1. Generating the root certificate
- Generate a self-signed root certificate (first-level certificate):
(1). Generate a 2048-bit RSA private key root.key in PEM format:
openssl genrsa -out root.key 2048
(2). Check the private key root.key (output shown in the figure below):
openssl rsa -in root.key -check
(3). Create the root certificate signing request (CSR) file root2.csr in PEM format. After entering the command below, you are prompted for each field in turn; in the example, the text after each colon is what to type, and pressing Enter on an empty field accepts the default (see the figure below):
openssl req -new -out root2.csr -key root.key
The CSR can also be generated non-interactively by adding the -subj option; given the same field values, root.csr is identical to root2.csr:
openssl req -new -out root.csr -key root.key -subj "/C=cn/ST=beijing/L=haidian/O=FBC/OU=test/CN=fengbingchun/emailAddress=fengbingchun@163.com"
(4). Check root.csr and print the CSR details; -verify checks the CSR's own signature, which proves possession of root.key (output shown in the figure below):
openssl req -text -in root.csr -noout -verify
(5). Create the root certificate root.crt in PEM format (output shown in the figure below):
openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650
Because no extension file is given, root.crt carries no X.509v3 extensions, in particular no basicConstraints CA:TRUE and no keyUsage keyCertSign. OpenSSL's verify tolerates such a self-signed root, but browsers and most TLS libraries refuse to treat it as a CA; for anything beyond this test, pass an -extfile that sets basicConstraints=critical,CA:TRUE and keyUsage=keyCertSign,cRLSign.
(6). Convert root.crt from PEM to DER format (the LD_LIBRARY_PATH=../lib ./openssl prefix used from here on runs the author's locally built OpenSSL; a system-installed openssl behaves the same):
LD_LIBRARY_PATH=../lib ./openssl x509 -outform der -in root.crt -out root.der
(7). Check root.crt and print the certificate details (output shown in the figure below):
LD_LIBRARY_PATH=../lib ./openssl x509 -text -in root.crt -noout
(8). Check that root.key, root.csr and root.crt carry the same public key by hashing the RSA modulus from each (output shown in the figure below; the three hashes are identical):
LD_LIBRARY_PATH=../lib ./openssl rsa -modulus -in root.key -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
LD_LIBRARY_PATH=../lib ./openssl req -modulus -in root.csr -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
LD_LIBRARY_PATH=../lib ./openssl x509 -modulus -in root.crt -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
2. Issuing a server certificate (second-level certificate) from the self-signed root
(1). Generate a 2048-bit RSA private key server.key in PEM format:
LD_LIBRARY_PATH=../lib ./openssl genrsa -out server.key 2048
(2). Check the private key server.key:
LD_LIBRARY_PATH=../lib ./openssl rsa -in server.key -check
(3). Create the server CSR server.csr in PEM format; set CN to the IP address or domain name of the local test machine:
LD_LIBRARY_PATH=../lib ./openssl req -new -out server.csr -key server.key -subj "/C=cn/ST=beijing/L=haidian/O=Spring/OU=server_test/CN=10.4.96.33/emailAddress=Spring@server_test.com"
(4). Check server.csr and print the CSR details:
LD_LIBRARY_PATH=../lib ./openssl req -text -in server.csr -noout -verify
(5). Create the server certificate server.crt in PEM format:
LD_LIBRARY_PATH=../lib ./openssl x509 -req -in server.csr -out server.crt -signkey server.key -CA root.crt -CAkey root.key -CAcreateserial -days 3650
Two notes on this command. First, -signkey server.key is unnecessary: the issuer signature comes from -CAkey root.key, and the CSR already proves possession of server.key, so drop it rather than rely on the order in which the tool applies the two signing options. Second, the certificate's only identity is the CN; browsers and most modern TLS clients match the host name or IP against subjectAltName and ignore CN, so a certificate issued this way passes openssl verify but is rejected by a browser. Add an -extfile that sets subjectAltName=IP:10.4.96.33 (or DNS:name) when signing.
(6). Check server.crt and print the certificate details (output shown in the figure below; note the differences from root.crt: the Issuer is now the root's Subject rather than the certificate's own, and the serial number is taken from root.srl, which -CAcreateserial creates if it does not yet exist):
LD_LIBRARY_PATH=../lib ./openssl x509 -text -in server.crt -noout
(7). Convert server.crt from PEM to DER format:
LD_LIBRARY_PATH=../lib ./openssl x509 -outform der -in server.crt -out server.der
(8). Check that server.key, server.csr and server.crt carry the same public key:
LD_LIBRARY_PATH=../lib ./openssl rsa -modulus -in server.key -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
LD_LIBRARY_PATH=../lib ./openssl req -modulus -in server.csr -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
LD_LIBRARY_PATH=../lib ./openssl x509 -modulus -in server.crt -noout | LD_LIBRARY_PATH=../lib ./openssl sha256
(9). Verify the server certificate server.crt against the root certificate root.crt (output shown in the figure below). This checks the signature chain and validity period only, not the identity; add -verify_hostname name or -verify_ip address to also check that the certificate is bound to the server, which requires a matching subjectAltName:
LD_LIBRARY_PATH=../lib ./openssl verify -CAfile root.crt server.crt
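The two procedures above as one script, added here as an example and not code from the original post or from the fengbingchun/OpenSSL_Test repository. It follows the same genrsa / req / x509 -req / verify sequence but adds the extensions the post's commands omit (CA:TRUE and keyCertSign on the root, subjectAltName and serverAuth on the server certificate), drops the redundant -signkey server.key, and turns steps (8) and (9) into checks that succeed or fail, including the IP binding a TLS client tests. It assumes a system openssl (1.1.1 or 3.x) on PATH; WORK, SERVER_IP and the function names are this example's own, and 10.4.96.33 is the post's test address reused as the SAN.

```shell
#!/bin/sh
# Added example, not code from the original post or its GitHub repository.
# Builds a root CA and a CA-signed server certificate with the extensions the
# post's commands leave out, then runs the checks a TLS client actually makes.
# Assumes a system `openssl` (1.1.1 or 3.x) on PATH; WORK and SERVER_IP are
# this example's own names.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-10.4.96.33}"    # the post's test machine address, used as the SAN

# Section 1, steps (1)-(5): key, CSR, self-signed root. The -extfile adds
# basicConstraints CA:TRUE and keyUsage keyCertSign; without it the root is a
# V1 certificate that OpenSSL tolerates but browsers refuse as a CA.
make_root() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/C=cn/ST=beijing/L=haidian/O=FBC/OU=test/CN=fengbingchun"
    cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Section 2, steps (1)-(5): the CA signs the CSR. No -signkey server.key: the
# CSR's own signature already proves possession of server.key, and the issuer
# signature must come from root.key alone. The SAN carries the address,
# because browsers match SAN and ignore CN.
make_server() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=cn/ST=beijing/L=haidian/O=Spring/OU=server_test/CN=$SERVER_IP"
    cat > "$WORK/server.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$SERVER_IP
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 825 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step (8) of both sections as a function: succeeds only if key, CSR and
# certificate hash to the same RSA modulus.
modulus_matches() {    # usage: modulus_matches KEY CSR CRT
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    r=$(openssl req  -noout -modulus -in "$2" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$3" | openssl sha256)
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Step (9) plus what `openssl verify` does not check by default: that the
# chain is usable for a TLS server and that the certificate is bound to the
# address a client connects to (-verify_ip only matches an IP SAN, never CN).
verify_chain() {       # usage: verify_chain [IP]; defaults to SERVER_IP
    openssl verify -CAfile "$WORK/root.crt" -purpose sslserver \
        -verify_ip "${1:-$SERVER_IP}" "$WORK/server.crt" >/dev/null 2>&1
}

# Negative control: the server certificate must not verify as its own root.
server_is_not_selfsigned() {
    ! openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Number of "CA:TRUE" lines in the root's text dump (1 when the extension took).
root_is_ca() {
    openssl x509 -noout -text -in "$WORK/root.crt" | grep -c 'CA:TRUE'
}

main() {
    make_root
    make_server
    modulus_matches "$WORK/root.key"   "$WORK/root.csr"   "$WORK/root.crt"
    modulus_matches "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt"
    verify_chain                       # chain + sslserver purpose + IP SAN
    server_is_not_selfsigned
    echo "root CA:TRUE count=$(root_is_ca); chain, purpose and IP checks passed; files in $WORK"
}
main
```

Run it as `sh ca_example.sh`; with set -e any failing check aborts the script, so reaching the final echo means every check passed. Calling `verify_chain 10.0.0.1` on the same files fails with an IP address mismatch, which is the difference between the post's plain `openssl verify` and what a client enforces.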
GitHub:https://github.com//fengbingchun/OpenSSL_Test