Generating an HTTPS server certificate with OpenSSL
2017-12-22 16:10
1. Download and install OpenSSL
You can download the source from the OpenSSL website and build it yourself, or download a prebuilt installer from: http://download.csdn.net/download/nicholas_lin/10169024
// Edited 2018-01-25
Note: after using this installer I frequently got blue-screen errors; I uninstalled it yesterday and things have been fine since.
srv.sys
PAGE_FAULT_IN_NONPAGED_AREA
2. Configure OpenSSL
Open bin/openssl.cfg and change the following:

# If you used the installer, change dir
[ CA_default ]
dir = ./PEM/demoCA # Where everything is kept

# Make sure these two lines exist under [ req ] (the first is present by default, the second is commented out)
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Make sure there are no "0.xxx" labels under req_distinguished_name; if there are, remove the "0." prefix
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Fujian
localityName = Locality Name (eg, city)
localityName_default = FuZhou
organizationName = Organization Name (eg, company)
organizationName_default = Some Company Co., Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Some department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

# Add the last line, subjectAltName = @alt_names (the first two lines are present by default)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Add the alt_names section; mind the spaces inside the brackets, and add as many DNS.x entries as you need
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
IP.1 = 127.0.0.1
IP.2 = 188.188.188.188

// Edited 2018-01-18
Note: when the client is Windows 7, if the SAN contains both DNS and IP entries, only the DNS entries take effect. Windows 10 clients do not have this problem.
3. Generate the self-signed CA certificate
Change to the bin directory on the command line and run openssl (the following commands are entered at the OpenSSL> prompt).
Generate the CA key pair
OpenSSL> genrsa -out ./demoCA/cakey.pem 2048
Generate the self-signed CA root certificate
OpenSSL> req -new -x509 -key ./demoCA/cakey.pem -out ./demoCA/cacert.pem -config openssl.cfg -days 730
Export the CA root certificate in DER format
OpenSSL> x509 -outform der -in ./demoCA/cacert.pem -out ./demoCA/cacert.der
4. Generate the server certificate
Generate the server key pair
OpenSSL> genrsa -out ./demoCA/server.key 2048
Generate the PKCS#10 certificate signing request (the request includes the alt_names entries)
OpenSSL> req -new -key ./demoCA/server.key -out ./demoCA/server.csr -config openssl.cfg
Issue the server certificate, signed by the CA
OpenSSL> ca -in ./demoCA/server.csr -out ./demoCA/server.crt -cert ./demoCA/cacert.pem -keyfile ./demoCA/cakey.pem -extensions v3_req -days 730 -config openssl.cfg
Export the server certificate and private key together as PKCS#12
OpenSSL> pkcs12 -export -in ./demoCA/server.crt -inkey ./demoCA/server.key -out ./demoCA/server.pfx
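Steps 3 and 4 above, rewritten as an added, non-interactive script with a verification pass at the end (this is example code, not from the original post). It assumes openssl 1.1.1 or newer is on PATH, keeps the SAN configuration in its own small file instead of editing the global openssl.cfg, and signs with `x509 -req` instead of the `ca` command so no CA database is needed; the host names are the placeholders from the alt_names section.

```shell
# Added example, not code from the original post: steps 3 and 4 as a
# non-interactive script plus a verification step. Assumes `openssl` 1.1.1+
# on PATH; the names are the placeholders from the alt_names section above.
set -eu
make_certs() {                       # $1 = working directory
  local d="$1"; mkdir -p "$d"
  # Request config: the SAN list lives here instead of in the global openssl.cfg
  cat > "$d/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
O = Some Company Co., Ltd
CN = abc.example.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
IP.1 = 127.0.0.1
EOF
  # Step 3: CA key pair and self-signed root (2048-bit RSA, 730 days)
  openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" -days 730 \
    -config "$d/san.cnf" -extensions v3_ca -subj "/C=CN/O=Demo Root CA/CN=Demo Root CA"
  # Step 4: server key, CSR carrying the SAN, then issue the certificate.
  # `x509 -req` stands in for the post's `ca` command, so no CA database
  # (index.txt/serial) is needed; -extfile copies v3_req into the certificate.
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -out "$d/server.csr" -config "$d/san.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -out "$d/server.crt" -days 730 \
    -extfile "$d/san.cnf" -extensions v3_req 2>/dev/null
}
# Checks worth running before deploying: chain validity, SAN present, and the
# host name the clients will use ($2) actually matching; non-zero otherwise.
verify_certs() {
  local d="$1" host="$2"
  openssl verify -CAfile "$d/cacert.pem" "$d/server.crt" >/dev/null || return 1
  openssl x509 -in "$d/server.crt" -noout -text | grep -q 'DNS:abc.example.com' || return 1
  openssl verify -CAfile "$d/cacert.pem" -verify_hostname "$host" "$d/server.crt" >/dev/null
}
```

Run `make_certs ./demoCA && verify_certs ./demoCA dfe.example.org`; a name that is not in alt_names makes verify_certs fail, which is the mismatch browsers report as an invalid certificate.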
5. Export a server keystore for Tomcat
Open a command prompt and import the root certificate
CMD> keytool -importcert -v -file ./demoCA/cacert.pem -keystore ./demoCA/server.keystore
Import the server certificate and private key
CMD> keytool -importkeystore -v -srckeystore ./demoCA/server.pfx -srcstoretype PKCS12 -destkeystore ./demoCA/server.keystore
6. Configure Tomcat
Edit /conf/server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/conf/server.keystore" keystorePass="12345678"
           truststoreFile="/conf/server.keystore" truststorePass="12345678" />

7. References
Using openssl to add a Subject Alternative Name (DNS) to an SSL certificate