Generating a Self-Signed Certificate with OpenSSL

  • [1. Interactive generation](#1. Interactive generation)
  • [2. One-step generation](#2. One-step generation)
  • References

1. Interactive generation

Generating a self-signed SSL certificate is a simple three-step process:

Step 1: Create the server private key

```bash
openssl genrsa -out cert.key 2048
```

Step 2: Create the certificate signing request (CSR)

```bash
openssl req -new -key cert.key -out cert.csr
```

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TM
Organizational Unit Name (eg, section) []:TM
Common Name (e.g. server FQDN or YOUR name) []:tm.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Step 3: Sign the certificate using the private key and the CSR

```bash
openssl x509 -req -days 3650 -in cert.csr -signkey cert.key -out cert.crt
```

```
Certificate request self-signature ok
subject=C=CN, ST=BJ, L=BJ, O=TM, OU=TM, CN=tm.com
```

Congratulations! You now have a self-signed SSL certificate that is valid for 10 years.

2. One-step generation

```bash
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -subj "/C=CN/ST=BJ/L=BJ/O=TM/OU=TM/CN=tm.com" \
    -keyout cert.key -out cert.crt
```
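
Added example, not part of the original post: the commands above put the host name only in CN, while current browsers and TLS libraries match names against subjectAltName, so this sketch issues the same certificate with a SAN and then checks the result. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`); the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Assumes OpenSSL 1.1.1 or newer.
# Function names are illustrative; host and output directory come from the caller.

# Generate an RSA-2048 key and a self-signed certificate whose subjectAltName
# carries the host name, reusing the subject fields shown on the page.
make_self_signed() {
    local host="$1" dir="$2" days="${3:-3650}"
    (
        umask 077    # the unencrypted key is created readable by its owner only
        # stderr is discarded because key generation prints progress marks there
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/C=CN/ST=BJ/L=BJ/O=TM/OU=TM/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/cert.key" -out "$dir/cert.crt" 2>/dev/null
    )
}

# Succeed only if the certificate and the private key share one public key.
# Each openssl call is checked on its own so two failures never compare equal.
key_matches_cert() {
    local crt="$1" key="$2" a b
    a=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$key" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if subjectAltName holds exactly DNS:<host> (no prefix matches).
has_san() {
    local crt="$1" host="$2"
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$host"
}

# Succeed only if the certificate is still valid the given number of days from now.
valid_for_days() {
    local crt="$1" days="$2"
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null
}
```

A certificate produced by the CN-only commands on this page fails `has_san`, which is the quickest way to tell the two apart.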

References

Generation of a Self Signed Certificate
