openssl

Step 1: Generate the private keys
$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
. ..........................
e is 65537 (0x10001)
$ openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
... ....................................................
e is 65537 (0x10001)
$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
............................................................. .........
e is 65537 (0x10001)

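Step 2: Create the certificate requests (for the CA, -x509 produces a self-signed certificate directly instead of a request)
$ openssl req -new -key server.key -out server.csr -days 1095
$ openssl req -new -key client.key -out client.csr -days 1095
$ openssl req -new -x509 -key ca.key -out ca.crt -days 1095

Step 3: Issue the certificates (sign the request files with the CA)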
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
If this step fails with the following error message:
$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/share/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory

create the CA directory structure by hand:
$ mkdir ./demoCA
$ mkdir demoCA/newcerts
Create an empty file:
$ vi demoCA/index.txt
Write 01 into the file:
$ vi demoCA/serial
Combine the certificate file (crt) and the private key file (key):
$ cat client.crt client.key > client.pem
$ cat server.crt server.key > server.pem
Bundle them into a PFX (PKCS#12) certificate:
$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
$ openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
Convert the certificates to text form:
$ openssl pkcs12 -in client.p12 -out client.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ openssl pkcs12 -in server.p12 -out server.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
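
The following script is an added example, not part of the original page: it runs steps 1 to 3 and the demoCA setup non-interactively in a scratch directory, then checks the issued certificate against the CA with openssl verify. The function name, the subject names, the ca.cnf file and the 2048-bit key size (1024-bit RSA is no longer considered adequate) are assumptions made for the example.

```shell
# Added example (not from the original page): the CA workflow above, run
# non-interactively in a scratch directory. Names and ca.cnf are constructed.
make_demo_pki() (
    umask 077                       # keep the private keys unreadable by others
    mkdir -p "$1/demoCA/newcerts" && cd "$1" || exit 1
    : > demoCA/index.txt            # empty certificate database
    echo 01 > demoCA/serial         # first serial number, as on the page
    # Minimal config so the run does not depend on the system openssl.cnf
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = ./demoCA/newcerts
database      = ./demoCA/index.txt
serial        = ./demoCA/serial
default_md    = sha256
default_days  = 365
policy        = policy_cn
[ policy_cn ]
commonName = supplied
EOF
    # Assumption: 2048-bit keys, in place of the page's 1024-bit ones
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -key ca.key \
        -subj "/CN=Example Test CA" -days 1095 -out ca.crt &&
    openssl req -new -config ca.cnf -key server.key \
        -subj "/CN=server.example.test" -out server.csr &&
    openssl ca -batch -config ca.cnf -in server.csr -out server.crt \
        -cert ca.crt -keyfile ca.key &&
    # The issued certificate must chain to the CA
    openssl verify -CAfile ca.crt server.crt
)
# Usage: make_demo_pki "$(mktemp -d)"
```

After a successful run, demoCA/serial holds 02 and a copy of the issued certificate is stored as demoCA/newcerts/01.pem, which is the bookkeeping that the missing directory error in step 3 refers to.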
