证书命令 |
Genrsa 产生RSA密钥命令 |
pkcs12 PKCS#12编码格式证书命令 |
Rand 随机数命令 |
Req 产生证书签发申请命令 |
x509 签发X.509格式证书命令 |
-Cacreateserial 表示创建CA证书序列号 |
-Cakey 表示CA证书密钥 |
-Caserial 表示CA证书序列号文件 |
-CA 表示CA证书 |
-cert 表示证书文件 |
-clcerts 表示仅导出客户证书 |
-days 表示有效天数 |
-export 表示导出证书 |
-extensions 表示按OpenSSL配置文件v3_ca项添加扩展 |
-extensions 表示按OpenSSL配置文件v3_req项添加扩展 |
-inkey 表示输入文件 |
-in 表示输入文件 |
-keyfile 表示根证书密钥文件 |
-req 表示证书输入请求 |
-sha1 表示证书摘要算法,这里为SHA1算法 |
-signkey 表示自签名密钥 |
(1)
过程大致为:生成CA私钥-->生成CA证书请求-->自签名得到CA根证书(.crt)
1、生成CA私钥,名为ca-Private-Key.pem
[root@xjyasia_cn CAs]# openssl genrsa -out ca-Private-Key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..........................................+++
e is 65537 (0x10001)
2、使用CA的私钥生成CA证书请求ca-Req.csr
[root@xjyasia_cn CAs]# openssl req -new -key ca-Private-Key.pem -out ca-Req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //国家
State or Province Name (full name) []:ZJ //省份
Locality Name (eg, city) [Default City]:HZ //城市
Organization Name (eg, company) [Default Company Ltd]:***.*** //所属组织或公司
Organizational Unit Name (eg, section) []:***.*** //所属部门
Common Name (eg, your name or your server"s hostname) []:***.*** //域名
Email Address []: //邮件地址
Please enter the following "extra" attributes
to be sent with your certificate request
A challenge password []:*** //密码
An optional company name []: //可选公司名称
[root@xjyasia_cn CAs]#
3、自签名得到CA根证书(生成 x509V3版本)
[root@xjyasia_cn CAs]# openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -in ca-Req.csr -out ca-cert.pem -signkey ca-Private-Key.pem -days 3650
// /etc/pki/tls/openssl.cnf是openssl的配置文件,其中包含了对于扩展参数v3_ca的定义
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=***.***/OU=***.***/CN=***.***
Getting Private key
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 12
-rw-r--r-- 1 root root 1318 Jan 12 13:21 ca-cert.pem
-rw-r--r-- 1 root root 1675 Jan 12 13:18 ca-Private-Key.pem
-rw-r--r-- 1 root root 1037 Jan 12 13:21 ca-Req.csr
[root@xjyasia_cn CAs]#
(2)
过程大致为:生成私钥-->生成证书请求-->用CA根证书签名得到证书
1、生成服务端证书的私钥server-Private-Key.pem
[root@xjyasia_cn CAs]# openssl genrsa -out server-Private-Key.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
...........+++
e is 65537 (0x10001)
[root@xjyasia_cn CAs]#
2、使用服务端证书的私钥生成服务端证书请求
[root@xjyasia_cn CAs]# openssl req -new -key server-Private-Key.pem -out server-Req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server"s hostname) []:***.***
Email Address []:
Please enter the following "extra" attributes
to be sent with your certificate request
A challenge password []:*****
An optional company name []:
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]#
3、使用 CA 证书、CA私钥、服务端私钥签发服务端证书,有效期为10年(生成 x509V3版本)
[root@xjyasia_cn CAs]# openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_server -in server-Req.csr -out server-cert.pem -signkey server-Private-Key.pem -CA ca-cert.pem -CAkey ca-Private-Key.pem -CAcreateserial -days 3650
// /etc/pki/tls/openssl.cnf是openssl的配置文件,其中包含了对于扩展参数v3_server的定义
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=Default Company Ltd/CN=***.***
Getting Private key
Getting CA Private Key
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 28
-rw-r--r-- 1 root root 1318 Jan 12 13:21 ca-cert.pem
-rw-r--r-- 1 root root 17 Jan 12 13:23 ca-cert.srl
-rw-r--r-- 1 root root 1675 Jan 12 13:18 ca-Private-Key.pem
-rw-r--r-- 1 root root 1037 Jan 12 13:21 ca-Req.csr
-rw-r--r-- 1 root root 1342 Jan 12 13:23 server-cert.pem
-rw-r--r-- 1 root root 1675 Jan 12 13:22 server-Private-Key.pem
-rw-r--r-- 1 root root 1021 Jan 12 13:23 server-Req.csr
[root@xjyasia_cn CAs]#
(3)
过程大致为:生成私钥-->生成证书请求-->用CA根证书签名得到证书
1、生成客户端证书的私钥userxjy-Private-Key.pem
[root@xjyasia_cn CAs]# openssl genrsa -out userxjy-Private-Key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
............................+++
e is 65537 (0x10001)
[root@xjyasia_cn CAs]#
2、//使用客户端证书的私钥生成客户端证书请求userxjy-Req.csr
[root@xjyasia_cn CAs]# openssl req -new -key userxjy-Private-Key.pem -out userxjy-Req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZJ
Locality Name (eg, city) [Default City]:HZ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server"s hostname) []:userxjy //使用者为userxjy,如果结合sslvpn做认证,默认情况下使用该证书的sslvpn用户名也应该是userxjy
Email Address []:
Please enter the following "extra" attributes
to be sent with your certificate request
A challenge password []:***
An optional company name []:
[root@xjyasia_cn CAs]#
3、使用 CA 证书、CA私钥、客户端私钥签发客户端证书,有效期为10年(生成 x509V3版本)
[root@xjyasia_cn CAs]# openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_client -in userxjy-Req.csr -out userxjy-cert.pem -signkey userxjy-Private-Key.pem -CA ca-cert.pem -CAkey ca-Private-Key.pem -CAcreateserial -days 3650
// /etc/pki/tls/openssl.cnf是openssl的配置文件,其中包含了对于扩展参数v3_client的定义
Signature ok
subject=/C=CN/ST=ZJ/L=HZ/O=Default Company Ltd/CN=userxjy
Getting Private key
Getting CA Private Key
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 40
-rw-r--r-- 1 root root 1318 Jan 12 13:21 ca-cert.pem
-rw-r--r-- 1 root root 17 Jan 12 13:27 ca-cert.srl
-rw-r--r-- 1 root root 1675 Jan 12 13:18 ca-Private-Key.pem
-rw-r--r-- 1 root root 1037 Jan 12 13:21 ca-Req.csr
-rw-r--r-- 1 root root 1342 Jan 12 13:23 server-cert.pem
-rw-r--r-- 1 root root 1675 Jan 12 13:22 server-Private-Key.pem
-rw-r--r-- 1 root root 1021 Jan 12 13:23 server-Req.csr
-rw-r--r-- 1 root root 1338 Jan 12 13:27 userxjy-cert.pem
-rw-r--r-- 1 root root 1679 Jan 12 13:24 userxjy-Private-Key.pem
-rw-r--r-- 1 root root 1017 Jan 12 13:25 userxjy-Req.csr
[root@xjyasia_cn CAs]#/
(4)证书相关文件格式转换
1、将服务端证书格式从pem转换成pfx
[root@xjyasia_cn CAs]# openssl pkcs12 -export -out server-cert.pfx -inkey server-Private-Key.pem -in server-cert.pem
Enter Export Password:
Verifying - Enter Export Password:
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 44
-rw-r--r-- 1 root root 1342 Jan 12 13:23 server-cert.pem
-rw-r--r-- 1 root root 2549 Jan 12 13:27 server-cert.pfx
[root@xjyasia_cn CAs]#
2、将客户端证书格式从pem转换成pfx
[root@xjyasia_cn CAs]# openssl pkcs12 -export -out userxjy-cert.pfx -inkey userxjy-Private-Key.pem -in userxjy-cert.pem
Enter Export Password:
Verifying - Enter Export Password:
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 48
-rw-r--r-- 1 root root 1338 Jan 12 13:27 userxjy-cert.pem
-rw-r--r-- 1 root root 2549 Jan 12 13:28 userxjy-cert.pfx
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]#
3、将ca证书从pem转换成cer格式
[root@xjyasia_cn CAs]# openssl x509 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -inform pem -in ca-cert.pem -outform der -out ca-cert.cer
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]# ll
total 52
-rw-r--r-- 1 root root 931 Jan 12 13:28 ca-cert.cer
-rw-r--r-- 1 root root 1318 Jan 12 13:21 ca-cert.pem
[root@xjyasia_cn CAs]#
[root@xjyasia_cn CAs]#
3、将服务端私钥从pem转换成key格式
[root@xjyasia_cn CAs]# openssl rsa -in server-Private-Key.pem -out server-Private-Key.key
writing RSA key
[root@xjyasia_cn CAs]# ll
total 72
-rw-r--r-- 1 root root 1675 Jan 12 18:58 server-Private-Key.key
-rw-r--r-- 1 root root 1675 Jan 12 13:22 server-Private-Key.pem
[root@xjyasia_cn CAs]#
部分openssl配置文件
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth //指定用途为服务端验证
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, clientAuth //指定用途为客户端验证
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
是的,是实际生成三个证书并完成了证书测试才发表的案例