How to create a self-signed SSL Certificate

最新推荐文章于 2024-08-15 09:29:28 发布
原创 最新推荐文章于 2024-08-15 09:29:28 发布 · 480 阅读 · 0 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#ssl #网络协议 #网络 #trino

本文简述了如何使用openssl生成RSA密钥、CSR,移除密钥密码,创建自签名证书,并配置Apache以启用SSL。重点讲解了PKI原理和证书在加密通信中的作用。

文章目录

Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server’s private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for “Common Name (e.g., YOUR name)”. It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

The newly created server.key file has no more passphrase in it.

-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don’t plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

Step 6: Configuring SSL Enabled Virtual Hosts

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Step 7: Restart Apache and Test

/etc/init.d/httpd stop
/etc/init.d/httpd stop

https://public.akadia.com

other

生成pem文件

openssl genrsa -des3 -out server.key 1024

 openssl req -x509 -new -nodes -key server.key -sha256 -days 1024 -out server.pem

配置trino时还需要把server.key内容追加到server.pem尾

参考:https://www.akadia.com/services/ssh_test_certificate.html

How to reset LCL SS了certificate.doc
07-18
接下来,文档提供了两种选项:“Create a new self-signed certificate”和“Import an existing .pfx or .p12 certificate file”。选择重新生成自签名证书,是当您没有现有的证书文件时的一种选择。而导入一个现有...
创建 Android 上使用的自签名证书(Creating self-signed certificates for use on Android)
太阳火神的美丽人生
11-08 2391
创建 Android 上使用的自签名证书(Creating self-signed certificates for use on Android)
create a self-signed certificate
faith66667的博客
02-25 833
);part!wrong;3。
Create a self-signed SSL Certificate with OpenSSL
Kungreye
10-03 599
Creating a self-signed certificate with OpenSSL by Mike Solomon OpenSSL comes installed with Mac OS X (but see below), as well as many Linux and Unix distributions. Creating a certificate with it is v...
Using self-signed certificates
chan70707的专栏
10-10 469
Using self-signed certificates Upload your certificate using the certificate parameter in the setWebhook method. The certificate supplied should be PEM encoded (ASCII BASE64), the pem file should onl...
OPENAI - AZURE SSL error certification verification error
suiusoar
08-15 1087
OPENAI - AZURE SSL 错误:证书验证错误
NetApp续订自签名SSL证书及注意事项
RaySun的技术Blog
05-25 1269
主要会涉及到与第三方监控系统的对接,以下的话就是比较常见的问题,证书过期导致Unified Manager中无法正常加入,这时就涉及到需要对证书进行续订。
[root@master ~]# openssl x509 -noout -ext subjectAltName -in /etc/kubernetes/pki/apiserver.crt unknown option -ext usage: x509 args -inform arg - input format - default PEM (one of DER, NET or PEM) -outform arg - output format - default PEM (one of DER, NET or PEM) -keyform arg - private key format - default PEM -CAform arg - CA format - default PEM -CAkeyform arg - CA key format - default PEM -in arg - input file - default stdin -out arg - output file - default stdout -passin arg - private key password source -serial - print serial number value -subject_hash - print subject hash value -subject_hash_old - print old-style (MD5) subject hash value -issuer_hash - print issuer hash value -issuer_hash_old - print old-style (MD5) issuer hash value -hash - synonym for -subject_hash -subject - print subject DN -issuer - print issuer DN -email - print email address(es) -startdate - notBefore field -enddate - notAfter field -purpose - print out certificate purposes -dates - both Before and After dates -modulus - print the RSA key modulus -pubkey - output the public key -fingerprint - print the certificate fingerprint -alias - output certificate alias -noout - no certificate output -ocspid - print OCSP hash values for the subject name and public key -ocsp_uri - print OCSP Responder URL(s) -trustout - output a "trusted" certificate -clrtrust - clear all trusted purposes -clrreject - clear all rejected purposes -addtrust arg - trust certificate for a given purpose -addreject arg - reject certificate for a given purpose -setalias arg - set certificate alias -days arg - How long till expiry of a signed certificate - def 30 days -checkend arg - check whether the cert expires in the next arg seconds exit 1 if so, 0 if not -signkey arg - self sign cert with arg -x509toreq - output a certification request object -req - input is a certificate request, sign and output. -CA arg - set the CA certificate, must be PEM format. -CAkey arg - set the CA key, must be PEM format missing, it is assumed to be in the CA file. -CAcreateserial - create serial number file if it does not exist -CAserial arg - serial file -set_serial - serial number to use -text - print the certificate in text form -C - print out C code forms -<dgst> - digest to use, see openssl dgst -h output for list -extfile - configuration file with X509V3 extensions to add -extensions - section from config file with X509V3 extensions to add -clrext - delete extensions before signing and input certificate -nameopt arg - various certificate name options -engine e - use engine e, possibly a hardware device. -certopt arg - various certificate text options -checkhost host - check certificate matches "host" -checkemail email - check certificate matches "email" -checkip ipaddr - check certificate matches "ipaddr" [root@master ~]# 为什么还是出问题,你行不行,真的累了,做三天了,报错,给我都气哭了
最新发布
11-10
kubectl config view --raw -o jsonpath='{.users[0].user.client-certificate-data}' | \ base64 -d | openssl x509 -text | grep "X509v3" ``` ### 操作验证 ```mermaid graph TD A[开始] --> B{检查OpenSSL...
SSL/TLS Configuration How-To 是一组指南,它详细说明了如何配置服务器以支持安全套接层(SSL)/传输层安全性(TLS)协议
BLOG域名:programb.blog.youkuaiyun.com
04-24 1744
SSL/TLS Configuration How-To 是一组指南,它详细说明了如何配置服务器以支持安全套接层(SSL)/传输层安全性(TLS)协议。如果你正在使用APR(Apache Portable Runtime)或JSSE(Java Secure Socket Extension)的OpenSSL实现,你可以配置替代引擎来增强或替换默认的SSL功能。其中一个关键点在于访问SSL会话ID,这有助于跟踪客户端与服务器之间的连接状态。
转:创建自签名证书(How to Create a Self Signed Certificate in IIS 7)
weixin_34233856的博客
03-19 364
转:https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html SSL is an essential part of securing your IIS 7.0 site and creating a self-signed certificate in IIS 7 is ...
如何生成ssl自签名证书
weixin_30407099的博客
07-07 384
Overview The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process. Normal web traffic is sent unencrypted over the Inter...
搭建加密自签名网站
weixin_64311421的博客
05-12 282
自签名加密网站
https网址生成自签名证书
qq_31500143的博客
08-25 480
5.根据根证书私钥及根证书-CA CA-certificate.crt -CAkey CA-private.key、自签名证书申请文件 -in private.csr、自签名证书扩展文件 -extfile private.ext,生成自签名证书 -out private.crt。7.把该证书CA-certificate.crt安装到受信任的根证书颁发机构下,即可从谷歌浏览器正常访问https的对应网址且不会报不安全警告。3.根据自签名证书私钥生成自签名证书申请文件 -out private.csr。
如何搭建自签名证书的https网站
qq_57146982的博客
01-08 1951
ssl协议介绍,搭建https网站
ssl证书自动生成脚本_使用ssl-on-demand脚本管理SSL证书
cumo3681的博客
07-15 1101
ssl证书自动生成脚本竞争对手松懈 。 那样令人尴尬,将来肯定会发生在其他人身上。 在现代网络上,过期的证书可能会给网站造成严重的问题,从无法连接到网站的不满意用户到恶意利用更新证书失败行为的安全威胁。 按需Ssl是一组SSL脚本,可帮助网站所有者管理证书。 它用于按需证书生成和验证,并且可以创建证书签名请求( CSR )并预测现有证书的到期时间。 自动执行SSL到期检查 USAG...
使用 OpenSSL 创建ssl自签名证书
weixin_50218044的博客
03-30 9268
最近工作中需要创建私有化的ssl签名证书,以前使用的都是申请的免费的,没有了解过这方面的信息,经过查阅各种资料,加上数次测试,终于搞定了,一起来看看吧 什么是签名证书 自签名证书是未经公共或私有证书颁发机构签名的 SSL/TSL 证书。相反,它由创建者自己的个人或根 CA 证书签名。 这里借用一下大哥uncle的巨作,一篇文章了解数字证书 为了一个HTTPS,浏览器操碎了心 申请付费ssl证书流程 使用私钥创建证书签名请求 (CSR) 。CSR 包含有关位置、组织和 FQDN(完全限..
【https】Self-Signed SSL证书创建和使用
dualvencsdn的博客
07-15 5636
一般可用于个人测试使用和非域名https访问,通常CA机构不支持颁发IP证书,只有个别OV机构支持公网IP证书,但只能用于大型机构组织的网站。Whentheserver.keyserver.csrfiles.Theserver.crtserver.key其中server.key为服务端私钥文件,用于后续传输加解密。server.crt为签好名的证书文件,其中包含了服务描述信息和公钥,用于发往客户端进行合法验证,公钥用于后续传输加解密。以最新版本nginx启用ssl配置为例3.重载nginx配置信息。....
Mbedtls how to generate a Certificate Request (CSR)
天使之翼
02-05 2392
mbedtls how to generate a Certificate Request (CSR) The link of suggestion how to use mbedtls x509/cert_req to generate a Certificate Request: https://tls.mbed.org/kb/how-to/generate-a-certificate-req...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

大怀特

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值