当前环境
OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)
GmSSL 3.1.2 Dev
本地gmssl命令
powershell
#生成证书公私钥对
gmssl sm2keygen -pass 1234 -out sm2.key -pubout sm2pub.pem
#使用certgen命令生成自签名证书cert.crt
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key sm2.pem -pass 1234 -key_usage "digitalSignature" -key_usage "keyCertSign" -key_usage cRLSign -out cert.crt
#计算HMAC-SM3
echo -n abc | gmssl sm3hmac -key 11223344556677881122334455667788
#解析数字证书
gmssl certparse -in cert.crt证书链
一、根CA自签发证书
powershell
#首先生成CA根证书私钥rootcakey.pem,然后进行自签名,生成根证书rootcacert.pem
gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
#查看生成的自签名证书rootcacert.pem
gmssl certparse -in rootcacert.pem
或者=======================================================================
#首先生成CA根证书私钥rootcakey.key,然后进行自签名,生成根证书rootcacert.crt
gmssl sm2keygen -pass 1234 -out rootcakey.key
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.key -pass 1234 -out rootcacert.crt -key_usage keyCertSign -key_usage cRLSign
#查看生成的自签名证书rootcacert.crt
gmssl certparse -in rootcacert.crt二、根CA签发二级CA证书
powershell
#首先生成二级CA的证书私钥,然后生成证书请求careq.pem,然后由根CA进行签名,生成二级CA的证书cacert.pem
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
#注意 上面哪行会出现reqgen: illegal option '-days'报错 这里我会去掉这个参数
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
或者=======================================================================
#首先生成二级CA的证书私钥,然后生成证书请求careq.csr,然后由根CA进行签名,生成二级CA的证书cacert.pem
gmssl sm2keygen -pass 1234 -out cakey.key
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.key -pass 1234 -out careq.csr
#注意 上面哪行会出现reqgen: illegal option '-days'报错 这里我会去掉这个参数
gmssl reqsign -in careq.csr -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.crt -key rootcakey.key -pass 1234 -out cacert.crt三、二级CA签发用户证书
powershell
#首先生成用户私钥,并通过用户私钥生成证书请求encreq.pem,然后由二级CA进行签发,生成用户证书enccert.pem
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
#查看生成的用户证书enccert.pem
gmssl certparse -in enccert.pem
#将二级CA的证书和用户证书放在一个文件中,形成完整的用户证书文件certs.pem
cat enccert.pem > certs.pem
cat cacert.pem >> certs.pem
或者====================================================
#首先生成用户私钥,并通过用户私钥生成证书请求encreq.csr,然后由二级CA进行签发,生成用户证书enccert.pem
gmssl sm2keygen -pass 1234 -out enckey.key
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.key -pass 1234 -out encreq.csr
gmssl reqsign -in encreq.csr -days 365 -key_usage keyEncipherment -cacert cacert.crt -key cakey.csr -pass 1234 -out enccert.crt
#查看生成的用户证书enccert.pem
gmssl certparse -in enccert.pem
#将二级CA的证书和用户证书放在一个文件中,形成完整的用户证书文件certs.pem
cat enccert.pem > certs.pem
cat cacert.pem >> certs.pemopenssl生成证书
1、使用 genpkey方式
powershell
#生成RSA密钥对文件(其中包含公钥和私钥)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem
#查看生成密钥文件
openssl pkey -in private.pem -text -noout -check
openssl rsa -in private.pem -text -noout
#从密钥中提取出公钥信息 (注意:不需要特意来提取公钥文件,一般在生成csr文件或执行其它需要公钥命令时openssl会自动提取公钥信息)
openssl pkey -in private.pem -pubout -out public.pem
#查看公钥内容
openssl rsa -pubin -in public.pem -text -noout2、使用genrsa方式
powershell
#生成密钥对 .key
openssl genrsa -out ca.key 2048
#提取公钥信息
openssl rsa -in ca.key -pubout -out public.key
#生成请求文件 ca.csr
openssl req -new -key ca.key -out ca.csr
或
#通过配置文件cert.conf(下面有文件内容)来创建.csr文件
openssl req -new -key ca.key -out ca.csr -config cert.conf
#查看请求.csr文件 noout后加-verify 代表验证csr文件
openssl req -in cert.csr -text -noout
#生成证书ca.crt
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
===========================================================================================================
#一下生成密钥key和对应的请求文件csr
openssl req -new -newkey rsa:2048 -keyout cert-key.pem -nodes -out cert.csr -subj "/C=CN/ST=Zhe Jiang/L=Hang Zhou/O=GUAN Technologies Inc./OU=IT/CN=guan-example.com/emailAddress=guan@email.com"
#生成crt证书文件
openssl x509 -req -days 365 -in cert.csr -sha256 -signkey cert-key.pem -extfile <(printf "subjectAltName=DNS:guan-example.com,DNS:*.guan-example.com") -out cert.crt
注意这里在windows下可能不支持-extfile <(printf "subjectAltName=DNS:guan-example.com,DNS:*.guan-example.com")方式添加
可以把下面这段内容添加到ext.conf文件中
subjectAltName=DNS:guan-example.com,DNS:*.guan-example.com
然后执行
openssl x509 -req -days 365 -in cert.csr -sha256 -signkey cert-key.pem -extfile ext.conf -out cert.crt
#查看证书.crt文件
openssl x509 -in cert.crt -text -noout生成证书链
1、生成根证书
powershell
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout rootCA-key.pem -subj "/C=CN/ST=Zhe Jiang/L=Hang Zhou/O=GUAN Technologies Inc./OU=IT/CN=guan-example.com/emailAddress=guan@email.com" -out rootCA.crt2、根据根证书生成子证书
powershell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert-key.pem -CA rootCA.crt -CAkey rootCA-key.pem -subj "/C=CN/ST=Zhe Jiang/L=Hang Zhou/O=GUAN Technologies Inc./OU=IT/CN=guan-example.com/emailAddress=guan@email.com" -addext "subjectAltName=DNS:guan-example.com,DNS:*.guan-example.com" -out cert.crtcert.conf的内容如下
bash
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = CN
ST = ZheJiang
L = HangZhou
O = GUAN Technologies Inc.
OU = IT Department
CN = www.guan_example.com
emailAddress = guan@email.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = tls-example.com
DNS.2 = *.tls-example.com想要学习可以查看这两个视频
带你详细了解TLS、HTTPS以及证书的底层原理-上
带你详细了解TLS、HTTPS以及证书的底层原理-下
超级详细,可以深入学习学习