制作自签名证书(无用户名密码保护)
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt -days 3650 -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=localhost\emailAddress=admin@localhost.com"
制作自签名证书(有用户名密码保护)
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=localhost\emailAddress=admin@localhost.com"
openssl x509 -req -sha256 -days 3650 -in server.csr -signkey server.key -out server.crt
制作CA根证书并为第三方颁发证书
openssl genrsa -out ca.key 2048
openssl req -new -x509 -nodes -days 3650 -key ca.key -out ca.crt -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=ca.example.com\emailAddress=admin@ca.com"
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server.key -out server.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=server.example.com\emailAddress=admin@server.com"
openssl x509 -req -in server.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client.key -out client.csr -subj "//C=CN\ST=Chongqing\L=Chongqing\O=org\OU=OrgUnit\CN=client.example.com\emailAddress=admin@client.com"
openssl x509 -req -in client.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
#颁发泛域名证书
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout example.key -out example.csr -subj /C=CN/ST=Chongqing/L=Chongqing/O=org/OU=OrgUnit/CN=*.example.com/emailAddress=admin@example.com
cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com
IP.1 = 192.168.1.100
IP.2 = 192.168.1.200
EOF
openssl x509 -req -in example.csr -days 3650 -CA ca.crt -CAkey ca.key -set_serial 100 -out example.crt -extfile v3.ext
#转p12格式
openssl pkcs12 -chain -CAfile ca.crt -export -in example.crt -inkey example.key -out example.p12 -name example.com
获取服务器上的证书
openssl s_client -servername baidu.com -connect baidu.com:443 \
< /dev/null 2>/dev/null \
| openssl x509 -outform pem \
> baidu.com.crt
ubuntu 上安装证书
sudo su -
cp baidu.com.crt /usr/local/share/ca-certificates/baidu.com.crt
update-ca-certificates
centos 上安装证书
cp baidu.com.crt /etc/pki/ca-trust/source/anchors/baidu.com.crt
update-ca-trust
java 中安装证书
cd $JAVA_HOME
#导入证书
./jre/bin/keytool -keystore jre/lib/security/cacerts -importcert -alias baidu.com -file baidu.com.crt -storepass changeit
#查看证书
./jre/bin/keytool -list -keystore jre/lib/security/cacerts -storepass changeit | grep baidu.com
./jre/bin/keytool -keystore jre/lib/security/cacerts -delete -alias baidu.com
最后编辑于 :
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。
