I. Overall steps
openssl genrsa -des3 -out server.key 1024                                                    // generate the key
openssl req -new -key server.key -out server.csr -config openssl.cnf                         // generate the CSR file
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf                        // create our own CA
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf   // sign the request
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx                      // bundle into PFX format
II. Preparation
1. First prepare the configuration file openssl.cnf (this assumes OpenSSL is already installed).
openssl.cnf is installed by default under /etc/pki/tls; copy it into the current directory.
[root@localhost openssl]# cp /etc/pki/tls/openssl.cnf openssl.cnf
2. Create the required directories and files in the current working directory.
[root@localhost openssl]# mkdir ./demoCA
[root@localhost openssl]# cd ./demoCA
[root@localhost demoCA]# mkdir newcerts private
[root@localhost demoCA]# chmod g-rwx,o-rwx private
[root@localhost demoCA]# echo "01" > serial
[root@localhost demoCA]# touch index.txt
3. Edit the openssl.cnf configuration file.
[root@localhost demoCA]# cd ..
[root@localhost openssl]# vim openssl.cnf
......
dir = /home/test/workspace/openssl/demoCA    // change this to the current absolute path
......
III. With the preparation done, we can start generating certificates. The detailed steps:
1. Generate the private key file: server.key or prvtkey.pem (there is no real difference between the two; Linux does not care about the file extension).
[root@localhost openssl]# openssl genrsa -out server.key 2048
// generated this way, the key has no passphrase protection
Generating RSA private key, 2048 bit long modulus
................................................................+++
...........+++
e is 65537 (0x10001)
Alternatively, generate the key with passphrase protection first and then strip the passphrase:
[root@localhost openssl]# openssl genrsa -des3 -out server.key 1024    // 1024 bits
Generating RSA private key, 1024 bit long modulus
.........................................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:                // enter the passphrase
Verifying - Enter pass phrase for server.key:    // confirm the passphrase
[root@localhost openssl]# openssl rsa -in server.key -out server.key    // remove the passphrase protection
Enter pass phrase for server.key:
writing RSA key
2. Generate the certificate signing request file server.csr
[root@localhost openssl]# openssl req -new -key server.key -out server.csr -config openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          // may be left blank
An optional company name []:      // may be left blank
3. A CSR alone is not enough; it must be signed by a CA before it becomes a usable certificate. We can create our own CA.
[root@localhost openssl]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:                // enter the passphrase
Verifying - Enter PEM pass phrase:    // confirm the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hd
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
4. With the CA in place, we can sign the server.csr request generated earlier.
[root@localhost openssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:    // enter the CA's passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 28 13:25:03 2015 GMT
            Not After : Jun 27 13:25:03 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = test
            commonName                = www.test.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:67:D2:3B:4A:55:58:7C:D2:55:BD:DB:77:06:5B:0F:4B:57:02:8A
            X509v3 Authority Key Identifier:
                keyid:CF:49:6B:CB:7A:A3:0F:30:A0:87:CD:04:CE:03:D7:90:6F:5E:3D:EF
Certificate is to be certified until Jun 27 13:25:03 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Windows generally uses certificates in PFX format (which includes the key); we can combine the generated server.crt and server.key into a single pfx file with the following command.
[root@localhost openssl]# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
Enter Export Password:                // password for the file; may be left empty
Verifying - Enter Export Password:
6. At this point all the files we need are ready.
[root@localhost openssl]# ls
ca.crt  ca.key  demoCA  openssl.cnf  server.crt  server.csr  server.key  server.pfx
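Added example (not part of the original post): a shell script that runs the same demoCA procedure end to end without the interactive prompts, then checks the result the way a reviewer would: server.crt must chain to ca.crt, must carry CA:FALSE rather than the CA:TRUE,pathlen:20 shown in the supplement, and server.pfx must open with its password and contain the private key. It assumes openssl is on PATH and writes a minimal openssl.cnf instead of copying the system one; the passphrases, CN values and scratch directory are constructed placeholders.

```shell
# Added example, not from the original post. Assumes `openssl` is on PATH;
# passphrases and subject names are constructed placeholders.
set -eu
make_cert_chain() {
  work=$(mktemp -d)
  cd "$work"
  # demoCA layout from section II, then a minimal openssl.cnf with dir= set to the absolute path.
  mkdir -p demoCA/newcerts demoCA/private; chmod go-rwx demoCA/private
  echo "01" > demoCA/serial; : > demoCA/index.txt
  cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  # Self-signed CA with a passphrase; -passout replaces the interactive prompt (step 3).
  openssl req -new -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt \
    -passout pass:capass -subj "/CN=Test CA" -config openssl.cnf >/dev/null 2>&1
  # Unencrypted 2048-bit server key (step 1), CSR (step 2), CA signature with -batch answering y/n (step 4), PFX (step 5).
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -subj "/CN=www.test.com" -config openssl.cnf
  openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
    -passin pass:capass -config openssl.cnf >/dev/null 2>&1
  openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx -passout pass:pfxpass
  echo "$work"
}
check_chain() {  # leaf verifies against the CA, is not itself a CA (cf. pathlen:20 in section IV), PFX holds the key
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null || return 1
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl pkcs12 -in "$1/server.pfx" -nodes -passin pass:pfxpass 2>/dev/null | grep -q 'PRIVATE KEY'
}
```

Run it as `d=$(make_cert_chain) && check_chain "$d" && echo "chain OK in $d"`; the scratch directory is left in place so the files can be inspected.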
IV. Supplement
1. Converting a Microsoft PFX certificate into X509 format
openssl pkcs12 -in server.pfx -nodes -out server.pem    # dump all contents in plaintext
openssl rsa -in server.pem -out server.key              # extract the key file
openssl x509 -in server.pem -out server.crt             # extract the certificate
2. openssl.cnf configuration for generating a multi-level certificate chain: basicConstraints=critical,CA:TRUE,pathlen:20
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=critical,CA:TRUE,pathlen:20