Generating a self-signed certificate with openssl

This article walks through building your own SSL certificate authority with the openssl tool: creating the directory, writing the openssl.cnf file, generating the CA key pair, producing a CSR, and issuing the final certificate.

1. Create a ca directory
    mkdir ca
   
2. Create an openssl.cnf file with the following content:

dir = .

[ req ]
default_bits = 1024 # Size of keys (1024-bit RSA is weak today; 2048 or more is the usual minimum)
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm (MD5 is broken for signatures; sha256 is the usual choice)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = EB Company
localityName_default = Shen Zhen
stateOrProvinceName_default = Guan Dong
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash


[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5 # digest used when signing issued certificates (same caveat as above: prefer sha256)
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

3. Create an empty index.txt file
    touch index.txt
   
4. Create a file named serial and put a number in it. It is used as the serial number
  of the next certificate issued; later certificates count up from that number.
    echo 01 > serial

5. Generate the CA key pair
    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
  This produces
    1. private/cakey.pem    CA private key
    2. cacert.pem            CA public key, i.e. the CA certificate; shared by server and client.

6. Generate a Certificate Signing Request (CSR).
    openssl req -new -nodes -out req.pem -config ./openssl.cnf
  This produces
      1. key.pem                private key
      2. req.pem                public key (the request), used to produce the certificate

7. Generate the certificate, i.e. sign req.pem with the CA private key
    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
  Strip the human-readable part
    mv cert.pem tmp.pem
    openssl x509 -in tmp.pem -out cert.pem
  This produces
      1. cert.pem                the final end-entity (user) certificate

8. Collect the certificate files
    1. Server-side key files:
        server.pem (cat key.pem cert.pem > server.pem)
        cacert.pem
    2. Client-side certificate file:
        cacert.pem

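The whole procedure (steps 1 to 8) as one non-interactive script, added here as an example; it is not the original post's code. It assumes openssl is on PATH; the CA directory, the DN values and the hostname passed as the second argument are constructed placeholders. It deliberately departs from the post's openssl.cnf in a few places: sha256 instead of md5, 2048-bit instead of 1024-bit keys, keyUsage and a subjectAltName on the leaf certificate (modern clients match the hostname against the SAN, not the commonName), and it creates the private/ and newcerts/ directories that the post's config references but the steps never create (openssl ca refuses to issue without newcerts/). -subj, -nodes and -batch replace the interactive prompts so the run can be scripted and checked.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-8 end to end,
# non-interactive, in a directory of your choosing.
# Assumptions (constructed): openssl on PATH, the DN values below, and the
# hostname given as the second argument to build_ca.
set -eu

SUBJ_BASE="/C=CN/ST=Guan Dong/L=Shen Zhen/O=EB Company"

# Step 2: write openssl.cnf. $1 is the hostname placed in the leaf SAN.
write_cnf() {
  cat > openssl.cnf <<EOF
dir = .

[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
0.organizationName = Organization Name (company)
commonName = Common Name (hostname, IP, or your name)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:$1

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
}

# Steps 1-8. $1 = CA directory, $2 = server hostname for the leaf cert.
build_ca() {
  mkdir -p "$1/private" "$1/newcerts"   # openssl ca needs newcerts/ to exist
  chmod 700 "$1/private"
  (
    cd "$1"
    write_cnf "$2"
    touch index.txt                     # step 3: empty certificate database
    echo 01 > serial                    # step 4: first serial number
    # Step 5: CA key + self-signed CA cert (-subj/-nodes skip the prompts)
    openssl req -new -x509 -nodes -extensions v3_ca -config ./openssl.cnf \
      -subj "$SUBJ_BASE/CN=EB Test CA" -keyout private/cakey.pem \
      -out cacert.pem -days 3650 2>/dev/null
    chmod 600 private/cakey.pem
    # Step 6: server key + CSR; C/ST/O must equal the CA's (policy_match)
    openssl req -new -nodes -config ./openssl.cnf -subj "$SUBJ_BASE/CN=$2" \
      -keyout key.pem -out req.pem 2>/dev/null
    # Step 7: sign with the CA key; -batch answers the sign/commit prompts
    openssl ca -batch -config ./openssl.cnf -extensions v3_req \
      -out cert.pem -infiles req.pem 2>/dev/null
    mv cert.pem tmp.pem
    openssl x509 -in tmp.pem -out cert.pem   # drop the text dump, keep PEM
    rm tmp.pem
    cat key.pem cert.pem > server.pem        # step 8: server bundle
  )
}

# What a client holding cacert.pem does: check the leaf chains to the CA.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$1/cert.pem" >/dev/null 2>&1
}
```

Run it as `build_ca ./ca www.example.test` and then `verify_chain ./ca`; after one issuance, index.txt holds one "V" (valid) row, newcerts/01.pem is the CA's copy of the certificate, and serial has advanced to 02.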
Reposted from: https://www.cnblogs.com/linxr/archive/2011/10/17/2215303.html