Steps for generating SSL certificates with openssl on Linux
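1. Concepts
First you need a CA root certificate; the CA root certificate is then used to sign user certificates.
To apply for a certificate, a user normally generates a private key first, then uses the private key to create a certificate request (the request should contain the public key information), and finally has the certificate signed with the certificate server's CA root certificate.
2. File extensions explained
.key: private key
.csr: certificate signing request (the certificate request file), contains the public key information; short for "certificate signing request"
.crt: certificate file; short for "certificate"
.crl: certificate revocation list; short for "Certificate Revocation List"
.pem: the format used when exporting and importing certificates; the content is enclosed in certificate begin and end marker lines
3. Add the index.txt and serial files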
cd /etc/pki/CA/
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 01 > /etc/pki/CA/serial
4. Generating the CA root certificate
4.1 Generate the CA private key (.key)
openssl genrsa -out ca.key 2048
[root@CA]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
.....+++
e is 65537 (0x10001)
4.2 Generate the CA certificate request (.csr)
openssl req -new -key ca.key -out ca.csr
[root@CA]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:OR
Locality Name (eg, city) [Default City]:OR
Organization Name (eg, company) [Default Company Ltd]:LXOR
Organizational Unit Name (eg, section) []:LXORAQ
Common Name (eg, your name or your server's hostname) []:
Email Address []:eg@
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:demon2234
An optional company name []:OR
4.3 Self-sign to obtain the root certificate (.crt) (the certificate the CA issues to itself)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
[root@CA]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=US/ST=OR/L=OR/O=LXOR/OU=LXORAQ/CN=/emailAddress=eg@
Getting Private key
5. Generating the user certificate
5.1 Generate the private key (.key)
openssl genrsa -des3 -out server.key 1024
[root@CA]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
5.2 Generate the certificate request (.csr)
openssl req -new -key server.key -out server.csr
[root@CA]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
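
The flow from sections 4 and 5, together with the CA-signing step described in section 1, as an added non-interactive example that is not part of the original page. It assumes a scratch directory, constructed names such as www.example.test, and unencrypted 2048-bit RSA keys for both the CA and the server (the 1024-bit size in 5.1 is below what current guidance and browsers accept). It signs with openssl x509 -req -CA instead of openssl ca, so the /etc/pki/CA files from section 3 are not needed, and it checks the result with openssl verify.

```shell
#!/bin/sh
# Added example (not from the original page); subjects, host name and file names are constructed.
set -eu

# issue_chain DIR: create a root CA and a CA-signed server certificate in DIR.
issue_chain() (
    umask 077    # keys are written unencrypted, so keep them owner-only
    mkdir -p "$1" && cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -config pki.cnf -extensions v3_ca -key ca.key \
        -subj "/CN=Example Test Root CA" -days 365 -sha256 -out ca.crt &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -config pki.cnf -key server.key \
        -subj "/CN=www.example.test" -sha256 -out server.csr &&
    # The CA signs the request; extensions are taken from pki.cnf.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions v3_srv -out server.crt &&
    # Control case: same key and subject, but self-signed rather than CA-signed.
    openssl req -new -x509 -config pki.cnf -key server.key \
        -subj "/CN=www.example.test" -days 365 -out rogue.crt
)

# verify_issued DIR CERT: succeeds only if CERT chains to DIR/ca.crt.
verify_issued() { openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1; }
# key_matches_cert DIR: succeeds if server.crt carries server.key's public key.
key_matches_cert() (
    pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl pkey -in "$1/server.key" -pubout)" ]
)

d=$(mktemp -d)
issue_chain "$d"
verify_issued "$d" server.crt && echo "server.crt: chains to ca.crt"
verify_issued "$d" rogue.crt || echo "rogue.crt: rejected, not signed by the CA"
key_matches_cert "$d" && echo "server.crt matches server.key"
```

The files are left in the temporary directory printed by `echo "$d"` if you add it, so the certificates can be inspected with openssl x509 -noout -text.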