Certificate creation: configuration files

Basic files

With prompts (each value under [ req_distinguished_name ] is the prompt text shown to the user; the *_default entries supply the default answers):

[ req ]

# default_bits                   = 2048
# default_keyfile    = keyfile.pem

distinguished_name = req_distinguished_name
req_extensions = v3_req

# attributes             = req_attributes
# output_password = mypass


[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (e.g. server FQDN)
commonName_max = 64




[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names



[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
DNS.4 = localhost

Without prompts (prompt = no: each value under [ req_distinguished_name ] is the field value itself):

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt                           = no

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = BJ
localityName = BJ
organizationalUnitName = Organizational Unit
commonName = Wei64

# C                           = GB
# ST                         = Test State or Province
# L                            = Test Locality
# O                           = Organization Name
# OU                        = Organizational Unit Name
# CN                         = Common Name
# emailAddress                = test@email.address

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names



[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
DNS.4 = localhost

Basic commands

  1. Prerequisites (the database files `openssl ca` reads and updates):

    mkdir -p CA/{certs,crl,newcerts,private}
    touch CA/index.txt
    echo 00 > CA/serial
    
  2. Generate ca.key and self-sign it:

    openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.conf
    Note: req_extensions in [ req ] applies only to certificate requests. A certificate produced with -x509 takes its extensions from x509_extensions in [ req ] or from -extensions <section>, and neither configuration file above sets one, so define a section for the CA (basicConstraints = critical, CA:TRUE and keyUsage = critical, keyCertSign, cRLSign) and select it explicitly rather than relying on version-dependent defaults.
    
  3. Generate server.key:

    openssl genrsa -out server.key 2048
    
  4. Generate the certificate signing request:

    openssl req -new -key server.key -out server.csr -config openssl.conf
    Note: use the primary domain name as the Common Name, and make sure that name also appears as a DNS.x entry under [ alt_names ] in openssl.conf: TLS clients match the host name against subjectAltName, and most ignore the Common Name once a SAN is present.
    
  5. Inspect the request file (add -verify to also check the CSR's self-signature):

    openssl req -text -noout -verify -in server.csr
    
  6. Sign server.csr with the self-signed CA:

    openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config openssl.conf
    Note: enter the passphrase set for ca.key in step 2, then answer y to the "Sign the certificate?" and "commit?" prompts (or pass -batch to skip them).
    Note: with the configuration files shown above this step fails, because `openssl ca` needs a [ ca ] section whose default_ca names a section defining at least new_certs_dir, database (the index.txt from step 1), serial, policy and default_md (plus certificate and private_key unless they are given with -cert and -keyfile as here); neither file defines one. The -extensions v3_req flag then takes the subjectAltName from the config file's [ v3_req ], not from the CSR, unless copy_extensions is set.
    
  7. Generate a personal certificate (a PKCS#12 bundle of key and certificate):

    openssl pkcs12 -export -inkey xxx.key -in xxx.crt -out xxx.p12
    Note: add -certfile ca.crt so the bundle also carries the CA certificate; the export password you are prompted for is what protects the private key inside the file.
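
The whole procedure above, with the configuration file completed so that step 6 actually runs, as an added example in POSIX shell. This is not the page's own script: it writes a non-prompting openssl.conf that adds the [ ca ] and [ CA_default ] sections (pointing at the directory from step 1) and a [ v3_ca ] section for the CA certificate, then runs steps 2 through 7 unattended and checks the result. Assumed, not taken from the page: OpenSSL 1.1.1 or later on PATH, a scratch directory from mktemp, the CA key passphrase read from the CA_PASS environment variable, the CA name "Example Test CA", default_days = 365, the extendedKeyUsage = serverAuth line, and the function names (init_ca_dir, write_config, make_ca, make_server_cert, make_p12, verify_server_cert, run_demo), which are this example's own.

```sh
#!/bin/sh
# Added example, not the page's own script: the procedure above end to end,
# including the [ ca ] section that the page's openssl.conf lacks.
# Assumptions: OpenSSL 1.1.1+ on PATH; the CA key passphrase comes from
# $CA_PASS (demo default "changeit"; use a real secret in practice).
set -eu
CA_PASS="${CA_PASS:-changeit}"
export CA_PASS
# Step 1: the database files `openssl ca` reads and updates.
init_ca_dir() {
  mkdir -p "$1/CA/certs" "$1/CA/crl" "$1/CA/newcerts" "$1/CA/private"
  : > "$1/CA/index.txt"
  echo 1000 > "$1/CA/serial"
}
# One config for both `openssl req` and `openssl ca`. $1 = work dir, $2 = hostname.
write_config() {
  cat > "$1/openssl.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1/CA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = $1/ca.crt
private_key   = $1/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
countryName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = CN
organizationalUnitName = Organizational Unit
commonName = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $2
DNS.2 = localhost
EOF
}
# Step 2: encrypted CA key and self-signed CA cert with explicit CA extensions
# (-extensions names the x509 section; the page's [req] never sets one).
make_ca() {
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -keyout "$1/ca.key" \
    -passout env:CA_PASS -out "$1/ca.crt" -config "$1/openssl.conf" \
    -extensions v3_ca -subj "/CN=Example Test CA"
}
# Steps 3, 4 and 6: server key, CSR, signing. -batch replaces the y/y prompts.
make_server_cert() {
  openssl genrsa -out "$1/server.key" 2048
  openssl req -new -key "$1/server.key" -out "$1/server.csr" -config "$1/openssl.conf"
  openssl ca -batch -notext -config "$1/openssl.conf" -passin env:CA_PASS \
    -extensions v3_req -in "$1/server.csr" -out "$1/server.crt"
}
# Step 7: PKCS#12 bundle; -certfile ships the CA cert alongside the key pair.
make_p12() {
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/ca.crt" -out "$1/server.p12" -passout env:CA_PASS
}
# Checks before deploying: chain verifies, SAN has the host, leaf is not a CA.
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2" &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "CA:FALSE"
}
# Build everything in a scratch directory and print its path.
run_demo() {
  d="$(mktemp -d)"
  init_ca_dir "$d"
  write_config "$d" "$1"
  make_ca "$d" >/dev/null 2>&1
  make_server_cert "$d" >/dev/null 2>&1
  make_p12 "$d"
  verify_server_cert "$d" "$1"
  echo "$d"
}
DEMO_DIR="$(run_demo "${1:-abc.example.com}")"
echo "CA and server certificate written to $DEMO_DIR"
```

Run it as `sh mkcerts.sh www.example.com`; it prints the scratch directory holding ca.crt, server.key, server.crt and server.p12. Each issued certificate adds a line beginning with V to CA/index.txt, which is why step 1 has to create that file before `openssl ca` is ever run, and -batch is what removes the y/y prompts of step 6.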
    
