Getting comfortable with OpenSSL certificate commands: notes

2. Create a directory on my machine, open a terminal and change into it:

    cd /Users/dhbm/Desktop/ssl/sign20180729

3. Generate a self-signed certificate

1) Generate a key (my private key):

    openssl genrsa -des3 -out selfsign.key 4096

Result (passphrase entered when prompted: 123456):

    Generating RSA private key, 4096 bit long modulus
    ...........++
    ...........................++
    e is 65537 (0x10001)
    Enter pass phrase for selfsign.key:
    Verifying - Enter pass phrase for selfsign.key:

*** A file should now have been created: selfsign.key

    ls
    selfsign.key

2) Use my private key (the key generated above) to create a certificate signing request (CSR):

    openssl req -new -key selfsign.key -out selfsign.csr

Result (the first attempt fails with "bad decrypt", which is what OpenSSL reports when the passphrase is wrong, so the command was run a second time):

    Enter pass phrase for selfsign.key:
    unable to load Private Key
    140735584793480:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:
    140735584793480:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

    Enter pass phrase for selfsign.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
    Organizational Unit Name (eg, section) []:dhbm.cn
    Common Name (e.g. server FQDN or YOUR name) []:wzh
    Email Address []:13501062476@139.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:dhbm.cn

*** Another file should now have been created: selfsign.csr

    ls
    selfsign.csr selfsign.key

3) Use the certificate request file above (selfsign.csr) to generate the self-signed certificate:

    openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

Result:

    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh/emailAddress=13501062476@139.com
    Getting Private key
    Enter pass phrase for selfsign.key:

*** Another file should now have been created: selfsign.crt

    ls
    selfsign.crt selfsign.csr selfsign.key

4. Create my own CA (Certificate Authority)

1) Generate the CA's key. This step is the same as for the certificate above: it is also a private key, here named ca.key.

    openssl genrsa -des3 -out ca.key 4096

Result:

    Generating RSA private key, 4096 bit long modulus
    ..................................................................................................++
    .....................................++
    e is 65537 (0x10001)
    Enter pass phrase for ca.key:
    Verifying - Enter pass phrase for ca.key:

*** Another file should now have been created: ca.key

    ls
    ca.key selfsign.crt selfsign.csr selfsign.key

2) Generate the CA's certificate request and certificate (the two steps are merged into one here):

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Result:

    Enter pass phrase for ca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
    Organizational Unit Name (eg, section) []:dhbm.cn
    Common Name (e.g. server FQDN or YOUR name) []:wzh
    Email Address []:13501062476@139.com

*** This time 1 file should have been created: ca.crt (no ca.csr? With -x509, req writes a self-signed certificate directly instead of a request, so no request file is produced.)

    ls
    ca.crt ca.key selfsign.crt selfsign.csr selfsign.key

5. Generate the server certificate, issued by the CA created above

1) The first 2 steps are the same as above: generate a private key (key) and a certificate request (csr).

Generate the private key:

    openssl genrsa -des3 -out myserver.key 4096

Result:

    Generating RSA private key, 4096 bit long modulus
    ...................................................................++
    ...............................................................................................................................................++
    e is 65537 (0x10001)
    Enter pass phrase for myserver.key:
    Verifying - Enter pass phrase for myserver.key:

Generate the certificate request:

    openssl req -new -key myserver.key -out myserver.csr

Result:

    Enter pass phrase for myserver.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
    Organizational Unit Name (eg, section) []:dhbm.cn
    Common Name (e.g. server FQDN or YOUR name) []:wzh server
    Email Address []:13501062476@139.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:dhbm.cn

The next step differs from the earlier ones: the CA is brought in as the trusted intermediary, which marks this certificate as approved and issued by the CA.

    openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

Result:

    Signature ok
    subject=/C=cn/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh server/emailAddress=13501062476@139.com
    Getting CA Private Key
    Enter pass phrase for ca.key:

*** At this point 3 more files have been created: myserver.key, myserver.csr and myserver.crt

    ls
    ca.crt  myserver.crt  myserver.key  selfsign.csr
    ca.key  myserver.csr  selfsign.crt  selfsign.key

6. Inspect my certificate files (myserver)

1) View my private key:
    openssl rsa -noout -text -in myserver.key

Result:

    Enter pass phrase for myserver.key:
    Private-Key: (4096 bit)
    modulus:
        00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
        0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29
    ...

2) View my certificate request:

    openssl req -noout -text -in myserver.csr

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
                        0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:
                        ...
            Attributes:
                challengePassword        :123456
                unstructuredName         :dhbm.cn
        Signature Algorithm: sha256WithRSAEncryption
             00:6f:04:6c:30:93:88:34:ee:43:f2:ce:2b:d0:3e:11:20:46:
             ...

3) View my certificate:

    openssl x509 -noout -text -in myserver.crt

        Data:
            Version: 1 (0x0)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh/emailAddress=13501062476@139.com
            Validity
                Not Before: Jul 29 09:02:55 2018 GMT
                Not After : Jul 29 09:02:55 2019 GMT
            Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:
                        0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:
                        ...

4) Verify my certificate:

    openssl verify -CAfile ca.crt myserver.crt
    myserver.crt: OK

7. That completes the 3 steps: a self-signed certificate, a CA certificate, and a myserver certificate issued by the CA. Open question: which of these is used by the server, and which by the client?
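The chain of trust that steps 3 to 6 build with openssl, replayed with Go's standard library as an added example (not code from the post), so the relationships are visible: the CA checks the CSR's signature, copies its subject and public key into a certificate signed with ca.key, and the equivalent of "openssl verify -CAfile ca.crt" succeeds for myserver.crt but not for selfsign.crt. The names Build, VerifiedBy, newCert and check are this example's own; it uses 2048-bit keys instead of the post's 4096 and adds the basic-constraints and key-usage extensions that the post's Version 1 certificates lack.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// check keeps the example short: any failure in key generation, signing or parsing aborts the run.
func check(err error) { if err != nil { panic(err) } }
// newCert signs tmpl with signer on behalf of parent; parent == tmpl is the self-signed case.
func newCert(tmpl, parent *x509.Certificate, pub interface{}, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer); check(err)
	cert, err := x509.ParseCertificate(der); check(err)
	return cert
}
// VerifiedBy is "openssl verify -CAfile ca.crt cert.crt": chain cert to a root, trusting only ca.
func VerifiedBy(cert, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
// Build replays steps 3 to 5 of the post in memory and returns ca.crt, myserver.crt and
// selfsign.crt. 2048-bit keys stand in for the post's 4096 to keep the run short.
func Build() (ca, server, selfSigned *x509.Certificate) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048); check(err)
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048); check(err)
	now := time.Now(); year := now.Add(365 * 24 * time.Hour) // -days 365
	// Step 4: "openssl req -new -x509 -key ca.key": request and self-signed CA certificate in one go.
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: year,
		Subject: pkix.Name{Country: []string{"CN"}, Organization: []string{"dhbm.cn"}, CommonName: "wzh"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Step 5: CSR for myserver.key; the CA checks the CSR's own signature, proof that the requester holds the key.
	subj := pkix.Name{Country: []string{"cn"}, Organization: []string{"dhbm.cn"}, CommonName: "wzh server"}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, srvKey); check(err)
	csr, err := x509.ParseCertificateRequest(csrDER); check(err)
	check(csr.CheckSignature())
	// "openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 01": subject and key come from the CSR, the signature from ca.key.
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: csr.Subject, NotBefore: now, NotAfter: year,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server = newCert(srvTmpl, ca, csr.PublicKey, caKey)
	// Step 3: "openssl x509 -req -signkey selfsign.key": same template, signed with its own key, so it does not chain to ca.
	selfSigned = newCert(srvTmpl, srvTmpl, &srvKey.PublicKey, srvKey)
	return ca, server, selfSigned
}
```

The post's final question falls out of the Issuer fields: myserver.crt names the CA as its issuer and is what a server presents, while ca.crt is what a client must trust for VerifiedBy to succeed.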