mac: generating a self-signed SSL certificate and a CA certificate


Author: 一介书生独醉江湖 | Published 2022-08-19 13:45
    I. Create a self-signed certificate

    1. Run openssl

    localhost:~ ds$ openssl
    OpenSSL> 
    

    2. Run genrsa -des3 -out server.key 2048 to generate the private key file server.key

    OpenSSL> genrsa -des3 -out server.key 2048    
    Generating RSA private key, 2048 bit long modulus
    .......+++
    .................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    # enter a passphrase (example): 123456
    Verifying - Enter pass phrase for server.key:
    # enter the passphrase again (example): 123456
    

    3. Run req -new -key server.key -out server.csr to create a certificate signing request, producing server.csr

    OpenSSL> req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    # enter the passphrase (example): 123456
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    # enter the details (example):
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:sawl
    Organizational Unit Name (eg, section) []:dev 
    Common Name (eg, fully qualified host name) []:sawl.org
    Email Address []:464226150@qq.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    # enter a challenge password (example): 123456
    

    [optional] 4. Remove the passphrase: rsa -in server.key -out server_no_password.key writes a new, unencrypted key file

    OpenSSL> rsa -in server.key -out server_no_password.key
    4514786924:error:0DFFF07A:asn1 encoding routines:CRYPTO_internal:first num too large:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/asn1/a_object.c:112:
    Enter pass phrase for server.key:
    # enter the passphrase (example): 123456
    writing RSA key
    OpenSSL> 
    

    5. Generate the .crt certificate: x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt

    OpenSSL> x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=sawl.org/emailAddress=46***50@qq.com
    Getting Private key
    
    Resulting certificate files:
    If you ran step 4 (passphrase removed), the files to use are server_no_password.key and server.crt.
    If you did not run step 4, the files to use are server.key and server.crt.
    
    II. Create a CA certificate

    1. Run genrsa -out ca.key 2048

    OpenSSL> genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    .........................................+++
    ......................................................................+++
    e is 65537 (0x10001)
    

    2. Run req -new -x509 -days 3650 -key ca.key -out ca.pem

    OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:sawl
    Organizational Unit Name (eg, section) []:dev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:46****50@qq.com
    
    3. Regenerate the server certificate
    1) genrsa -out server.key 2048
    OpenSSL> genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    .....................................................................................................................+++
    .................................+++
    e is 65537 (0x10001)
    
    2) req -new -key server.key -out server.csr
    OpenSSL> req -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:sawl
    Organizational Unit Name (eg, section) []:dev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:46****50@qq.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    

    3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
    The domain name entered in the two requests must be identical; I used localhost throughout.

    OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=localhost/emailAddress=464226150@qq.com
    Getting CA Private Key
    
    4. Regenerate the client certificate the same way
    1) ecparam -genkey -name secp384r1 -out client.key
    OpenSSL> ecparam -genkey -name secp384r1 -out client.key
    

    2) req -new -key client.key -out client.csr

    OpenSSL> req -new -key client.key -out client.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:sawl
    Organizational Unit Name (eg, section) []:dev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:46****50@qq.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    

    3) x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem

    OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
    Signature ok
    subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=localhost/emailAddress=46****50@qq.com
    Getting CA Private Key
    
    Client side: client.key ca.pem client.pem
    Server side: server.key ca.pem server.pem
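    The CA flow of section II as a script, added here as an example and not taken from the original post: it issues the server certificate with a subjectAltName (which modern TLS clients match against the hostname instead of the CN), then verifies both that certificate and a section-I style self-signed one against ca.pem. It uses only options shared by OpenSSL and the LibreSSL shipped with macOS (no -addext; the SAN comes from an -extfile); the DN values, file names and working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): mint a CA, issue a server cert
# with a subjectAltName, and check it the way a TLS client would.
# Only options common to OpenSSL and LibreSSL are used. The DN below is made up.
set -eu

make_chain() {          # $1 = working directory
  dir=$1
  subj='/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev'
  # CA: 10-year self-signed certificate; ca.key is written without a passphrase
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -subj "$subj/CN=sawl test CA" -out "$dir/ca.pem"
  # Server key and CSR, as in section II step 3
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "$subj/CN=localhost" -out "$dir/server.csr"
  # Extensions the CA adds when signing: clients verify the hostname against SAN, not CN
  printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/san.cnf"
  openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/server.pem" 2>/dev/null
  # Section-I style self-signed server certificate (no CA), kept for comparison
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
      -out "$dir/server-selfsigned.crt" 2>/dev/null
}

verify_chain() {        # $1 = directory, $2 = certificate file; prints OK or FAIL
  if openssl verify -CAfile "$1/ca.pem" "$1/$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

san_of() {              # $1 = certificate file; prints its SAN entries, or nothing
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

d=$(mktemp -d)
make_chain "$d"
echo "CA-signed server.pem:    $(verify_chain "$d" server.pem)"
echo "self-signed server.crt:  $(verify_chain "$d" server-selfsigned.crt)"
echo "SAN in server.pem:       $(san_of "$d/server.pem")"
rm -rf "$d"
```

    The self-signed certificate fails verification because it is neither in the trust store nor issued by ca.pem; a client that trusts only ca.pem will reject it, which is exactly why section II introduces the CA.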
    
    III. Generate a .pfx

    req -newkey rsa:2048 -nodes -keyout template.key -x509 -days 365000 -out template.cer

    localhost:~ ds$ openssl
    OpenSSL> req -newkey rsa:2048 -nodes -keyout template.key -x509 -days 365000 -out template.cer
    Generating a 2048 bit RSA private key
    ...............+++
    ...................................................................................................................+++
    writing new private key to 'template.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) []:beijing
    Organization Name (eg, company) []:sawl
    Organizational Unit Name (eg, section) []:dev
    Common Name (eg, fully qualified host name) []:localhost
    Email Address []:46****50@qq.com
    
    OpenSSL> pkcs12 -export -in template.cer -inkey template.key -out template.pfx
    Enter Export Password:
    Verifying - Enter Export Password:
    

    Pack the two files into a single .pfx file. You are asked for a password at this point; remember it, because it is the layer of encryption protecting the private key. The .pfx file is then written out.

    pkcs12 -export -in template.cer -inkey template.key -out template.pfx
    # enter the export password (example): 123456
    
    

Page link: https://www.haomeiwen.com/subject/vkojgrtx.html