学习 openssl 证书命令
20180729 学习 openssl 证书命令
1、参考
https://blog.csdn.net/madding/article/details/26717963
2、在我电脑建立好一个目录,并启动 terminal ,进入该目录
cd /Users/dhbm/Desktop/ssl/sign20180729
3、生成Self Signed证书
1)、生成一个key(我的私钥)
openssl genrsa -des3 -out selfsign.key 4096结果 (过程中 密码: 123456)
Generating RSA private key, 4096 bit long modulus
...........++
...........................++
e is 65537 (0x10001)
Enter pass phrase for selfsign.key:
Verifying - Enter pass phrase for selfsign.key:*** 这时应该生成了一个文件:selfsign.key
ls
selfsign.key2)使用我的私钥(上面生成的key),生成一个自签名请求 certificate signing request (CSR)
openssl req -new -key selfsign.key -out selfsign.csr
结果
Enter pass phrase for selfsign.key:
unable to load Private Key
140735584793480:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:531:
140735584793480:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:488:Enter pass phrase for selfsign.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh
Email Address []:13501062476@139.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dhbm.cn
*** 这时应该又生成了一个文件 selfsign.csr
ls
selfsign.csr selfsign.key
3)、用以上证书请求文件(selfsign.csr),生成Self Signed证书
openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
结果
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh/emailAddress=13501062476@139.com
Getting Private key
Enter pass phrase for selfsign.key:
*** 这时应该又生成了一个文件 selfsign.crtlsselfsign.crt selfsign.csr selfsign.key
4、生成自己的CA (Certificate Authority)
1)、生成CA的key,这一步和生成证书一样,也是一个私钥,文件名 叫 ca.key
openssl genrsa -des3 -out ca.key 4096结果:
Generating RSA private key, 4096 bit long modulus
..................................................................................................++
.....................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
*** 这时应该又生成了一个文件 ca.key
ls
ca.key selfsign.crt selfsign.csr selfsign.key2)、生成CA的证书请求、证书 (两步合二为一了)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt结果
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh
Email Address []:13501062476@139.com
*** 这时应该又生成了 1 个文件 ca.crt (没有 ca.csr?)lsca.crt ca.key selfsign.crt selfsign.csr selfsign.key
5、生成服务器证书,由以上自建的 CA 颁发
1)、前面 2 步 和以上一样,生成一个 私钥(key),生成一个证书请求(csr)
### 生成私钥
openssl genrsa -des3 -out myserver.key 4096
结果:
Generating RSA private key, 4096 bit long modulus
...................................................................++
...............................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for myserver.key:
Verifying - Enter pass phrase for myserver.key:
### 生成证书请求
openssl req -new -key myserver.key -out myserver.csr
结果:
Enter pass phrase for myserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dhbm.cn
Organizational Unit Name (eg, section) []:dhbm.cn
Common Name (e.g. server FQDN or YOUR name) []:wzh server
Email Address []:13501062476@139.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dhbm.cn
这次和以上不一样,加上了一个中间人 CA ,表示这是由 CA 认可并办法的证书
openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
结果:
Signature ok
subject=/C=cn/ST=BeiJing/L=BeiJing/O=dhbm.cn/OU=dhbm.cn/CN=wzh server/emailAddress=13501062476@139.com
Getting CA Private Key
Enter pass phrase for ca.key:
*** 到这里,又生成了 3 个文件 myserver.key,myserver.csr,myserver.crt
ls
ca.crt myserver.crt myserver.key selfsign.csr
ca.key myserver.csr selfsign.crt selfsign.key
6、查看我的证书情况 (myserver)
1)、查看我的私钥 openssl rsa -noout -text -in myserver.key结果Enter pass phrase for myserver.key:Private-Key: (4096 bit)modulus:00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29...2)、查看我的证书请求openssl req -noout -text -in myserver.csrCertificate Request:Data:Version: 0 (0x0)Subject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (4096 bit)Modulus:00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:...Attributes:challengePassword :123456unstructuredName :dhbm.cnSignature Algorithm: sha256WithRSAEncryption00:6f:04:6c:30:93:88:34:ee:43:f2:ce:2b:d0:3e:11:20:46:...
3)、查看我的证书openssl x509 -noout -text -in myserver.crtData:Version: 1 (0x0)Serial Number: 1 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh/emailAddress=13501062476@139.comValidityNot Before: Jul 29 09:02:55 2018 GMTNot After : Jul 29 09:02:55 2019 GMTSubject: C=cn, ST=BeiJing, L=BeiJing, O=dhbm.cn, OU=dhbm.cn, CN=wzh server/emailAddress=13501062476@139.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (4096 bit)Modulus:00:b7:cb:ad:ad:37:bd:e9:3d:a2:36:10:1b:e6:8e:0c:b7:83:09:3d:3e:09:94:a0:85:b2:2a:c6:68:29:...4)、验证我的证书openssl verify -CAfile ca.crt myserver.crtmyserver.crt: OK
7、到这里完成了 3 步 ,自建名证书、CA证书、CA颁发 myserver 证书
疑问:什么是服务端用的?什么是客户端用的?
学习 openssl 证书命令相关推荐
- signature=1e627a907c86a2ecea855afa2fce9a87,熟练掌握 openssl 证书命令说明
熟练掌握 openssl 证书命令说明 发布时间:2020-05-10 09:03:43 来源:51CTO 阅读:257 作者:17gongdeng 熟练掌握 openssl 证书命令说明 2.在我电 ...
- 通过openssl学习ssl证书。
通过抓包学习ssl:https://www.cnblogs.com/xiaxveliang/p/13183175.html 通过openssl学习ssl:http://3ms.huawei.com/k ...
- openssl x509 证书命令
openssl x509命令具以下的一些功能,例如输出证书信息,签署证书请求文件.生成自签名证书.转换证书格式等. openssl x509工具不会使用openssl配置文件中的设定,而是完全需要自行 ...
- php OpenSSL工具命令导出.cer证书密钥
本文主要讲述Windows系统下使用 OpenSSL工具导出.cer证书密钥 1.安装OpenSSL 官方地址:https://www.openssl.org/source/ 2.安装完成,打开 cm ...
- 【ssl认证、证书】openssl genrsa 命令详解
文章目录 一.openssl genrsa 命令介绍 二.openssl genrsa 命令的语法及选项 三.实例 1.生成512位的 RSA 秘钥,输出到屏幕. 2.生成512位 RSA 私钥,输出 ...
- 硬盘mdr转换成gdp linux,Linux 命令学习神器!命令看不懂直接给你解释!
原标题:Linux 命令学习神器!命令看不懂直接给你解释! 转自: 良许Linux 大家都知道,Linux 系统有非常多的命令,而且每个命令又有非常多的用法,想要全部记住所有命令的所有用法,恐怕是一件 ...
- fiddler证书生成ca证书命令及抓包配置
fiddler证书生成ca证书命令 下载OpenSSL fiddler配置https fiddler导出证书 将文件直接放到openssl的bin目录下 执行cmd命令生成ca证书 将证书放到andr ...
- linux下 openssl证书签发
在linux已经集成了openssl组件,因此博主利用例子讲解如何在linux系统下签发证书,因为个人证书时不受谷歌浏览器认可的,所以自签发证书只能在火狐浏览器下测试使用! 1 openssl证书生成 ...
- [原创]Saltstack学习笔记:命令参数详解以及配置文件说明
很久没有更新saltstack的文章了,今天还是来更新一点,又开始对saltstack复习了一下. 前边写了一点<saltstack入门概述(1)>以及<Saltstack如何安装( ...
- OpenSSL常用命令快速上手
OpenSSL常用命令快速上手 RSA篇 我们的操作流程为: 生成RSA密钥key.pem(也称私钥,密钥对). 从key.pem中导出公钥pubkey.pem. 使用公钥pubkey.pem对文件t ...
最新文章
- MySQL count sum 条件查询
- python学习路线-Python最佳学习路线
- new,delete和malloc,free以及allocatorT
- 学习笔记——深拷贝与浅拷贝
- SpringBoot项目启动提示:An attempt was made to call the method org.apache.coyote.AbstractProtocol.setAccept
- Matlab 矩阵计算例子
- filco蓝牙不好用_800元和300元的机械键盘差多少,Filco圣手104晒单
- windows环境wampserver3 切换 php7
- Go udp 的高性能优化
- css --- flex:n的解析
- scala使用java类_使用Java和Scala将Play Framework 2应用程序部署到Openshift
- 力控批量添加变量_力控变量.ppt
- oracle创建用户、创建表空间、授权、建表
- 北斗如何帮助电动车精细管理?北斗高精度定位显神威
- NAT地址转换顺序:inside→outside先路由再转换;outside→inside先转换再路由
- JS 如何清除页面缓存
- 乡村振兴公益基金启动暨古茶树非遗保护公益行发布
- 计算机桌面进入安全模式,win7安全模式无法入桌面怎么办?无法进入桌面解法...
- 揭秘清道夫轮巡码制作流程
- Python 爬虫实战入门——爬取汽车之家网站促销优惠与经销商信息