openssl产生自认证证书
1. 新建一个ca目录。
mkdir ca
2. 新建一个openssl.cnf文件。内容如下:
dir = .
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = EB Company
localityName_default = Shen Zhen
stateOrProvinceName_default = Guan Dong
countryName_default = CN
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
3.新建一个空的index.txt文件
touch index.txt
4.建立一个文件serial.在文件中输入一个数字,做为以后颁发证书的序列号,
以后颁发的证书序列号就从你输入的数字开始.
echo 01 > serial
5.生成CA的公私密钥对
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
将产生
1. private/cakey.pem ca私钥
2. cacert.pem ca公钥,即为ca证书。服务器和客户端公用。
6.生成证书请求Certificate Signing Request(CSR).
openssl req -new -nodes -out req.pem -config ./openssl.cnf
将产生
1. key.pem 私钥
2. req.pem 公钥,用于产生证书
7.生成证书,即用"ca私钥"对req.pem签名
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
去除可读信息部分
mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
产生
1. cert.pem 最终的用户证书
8. 获得证书文件。
1. 服务端的密钥文件:
server.pem(cat key.pem cert.pem > server.pem)
cacert.pem
2. 客户端证书文件:
cacert.pem
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 周边上新:园子的第一款马克杯温暖上架
· Open-Sora 2.0 重磅开源!
· .NET周刊【3月第1期 2025-03-02】
· 分享 3 个 .NET 开源的文件压缩处理库,助力快速实现文件压缩解压功能!
· [AI/GPT/综述] AI Agent的设计模式综述