生成服务端证书与客户端证书
1. 生成根证书
根证书(Root Certificate)是属于根证书颁发机构(CA)的公钥证书。用来验证它所签发的证书(服务端、客户端)
(1)打开openssl
执行openssl
(2)生成根证书私钥文件
执行 genrsa -out ca.key 2048,生成ca.key私钥文件
(3)生成根证书公钥文件
执行 req -new -x509 -days 3650 -key ca.key -out ca.pem ,生成ca.pem公钥文件
注:此步骤生成时Common Name填写localhost
以上执行命令如下所示:
#(1)打开openssl
E:\Program Files\OpenSSL-Win64\bin>openssl
#(2)生成根证书私钥文件
OpenSSL> genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
......................................................................................+++++
e is 65537 (0x010001)
#(3)生成根证书公钥文件
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:2. 生成服务端证书
(1)生成服务端私钥文件
执行 genrsa -out server.key 2048 ,生成server.key私钥文件
(2)请求创建服务端证书
执行 req -new -key server.key -out server.csr ,生成server.csr证书文件
若出现以下错误,打开一个新窗囗再执行命令 注:此步骤生成时Common Name填写localhost
(3)生成服务端公钥文件
执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem ,根据server.csr签发生成server.pem公钥文件
以上执行命令如下所示:
E:\Program Files\OpenSSL-Win64\bin>openssl
#(1)生成服务端私钥文件
OpenSSL> genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
.............+++++
e is 65537 (0x010001)
#(2)请求创建服务端证书
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#(3)生成服务端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key3. 生成客户端证书
(1)生成客户端私钥文件
执行 ecparam -genkey -name secp384r1 -out client.key ,生成client.key私钥文件
(2)请求创建客户端证书
执行 req -new -key client.key -out client.csr ,生成client.csr证书文件
注:此步骤生成时Common Name填写localhost
(3)生成客户端公钥文件
执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem,根据client.csr签发生成client.pem公钥文件
以上执行命令如下所示:
E:\Program Files\OpenSSL-Win64\bin>openssl
#(1)生成客户端私钥文件
OpenSSL> ecparam -genkey -name secp384r1 -out client.key
#(2)请求创建客户端证书
OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#(3)生成客户端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key参考视频: