“CA证书”的版本间的差异
来自qingwei personal wiki
(创建页面,内容为“== 生成root根证书 == <source lang="shell"> #确保系统中安装了OpenSSL,若没安装,可以通过以下命令安装: sudo yum install openssl #定位…”) |
(→pem转crt) |
||
| (未显示同一用户的4个中间版本) | |||
| 第27行: | 第27行: | ||
# 生成根证书私钥(pem文件) | # 生成根证书私钥(pem文件) | ||
openssl genrsa -aes256 -out private/cakey.pem 1024 | openssl genrsa -aes256 -out private/cakey.pem 1024 | ||
| + | |||
| + | # 生成根证书签发申请文件(csr文件) | ||
| + | openssl req -new -key private/cakey.pem -out private/ca.csr -subj \ | ||
| + | "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname" | ||
| + | |||
| + | # 自签发根证书(cer文件) | ||
| + | openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \ | ||
| + | private/cakey.pem -in private/ca.csr -out certs/ca.cer | ||
| + | </source> | ||
| + | |||
| + | == 用根证书签发server端证书 == | ||
| + | <source lang="shell"> | ||
| + | # 生成服务端私钥 | ||
| + | openssl genrsa -aes256 -out private/server-key.pem 1024 | ||
| + | |||
| + | # 生成证书请求文件 | ||
| + | openssl req -new -key private/server-key.pem -out private/server.csr -subj \ | ||
| + | > "/C=CN/ST=Shanghai/L=Shanghai/O=CABU/CN=qingwyan.cisco.com" | ||
| + | |||
| + | # 使用根证书签发服务端证书 | ||
| + | openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \ | ||
| + | -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer | ||
| + | </source> | ||
| + | == cmd == | ||
| + | === 查看pem === | ||
| + | <source lang="shell"> | ||
| + | openssl x509 -noout -subject -in /opt/tyk-gateway/cert.pem | ||
| + | </source> | ||
| + | === pem转crt === | ||
| + | <source lang="shell"> | ||
| + | openssl x509 -outform der -in cert.pem -out cert.crt | ||
</source> | </source> | ||
2018年5月29日 (二) 09:53的最新版本
生成root根证书
#确保系统中安装了OpenSSL,若没安装,可以通过以下命令安装:
sudo yum install openssl
#定位一下OpenSSL的配置文件openssl.cnf
locate openssl.cnf
#修改配置文件,修改其中的dir变量,重新设置SSL的工作目录:
vi /etc/pki/tls/openssl.cnf
#dir = /etc/pki/CA # Where everything is kept
dir = /home/qingwyan/ca # Where everything is kept
# 创建需要的文件
[qingwyan@qingwyan ca]$ mkdir certs
[qingwyan@qingwyan ca]$ mkdir newcerts
[qingwyan@qingwyan ca]$ mkdir private
[qingwyan@qingwyan ca]$ mkdir crl
[qingwyan@qingwyan ca]$ touch index.txt
[qingwyan@qingwyan ca]$ echo 01>serial
[qingwyan@qingwyan ca]$ ls
certs crl index.txt newcerts private serial
# 生成证书之前,需要先生成一个随机数:
openssl rand -out private/.rand 1000
# 生成根证书私钥(pem文件)
openssl genrsa -aes256 -out private/cakey.pem 1024
# 生成根证书签发申请文件(csr文件)
openssl req -new -key private/cakey.pem -out private/ca.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
# 自签发根证书(cer文件)
openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \
private/cakey.pem -in private/ca.csr -out certs/ca.cer
用根证书签发server端证书
# 生成服务端私钥
openssl genrsa -aes256 -out private/server-key.pem 1024
# 生成证书请求文件
openssl req -new -key private/server-key.pem -out private/server.csr -subj \
> "/C=CN/ST=Shanghai/L=Shanghai/O=CABU/CN=qingwyan.cisco.com"
# 使用根证书签发服务端证书
openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
cmd
查看pem
openssl x509 -noout -subject -in /opt/tyk-gateway/cert.pem
pem转crt
openssl x509 -outform der -in cert.pem -out cert.crt
