ubuntu创建自签名证书

系统版本:

Ubuntu 17.04。首先生成一个RSA私钥:

$
$ mkdir private
$  
$ openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
$ 

接下来,使用以上的私钥生成CA证书:

$ 
$ openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:Development
Email Address []:sec@test.com
$ 
$ 
$ ls
cacert.pem  private
$ 

可使用以下命令查看证书内容:

$ openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9410302713013285385 (0x82981c75a60d3209)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=Test, OU=Security, CN=Development/emailAddress=sec@test.com
        Validity
            Not Before: Nov 18 06:20:55 2019 GMT
            Not After : Dec 18 06:20:55 2019 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=Test, OU=Security, CN=Development/emailAddress=sec@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
		...

以下操作用于生成名称为test.crt的自签名证书。首先生成test的私钥:

$  
$ openssl genrsa -out test.key 2048     
Generating RSA private key, 2048 bit long modulus
....+++
......+++
e is 65537 (0x10001)
$ 

接下来,使用test的私钥生成证书请求:

$ 
$ openssl req -new -key test.key -out test.csr      
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:NJ
Locality Name (eg, city) []:^C
$ openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:Development
Email Address []:sec@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:
$ 
$ 
$ ls
cacert.pem  private  test.csr  test.key
$ 

创建自签名需要用到的目录demoCA/newcerts,以及文件index.txt和serial。

$ 
$ mkdir -p  demoCA/newcerts
$ 
$ touch demoCA/index.txt
$ 
$ echo 01 > demoCA/serial
$ 

以下对test的证书请求,使用开始时生成的CA证书和私钥进行签名,生成test的自签名证书test.crt。

$ 
$ openssl ca -in test.csr -cert cacert.pem -keyfile private/cakey.pem -days 365 -out test.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 18 06:25:34 2019 GMT
            Not After : Nov 17 06:25:34 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = Test
            organizationalUnitName    = Security
            commonName                = Development
            emailAddress              = sec@test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B7:AF:39:DC:E2:05:DB:05:DA:D2:90:53:A8:34:A0:77:FD:80:5D:08
            X509v3 Authority Key Identifier: 
                keyid:67:BF:09:FC:58:01:FC:D7:D4:9D:47:93:07:00:8C:DF:FF:BE:36:B9

Certificate is to be certified until Nov 17 06:25:34 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ 
$ 
$ ls
cacert.pem  demoCA  private  test.crt  test.csr  test.key
$ 

最后以及test的私钥生成test的公钥:

$ 
$ openssl rsa -in test.key -pubout -out test.pub.key    
writing RSA key
$ 

END

已标记关键词 清除标记
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页