long blogs

Every step forward brings a new surprise



© 2025 long

Theme Typography by Makito

Proudly published with Hexo

Generating SSL certificates with OpenSSL

Posted at 2021-03-26 linux 

Generating certificates with OpenSSL

.key: the private key. It must never leave the host it was generated on (or the HSM), and it is the only one of these files that needs protecting.

.csr: certificate signing request. It contains the public key and the requested subject, signed with the applicant's own private key; it carries no CA signature yet.

.crt: a certificate (CA-signed or self-signed). Despite the extension the encoding may be PEM or DER; everything produced below is PEM.

.crl: certificate revocation list, the CA's signed list of certificates it has withdrawn before expiry.

.pem: Privacy-Enhanced Mail encoding, i.e. Base64 DER between "-----BEGIN ...-----" and "-----END ...-----" lines. This is the text format used when importing and exporting, and a single .pem file may hold a certificate, a private key, a CSR, or several of these concatenated.

Steps for generating the CA root certificate

Generate the CA private key (.key) -> generate the CA certificate request (.csr) -> self-sign it to obtain the root certificate (.crt), i.e. the certificate the CA issues to itself.

# Generate CA private key
openssl genrsa -out ca.key 2048
# Generate CSR (you will be prompted for the subject fields)
openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate (the CA root certificate)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Note that `openssl x509 -req -signkey` copies no extensions from the CSR, so ca.crt ends up without basicConstraints=CA:TRUE (on OpenSSL 1.1.x it is a plain X.509 v1 certificate with no extensions at all). A root that is meant to act as a CA should carry that extension; pass an extensions file with `-extfile` to `x509`, or produce the root in one step with `openssl req -x509` and a CA extensions section. Protect ca.key (mode 600, ideally offline): anyone holding it can issue certificates every client that trusts ca.crt will accept.

An error that may appear:

Can't load ./.rnd into RNG 10504:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto\rand\randfile.c:98:Filename=./.rnd

Fix:

Open /etc/ssl/openssl.cnf and comment out the following line:

RANDFILE = $ENV::HOME/.rnd

After commenting it out:

#RANDFILE = $ENV::HOME/.rnd

OpenSSL 1.1.x raises this when the seed file named by RANDFILE does not exist yet (the crypto\rand\randfile.c path in the message shows it was hit on a Windows build; on Linux the file is /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf). Commenting out RANDFILE removes the lookup; on OpenSSL 1.1.1 creating the file once with `openssl rand -writerand ~/.rnd` also works. Key quality does not depend on this file on a modern system, because OpenSSL 1.1.1 seeds its RNG from the operating system regardless.

Steps for generating end-entity (user) certificates

Every field other than Common Name may be left empty; Common Name must be the server's IP address or domain name. Two caveats: modern browsers and TLS libraries match the host against the subjectAltName extension and ignore CN, so for anything beyond a quick test the host name has to appear in a SAN as well (the `openssl ca` step below adds no SAN unless its config section does); and with the default policy_match policy, `openssl ca` requires the country, state and organization of the request to match the CA certificate, so answer those prompts identically (or accept the same defaults) for the CA and for every request.

Generate the private key (.key) -> generate the certificate request (.csr) -> sign it with the CA root certificate to obtain the certificate (.crt)

Server-side certificate:

# private key; -des3 encrypts the key with a passphrase that the server must then
# supply at startup, so drop it for an unattended service. 2048 bits is the
# floor today: the 1024-bit key in the original command is rejected by modern clients.
openssl genrsa -des3 -out server.key 2048
# generate csr
openssl req -new -key server.key -out server.csr
# generate certificate, signed by the CA
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

An error that may appear:

Using configuration from /usr/lib/ssl/openssl.cnf
ca: ./demoCA/newcerts is not a directory
./demoCA/newcerts: No such file or directory

`openssl ca` keeps its issuance database in the directory named by `dir` in the [ CA_default ] section of openssl.cnf, ./demoCA by default, and expects it to exist. Create the folder demoCA/newcerts, and inside demoCA create an empty file index.txt (the database of issued certificates) and a file serial containing 01 (the next serial number). These are also the files to back up and keep consistent, since `openssl ca` refuses to issue two certificates with the same subject or serial.

Client-side certificate (same three steps; the 1024-bit key of the original is raised to 2048 here as well):

openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

Generating a PEM bundle
Some software wants a single PEM file holding both the certificate and its private key. The .crt and .key files produced above are already PEM-encoded, so concatenating them is enough:

cat client.crt client.key > client.pem
cat server.crt server.key > server.pem

The combined file contains the private key, so protect it exactly like the .key file (mode 600, owned by the service account) and never hand server.pem to clients; they only need ca.crt.

Result:
Server side: ca.crt, server.key, server.crt, server.pem
Client side: ca.crt, client.key, client.crt, client.pem
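The whole procedure above (CA, server and client certificates, PEM bundles) as one added shell script; this is not code from the original post. It departs from the post in the places the caveats call for: the root carries basicConstraints=CA:TRUE, the leaf certificates carry a subjectAltName, keys are 2048/4096-bit and unencrypted, and signing uses `openssl x509 -req -CA` instead of `openssl ca`, so no demoCA/ directory, index.txt or serial file is needed (`-CAcreateserial` keeps the counter in ca.srl). It writes its own minimal req config rather than relying on the system openssl.cnf. The host names, organization, file names and key sizes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA, a server
# certificate and a client certificate, with the extensions the post's
# commands leave out. Host names, file names and key sizes are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf
# (the subject is passed with -subj, so the DN section can stay empty).
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf

# 1. CA: key -> CSR -> self-signed root. `x509 -req -signkey` copies no
#    extensions, so the CA extensions are supplied with -extfile; without
#    basicConstraints=CA:TRUE the root cannot anchor a valid chain.
make_ca() {
    openssl genrsa -out ca.key 4096 2>/dev/null
    openssl req -new -config req.cnf -key ca.key \
        -subj "/O=Example Lab/CN=Example Lab Root CA" -out ca.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out ca.crt 2>/dev/null
    chmod 600 ca.key
}

# 2. Leaf: key -> CSR -> certificate signed by the CA. Signing with
#    `x509 -req -CA` instead of `openssl ca` needs no demoCA/ directory.
#    Clients match the host against subjectAltName, not CN, so a SAN is
#    required. $1 = file prefix, $2 = Common Name, $3 = SAN list, $4 = EKU.
issue_cert() {
    prefix="$1"; cn="$2"; san="$3"; eku="$4"
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    openssl req -new -config req.cnf -key "$prefix.key" \
        -subj "/O=Example Lab/CN=$cn" -out "$prefix.csr"
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=%s\n' \
        "$san" "$eku" > "$prefix.ext"
    openssl x509 -req -in "$prefix.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile "$prefix.ext" -out "$prefix.crt" 2>/dev/null
    # .crt and .key are already PEM, so the combined bundle is a concatenation.
    cat "$prefix.crt" "$prefix.key" > "$prefix.pem"
    chmod 600 "$prefix.key" "$prefix.pem"
}

# 3. Verify the chain the way a TLS client that trusts ca.crt would; with a
#    second argument it also performs the host-name match against the SAN.
#    $1 = file prefix, $2 = expected host name (optional)
verify_cert() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile ca.crt -verify_hostname "$2" "$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
    fi
}

make_ca
issue_cert server app.example.test "DNS:app.example.test,IP:10.0.0.5" serverAuth
issue_cert client client01 "DNS:client01.example.test" clientAuth
verify_cert server app.example.test
verify_cert client
echo "CA, server and client certificates written to $WORK"
```

Run it as-is to get a throwaway PKI in a temp directory, or set WORK to keep the files somewhere specific. `verify_cert server wrong.example.test` fails with a host-name mismatch, which is the same check a browser applies before it accepts the connection.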

Skipping the CA: generate a self-signed certificate directly (a chain of one)

# Generate server private key
openssl genrsa -out server.key 2048
# Generate CSR
openssl req -new -key server.key -out server.csr
# Generate self-signed certificate (the server signs its own request, so it is
# both subject and issuer; there is no separate root)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

During the TLS handshake of an HTTPS request the server presents server.crt. If the client cannot validate it (unknown issuer, host name not in the certificate, expired) it aborts the handshake and the connection is torn down, which from the client side looks like a reset. A self-signed certificate therefore has to be installed explicitly in each client's trust store, just as ca.crt is distributed to clients in the CA-signed setup; the certificate the client sees is a PEM block like the following.

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
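The self-signed path and the trust failure described above, as an added shell example that is not the post's code. It folds key, CSR and signing into one `openssl req -x509` step, puts the host name into a subjectAltName (which the post's `req`/`x509 -req` pair does not), and uses `openssl verify` to show what a client does with the certificate once it trusts server.crt and when it does not. The host name app.example.test and the file names are assumptions; the script writes its own req config, so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the original post: a self-signed server
# certificate made in one `req -x509` step, and the two outcomes a client
# sees depending on whether it trusts that certificate. Host name assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-contained req config: empty DN section (the subject comes from -subj)
# and an extension section that puts the host name into subjectAltName.
write_config() {
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = v3\n[ dn ]\n[ v3 ]\nsubjectAltName = DNS:%s\n' "$1" > req.cnf
}

# -x509 makes req emit a certificate instead of a CSR, signed with the same
# key it just generated, so issuer and subject are identical; -nodes leaves
# the key unencrypted so an unattended server can load it.
self_signed() {
    write_config "$1"
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout server.key \
        -subj "/CN=$1" -days 365 -sha256 -out server.crt 2>/dev/null
    chmod 600 server.key
}

# A self-signed certificate is its own issuer: subject and issuer hashes match.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# A client that has server.crt in its trust store builds a chain of one and
# accepts it, provided the host name it connected to is in the SAN.
trusted_client() {
    openssl verify -CAfile server.crt -verify_hostname "$1" server.crt >/dev/null 2>&1
}

# A client with only its default trust store (here deliberately emptied with
# -no-CAfile -no-CApath) rejects it: this is the failed handshake that the
# post describes as the connection being reset.
untrusted_client() {
    openssl verify -no-CAfile -no-CApath server.crt >/dev/null 2>&1
}

self_signed app.example.test
is_self_signed server.crt && echo "server.crt is self-signed"
trusted_client app.example.test && echo "trusting client: accepted"
untrusted_client || echo "non-trusting client: rejected (install server.crt in its trust store)"
```

`trusted_client other.example.test` fails even though the certificate is trusted, because the host-name check is separate from the chain check; both must pass before a browser shows the page.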
