- OpenSSL basic configuration
- Generate a self-signed CA certificate and key
- Generate a CSR and key for the domain dev.ymeng.net
- Sign dev.ymeng.net with the CA private key to produce the end-entity certificate
- Convert the certificate to PKCS#12 format
- Inspect a PKCS#12 file
- Test mutual TLS authentication with openssl
- Generate a CSR from an existing certificate and private key
1. OpenSSL basic configuration

The configuration file used by every command below, saved as ./openssl.conf in the CA working directory ($dir). Two values on the original page were changed: default_md was md5 (broken for signatures; sha256 is used instead) and the name_opt/cert_opt keys were misspelled, and one line (x509_extensions) was added, each marked with a comment.

    dir = /etc/apache2/ssl-cert/ca

    [ req ]
    default_bits = 2048                  # Size of keys
    default_keyfile = key.pem            # name of generated keys
    default_md = sha256                  # message digest algorithm (page had md5; MD5 signatures are forgeable)
    string_mask = nombstr                # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [ req_distinguished_name ]
    # Variable name                  Prompt string
    #----------------------          ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress = Email Address
    emailAddress_max = 40
    localityName = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    commonName = Common Name (hostname, IP, or your name)
    commonName_max = 64

    # Default values for the above, for consistency and less typing.
    # Variable name                  Value
    #------------------------------  ------------------------------
    0.organizationName_default = Company Technologies Co., Ltd.
    organizationalUnitName_default = Development Dept.
    emailAddress_default = ca@company.com
    localityName_default = Helsinki
    # stateOrProvinceName_default =
    countryName_default = FI

    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    serial = $dir/serial
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/cacert.pem
    private_key = $dir/private/cakey.pem
    default_days = 365
    default_md = sha256                  # page had md5, see [ req ]
    preserve = no
    email_in_dn = no
    name_opt = ca_default                # page had "nameopt = default_ca", which openssl silently ignores
    cert_opt = ca_default                # page had "certopt = default_ca", likewise ignored
    x509_extensions = v3_req             # added: without it 'openssl ca' issues certificates with no extensions at all
    policy = policy_match

    [ policy_match ]
    countryName = match
    stateOrProvinceName = optional
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
2. Generate a self-signed CA certificate and key

    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.conf

openssl prompts for the DN fields (defaults come from the config) and for a passphrase that encrypts private/cakey.pem; the same passphrase is needed every time a certificate is signed in section 4. This key is the root of trust for everything issued below, so keep it off the web server.

Inspect the certificate and confirm it carries CA:TRUE and the key identifiers from [ v3_ca ]:

    openssl x509 -in cacert.pem -noout -text
3. Generate a CSR and key for the domain dev.ymeng.net

    openssl req -new -nodes -out dev.ymeng.net-csr.pem -keyout private/dev.ymeng.net-key.pem -config ./openssl.conf

-nodes writes the private key unencrypted, which is what a server that must start unattended needs; protect the file with filesystem permissions instead. Enter dev.ymeng.net as the Common Name.

Inspect the CSR (-verify also checks the self-signature, proving the CSR was made with the matching private key):

    openssl req -in dev.ymeng.net-csr.pem -text -verify -noout
4. Sign dev.ymeng.net with the CA private key to produce the end-entity certificate

    openssl ca -out dev.ymeng.net-cert.pem -config ./openssl.conf -infiles dev.ymeng.net-csr.pem

The CA key used for signing is the one named by private_key in [ CA_default ] of the config file, so no key needs to be given on the command line. Before the first run, $dir/index.txt (may be empty), $dir/serial (containing a starting serial such as 1000) and the directory $dir/newcerts must exist, or openssl ca aborts. The policy_match policy requires the CSR's countryName and organizationName to equal the CA's, and a commonName to be present. Extensions in the CSR are not carried over unless copy_extensions = copy is set; the certificate receives only the section named by x509_extensions in [ CA_default ] (or by -extensions). openssl ca asks for confirmation twice; -batch suppresses the prompts for scripted use.
5. Convert the certificate to PKCS#12 format

    openssl pkcs12 -export -in dev.ymeng.net-cert.pem -out dev.ymeng.net-cert.p12 -inkey private/dev.ymeng.net-key.pem

openssl prompts for an export password that encrypts the bundle, which now contains the private key. To ship the CA certificate along with the leaf (needed when the importing side must build the chain), add -certfile cacert.pem.
6. Inspect a PKCS#12 file

    openssl pkcs12 -info -in dev.ymeng.net-cert.p12

This prints the bag attributes and the encryption algorithms used, then the certificates and the decrypted private key; pass -nokeys when only the certificates should reach the terminal.
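The whole procedure in sections 1 to 6 as one runnable script, added here as an example; it is not code from the original page. It assumes openssl 1.1.1 or later on PATH; the subject names, the password "changeit" and the scratch directory are made up, and it departs from the page's config by using sha256, a subjectAltName and an x509_extensions line so the signed certificate actually carries the extensions. It ends with the checks a practitioner wants before deploying: the leaf chains to the CA, the private key matches the certificate, and the PKCS#12 file opens and holds the leaf.

```shell
#!/bin/sh
# Added example, not part of the original page: runs sections 1 to 6 end to end
# in a scratch directory and then checks the result the way a practitioner
# would. Assumes openssl 1.1.1 or later on PATH. Subject names, the P12
# password "changeit" and the directory layout are made up for the demo.
set -eu

# Step 1: a minimal, non-interactive version of the page's config. Differences
# from the page: sha256 instead of md5, a SAN for the leaf, and x509_extensions
# so that 'openssl ca' actually applies [ v3_req ] to the certificates it issues.
write_config() {
    cat > openssl.conf <<'EOF'
dir = .
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name (hostname)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:dev.ymeng.net
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = v3_req
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
EOF
}

# Steps 2 to 5: CA, CSR, signed leaf and PKCS#12 bundle, all inside $1.
# -nodes leaves the keys unencrypted so the demo needs no prompts; a real
# CA key should be passphrase-protected (drop -nodes) or live in an HSM.
build_pki() {
    cd "$1"
    mkdir -p private newcerts && chmod 700 private
    : > index.txt        # openssl ca refuses to run without its database file
    echo 1000 > serial   # first serial number (hex); openssl ca increments it
    write_config
    openssl req -new -x509 -nodes -config openssl.conf -extensions v3_ca \
        -keyout private/cakey.pem -out cacert.pem -days 3650 \
        -subj "/C=FI/O=Example Co/CN=Example Root CA"
    openssl req -new -nodes -config openssl.conf \
        -keyout private/dev.ymeng.net-key.pem -out dev.ymeng.net-csr.pem \
        -subj "/C=FI/O=Example Co/CN=dev.ymeng.net"
    # policy_match: C and O must equal the CA's, CN must be present
    openssl ca -batch -notext -config openssl.conf \
        -out dev.ymeng.net-cert.pem -infiles dev.ymeng.net-csr.pem
    openssl pkcs12 -export -in dev.ymeng.net-cert.pem \
        -inkey private/dev.ymeng.net-key.pem -certfile cacert.pem \
        -name dev.ymeng.net -passout pass:changeit -out dev.ymeng.net-cert.p12
}

# Step 6 plus the checks the page does not show. Returns 0 only if all pass.
check_pki() {
    cd "$1"
    # the leaf must chain to the CA
    openssl verify -CAfile cacert.pem dev.ymeng.net-cert.pem >/dev/null
    # the private key must belong to the issued cert (same public key)
    k=$(openssl pkey -in private/dev.ymeng.net-key.pem -pubout | openssl sha256)
    c=$(openssl x509 -in dev.ymeng.net-cert.pem -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
    # the CA really applied [ v3_req ]: CA:FALSE and the SAN are present
    openssl x509 -in dev.ymeng.net-cert.pem -noout -text | grep -q 'CA:FALSE'
    openssl x509 -in dev.ymeng.net-cert.pem -noout -ext subjectAltName \
        | grep -q 'DNS:dev.ymeng.net'
    # the P12 opens with its password and carries the leaf, not only the CA
    openssl pkcs12 -in dev.ymeng.net-cert.p12 -nokeys -clcerts \
        -passin pass:changeit | openssl x509 -noout -subject \
        | grep -q 'dev.ymeng.net'
}

main() {
    work=${1:-$(mktemp -d)}
    ( build_pki "$work" ) >/dev/null
    ( check_pki "$work" ) && echo "OK: CA, leaf and PKCS#12 written to $work"
}

main "$@"
```

Run it as `sh pki-demo.sh [workdir]`; with no argument it uses a fresh temporary directory. The key-match check compares hashes of the two public keys rather than RSA moduli, so the same check works unchanged for EC keys.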
7. Test mutual TLS authentication with openssl

    openssl s_client -connect testgw.girogate.de:443 -cert customer.crt -key customer.key -CAfile ca.crt

customer.crt/customer.key are the client certificate and key presented to the server; ca.crt is the CA used to verify the server's chain. In the output, the server's CertificateRequest shows up as the "Acceptable client certificate CA names" list (if it is absent, the server never asked for a client certificate and nothing was tested), and "Verify return code: 0 (ok)" refers only to the server's chain against ca.crt. A client certificate the server rejects is reported as an alert from the server and a failed handshake, not as a verify error on the client side.
8. Generate a CSR from an existing certificate and private key

    openssl x509 -x509toreq -in certificate.crt -out certificate-request.csr -signkey private-key.key

-signkey must be the private key belonging to certificate.crt; the new CSR takes its subject and public key from the certificate and is signed with that key. This is the usual way to renew a certificate without changing its key. Check the result with openssl req -in certificate-request.csr -text -verify -noout before submitting it.