openssl制作CA自签证书

文章目录

• 1. 根证书
• • 1.1 创建根证书密钥文件（root.key）
  • 1.2 创建根证书的申请文件（ root.csr）
  • 1.3 创建自己的根证书 （root.crt）
• 2. 创建服务器证书
• • 2.1 创建服务器证书密钥（server.key）
  • 2.2 创建服务器证书的申请文件（server.csr）
  • 2.3 创建服务器证书（server.crt）
• 3. 创建客户证书
• • 3.1 创建客户证书 （client.key）
  • 3.2 创建客户端证书的申请文件（client.csr）
  • 3.3 创建一个客户端证书（client.crt）
  • 3.4 client.pfx 文件（非必要）
  • 3.5 使用
  • 3.6 pem文件（非必要）

1. 根证书

1.1 创建根证书密钥文件（root.key）

[root@n9e-client-01 cert]# openssl genrsa -des3 -out root.key
Generating RSA private key, 2048 bit long modulus
......+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for root.key:
Verifying - Enter pass phrase for root.key:

密码本次 40010355

1.2 创建根证书的申请文件（ root.csr）

[root@n9e-client-01 cert]# openssl genrsa -des3 -out root.key
Generating RSA private key, 2048 bit long modulus
......+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for root.key:
Verifying - Enter pass phrase for root.key:
[root@n9e-client-01 cert]# openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:XiShu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 

1.3 创建自己的根证书 （root.crt）

创建一个100年的根证书。

[root@n9e-client-01 cert]# openssl x509 -req -days 36500 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=XiShu
Getting Private key
Enter pass phrase for root.key:

2. 创建服务器证书

2.1 创建服务器证书密钥（server.key）

[root@n9e-client-01 cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
......................................+++
e is 65537 (0x10001)

2.2 创建服务器证书的申请文件（server.csr）

[root@n9e-client-01 cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:XiShu
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2.3 创建服务器证书（server.crt）

[root@n9e-client-01 cert]# openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=XiShu
Getting CA Private Key
Enter pass phrase for root.key:

3. 创建客户证书

3.1 创建客户证书 （client.key）

[root@n9e-client-01 cert]# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:

3.2 创建客户端证书的申请文件（client.csr）

[root@n9e-client-01 cert]# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
[root@n9e-client-01 cert]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.3 创建一个客户端证书（client.crt）

创建一个自即日起，有效期为两年的证书。

[root@n9e-client-01 cert]# openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=Default Company Ltd
Getting CA Private Key
Enter pass phrase for root.key:

3.4 client.pfx 文件（非必要）

将客户端证书文件client.crt和客户端证书密钥文件client.key合并成客户端证书安装包client.pfx

[root@n9e-client-01 cert]# openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=Default Company Ltd
Getting CA Private Key
Enter pass phrase for root.key:
[root@n9e-client-01 cert]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

3.5 使用

• server.crt和server.key是配置单向SSL时需要使用的证书文件
• client.crt是配置双向SSL时需要使用的证书文件
• client.pfx是配置双向SSL时需要客户端安装的证书文件

3.6 pem文件（非必要）

如需使用pem文件：
将.crt文件和.key可以合到一个文件里面（直接拷贝过去就行了），2个文件合成了一个.pem文件。