
Creating a self-signed certificate with OpenSSL

2017-11-12 18:49


Once HTTPS is enabled on apache or nginx, the server needs a certificate (with its private key) before it can serve TLS. The OpenSSL toolkit lets us create a self-signed certificate quickly and simply.

1 Install OpenSSL

With a yum repository configured, the openssl package can be installed quickly with yum.

First check whether openssl is already installed on the system, then look at the package information:


[root@Centos7 R4 ~]#rpm -ql openssl
package openssl is not installed
[root@Centos7 R4 ~]#yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7
Size        : 713 k
Repo        : CDRom
Summary     : Utilities from the general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
: machines. OpenSSL includes a certificate management tool and shared
: libraries which provide various cryptographic algorithms and
: protocols.


Start the installation:

[root@Centos7 R4 ~]#yum install openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
Package           Arch             Version                      Repository       Size
=======================================================================================
Installing:
openssl           x86_64           1:1.0.1e-60.el7              CDRom           713 k

Transaction Summary
=======================================================================================
Install  1 Package

Total download size: 713 k
Installed size: 1.5 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:openssl-1.0.1e-60.el7.x86_64                                      1/1
Verifying  : 1:openssl-1.0.1e-60.el7.x86_64                                      1/1

Installed:
openssl.x86_64 1:1.0.1e-60.el7

Complete!


Once OpenSSL is installed, the following files are created under the /etc/pki directory:

[root@Centos7 R4 ~]#rpm -ql openssl |grep '/etc/pki'
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name


2 Create the self-signed certificate

We can generate a self-signed certificate with the make command, using the /etc/pki/tls/certs/Makefile installed above. Note that make must be run from the directory that contains the Makefile, /etc/pki/tls/certs/:


[root@Centos7 R4 certs]#ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert


Now we use the make command to create the self-signed certificate:

[root@Centos7 R4 certs]#make ../private/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > ../private/httpd.key
Generating RSA private key, 2048 bit long modulus
............................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key ../private/httpd.key -x509 -days 365 -out ../private/httpd.crt -set_serial 0
Enter pass phrase for ../private/httpd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:Wuhan
Organization Name (eg, company) [Default Company Ltd]:WUT
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:abc@whut.edu.cn


make ../private/httpd.crt creates the certificate in the ../private/ directory and names it httpd.crt. As the output shows, the Makefile first generates an AES-128-encrypted 2048-bit RSA private key, httpd.key, under umask 77, and then signs a certificate with it that is valid for 365 days. The fields prompted for during the run have the following meaning:

Country Name (2 letter code)    two-letter country code in ISO format
State or Province Name (full name)  province
Locality Name (eg, city)    city
Organization Name (eg, company) organization
Organizational Unit Name (eg, section)   department
Common Name (eg, your website's domain name) the hostname of the site that will use the certificate for SSL
Email Address   e-mail address; may be left blank


The certificate has been created.

[root@Centos7 R4 certs]#ls /etc/pki/tls/private/
httpd.crt  httpd.key


3 Remove the passphrase from the private key file

Creating the certificate as above requires us to set a passphrase, and every time the key is read afterwards that passphrase must be entered. We can confirm this by viewing the generated private key file with cat:

[root@Centos7 R4 certs]#cat /etc/pki/tls/private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E4F0636EF2E6E3FB37A2485B72646490

yPP9T3CcZA9M3wE3JPWywfBuvOZdXl1k7Jt+UuznxyrpYuQTv+DvMDoLmof+RutR
bGNvNgSzf+OnXjf+JNSlPXv7c3MU63cRiaagX5s+SZMwWmgtIg3kTkEGowrpfdKw
1nEhrASSD1Y4+WpLE+do/U0TsjZKkPb+9bId65r8cMiVIDPqWQZzZfJkl3uNEJWk
aVhd3IwkT/tKSJxo0oAhd5BCJrh7Bgwrc9QK5J70JEArpnpWjF4zv4ZFgADu5LjC
…… ……


The Proc-Type: 4,ENCRYPTED header shows that the key is encrypted. Since this is a self-signed certificate for our own use, we can remove the passphrase. Doing so is simple:

[root@Centos7 R4 certs]#mv ../private/httpd.key ../private/httpd.key.bak
[root@Centos7 R4 certs]#openssl rsa -in ../private/httpd.key.bak -out ../private/httpd.key
Enter pass phrase for ../private/httpd.key.bak:
writing RSA key


Removing the passphrase requires entering the passphrase we set when the certificate was first created. Now look at the private key file header again:

[root@Centos7 R4 certs]#cat ../private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsTzazQWnabUdgf89YRmGa2MapDYMRxaGuducOhjpJvp8Xpg5
hq4VBw2gE5pxIIDBY+2DNXvT31RVxoHAxXnKMz4vCR8BHnkNnqHVfAm5dF+uyB+4
7y1mpSpRfgzOiZyoRMZQ+GIa5ktoDBzW1Jy1lMztSgo1GpLrrEmK/4CDQzYP96Wm
fdVVKysSf6VL6Xz28bYtQe8HSeLgi9GEJxqO4RTjg9dbQAFkewJCNYfAXTsScG78
…… ……


The encryption header is gone from the private key file; the passphrase has been removed.
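The following script is an added example, not the Makefile's own code or anything from the original post. It reproduces non-interactively what `make ../private/httpd.crt` does in section 2 (an AES-128-encrypted 2048-bit RSA key, then a self-signed certificate valid for 365 days), then performs the passphrase removal of section 3 and checks the result: the fresh key must carry the encryption header, the stripped key must not, and the key must still match the public key in the certificate. It assumes only that `openssl` is on PATH; the scratch directory, file names, subject and the passphrase `demo-pass` are constructed for the example. Because OpenSSL 3.x writes encrypted keys in PKCS#8 form (`BEGIN ENCRYPTED PRIVATE KEY`) instead of the `Proc-Type: 4,ENCRYPTED` header shown in the post, the check accepts either marker.

```shell
#!/bin/sh
# Added example (not the Makefile's code): non-interactive equivalent of
# `make ../private/httpd.crt`, followed by the passphrase-removal step.
# Assumes `openssl` is on PATH. Paths, subject and passphrase are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/httpd.key"
CRT="$WORKDIR/httpd.crt"
PASS="demo-pass"   # constructed for the example; a real passphrase is prompted for, never hardcoded
umask 077          # same as the Makefile's `umask 77`: key and cert are created mode 0600

# Step 1 (as in the Makefile): 2048-bit RSA key, encrypted with AES-128 under the passphrase.
make_encrypted_key() {
    openssl genrsa -aes128 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 2 (as in the Makefile): self-signed certificate valid for 365 days. The DN is
# passed with -subj instead of the interactive prompts. The Makefile's -set_serial 0 is
# omitted so openssl chooses a random positive serial, as RFC 5280 requires.
make_self_signed_cert() {
    openssl req -utf8 -new -key "$KEY" -passin "pass:$PASS" -x509 -days 365 \
        -subj "/C=CN/ST=HuBei/L=Wuhan/O=WUT/OU=IT Dept/CN=test.com" \
        -out "$CRT" 2>/dev/null
}

# Returns 0 if the PEM file is an encrypted private key. OpenSSL 1.x writes the
# traditional format with a "Proc-Type: 4,ENCRYPTED" header (as in the post);
# OpenSSL 3.x writes PKCS#8, whose encrypted form is "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Step 3: keep the encrypted key as .bak and write an unencrypted copy under the original name.
strip_passphrase() {
    mv "$KEY" "$KEY.bak"
    openssl rsa -in "$KEY.bak" -passin "pass:$PASS" -out "$KEY" 2>/dev/null
}

# Returns 0 if the (now unencrypted) key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Returns 0 if the certificate subject contains the given string (e.g. the CN).
cert_has_cn() {
    openssl x509 -in "$CRT" -noout -subject | grep -q "$1"
}

# Runs the whole procedure and the three checks; non-zero exit means something is wrong.
run_all() {
    make_encrypted_key
    make_self_signed_cert
    key_is_encrypted "$KEY" || return 1            # fresh key must be encrypted
    strip_passphrase
    if key_is_encrypted "$KEY"; then return 1; fi  # header must be gone now
    key_matches_cert
}

run_all
openssl x509 -in "$CRT" -noout -subject -dates
echo "files in $WORKDIR:"
ls -l "$WORKDIR"
```

Two practical notes. First, the unencrypted httpd.key is now the server's identity with no passphrase protecting it, so the 0600 mode that `umask 077` gives it matters; keep it owner-readable only and either delete httpd.key.bak or guard it the same way. Second, the post puts the hostname in the Common Name, but current browsers match the hostname against the subjectAltName extension and ignore CN; with OpenSSL 1.1.1 or later, adding `-addext "subjectAltName=DNS:test.com"` to the `openssl req` line produces a certificate those clients will accept for that name.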