openssl genrsa -aes256 -passout pass:123456 -out root.key 2048
openssl req -new -key root.key -out root.csr
After running this command you are prompted for several fields; answer each prompt and keep a record of what you enter, since you will need the values later.
Enter pass phrase for root.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:XJ
Organizational Unit Name (eg, section) []:XJ
Common Name (eg, your name or your server's hostname) []:LDW XJ
openssl x509 -req -days 365 -sha256 -extfile root.ext -extensions v3_ca -in root.csr -signkey root.key -out root.crt
Here root.ext is created by hand with the following contents:
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
The intermediate certificate is produced in much the same way as the root certificate, so the commands are given directly.
openssl genrsa -out middle.key 4096
openssl req -new -key middle.key -out middle.csr
openssl x509 -req -extfile ca_intermediate.ext -extensions v3_intermediate_ca -days 365 -sha256 -CA root.crt -CAkey root.key -CAcreateserial -CAserial serial -in middle.csr -out middle.crt
This step uses ca_intermediate.ext which, like root.ext, is created by hand with the following contents:
# Extensions for a typical intermediate CA (`man x509v3_config`).
# The section name must match the -extensions argument given to openssl x509.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
openssl verify -CAfile root.crt middle.crt
The output should look like this:
middle.crt: OK
Then run the following command for a further check:
openssl x509 -noout -text -in middle.crt
The output must contain the following:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Issuing the server certificate follows the same pattern as the intermediate certificate, so the commands are given directly.
openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -extfile server.ext -extensions v3_server -days 365 -sha256 -CA middle.crt -CAkey middle.key -CAserial serial -in server.csr -out server.crt
This step uses server.ext, which shapes the certificate to what modern browsers expect of an SSL certificate. Like root.ext it is created by hand, with the following contents:
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
cat middle.crt root.crt > middle-chain.crt
openssl verify -CAfile middle-chain.crt server.crt
The result should match the following:
server.crt: OK
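The whole procedure above as one non-interactive script, added here as an example and not taken from the original post: it builds the root, intermediate and server certificates in a scratch directory, adds a subjectAltName to the server certificate (browsers match the hostname against the SAN, not the CN), and shows both a passing verification and why verifying against root.crt alone fails. It assumes openssl 1.1.1 or newer on PATH; the organisation XJ and the hostname www.example.test are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl 1.1.1+ on PATH;
# keys are left unencrypted for brevity and all names are constructed values.
set -eu

build_chain() {
    dir=$(mktemp -d) && cd "$dir"
    # Root CA: self-signed, CA:true (same extensions as the post's root.ext).
    printf '[v3_ca]\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer\nbasicConstraints=critical,CA:true\n' > root.ext
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -batch -key root.key -subj '/C=CN/O=XJ/CN=XJ Root CA' -out root.csr
    openssl x509 -req -days 365 -sha256 -extfile root.ext -extensions v3_ca \
        -in root.csr -signkey root.key -out root.crt 2>/dev/null
    # Intermediate CA: pathlen:0 means it may issue leaf certificates only.
    printf '[v3_intermediate_ca]\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,digitalSignature,cRLSign,keyCertSign\n' > middle.ext
    openssl genrsa -out middle.key 2048 2>/dev/null
    openssl req -new -batch -key middle.key -subj '/C=CN/O=XJ/CN=XJ Intermediate CA' -out middle.csr
    openssl x509 -req -days 365 -sha256 -extfile middle.ext -extensions v3_intermediate_ca \
        -CA root.crt -CAkey root.key -CAcreateserial -in middle.csr -out middle.crt 2>/dev/null
    # Server cert: CA:FALSE plus a subjectAltName. Browsers match the hostname
    # against the SAN and ignore the CN, so the post's server.ext alone is not enough.
    printf '[v3_server]\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -batch -key server.key -subj '/C=CN/O=XJ/CN=www.example.test' -out server.csr
    openssl x509 -req -days 365 -sha256 -extfile server.ext -extensions v3_server \
        -CA middle.crt -CAkey middle.key -CAcreateserial -in server.csr -out server.crt 2>/dev/null
    echo "$dir"
}

# Verify the leaf with the root as the only trust anchor, the intermediate
# supplied as an untrusted link, and a hostname check. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/middle.crt" \
        -verify_hostname www.example.test "$1/server.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Why the post concatenates middle.crt and root.crt: given the root alone the
# verifier cannot find the leaf's issuer, so validation fails.
verify_root_only() {
    if openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

dir=$(build_chain)
echo "chain via intermediate: $(verify_chain "$dir"), root only: $(verify_root_only "$dir")"
```

Passing root.crt as -CAfile and middle.crt as -untrusted is the stricter form of the post's middle-chain.crt check, because only the root is treated as a trust anchor.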