文件说明
.crt/.cer 是由证书颁发机构(CA)签名后的证书,或者是开发者自签名的证书,包含证书持有人的信息,持有人的公钥,以及签署者的签名等信息
.key 是服务器上的私钥文件,用于对发送给客户端数据的加密,以及对从客户端接收到数据的解密
.csr 是证书签名请求文件,用于提交给证书颁发机构(CA)对证书签名
*.pem base64编码文本储存格式,可以单独放证书或密钥,也可以同时放两个;base64编码就是两条-------之间的那些莫名其妙的字符
*.der 证书的二进制储存格式(不常用)
subj参数
字段 字段含义 示例
/C= Country 国家 CN
/ST= State or Province 省 beijing
/L= Location or City 城市 beijing
/O= Organization 组织或企业 stars-mine
/OU= Organization Unit 部门 stars-mine
/CN= Common Name 是证书拥有者名称 openssl
创建证书目录
# mkdir -pv certs/{CA,client,server}
# touch certs/index.txt
# touch certs/serial
# echo "1000" > certs/serial
# echo "unique_subject = no" > certs/index.txt.attr # Sign multiple certs for the same CN
openssl.conf
查看代码
# environment variable values
CERT_DIR=certs
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ${ENV::CERT_DIR}
certs = $dir
crl_dir = $dir/crl
new_certs_dir = $dir
database = $dir/index.txt
serial = $dir/serial
# certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate-ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_loose ]
# Allow the CA to sign a range of certificates.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# `man req`
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
# Certificate extensions (`man x509v3_config`)
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
certs(默认应该是存在的)存放已颁发的证书
newcerts(默认应该是存在的)存放CA指令生成的新证书
private(默认应该是存在的)存放私钥
crl(默认应该是存在的)存放已吊销的证书
index.txt openssl定义的已签发证书的文本数据库文件,这个文件通常在初始化的时候是空的
serial 证书签发时使用的序列号参考文件,该文件的序列号是以16进制格式进行存放的,该文件必须提供并包含一个有效序列号
CA 密钥和自签名证书
生成ca私钥
# openssl genrsa -out certs/CA/ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................................++++
...............................................................++++
e is 65537 (0x010001)
为 CA 生成自签名证书
# openssl req -config openssl.conf -new -x509 -days 3650 -sha256 -key certs/CA/ca.key -extensions v3_ca -out certs/CA/ca.crt -subj /CN=ca
server 密钥和自签名证书
生成server私钥
# openssl genrsa -out certs/server/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
.......................................................+++++
e is 65537 (0x010001)
生成CSR
# openssl req -config openssl.conf -new -sha256 -key certs/server/server.key -out certs/server/server.csr -subj /CN=server
生成自签名证书
# openssl ca -batch -config openssl.conf -extensions server_cert -days 3650 -notext -md sha256 -in certs/server/server.csr -out certs/server/server.crt -cert certs/CA/ca.crt -keyfile certs/CA/ca.key
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Aug 19 06:54:04 2022 GMT
Not After : Aug 16 06:54:04 2032 GMT
Subject:
commonName = server
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
39:04:CA:53:46:83:AB:F9:E9:0C:D6:57:71:FE:E6:CB:8B:FE:77:11
X509v3 Authority Key Identifier:
keyid:41:F5:D6:5E:6F:3B:82:CA:26:13:AF:A2:77:D2:97:7F:36:4D:BA:3B
DirName:/CN=ca
serial:07:E0:03:25:ED:75:03:DF:86:E4:E4:FE:75:8D:8D:68:22:4D:6E:12
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Aug 16 06:54:04 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
client 密钥和自签名证书
生成client私钥
# openssl genrsa -out certs/client/client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
....+++++
e is 65537 (0x010001)
生成CSR
# openssl req -config openssl.conf -new -sha256 -key certs/client/client.key -out certs/client/client.csr -subj /CN=server
生成自签名证书
# openssl ca -batch -config openssl.conf -extensions client_cert -days 3650 -notext -md sha256 -in certs/client/client.csr -out certs/client/client.crt -cert certs/CA/ca.crt -keyfile certs/CA/ca.key
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4097 (0x1001)
Validity
Not Before: Aug 19 07:00:34 2022 GMT
Not After : Aug 16 07:00:34 2032 GMT
Subject:
commonName = server
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client
Netscape Comment:
OpenSSL Generated Client Certificate
X509v3 Subject Key Identifier:
14:BA:0F:CA:5E:EF:B8:38:13:90:71:A9:26:50:26:A4:34:1F:8A:47
X509v3 Authority Key Identifier:
keyid:41:F5:D6:5E:6F:3B:82:CA:26:13:AF:A2:77:D2:97:7F:36:4D:BA:3B
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Aug 16 07:00:34 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
示例
生成CA根证书
1.生成私钥ca.key
openssl genrsa -out ca.key 2048
2.生成csr请求文件
openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=My Organization/OU=My Unit/CN=example.com"
3.生成ca根证书 ca.crt
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
用自签根证书ca.crt给签发server
1.生成私钥
openssl genrsa -out server.key 1024
2.生成证书请求
openssl req -new -key server.key -out server.csr
3.用CA根证书签名得到证书
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
用自签根证书ca.crt给签发client证书
1.生成私钥
openssl genrsa -out client.key 1024
2.生成证书请求
openssl req -new -key client.key -out client.csr
3.用CA根证书签名得到证书
openssl ca -in client.csr -out clientr.crt -cert ca.crt -keyfile ca.key
示例二
支持多域名多IP
#!/bin/bash
# 生成私钥
openssl genrsa -out private.key 2048
# 创建 OpenSSL 配置文件
cat <<EOF > openssl.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = My Organization
OU = My Unit
CN = *.example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
EOF
# 生成 CSR
openssl req -new -key private.key -out request.csr -config openssl.conf
# 生成自签名证书
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt -extensions v3_req -extfile openssl.conf
# 清理 CSR 文件(可选)
rm request.csr
echo "自签名证书生成成功: certificate.crt"
