原创文章,转载请注明出处:server非业余研究http://blog.csdn.net/erlib 作者Sunface
假设仅为了測试,那使用以下方法就可以:
測试证书创建:
1.创建证书的key
- $ openssl genrsa -out key.pem 1024
2.创建证书,注意这里的common name应该填你的server name
- $ openssl req -new -key key.pem -out request.pem
- Country Name (2 letter code) [AU]:UA
- State or Province Name (full name) [Some-State]:
- Locality Name (eg, city) []:Kiev
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:site4fast blog
- Organizational Unit Name (eg, section) []:.
- Common Name (eg, YOUR name) []:site4fast.example.net
- Email Address []:site4fast@example.net
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
3.证书签字
- $ openssl x509 -req -days 30 -in request.pem -signkey key.pem -out certificate.pem
4.至此,我们须要的測试证书已经创建好了:"self-signed certificate".
正式的证书创建步骤:
1.安装CA证书
- $ aptitude install ssl-cert ca-certificates
2.在startssl.com注冊
3.创建一个请求
- $ openssl req -new -newkey rsa:2048 -nodes -keyout www_privatekey.pem -out www_csr.pem
- Generating a 2048 bit RSA private key
- ..................................++++++
- ....................++++++
- writing new private key to 'www_privatekey.pem'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [AU]:UA
- State or Province Name (full name) [Some-State]:Some state
- Locality Name (eg, city) []:Some City
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organisation
- Organizational Unit Name (eg, section) []:IT
- Common Name (eg, YOUR name) []:www.example.org
- Email Address []:test@example.org
-
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
4.在发送之前验证请求的内容
- $ openssl req -in www_csr.pem -text -verify -noout
5.将请求发送给startssl.com,从站点请求一个新的证书。当须要CSR的时候将'www_csr.pem'填进去
6.从网页上复制证书。然后放入'www_certificate.pem'文件,然后检查文件的内容:
- $ openssl x509 -in www_certificate.pem -text -noout
7.測试server证书
- $ openssl verify www_certificate.pem
假设都正确。那就会看到OK的提示
- www_certificate.pem: OK