标签:Name Windows ca server key 签证 认证 生成 out
生成服务端证书与客户端证书
1. 生成根证书
根证书(Root Certificate)是属于根证书颁发机构(CA)的公钥证书。用来验证它所签发的证书(服务端、客户端)
(1)打开openssl
执行openssl
(2)生成根证书私钥文件
执行 genrsa -out ca.key 2048,生成ca.key私钥文件
(3)生成根证书公钥文件
执行 req -new -x509 -days 3650 -key ca.key -out ca.pem ,生成ca.pem公钥文件
注:此步骤生成时Common Name填写localhost
以上执行命令如下所示:
#(1)打开openssl
E:\Program Files\OpenSSL-Win64\bin>openssl
#(2)生成根证书私钥文件
OpenSSL> genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
......................................................................................+++++
e is 65537 (0x010001)
#(3)生成根证书公钥文件
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:2. 生成服务端证书
(1)生成服务端私钥文件
执行 genrsa -out server.key 2048 ,生成server.key私钥文件
(2)请求创建服务端证书
执行 req -new -key server.key -out server.csr ,生成server.csr证书文件
若出现以下错误,打开一个新窗囗再执行命令 
注:此步骤生成时Common Name填写localhost
(3)生成服务端公钥文件
执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem ,根据server.csr签发生成server.pem公钥文件
以上执行命令如下所示:
E:\Program Files\OpenSSL-Win64\bin>openssl
#(1)生成服务端私钥文件
OpenSSL> genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
.............+++++
e is 65537 (0x010001)
#(2)请求创建服务端证书
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#(3)生成服务端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key3. 生成客户端证书
(1)生成客户端私钥文件
执行 ecparam -genkey -name secp384r1 -out client.key ,生成client.key私钥文件
(2)请求创建客户端证书
执行 req -new -key client.key -out client.csr ,生成client.csr证书文件
注:此步骤生成时Common Name填写localhost
(3)生成客户端公钥文件
执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem,根据client.csr签发生成client.pem公钥文件
以上执行命令如下所示:
E:\Program Files\OpenSSL-Win64\bin>openssl
#(1)生成客户端私钥文件
OpenSSL> ecparam -genkey -name secp384r1 -out client.key
#(2)请求创建客户端证书
OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#(3)生成客户端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key参考视频:
标签:Name,Windows,ca,server,key,签证,认证,生成,out 来源: https://blog.csdn.net/ling1998/article/details/122054367
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。