General self-signed certificate

A self-signed certificate generated by OpenSSL that carries key-usage extensions.

The concrete steps are as follows.

Commands involved:

openssl genrsa -out root.key 1024

openssl req -new -out root-req.csr -key root.key -keyform PEM

openssl x509 -req   -extfile /etc/ssl/openssl.cnf  -extensions v3_req  -in root-req.csr -out root-cert.cer -signkey root.key -CAcreateserial -days 3650

Self-signing configuration involved: /etc/ssl/openssl.cnf

Notes on these three commands. A 1024-bit RSA key is below the 2048-bit minimum that current guidance and browsers expect, so use 2048 or more. The -extfile/-extensions pair is what puts X.509v3 extensions into the certificate: openssl x509 -req does not copy the extensions requested in the CSR on its own. With -signkey the certificate is signed by its own key, so -CAcreateserial, which belongs together with -CA, does nothing here. Finally, check what the v3_req section of your openssl.cnf actually contains: the stock section sets basicConstraints = CA:FALSE and a keyUsage without keyCertSign, and OpenSSL does not treat a certificate whose keyUsage lacks keyCertSign as its own issuer, so openssl verify -CAfile root-cert.cer root-cert.cer fails with "unable to get local issuer certificate" even though a browser will still let you add the certificate as an exception.


Server certificate signed by your own CA:

1. Generate the server-side private key (key file)

openssl genrsa -des3 -out server.key 1024

  1. Explanation: generates an RSA private key of 1024 bits as written (treat 2048 bits as the minimum today), encrypts it with 3DES, and writes it to server.key.
  2. Note: you are prompted for a passphrase of at least 4 characters, which encrypts the key file (the -des3 parameter selects the cipher; -aes256 is the better choice now). Every later read of the file, through the OpenSSL commands or the API, asks for that passphrase. To strip it: openssl rsa -in server.key -out server.key (the resulting file is plaintext, so protect it with file permissions, e.g. chmod 600 server.key).

2. Generate the server-side certificate signing request (csr file)

openssl req -new -key server.key -out server.csr

  1. Explanation: you are prompted in turn for Country, State/Province, City, Organization, Organizational Unit, Common Name and Email. Common Name can be your own name or a domain name; for HTTPS it should match the site's host name, otherwise the browser warns. Current browsers (Chrome since version 58, among others) do not look at the Common Name at all and require the host name in a subjectAltName extension, which this request does not contain: add it with -addext "subjectAltName=DNS:your.domain" (OpenSSL 1.1.1 or later) and make sure the signing step carries it into the certificate, either through the extensions section used there or with copy_extensions = copy in the CA section of openssl.cnf.

3. Generate the CA certificate file: server.csr and client.csr must be signed by the CA before they become certificates.

3.1 First generate the CA's key file:

openssl genrsa -des3 -out ca.key 1024

3.2 Generate the CA's self-signed certificate:

openssl req -new -x509 -key ca.key -out ca.crt -days 3650

  1. Note: you are prompted in turn for Country, State/Province, City, Organization, Organizational Unit, Common Name and Email, as for the server request. With -x509 the req command writes a self-signed certificate directly instead of a CSR; its extensions come from the x509_extensions setting in the [req] section of openssl.cnf, which in the stock file points at v3_ca (basicConstraints = CA:TRUE plus subject and authority key identifiers), so the result can act as a CA.
  2. Country, State/Province and Organization entered here should be identical to those in server.csr. The reason is the policy = policy_match setting in the CA section of openssl.cnf: openssl ca requires those three fields of the request to match the CA certificate and otherwise refuses to sign (this is the "stateOrProvinceName field is different" error in the appendix). Alternatively pass -policy policy_anything to openssl ca.

4. Sign the server request with the CA certificate

4.1 Create the CA directory structure that openssl ca expects (the paths come from the [CA_default] section of openssl.cnf, whose dir is ./demoCA in the stock file; the brace expansion below is bash syntax):

mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial

4.2 Generate the server certificate file:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

openssl ca reads its database (index.txt), the next serial number (serial) and the directory for copies of issued certificates (newcerts) from the config; -cert and -keyfile override the certificate and private_key settings there. The validity is default_days from the config (365 in the stock file) unless -days is given, and the command prompts for the CA passphrase and then for confirmation before writing the certificate (-batch skips the confirmation). Afterwards check the result with openssl verify -CAfile ca.crt server.crt and, if you added a subjectAltName, confirm it is present with openssl x509 -in server.crt -noout -text.
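
The whole procedure on this page, as an added example that is not code from the original post: it builds the root the way the first section does (openssl x509 -req -signkey with an extension file), then signs a server CSR with openssl ca against a local CA database, and reproduces the stateOrProvinceName rejection seen in the appendix. The directory layout, the DNs, the host name www.fiona.test and the config file written by write_cnf (a minimal stand-in for /etc/ssl/openssl.cnf) are all assumptions; the keys are 2048-bit and left unencrypted so the script runs unattended.

```sh
#!/bin/sh
# Added example (not code from the original post): both procedures of this
# page run offline and unattended. Directory, DNs, host name and the config
# file below are assumptions, not the page's own files.
set -eu

# Minimal stand-in for /etc/ssl/openssl.cnf: CSR defaults, one extension
# section for the root and one for server certs, and the "openssl ca"
# database layout with the stock policy_match policy.
write_cnf() {                                  # write_cnf DIR HOSTNAME
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $1/demoCA/newcerts
database = $1/demoCA/index.txt
serial = $1/demoCA/serial
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
}

# build_pki DIR HOSTNAME: root key and certificate (self-signed with
# x509 -req -signkey -extfile, as in the first section), then server key,
# CSR and the CA-signed server certificate via "openssl ca".
build_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir/demoCA/newcerts"
    : > "$dir/demoCA/index.txt"; echo 01 > "$dir/demoCA/serial"
    echo 'unique_subject = yes' > "$dir/demoCA/index.txt.attr"
    write_cnf "$dir" "$cn"
    # 2048-bit keys (1024 bits, as on the page, is below the current minimum);
    # unencrypted so no prompts appear, add -aes256 for a passphrase.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/ca.key" \
        -subj "/C=CN/ST=Suzhou/O=Fiona/CN=Fiona Root CA" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/openssl.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
    # Server CSR whose C/ST/O equal the CA's, as policy_match requires.
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/server.key" \
        -subj "/C=CN/ST=Suzhou/O=Fiona/CN=$cn" -out "$dir/server.csr"
    openssl ca -batch -config "$dir/openssl.cnf" -cert "$dir/ca.crt" \
        -keyfile "$dir/ca.key" -extensions v3_server -days 365 -notext \
        -in "$dir/server.csr" -out "$dir/server.crt"
}

# sign_mismatched DIR: returns 0 when "openssl ca" REJECTS a request whose
# State differs from the CA certificate (the appendix error), 1 if it signs.
sign_mismatched() {
    dir=$1
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/server.key" \
        -subj "/C=CN/ST=Jiangsu/O=Fiona/CN=other.fiona.test" -out "$dir/bad.csr"
    if openssl ca -batch -config "$dir/openssl.cnf" -cert "$dir/ca.crt" \
        -keyfile "$dir/ca.key" -days 365 -in "$dir/bad.csr" \
        -out "$dir/bad.crt" 2>/dev/null; then
        return 1
    fi
    return 0
}

# check_pki DIR HOSTNAME: 0 if server.crt chains to ca.crt and carries the SAN.
check_pki() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$cn"
}

if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    build_pki "$dir" www.fiona.test
    check_pki "$dir" www.fiona.test && sign_mismatched "$dir" && echo "OK: $dir"
fi
```

Run it with sh selfsigned.sh run; it prints the scratch directory that holds ca.crt, server.crt and the demoCA database. The rejection is enforced by the policy = policy_match line in the generated config; the stock openssl.cnf also ships a policy_anything section, selectable with -policy policy_anything, which is the quick way out when the request's DN legitimately differs from the CA's.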

5. Appendix: the commands actually run

root@Fkali:~# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.................................................+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
root@Fkali:~# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Jiangsu
Locality Name (eg, city) []:Fiona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fiona
Organizational Unit Name (eg, section) []:Fiona
Common Name (e.g. server FQDN or YOUR name) []:Fiona
Email Address []:fionatest@gami.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Gm123456
An optional company name []:Fiona
root@Fkali:~# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
...........+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
root@Fkali:~# openssl req -new -x509 -key ca.key -out ca.crt -days 3650
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Suzhou
Locality Name (eg, city) []:Suzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fiona
Organizational Unit Name (eg, section) []:Fiona
Common Name (e.g. server FQDN or YOUR name) []:Fiona
Email Address []:fiona@gamai.com
root@Fkali:~# mkdir -p ./demoCA/newcerts
root@Fkali:~# touch ./demoCA/index.txt
root@Fkali:~# echo 01 > ./demoCA/serial
root@Fkali:~# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
unable to load CA private key
140069843444928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
140069843444928:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:461:
root@Fkali:~# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (Suzhou) and the request (Jiangsu)
root@Fkali:~# ls
'am--tamper=space2comment'   ca.key   Desktop     Downloads                        log.txt   Music      Public          root.key       server.csr   Templates   TouchFile.class
 ca.crt                      demoCA   Documents   fastjson-1.2.47-RCE-master.zip   logtxt    Pictures   root-cert.cer   root-req.csr   server.key   tmp         Videos
root@Fkali:~#

What the transcript shows: the first openssl ca attempt stops at "bad decrypt", which means the passphrase typed for ca.key was wrong (the key file itself is fine, as the second attempt proves). The second attempt loads the key but is rejected by the default policy_match policy, because the CA certificate was created with State = Suzhou while server.csr carries Jiangsu; that is why no server.crt appears in the final directory listing. Regenerate server.csr with the CA's Country, State and Organization values, or run openssl ca with -policy policy_anything, and the signing goes through.

Reference: https://blog.csdn.net/nklinsirui/article/details/89432430?utm_medium=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.channel_param&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-OPENSEARCH-1.channel_param
