openssl

制作自签名证书(无用户名密码保护)

openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt -days 3650 -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=localhost\[email protected]" 

制作自签名证书(有用户名密码保护)

openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=localhost\[email protected]"
openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt

制作CA根证书并为第三方颁发证书

openssl genrsa -out ca.key 2048
openssl req -new -x509 -nodes -days 3650 -key ca.key -out ca.crt -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=ca.example.com\[email protected]"

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server.key -out server.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=server.example.com\[email protected]"
openssl x509 -req -in server.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client.key -out client.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=client.example.com\[email protected]"
openssl x509 -req -in client.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

#颁发泛域名证书
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout example.key -out example.csr -subj /C=CN/ST=Chongqing/L=Chongqing/O=org/OU=OrgUnit/CN=*.example.com/[email protected]
cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com
IP.1 = 192.168.1.100
IP.2 = 192.168.1.200
EOF
openssl x509 -req -in example.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 100 -out example.crt -extfile v3.ext

#转p12格式
openssl pkcs12 -chain -CAfile ca.crt -export -in example.crt -inkey example.key -out example.p12 -name example.com

获取服务器上的证书

openssl s_client -servername baidu.com -connect baidu.com:443 \
    < /dev/null 2>/dev/null \
    | openssl x509 -outform pem \
    > baidu.com.crt

ubuntu 上安装证书

sudo su -
cp baidu.com.crt /usr/local/share/ca-certificates/baidu.com.crt
update-ca-certificates

centos 上安装证书

cp baidu.com.crt /etc/pki/ca-trust/source/anchors/baidu.com.crt
update-ca-trust

java 中安装证书

cd $JAVA_HOME

#导入证书
./jre/bin/keytool -keystore jre/lib/security/cacerts -importcert -alias baidu.com -file  baidu.com.crt -storepass changeit 

#查看证书
./jre/bin/keytool -list -keystore jre/lib/security/cacerts -storepass changeit | grep baidu.com

./jre/bin/keytool -keystore jre/lib/security/cacerts -delete -alias baidu.com

你可能感兴趣的:(openssl)