Full certificate-issuance procedure: https://blog.51cto.com/dek701/1976267
1. Generate the CA root private key:
openssl genrsa -out ca/ca.key 1024
# 1024-bit RSA is used here only to follow the walkthrough; use at least 2048 bits for any key you intend to rely on.
2. Generate the CA root certificate (self-signed, hence -x509):
openssl req -new -x509 -key ca/ca.key -out ca/ca.pem
# No -days is given, so the default validity of 30 days applies; add e.g. -days 3650 for a root you intend to keep.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:zlj
Organizational Unit Name (eg, section) []:zlj1
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:zlj@11.com
# Inspect the generated certificate
openssl x509 -in ca/ca.pem -noout -text
# The public key in the certificate is identical to the public key extracted from the private key
3. Generate the server certificate's private key:
- Same as generating the CA private key above; the file extension is arbitrary:
openssl genrsa -out web/web.key 1024
4. Generate the server certificate signing request (CSR)
- Note: this produces a request file, not a certificate:
```shell
openssl req -new -key web/web.key -out web/web.csr
# Inspect the request file
openssl req -noout -text -in web/web.csr
# Show the public key carried in the CSR
openssl req -noout -pubkey -in web/web.csr
```
1. Country and State must match the CA certificate above, otherwise signing with `openssl ca` fails: its default policy_match section requires countryName, stateOrProvinceName and organizationName to match, so Organization must match as well (the "zljweb" entered below would be rejected by `openssl ca`; `openssl x509 -req -CA ...` in step 5 applies no such policy).
2. Common Name matters here: enter the host name you need SSL for, e.g. localhost (only one name fits in the CN), otherwise the browser reports a certificate error. Modern browsers no longer read the CN at all and require the name in a subjectAltName extension, which `openssl x509 -req` can add through -extfile when the request is signed.
```shell
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:zljweb
Organizational Unit Name (eg, section) []:zljweb1
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:zljweb@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
5. Sign the server certificate with the CA
openssl x509 -req -in web/web.csr -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial -out web/web.crt -days 3650
# Not `-signkey ca/ca.key`: with -signkey, x509 self-signs the request (issuer = subject, signed with whatever key is supplied), so the result never chains to ca.pem. -CAcreateserial writes the serial-number file ca/ca.srl on first use.
# Extract the certificate's public key
openssl x509 -pubkey -noout -in web/web.crt
openssl x509 -in web/web.crt -noout -text
# Alternative: issue through `openssl ca`, run from the directory that holds demoCA/ (index.txt, serial and private/cakey.pem set up as in openssl.cnf)
cd ..
openssl ca -in web/web.csr -out web/web2.crt
# `openssl ca -in` expects the CSR, not the certificate from the previous step, and enforces the policy_match rules on C, ST and O.
Notes on the various files:
https://blog.51cto.com/wushank/1915795
key: a key, either the public or the private one.
For RSA the two exponents are mathematically interchangeable (what one of them encrypts, the other decrypts), which is why the pair is often described as symmetric.
What we usually call the "private key" file, however, carries extra information: the modulus, the public exponent, the private exponent, the primes and the CRT values.
So the public key can be extracted/computed from the "private key", whereas the public key file holds only the modulus and public exponent; it is just a public key and nothing further can be recovered from it.
# View the private key
cat private/cakey.pem
# View the other information in the private key
# The "private key" actually contains much more than the private exponent;
# from this extra information the public key can be computed
openssl rsa -text -in private/cakey.pem
# Extract the public key from the private key
openssl rsa -pubout -in private/cakey.pem
# Get the public key from a certificate:
openssl x509 -pubkey -noout -in xxx
Mutual authentication:
The client keeps its private key + certificate; the server keeps the CA certificate (the trust anchor it verifies client certificates against, not the client's bare public key):
- The client just sends client.pem (its certificate) during the handshake; the private key never leaves the client.
```shell
[root@localhost demoCA]# cat ca/*
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDCNnd8Esza9zeF4hKsWP5Zfhdq4o2Jg/0cuOfiL9YqOVk+ipTD
moPlAcShyJf1U1UmJiSmAqGpTqrpGjZR2EAxA7hiGKSvWDUTdcZ0gFF4y6hwUZSo
+TAFka4PFUIGB0IVt9HALJVdWWR62uTDDGreKbFW3IOPPKPMcB3FVo38+QIDAQAB
AoGAUeEAsvCCKXa8k9diJANJCJXebZOiNG3PEoLqUDP2yMpw06s9WNIV9UCvk72s
QyOk7HZ8UPkfCvA9ohUI/ax8MvHfFCvKsPx45oUFOQe/ul0bWry+Unv6UOBhNTeC
b0B7j8k2sGghn0/IMRheKyxB55RXRSQtZKTcMxJOHamb5HkCQQDjjwfWJPIS7Nv+
ib360/Qc0BnSpuBUch7CdOkhYFq3m/eDMET34f2O8gLxJVRJn5Dt1ltRzfon/a7H
BYPlm4PTAkEA2nx/uHTpB3JT1joxPZDrNHjCMdTxABcU1T6xUITl5XYME1OxgusC
FlDiA5YTn6GzuWRpAdGmCKbbk2covhNYgwJAIejgfBLJV/Sf29Be1Q/coqaIEpH3
f935o3SUgPrAyfed7Ji2zlGI3VJHCfRMGSSEDk0REqGlE2yELPgvbXm9LQJAJtQf
YqmsTD1+NsFKxPU/R6j6Yh7E4c44TpmAq52iub/b74ddMbYQPeUL9bUzMZhsN1Nn
8gHPLxRwS2b276jCfwJAJFmB70ZhHVwsq9+NmAUyVdXmn+/kB0QJ6r0OWObmWgNw
efDg/amrhYlH5lmRLNkKHo5pnIBQUpmCXeDt5p9iqQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICzDCCAjWgAwIBAgIJAJNKYLPoHJRrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAmNuMQswCQYDVQQIDAJnZDELMAkGA1UEBwwCc3oxDDAKBgNVBAoMA3psajEN
MAsGA1UECwwEemxqMTEeMBwGA1UEAwwVemxoLmNvbRtbRBtbRBtbRBtbRAhqMRkw
FwYJKoZIhvcNAQkBFgp6bGpAcXEuY29tMB4XDTIyMDMxNzEwMDY1OFoXDTIyMDQx
NjEwMDY1OFowfzELMAkGA1UEBhMCY24xCzAJBgNVBAgMAmdkMQswCQYDVQQHDAJz
ejEMMAoGA1UECgwDemxqMQ0wCwYDVQQLDAR6bGoxMR4wHAYDVQQDDBV6bGguY29t
G1tEG1tEG1tEG1tECGoxGTAXBgkqhkiG9w0BCQEWCnpsakBxcS5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMI2d3wSzNr3N4XiEqxY/ll+F2rijYmD/Ry4
5+Iv1io5WT6KlMOag+UBxKHIl/VTVSYmJKYCoalOqukaNlHYQDEDuGIYpK9YNRN1
xnSAUXjLqHBRlKj5MAWRrg8VQgYHQhW30cAslV1ZZHra5MMMat4psVbcg488o8xw
HcVWjfz5AgMBAAGjUDBOMB0GA1UdDgQWBBRQUD3BX+H3AKSoOSXUfjJqho3aQTAf
BgNVHSMEGDAWgBRQUD3BX+H3AKSoOSXUfjJqho3aQTAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4GBAFQOL5UVERyB4JWbr8bOYF8/IhK4CdYgDdTCWI7Vp6Pu
0UY3WcKgc6iobr6qCoSEjugI4d/oMLV0tOviu4fQoiixTmQ4IIVxvZQSrxYCvSVC
1oCuLHW7k0S9tpGrHoBgHi5AnmgyNqgvKBicEpn6azgAg+TVzxwOt0YFcBsZV/Rm
-----END CERTIFICATE-----
[root@localhost demoCA]#
```
# ca/* above is ca.key followed by ca.pem (a throwaway 1024-bit demo key). Only ca.pem is ever handed out; the server uses it to verify client certificates, the CA key stays with the CA.
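The whole procedure above (steps 1 to 5, the key/certificate public-key comparison, and the client certificate the mutual-authentication note needs) as one non-interactive script. This is an added example, not code from the original page or the linked blog posts: it uses 2048-bit keys, an explicit validity on the root, a subjectAltName on the server certificate, and `-CA`/`-CAkey` instead of `-signkey`, then checks the result with `openssl verify` and also reproduces the page's `-signkey` variant to show why it does not chain. The directory layout, file names, subject fields and validity periods are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original page). Directory layout, file names,
# subject fields and validity periods are assumptions for this demo.
set -eu

# Sign "$2.csr" under "$1" with the CA from step 2. Extension lines come on
# stdin because x509 -req has no SAN option of its own.
sign_csr() {
    dir=$1; name=$2
    cat > "$dir/$name.ext"
    openssl x509 -req -days 825 -in "$dir/$name.csr" \
        -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build the CA, a server certificate and a client certificate under $1.
# Prints OK when both leaves verify against the CA and web.crt carries the
# public key derived from web.key; prints FAIL otherwise.
issue_chain() {
    dir=${1:-./pki-demo}
    mkdir -p "$dir/ca" "$dir/web" "$dir/client"

    # 1. CA private key. The page uses 1024 bits; that is no longer acceptable.
    openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null

    # 2. Self-signed root from an explicit config, so the CA extensions do not
    #    depend on the system openssl.cnf. Without -days the default is 30 days.
    cat > "$dir/ca/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = cn
ST = gd
L = sz
O = zlj
OU = zlj1
CN = zlj-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -config "$dir/ca/ca.cnf" \
        -key "$dir/ca/ca.key" -out "$dir/ca/ca.pem"

    # 3./4. Server key and request. CN=localhost alone is not enough for
    #       browsers; the SAN is added when the CSR is signed.
    openssl genrsa -out "$dir/web/web.key" 2048 2>/dev/null
    openssl req -new -key "$dir/web/web.key" -out "$dir/web/web.csr" \
        -subj "/C=cn/ST=gd/L=sz/O=zljweb/OU=zljweb1/CN=localhost"

    # 5. Sign with the CA. `-signkey ca/ca.key` (the page's variant) would make
    #    x509 self-sign the request instead; see signkey_variant_verifies.
    sign_csr "$dir" web/web <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF

    # Client certificate for mutual authentication: the client keeps
    # client.key + client.crt; the server needs only ca/ca.pem to verify it.
    openssl genrsa -out "$dir/client/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client/client.key" -out "$dir/client/client.csr" \
        -subj "/C=cn/ST=gd/O=zlj/CN=demo-client"
    sign_csr "$dir" client/client <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

    # Checks: both leaves chain to the CA, and the public key inside web.crt
    # equals the one extracted from web.key (rsa -pubout vs x509 -pubkey).
    openssl verify -CAfile "$dir/ca/ca.pem" "$dir/web/web.crt" "$dir/client/client.crt" \
        >/dev/null 2>&1 || { echo FAIL; return 1; }
    from_key=$(openssl rsa -pubout -in "$dir/web/web.key" 2>/dev/null)
    from_crt=$(openssl x509 -pubkey -noout -in "$dir/web/web.crt")
    [ "$from_key" = "$from_crt" ] || { echo FAIL; return 1; }
    echo OK
}

# Reproduce the page's original step 5 (-signkey with the CA key) and report
# whether the result verifies against the CA. Prints "no": the certificate
# comes out with issuer == subject, so it cannot chain to ca.pem.
signkey_variant_verifies() {
    dir=${1:-./pki-demo}
    openssl x509 -req -days 3650 -in "$dir/web/web.csr" \
        -signkey "$dir/ca/ca.key" -out "$dir/web/web-signkey.crt" 2>/dev/null || :
    if openssl verify -CAfile "$dir/ca/ca.pem" "$dir/web/web-signkey.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}
```

Source the file and call `issue_chain ./pki-demo` (the path is an assumption), then smoke-test mutual TLS with the files it produced: `openssl s_server -accept 8443 -cert pki-demo/web/web.crt -key pki-demo/web/web.key -CAfile pki-demo/ca/ca.pem -Verify 1` in one terminal and `openssl s_client -connect localhost:8443 -CAfile pki-demo/ca/ca.pem -cert pki-demo/client/client.crt -key pki-demo/client/client.key` in another. With `-Verify` (capital V) the server requires a client certificate, so the same `s_client` without `-cert`/`-key` fails the handshake, which is the check that mutual authentication is actually enforced.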