一、创建自签证书
1 执行 openssl
localhost:~ ds$ openssl
OpenSSL>
2.执行genrsa -des3 -out server.key 2048 生成server.key私钥文件
OpenSSL> genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
# 输入密码(例): 123456
Verifying - Enter pass phrase for server.key:
# 输入密码(例): 123456
3.执行 req -new -key server.key -out server.csr 创建证书请求,生成server.csr
OpenSSL> req -new -key server.key -out server.csr
Enter pass phrase for server.key:
# 输入密码(例): 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 输入信息(例):
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:sawl
Organizational Unit Name (eg, section) []:dev
Common Name (eg, fully qualified host name) []:sawl.org
Email Address []:464226150@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
# 输入密码(例): 123456
[选]4.删除密码 rsa -in server.key -out server_no_password.key 生成一个新的key
OpenSSL> rsa -in server.key -out server_no_password.key
4514786924:error:0DFFF07A:asn1 encoding routines:CRYPTO_internal:first num too large:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/asn1/a_object.c:112:
Enter pass phrase for server.key:
# 输入密码(例): 123456
writing RSA key
OpenSSL>
5.生成crt证书 x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt
OpenSSL> x509 -req -days 365 -in server.csr -signkey server_no_password.key -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=sawl.org/emailAddress=46***50@qq.com
Getting Private key
证书:
执行第四步删除密码的有效证书文件为: server_no_password.key 和 server.crt
没有执行第四步删除密码的有效证书文件为: server.key 和 server.crt
二、创建ca证书
1.执行 genrsa -out ca.key 2048
OpenSSL> genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
......................................................................+++
e is 65537 (0x10001)
2.执行 req -new -x509 -days 3650 -key ca.key -out ca.pem
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:sawl
Organizational Unit Name (eg, section) []:dev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:46****50@qq.com
- 重新生成服务端证书
- genrsa -out server.key 2048
OpenSSL> genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................+++
.................................+++
e is 65537 (0x10001)
- req -new -key server.key -out server.csr
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:sawl
Organizational Unit Name (eg, section) []:dev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:46****50@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
3)x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
两次域名一定要写一致,我这里全部写的localhost
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=localhost/emailAddress=464226150@qq.com
Getting CA Private Key
- 同理重新生成客户端
1)ecparam -genkey -name secp384r1 -out client.key
OpenSSL> ecparam -genkey -name secp384r1 -out client.key
2)req -new -key client.key -out client.csr
OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:sawl
Organizational Unit Name (eg, section) []:dev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:46****50@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
3)x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=sawl/OU=dev/CN=localhost/emailAddress=46****50@qq.com
Getting CA Private Key
客户端:client.key ca.pem client.pem
服务端:server.key ca.pem server.pem
三、生成pfx
req -newkey rsa:2048 -nodes -keyout template.key -x509 -days 365000 -out template.cer
localhost:~ ds$ openssl
OpenSSL> req -newkey rsa:2048 -nodes -keyout template.key -x509 -days 365000 -out template.cer
Generating a 2048 bit RSA private key
...............+++
...................................................................................................................+++
writing new private key to 'template.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) []:sawl
Organizational Unit Name (eg, section) []:dev
Common Name (eg, fully qualified host name) []:localhost
Email Address []:46****50@qq.com
OpenSSL> pkcs12 -export -in template.cer -inkey template.key -out template.pfx
Enter Export Password:
Verifying - Enter Export Password:
打包两个文件为一个pfx文件,这个时候你要输入密码,需要记住,这是对私钥加密的一层保障,然后输出pfx文件即可
pkcs12 -export -in template.cer -inkey template.key -out template.pfx
# 输入密码(例): 123456
参考:https://www.cnblogs.com/devhg/p/13751770.html
https://www.cnblogs.com/walt/p/15211773.html
