openssl生成自签名证书-流程

转：https://www.jianshu.com/p/0e9ee7ed6c1d

通常自签的证书等，用来给内部启用https。

自己建一个CA，然后对自己的请求文件进行认证然后生成证书，私钥和证书，一共俩

ubuntu上一般都自带安装了OpenSSL

 ubuntu:~$ openssl
OpenSSL> version
OpenSSL 1.1.1  11 Sep 2018
OpenSSL>help
Standard commands # 标准命令
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dhparam           
dsa               dsaparam          ec                ecparam           
enc               engine            errstr            gendsa            
genpkey           genrsa            help              list              
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              rehash            
req               rsa               rsautl            s_client          
s_server          s_time            sess_id           smime             
speed             spkac             srp               storeutl          
ts                verify            version           x509              
 
Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4               
md5               rmd160            sha1              sha224            
sha256            sha3-224          sha3-256          sha3-384          
sha3-512          sha384            sha512            sha512-224        
sha512-256        shake128          shake256          sm3               
 
Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb           
sm4-ctr           sm4-ecb           sm4-ofb

1.基本概念

CA：认证机构。有自己的证书，可以拿自己的证书给别人签名然后收钱，这个星球上的CA被几家说英语的人垄断了。在这里我们会虚拟出一个CA机构，然后用他来给自己的证书认证签名。
(网站)证书：发送给客户端的证书，其中大部分是公钥。是一个包含自己网站的公钥、认证、签名等信息的文件。
(网站)私钥：服务器留存的解密私钥(server)
注意区分 CA机构的证书（可以拿来给其他网站证书签名）和自己网站的证书（不可以），不一样

2.基本流程

1. 搞一个虚拟的CA机构，生成一个证书
1. 生成一个自己的密钥，然后填写证书认证申请，拿给上面的CA机构去签名
1. 于是就得到了自（自建CA机构认证的）签名证书

2.1 首先，虚构一个CA认证机构出来

 # 生成CA认证机构的证书密钥key
# 需要设置密码，输入两次
openssl> genrsa -des3 -out ca.key 1024
 
# 去除密钥里的密码(可选)
# 这里需要再输入一次原来设的密码
openssl> rsa -in ca.key -out ca.key
 
# 用私钥ca.key生成CA认证机构的证书ca.crt
# 其实就是相当于用私钥生成公钥，再把公钥包装成证书
openssl> req -new -x509 -key ca.key -out ca.crt -days 365
# 这个证书ca.crt有的又称为"根证书",因为可以用来认证其他证书

2.2其次，才是生成网站的证书

用上面那个虚构出来的CA机构来认证，免费

 # 生成自己网站的密钥server.key
openssl> genrsa -des3 -out server.key 1024
 
# 生成自己网站证书的请求文件
# 如果找外面的CA机构认证，也是发个请求文件给他们
# 这个私钥就包含在请求文件中了，认证机构要用它来生成网站的公钥，然后包装成一个证书
openssl> req -new -key server.key -out server.csr
 
# 使用虚拟的CA认证机构的证书ca.crt，来对自己网站的证书请求文件server.csr进行处理，生成签名后的证书server.crt
# 注意设置序列号和有效期（一般都设1年）
openssl> x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -days 365

至此，私钥server.key和证书server.crt已全部生成完毕，可以放到网站源代码中去用了。

3.补充

其实后缀名不影响文件的实质内容的，内容都可以文本打开看

例如生成的ca.key文件，输入两次密码，然后再查看其内容：

 OpenSSL> genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
....+++++
...........................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
OpenSSL> exit
ubuntu:~/web/ssl$ ls
ca.key
ubuntu:~/web/ssl$ cat ca.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6D519E92415BEE33
 
UcZyq1NkoodzdWBHq37G2+y+Q/QigaPmXdNjZA7rBbz17VVqB1JrU11tbFo5BDZV
...
-----END RSA PRIVATE KEY-----
ubuntu:~/web/ssl$

再如生成ca.crt证书文件：

 OpenSSL> req -new -x509 -key ca.key -out ca.crt -days 365
Can't load /home/xqq/.rnd into RNG
139920876560832:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/xqq/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:spn
Locality Name (eg, city) []:ln
Organization Name (eg, company) [Internet Widgits Pty Ltd]:on
Organizational Unit Name (eg, section) []:oun
Common Name (e.g. server FQDN or YOUR name) []:cn
Email Address []:ea
OpenSSL> exit
 
ubuntu:~/web/ssl$ ls
ca.key ca.crt ca.lol  # ca.lol是我自己乱起的扩展名
 
# ca.lol
ubuntu:~/web/ssl$ cat ca.lol
-----BEGIN CERTIFICATE-----
MIICqjCCAhOgAwIBAgIUAOsXW5KDRNvBDTLaIreadCJVnn4wDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----
 
# ca.key
xqq@VM-0-4-ubuntu:~/web/ssl$ cat ca.key
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCxImyGkSj2rB7zSNSM/2h4dg5tpJNGwJDQLE/PNKQtkorMgrbI
...
-----END RSA PRIVATE KEY-----
xqq@VM-0-4-ubuntu:~/web/ssl$

扩展名并不影响密钥文件的内容

posted on 2021-07-23 17:14 进击的davis 阅读(1491) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

阅读排行：
· TypeScript + Deepseek 打造卜卦网站：技术与玄学的结合
· Manus的开源复刻OpenManus初探
· AI 智能体引爆开源社区「GitHub 热点速览」
· 三行代码完成国际化适配，妙~啊~
· .NET Core 中如何实现缓存的预热？

终点就在前方

openssl生成自签名证书-流程

1.基本概念

2.基本流程

2.1 首先，虚构一个CA认证机构出来

2.2其次，才是生成网站的证书

3.补充

导航

积分与排名

随笔分类 (955)

随笔档案 (648)

阅读排行榜

	ubuntu:~$ openssl
	OpenSSL> version
	OpenSSL 1.1.1 11 Sep 2018
	OpenSSL>help
	Standard commands # 标准命令
	asn1parse ca ciphers cms
	crl crl2pkcs7 dgst dhparam
	dsa dsaparam ec ecparam
	enc engine errstr gendsa
	genpkey genrsa help list
	nseq ocsp passwd pkcs12
	pkcs7 pkcs8 pkey pkeyparam
	pkeyutl prime rand rehash
	req rsa rsautl s_client
	s_server s_time sess_id smime
	speed spkac srp storeutl
	ts verify version x509

	Message Digest commands (see the `dgst' command for more details)
	blake2b512 blake2s256 gost md4
	md5 rmd160 sha1 sha224
	sha256 sha3-224 sha3-256 sha3-384
	sha3-512 sha384 sha512 sha512-224
	sha512-256 shake128 shake256 sm3

	Cipher commands (see the `enc' command for more details)
	aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
	aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
	aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
	aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
	aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
	aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
	aria-256-ctr aria-256-ecb aria-256-ofb base64
	bf bf-cbc bf-cfb bf-ecb
	bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
	camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
	cast-cbc cast5-cbc cast5-cfb cast5-ecb
	cast5-ofb des des-cbc des-cfb
	des-ecb des-ede des-ede-cbc des-ede-cfb
	des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
	des-ede3-ofb des-ofb des3 desx
	rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
	rc2-cfb rc2-ecb rc2-ofb rc4
	rc4-40 seed seed-cbc seed-cfb
	seed-ecb seed-ofb sm4-cbc sm4-cfb
	sm4-ctr sm4-ecb sm4-ofb

	# 生成CA认证机构的证书密钥key
	# 需要设置密码，输入两次
	openssl> genrsa -des3 -out ca.key 1024

	# 去除密钥里的密码(可选)
	# 这里需要再输入一次原来设的密码
	openssl> rsa -in ca.key -out ca.key

	# 用私钥ca.key生成CA认证机构的证书ca.crt
	# 其实就是相当于用私钥生成公钥，再把公钥包装成证书
	openssl> req -new -x509 -key ca.key -out ca.crt -days 365
	# 这个证书ca.crt有的又称为"根证书",因为可以用来认证其他证书

	# 生成自己网站的密钥server.key
	openssl> genrsa -des3 -out server.key 1024

	# 生成自己网站证书的请求文件
	# 如果找外面的CA机构认证，也是发个请求文件给他们
	# 这个私钥就包含在请求文件中了，认证机构要用它来生成网站的公钥，然后包装成一个证书
	openssl> req -new -key server.key -out server.csr

	# 使用虚拟的CA认证机构的证书ca.crt，来对自己网站的证书请求文件server.csr进行处理，生成签名后的证书server.crt
	# 注意设置序列号和有效期（一般都设1年）
	openssl> x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -days 365

	OpenSSL> genrsa -des3 -out ca.key 1024
	Generating RSA private key, 1024 bit long modulus (2 primes)
	....+++++
	...........................................................................+++++
	e is 65537 (0x010001)
	Enter pass phrase for ca.key:
	Verifying - Enter pass phrase for ca.key:
	OpenSSL> exit
	ubuntu:~/web/ssl$ ls
	ca.key
	ubuntu:~/web/ssl$ cat ca.key
	-----BEGIN RSA PRIVATE KEY-----
	Proc-Type: 4,ENCRYPTED
	DEK-Info: DES-EDE3-CBC,6D519E92415BEE33

	UcZyq1NkoodzdWBHq37G2+y+Q/QigaPmXdNjZA7rBbz17VVqB1JrU11tbFo5BDZV
	...
	-----END RSA PRIVATE KEY-----
	ubuntu:~/web/ssl$

	OpenSSL> req -new -x509 -key ca.key -out ca.crt -days 365
	Can't load /home/xqq/.rnd into RNG
	139920876560832:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/xqq/.rnd
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:cn
	State or Province Name (full name) [Some-State]:spn
	Locality Name (eg, city) []:ln
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:on
	Organizational Unit Name (eg, section) []:oun
	Common Name (e.g. server FQDN or YOUR name) []:cn
	Email Address []:ea
	OpenSSL> exit

	ubuntu:~/web/ssl$ ls
	ca.key ca.crt ca.lol # ca.lol是我自己乱起的扩展名

	# ca.lol
	ubuntu:~/web/ssl$ cat ca.lol
	-----BEGIN CERTIFICATE-----
	MIICqjCCAhOgAwIBAgIUAOsXW5KDRNvBDTLaIreadCJVnn4wDQYJKoZIhvcNAQEL
	...
	-----END CERTIFICATE-----

	# ca.key
	xqq@VM-0-4-ubuntu:~/web/ssl$ cat ca.key
	-----BEGIN RSA PRIVATE KEY-----
	MIICXgIBAAKBgQCxImyGkSj2rB7zSNSM/2h4dg5tpJNGwJDQLE/PNKQtkorMgrbI
	...
	-----END RSA PRIVATE KEY-----
	xqq@VM-0-4-ubuntu:~/web/ssl$