Creating a self-signed certificate with OpenSSL
2017-11-12 18:49
After HTTPS is enabled in Apache or nginx, the server needs a certificate and private key before it will work. With the OpenSSL tool we can quickly create a self-signed certificate for that purpose.
1 Installing OpenSSL
With a yum repository configured, the openssl package can be installed quickly with yum. First check whether openssl is already installed, then look at the package information:
[root@Centos7 R4 ~]#rpm -ql openssl
package openssl is not installed
[root@Centos7 R4 ~]#yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7
Size        : 713 k
Repo        : CDRom
Summary     : Utilities from the general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.
Start the installation:
[root@Centos7 R4 ~]#yum install openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package          Arch          Version                  Repository        Size
=======================================================================================
Installing:
 openssl          x86_64        1:1.0.1e-60.el7          CDRom             713 k

Transaction Summary
=======================================================================================
Install  1 Package

Total download size: 713 k
Installed size: 1.5 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:openssl-1.0.1e-60.el7.x86_64                                    1/1
  Verifying  : 1:openssl-1.0.1e-60.el7.x86_64                                    1/1

Installed:
  openssl.x86_64 1:1.0.1e-60.el7

Complete!
Once OpenSSL is installed, the following files exist under /etc/pki:
[root@Centos7 R4 ~]#rpm -ql openssl |grep '/etc/pki'
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
2 Creating the self-signed certificate
We can use the make command with the /etc/pki/tls/certs/Makefile installed above to generate a self-signed certificate. Note that make has to be run from the directory that contains the Makefile, /etc/pki/tls/certs/:
[root@Centos7 R4 certs]#ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
Now create the self-signed certificate with make:
[root@Centos7 R4 certs]#make ../private/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > ../private/httpd.key
Generating RSA private key, 2048 bit long modulus
............................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key ../private/httpd.key -x509 -days 365 -out ../private/httpd.crt -set_serial 0
Enter pass phrase for ../private/httpd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:Wuhan
Organization Name (eg, company) [Default Company Ltd]:WUT
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:abc@whut.edu.cn
make ../private/httpd.crt creates the certificate in the ../private/ directory and names it httpd.crt; as the output shows, the Makefile first generates the matching private key ../private/httpd.key (AES-128 encrypted, 2048-bit RSA, written under umask 77 so that only root can read it) and then issues a certificate valid for 365 days. Note that the Makefile passes -set_serial 0, so every certificate it produces has serial number 0; that is harmless for a single self-signed test certificate, but a CA must issue unique positive serial numbers. The fields prompted for during the run mean the following:
- Country Name (2 letter code): the two-letter ISO country code
- State or Province Name (full name): province or state
- Locality Name (eg, city): city
- Organization Name (eg, company): organisation
- Organizational Unit Name (eg, section): department
- Common Name (eg, your website's domain name): the hostname of the site that will serve HTTPS. Modern browsers match the hostname against the Subject Alternative Name extension rather than the Common Name, and this Makefile does not set a SAN, so expect a name-mismatch warning on top of the usual untrusted-issuer warning
- Email Address: e-mail address, may be left blank
The certificate has been created:
[root@Centos7 R4 certs]#ls /etc/pki/tls/private/
httpd.crt  httpd.key
3 Removing the passphrase from the private key
Creating the certificate the way described above requires us to set a passphrase, and from then on the passphrase must be entered every time the private key is loaded, for example at every start of the web server. We can confirm this by viewing the generated private key with cat:
[root@Centos7 R4 certs]#cat /etc/pki/tls/private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E4F0636EF2E6E3FB37A2485B72646490

yPP9T3CcZA9M3wE3JPWywfBuvOZdXl1k7Jt+UuznxyrpYuQTv+DvMDoLmof+RutR
bGNvNgSzf+OnXjf+JNSlPXv7c3MU63cRiaagX5s+SZMwWmgtIg3kTkEGowrpfdKw
1nEhrASSD1Y4+WpLE+do/U0TsjZKkPb+9bId65r8cMiVIDPqWQZzZfJkl3uNEJWk
aVhd3IwkT/tKSJxo0oAhd5BCJrh7Bgwrc9QK5J70JEArpnpWjF4zv4ZFgADu5LjC
……
The Proc-Type header value ENCRYPTED indicates this. Because this is a self-signed certificate for our own use, we can remove the passphrase so the server can start unattended. Bear in mind that the key is then stored in the clear and file permissions become its only protection, so it must stay readable by root only. The procedure is simple:
[root@Centos7 R4 certs]#mv ../private/httpd.key ../private/httpd.key.bak
[root@Centos7 R4 certs]#openssl rsa -in ../private/httpd.key.bak -out ../private/httpd.key
Enter pass phrase for ../private/httpd.key.bak:
writing RSA key
Removing the passphrase requires entering the passphrase set when the certificate was first created. The encrypted copy is kept as httpd.key.bak; keep it somewhere safe or delete it. Now look at the private key header again:
[root@Centos7 R4 certs]#cat ../private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsTzazQWnabUdgf89YRmGa2MapDYMRxaGuducOhjpJvp8Xpg5
hq4VBw2gE5pxIIDBY+2DNXvT31RVxoHAxXnKMz4vCR8BHnkNnqHVfAm5dF+uyB+4
7y1mpSpRfgzOiZyoRMZQ+GIa5ktoDBzW1Jy1lMztSgo1GpLrrEmK/4CDQzYP96Wm
fdVVKysSf6VL6Xz28bYtQe8HSeLgi9GEJxqO4RTjg9dbQAFkewJCNYfAXTsScG78
……
The encryption header is gone; the passphrase has been removed. Because openssl rsa -out creates the new file under the shell's current umask rather than the umask 77 the Makefile used, check with ls -l ../private/httpd.key that the unencrypted key is mode 0600 and fix it with chmod 600 if it is not.
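The certificate creation in section 2 and the passphrase removal in section 3 are both interactive. The script below is an added example, not part of the original post: it runs the same openssl genrsa / openssl req -x509 / openssl rsa steps non-interactively and adds the checks worth running before the key pair goes into Apache or nginx, namely that the key really is unencrypted, that it is mode 0600, that it matches the certificate, and that the certificate carries a Subject Alternative Name (this goes beyond the page, since the Makefile sets no SAN and modern browsers require one). It assumes OpenSSL 1.1.1 or later, because -addext and -ext do not exist in the 1.0.1e package installed above; the hostname example.test and the passphrase hunter2 are constructed sample input.

```sh
#!/bin/sh
# Added example (not from the original post): the page's genrsa + req -x509
# recipe driven non-interactively, plus pre-deployment checks. Assumes
# OpenSSL >= 1.1.1 (-addext / -ext). Hostname and passphrase are constructed.
set -eu

# Create an unencrypted RSA key and a self-signed certificate for host $1,
# valid $2 days, in directory $3. Unlike the Makefile it adds a SAN and keeps
# the random serial "req -x509" generates instead of forcing -set_serial 0.
make_selfsigned() {
  host=$1; days=$2; dir=$3
  mkdir -p "$dir"
  ( umask 077   # same intent as the Makefile's "umask 77": key lands as 0600
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -x509 -utf8 -days "$days" -key "$dir/$host.key" \
      -subj "/C=CN/ST=HuBei/L=Wuhan/O=WUT/OU=IT Dept/CN=$host" \
      -addext "subjectAltName=DNS:$host" \
      -out "$dir/$host.crt" 2>/dev/null )
}

# Exit 0 when PEM key $1 is passphrase-protected: the traditional
# "Proc-Type: 4,ENCRYPTED" header shown in section 3, or the PKCS#8 marker
# that OpenSSL 3 writes instead.
key_is_encrypted() {
  grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Section 3 of the page, non-interactively: move key $1 aside as $1.bak and
# rewrite it without its passphrase ($2). umask 077 matters here because
# "openssl rsa -out" creates the new file under the caller's umask.
strip_passphrase() {
  mv "$1" "$1.bak"
  ( umask 077; openssl rsa -in "$1.bak" -passin "pass:$2" -out "$1" 2>/dev/null )
}

# Exit 0 when private key $1 belongs to certificate $2: both must yield the
# same SubjectPublicKeyInfo (a mismatch is the classic "wrong key deployed").
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Exit 0 when certificate $1 carries DNS:$2 in its subjectAltName extension.
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# Exit 0 when file $1 is mode 0600, the only protection an unencrypted key has.
mode_is_0600() {
  [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# Demo in a throw-away directory (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  # 1) An encrypted key as the Makefile makes it, then strip the passphrase.
  ( umask 077; openssl genrsa -aes128 -passout pass:hunter2 \
      -out "$demo/httpd.key" 2048 2>/dev/null )
  key_is_encrypted "$demo/httpd.key" && echo "httpd.key: passphrase required at every load"
  strip_passphrase "$demo/httpd.key" hunter2
  key_is_encrypted "$demo/httpd.key" || echo "httpd.key: passphrase removed, now protected by mode 0600 only"
  # 2) A key pair with a SAN, then the deploy-time sanity checks.
  make_selfsigned example.test 365 "$demo"
  key_matches_cert "$demo/example.test.key" "$demo/example.test.crt" && echo "key matches certificate"
  cert_has_san "$demo/example.test.crt" example.test && echo "SAN DNS:example.test present"
  mode_is_0600 "$demo/example.test.key" && echo "key is mode 0600"
  openssl x509 -in "$demo/example.test.crt" -noout -subject -serial -dates
  rm -rf "$demo"
fi
```

Run it as root or as the user that will own the key; the final openssl x509 line prints the subject, the random serial and the validity window so you can confirm the values before copying the pair into /etc/pki/tls/private/.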