OpenSSL commands for issuing certificates
Original
© Copyright belongs to the author: an original work by 51CTO blog author mb636d9e4ce84d1. Contact the author for permission to republish; otherwise legal action may be taken.
Contents
- Generate a private key to serve as the root certificate's key
- Generate the CSR file
- Generate the CA certificate
- Issue server/client certificates
- Certificate format conversion
- View certificate contents
- Convert a JKS keystore to PEM
- Decrypt an encrypted private key
- Verify that a certificate and private key match
Generate a private key to serve as the root certificate's key
genrsa without a cipher option (such as -aes256) writes the key unencrypted. This key can sign certificates that every client trusting ca.pem will accept, so restrict its permissions (chmod 600) and keep it off the servers that merely use the issued certificates.
[root@localhost certs]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...................+++
e is 65537 (0x10001)
[root@localhost certs]# ll
total 12
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem
-rw-r--r--. 1 root root 1675 Apr 17 22:36 ca.key
Generate the CSR file
[root@localhost certs]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:pcitc
Organizational Unit Name (eg, section) []:pcitc
Common Name (eg, your name or your server's hostname) []:192.168.195.10
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ll
total 16
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem
-rw-r--r--. 1 root root 993 Apr 17 22:42 ca.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:36 ca.key
Generate the CA certificate
Because no -extfile is passed, x509 -req -signkey produces an X.509 v1 certificate with no extensions, so ca.pem lacks basicConstraints CA:TRUE. OpenSSL accepts it as a trust anchor, but stricter validators reject CA certificates without that extension; generating the self-signed certificate with openssl req -x509 -new -key ca.key -days 3650 -out ca.pem together with an extensions section that sets basicConstraints = CA:TRUE avoids the problem.
[root@localhost certs]# openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.pem
Signature ok
subject=/C=cn/ST=bj/L=bj/O=pcitc/OU=pcitc/CN=192.168.195.10
Getting Private key
[root@localhost certs]# ll
total 20
-rw-r--r--. 1 root root 993 Apr 17 22:42 ca.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:36 ca.key
-rw-r--r--. 1 root root 1184 Apr 17 22:44 ca.pem
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem
Issue server/client certificates
Repeat the steps above to generate the server/client key and CSR file
[root@localhost certs]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.....................................+++
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:pcitc
Organizational Unit Name (eg, section) []:pictc
Common Name (eg, your name or your server's hostname) []:192.168.195.10
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ll
total 28
-rw-r--r--. 1 root root 993 Apr 17 22:42 ca.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:36 ca.key
-rw-r--r--. 1 root root 1184 Apr 17 22:44 ca.pem
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem
-rw-r--r--. 1 root root 993 Apr 17 22:47 server.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:46 server.key
Sign the server/client certificate with the CA
[root@localhost certs]# openssl ca -in server.csr -cert ca.pem -keyfile ca.key -out server.pem
......
[root@localhost certs]# ll
total 36
-rw-r--r--. 1 root root 993 Apr 17 22:42 ca.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:36 ca.key
-rw-r--r--. 1 root root 1184 Apr 17 22:44 ca.pem
-rw-r--r--. 1 root root 1261 Apr 17 21:03 cert.pem
-rw-r--r--. 1 root root 1704 Apr 17 21:03 key.pem
-rw-r--r--. 1 root root 993 Apr 17 22:47 server.csr
-rw-r--r--. 1 root root 1675 Apr 17 22:46 server.key
-rw-r--r--. 1 root root 4597 Apr 17 22:59 server.pem
If you get an error that /etc/pki/CA/index.txt does not exist, run: touch /etc/pki/CA/index.txt
If you get an error that /etc/pki/CA/serial does not exist, run: echo 00 > /etc/pki/CA/serial
Two caveats about these defaults. A serial file starting at 00 makes the first certificate's serial number 0 (as in the dump below), but RFC 5280 requires serial numbers to be positive integers, so start at 01 (or use -rand_serial on OpenSSL 1.1.1 and later) for anything a real client will validate. Also, openssl ca applies the policy_match section of /etc/pki/tls/openssl.cnf, which copies only the DN fields it lists (C, ST and O must match the CA, OU and emailAddress are optional, CN is supplied); localityName is not listed, so the L=bj you typed is silently dropped, which is why it is missing from the issued Subject below.
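The whole procedure above (CA key, self-signed CA certificate, server key and CSR, signing with openssl ca) as one runnable script. This is an added example and not the original author's commands: it uses a private working directory with its own minimal openssl.cnf instead of /etc/pki/CA, gives the CA certificate the basicConstraints CA:TRUE extension that x509 -req -signkey omits, puts the IP into a subjectAltName (browsers no longer accept a CN-only certificate), and uses a policy section that keeps every DN field the CSR supplies. The working directory, the DN values, the section names and the IP 192.168.195.10 are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): a self-contained mini-CA that
# reproduces the page's procedure without touching /etc/pki/CA.
# Paths, DN values, section names and the IP address are assumptions.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"   # assumed working directory

make_ca() {
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"         # empty database (the page's touch index.txt)
  echo 01 > "$CADIR/serial"      # RFC 5280: serials must be positive, so 01 not 00

  # Minimal config for 'openssl ca' and 'openssl req'. policy_loose keeps every
  # DN field the CSR supplies (the stock policy_match silently drops L=).
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = mini_ca

[ mini_ca ]
dir             = $CADIR
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.pem
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_loose
copy_extensions = copy
x509_extensions = server_ext

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C  = CN
ST = bj
O  = pcitc
CN = mini-ca

[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

  openssl genrsa -out "$CADIR/ca.key" 2048 2>/dev/null
  chmod 600 "$CADIR/ca.key"
  # Self-signed CA certificate in one step, with the CA extensions applied
  openssl req -x509 -new -key "$CADIR/ca.key" -days 3650 \
    -config "$CADIR/openssl.cnf" -extensions ca_ext -out "$CADIR/ca.pem"
}

# issue_server <ip>: key + CSR with an IP subjectAltName, signed by the mini-CA
issue_server() {
  ip="$1"
  openssl genrsa -out "$CADIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$CADIR/server.key" -config "$CADIR/openssl.cnf" \
    -subj "/C=CN/ST=bj/L=bj/O=pcitc/CN=$ip" -addext "subjectAltName=IP:$ip" \
    -out "$CADIR/server.csr"
  openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
    -in "$CADIR/server.csr" -out "$CADIR/server.pem"
}

# verify_issued <ip>: 0 only if server.pem chains to ca.pem, ca.pem is a real
# CA, and the SAN carries the expected IP
verify_issued() {
  openssl verify -CAfile "$CADIR/ca.pem" "$CADIR/server.pem" >/dev/null &&
    openssl x509 -in "$CADIR/ca.pem" -noout -ext basicConstraints | grep -q 'CA:TRUE' &&
    openssl x509 -in "$CADIR/server.pem" -noout -ext subjectAltName | grep -q "IP Address:$1"
}

make_ca
issue_server 192.168.195.10
if verify_issued 192.168.195.10; then echo "server.pem verifies against ca.pem and carries the IP SAN"; fi
openssl x509 -in "$CADIR/server.pem" -noout -subject -issuer -serial
```

The index.txt and serial files live next to the config, so the "does not exist" errors above cannot occur, and the issued Subject keeps L=bj because the policy lists localityName as optional rather than omitting it.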
Certificate format conversion
openssl x509 -in example_cert.pem -out cert.der -outform DER
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
Convert a certificate to PKCS#12 format
openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
openssl pkcs12 -export -clcerts -in client.pem -inkey client.key -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
-clcerts writes only the end-entity certificate; add -certfile ca.pem when the consumer (a browser, a Java keystore) needs the issuing chain inside the .p12 as well.
View certificate contents
openssl x509 -text -in example_cert.pem -noout
openssl req -in example_csr.pem -noout -text
[root@localhost certs]# openssl x509 -text -in server.pem -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, ST=bj, L=bj, O=pcitc, OU=pcitc, CN=192.168.195.10
Validity
Not Before: Apr 17 14:59:30 2022 GMT
Not After : Apr 17 14:59:30 2023 GMT
Subject: C=cn, ST=bj, O=pcitc, OU=pictc, CN=192.168.195.10
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Convert a JKS keystore to PEM
JKS is Java's keystore format; converting it requires Java's keytool. The steps are:
- Use keytool to convert the JKS into PKCS#12 format; you will be prompted for the JKS password and asked to set a password for the PKCS#12 file
keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.keystore.p12 -srcstoretype jks -deststoretype pkcs12
- Use openssl to convert the PKCS#12 file to PEM
openssl pkcs12 -nodes -in server.keystore.p12 -out server.keystore.pem
server.keystore.pem then contains both the private key (unencrypted, because of -nodes, so protect the file) and the certificate(s).
Decrypt an encrypted private key
The following command decrypts a passphrase-protected key; some applications must be configured with the plaintext key. You will be prompted for the passphrase used to encrypt it. Give the output file restrictive permissions (chmod 600); for non-RSA keys, openssl pkey takes the same -in/-out arguments as openssl rsa.
openssl rsa -in kfpt.key -out kfpt.key.insec
Verify that a certificate and private key match
Use the following command to start a TLS server with the given certificate and private key,
then connect to it with openssl s_client. s_server refuses to start if the key does not belong to the certificate; if they match, the server prints whatever the client sends. Note that -verify takes a numeric verification depth (1 here), so it must not be followed directly by another flag:
openssl s_server -msg -verify 1 -tls1_2 -state -cert kfpt.crt -key kfpt.key -accept 18444
openssl s_client -msg -verify 1 -tls1_2 -state -showcerts -cert kfpt.crt -key kfpt.key -connect localhost:18444
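The two checks above (handling an encrypted key, and confirming that a certificate and key belong together) can also be done without opening a port: hash the public key embedded in the certificate and the public key derived from the private key and compare the two. This is an added example, not from the original post. It generates throwaway self-signed RSA and EC pairs under a temporary directory, so the file names, DNs and passphrase are assumptions; it goes beyond the RSA-only openssl rsa command by using openssl pkey, which handles EC and other key types, and takes an OpenSSL -passin source for an encrypted key.

```bash
#!/bin/sh
# Added example, not from the original post. Checks that a private key is the
# one a certificate was issued for, by hashing the public key on both sides.
# File names, DNs and the passphrase are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# SHA-256 over the DER-encoded SubjectPublicKeyInfo inside a certificate
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same hash derived from a private key. $2 is an optional -passin source
# (e.g. pass:secret or env:KEYPASS) for an encrypted key; unencrypted keys
# ignore it. pkey handles RSA and EC alike, where 'openssl rsa' is RSA-only.
key_pubkey_fp() {
  openssl pkey -in "$1" -passin "${2:-pass:}" -pubout -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert <cert> <key> [passin]: 0 only when both hashes are equal
key_matches_cert() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2" "${3:-}")" ]
}

# Throwaway self-signed pair: make_pair <name> <-newkey arguments...>
make_pair() {
  name="$1"; shift
  openssl req -x509 -new -nodes -days 1 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" -newkey "$@" 2>/dev/null
}

# Demo on constructed data: an RSA pair, an EC pair, and an encrypted copy
# of the RSA key (the reverse of the 'openssl rsa -in ... -out' decryption)
make_pair rsa1 rsa:2048
make_pair ec1 ec -pkeyopt ec_paramgen_curve:P-256
openssl pkey -in "$WORK/rsa1.key" -aes256 -passout pass:hunter2 -out "$WORK/rsa1.enc.key"

for pair in "rsa1.crt rsa1.key" "ec1.crt ec1.key" "rsa1.crt ec1.key"; do
  set -- $pair
  if key_matches_cert "$WORK/$1" "$WORK/$2"; then
    echo "$1 <-> $2: match"
  else
    echo "$1 <-> $2: MISMATCH"
  fi
done
if key_matches_cert "$WORK/rsa1.crt" "$WORK/rsa1.enc.key" pass:hunter2; then
  echo "rsa1.crt <-> rsa1.enc.key (encrypted): match"
fi
```

Comparing the full SubjectPublicKeyInfo hash rather than the RSA modulus (the older `openssl x509 -modulus` trick) is what makes the same function work for every key type; a mismatch of a single bit, for example a key from the wrong renewal cycle, shows up as different hashes.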