怎样获取自己的SSL证书

原创文章,转载请注明出处:server非业余研究http://blog.csdn.net/erlib 作者Sunface


假设仅为了測试,那使用以下方法就可以:

測试证书创建:

1.创建证书的key

  1. $ openssl genrsa -out key.pem 1024


2.创建证书,注意这里的common name应该填你的server name

  1. $ openssl req -new -key key.pem -out request.pem

  2.    Country Name (2 letter code) [AU]:UA
  3.    State or Province Name (full name) [Some-State]:
  4.    Locality Name (eg, city) []:Kiev
  5.    Organization Name (eg, company) [Internet Widgits Pty Ltd]:site4fast blog
  6.    Organizational Unit Name (eg, section) []:.
  7.    Common Name (eg, YOUR name) []:site4fast.example.net
  8.    Email Address []:site4fast@example.net

  9.    Please enter the following 'extra' attributes
  10.    to be sent with your certificate request
  11.    A challenge password []:
  12.    An optional company name []:


3.证书签字

  1. $ openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem


4.至此,我们须要的測试证书已经创建好了:"self-signed certificate".



正式的证书创建步骤:

1.安装CA证书

  1. $ aptitude install ssl-cert ca-certificates

2.在startssl.com注冊

3.创建一个请求

  1. $ openssl req -new -newkey rsa:2048 -nodes -keyout www_privatekey.pem -out www_csr.pem


  1. Generating a 2048 bit RSA private key
  2.  ..................................++++++
  3.  ....................++++++
  4.  writing new private key to 'www_privatekey.pem'
  5.  -----
  6.  You are about to be asked to enter information that will be incorporated
  7.  into your certificate request.
  8.  What you are about to enter is what is called a Distinguished Name or a DN.
  9.  There are quite a few fields but you can leave some blank
  10.  For some fields there will be a default value,
  11.  If you enter '.', the field will be left blank.
  12.  -----
  13.  Country Name (2 letter code) [AU]:UA
  14.  State or Province Name (full name) [Some-State]:Some state
  15.  Locality Name (eg, city) []:Some City
  16.  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organisation
  17.  Organizational Unit Name (eg, section) []:IT
  18.  Common Name (eg, YOUR name) []:www.example.org
  19.  Email Address []:test@example.org
  20.  
  21.  Please enter the following 'extra' attributes
  22.  to be sent with your certificate request
  23.  A challenge password []:
  24.  An optional company name []:

4.在发送之前验证请求的内容

  1. $ openssl req -in www_csr.pem -text -verify -noout

5.将请求发送给startssl.com,从站点请求一个新的证书。当须要CSR的时候将'www_csr.pem'填进去


6.从网页上复制证书。然后放入'www_certificate.pem'文件,然后检查文件的内容:

  1. $ openssl x509 -in www_certificate.pem -text -noout

7.測试server证书

  1. $ openssl verify www_certificate.pem

假设都正确。那就会看到OK的提示

  1. www_certificate.pem: OK



posted @ 2016-01-12 13:33  lcchuguo  阅读(465)  评论(0编辑  收藏  举报