A guide to mastering the openssl certificate commands

Published: 2020-05-10 09:03:43

Source: 51CTO

Views: 257

Author: 17gongdeng

2. Create a directory on my computer, start a terminal, and change into that directory

cd /Users/dhbm/Desktop/ssl/sign20180729

3. Generate a self-signed certificate

1) Generate a key (my private key)

openssl genrsa -des3 -out selfsign.key 4096

Result (passphrase entered during the process: 123456)

Generating RSA private key, 4096 bit long modulus

...........++

...........................++

e is 65537 (0x10001)

Enter pass phrase for selfsign.key:

Verifying - Enter pass phrase for selfsign.key:

*** A file should now have been generated: selfsign.key

ls

selfsign.key

2) Using my private key (the key generated above), generate a certificate signing request (CSR) for the self-signed certificate

openssl req -new -key selfsign.key -out selfsign.csr

Result

Enter pass phrase for selfsign.key:

unable to load Private Key

140735584793480:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:

140735584793480:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:

Enter pass phrase for selfsign.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh

Email Address []:13501062476@139.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:dhbm.cn

*** Another file should now have been generated: selfsign.csr

ls

selfsign.csr selfsign.key

3) Use the certificate request file above (selfsign.csr) to generate the self-signed certificate

openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

Result

Signature ok

subject=/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh/emailAddress=13501062476@139.com

Enter pass phrase for selfsign.key:

*** Another file should now have been generated: selfsign.crt

ls

selfsign.crt selfsign.csr selfsign.key

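4. Create your own CA (Certificate Authority)

1) Generate the CA's key. This step is the same as when generating a certificate: the result is also a private key, and the file is named ca.key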

openssl genrsa -des3 -out ca.key 4096

Result:

Generating RSA private key, 4096 bit long modulus

..................................................................................................++

.....................................++

e is 65537 (0x10001)

Enter pass phrase for ca.key:

Verifying - Enter pass phrase for ca.key:

*** Another file should now have been generated: ca.key

ls

ca.key selfsign.crt selfsign.csr selfsign.key

2) Generate the CA's certificate request and certificate (the two steps are combined into one)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Result

Enter pass phrase for ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh

Email Address []:13501062476@139.com

*** 1 more file should now have been generated: ca.crt (no ca.csr?)

ls

ca.crt ca.key selfsign.crt selfsign.csr selfsign.key

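5. Generate a server certificate, issued by the CA created above

1) The first 2 steps are the same as above: generate a private key (key) and generate a certificate request (csr)

Generate the private key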

openssl genrsa -des3 -out myserver.key 4096

Result:

Generating RSA private key, 4096 bit long modulus

...................................................................++

...............................................................................................................................................++

e is 65537 (0x10001)

Enter pass phrase for myserver.key:

Verifying - Enter pass phrase for myserver.key:

Generate the certificate request

openssl req -new -key myserver.key -out myserver.csr

Result:

Enter pass phrase for myserver.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:BeiJing

Locality Name (eg, city) []:BeiJing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn

Organizational Unit Name (eg, section) []:dhbm.cn

Common Name (e.g. server FQDN or YOUR name) []:wzh server

Email Address []:13501062476@139.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:dhbm.cn

This time differs from the above: a CA is added as an intermediary, indicating that this certificate is approved and issued by the CA

openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

Result:

Signature ok

subject=/C=cn/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh server/emailAddress=13501062476@139.com

Getting CA Private Key

Enter pass phrase for ca.key:

*** At this point, 3 more files have been generated: myserver.key, myserver.csr, myserver.crt

ls

ca.crt myserver.crt myserver.key selfsign.csr

ca.key myserver.csr selfsign.crt selfsign.key

6. Inspect my certificate (myserver)

1) View my private key

openssl rsa -noout -text -in myserver.key

Result

Enter pass phrase for myserver.key:

Private-Key: (4096 bit)

modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29

...

2) View my certificate request

openssl req -noout -text -in myserver.csr

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:

...

Attributes:

challengePassword :123456

unstructuredName :dhbm.cn

Signature Algorithm: sha256WithRSAEncryption

00:6f:04:6c:30:93:88:34:ee:43:f2:ce:2b:d0:3e:11:20:46:

...

3) View my certificate

openssl x509 -noout -text -in myserver.crt

Data:

Version: 1 (0x0)

Serial Number: 1 (0x1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=CN, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh/emailAddress=13501062476@139.com

Validity

Not Before: Jul 29 09:02:55 2018 GMT

Not After : Jul 29 09:02:55 2019 GMT

Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:

0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:

...

4) Verify my certificate

openssl verify -CAfile ca.crt myserver.crt

myserver.crt: OK

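7. At this point 3 steps have been completed: the self-signed certificate, the CA certificate, and the myserver certificate issued by the CA

Question: which of these is used on the server side? Which is used on the client side?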
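
The myserver.crt inspected in step 6 is an X.509 version 1 certificate with no extensions. The script below is an added example, not part of the original article: it repeats the CA-issued flow from steps 4 and 5 without prompts, adds an -extfile so the server certificate carries subjectAltName, basicConstraints and extendedKeyUsage, and then checks the chain, purpose, host name and key match. The names Example Test CA and server.example.test, the files req.cnf and server.ext, and both function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed names:
# "Example Test CA", server.example.test. Keys are unencrypted 2048-bit RSA so
# the demo runs without prompts; the article uses -des3 and 4096 bits.
build_demo_pki() (
    cd "$1" || exit 1
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > server.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -config req.cnf -key ca.key -out ca.crt || exit 1
    openssl genrsa -out myserver.key 2048 2>/dev/null || exit 1
    openssl req -new -config req.cnf -subj "/CN=server.example.test" \
        -key myserver.key -out myserver.csr || exit 1
    # Signing command from step 5, plus -extfile so the result is X.509 v3
    openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -extfile server.ext -out myserver.crt 2>/dev/null
)

check_server_cert() (
    cd "$1" || exit 1
    # Chain builds to our CA and the certificate is acceptable for a TLS server
    openssl verify -purpose sslserver -CAfile ca.crt myserver.crt >/dev/null 2>&1 || exit 1
    # extendedKeyUsage=serverAuth means it must be rejected as a client certificate
    if openssl verify -purpose sslclient -CAfile ca.crt myserver.crt >/dev/null 2>&1
    then exit 1; fi
    # The name a client connects to is matched against subjectAltName
    openssl verify -verify_hostname server.example.test -CAfile ca.crt \
        myserver.crt >/dev/null 2>&1 || exit 1
    # The private key on disk is the one the certificate was issued for
    [ "$(openssl x509 -noout -pubkey -in myserver.crt)" = \
      "$(openssl pkey -pubout -in myserver.key)" ]
)
dir=$(mktemp -d) && build_demo_pki "$dir" && check_server_cert "$dir" \
    && echo "server certificate passed all checks"
```

On a TLS server, myserver.key and myserver.crt are the files the server loads; a client only needs ca.crt to verify the server's certificate.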
