The HTTPS protocol only works once a certificate has been deployed on the server; this post records how to obtain an SSL certificate.
| Format | Meaning |
|---|---|
| .key | Private key |
| .csr | Certificate signing request (certificate request file); contains the public key |
| .crt | Certificate file (short for certificate) |
| .crl | Certificate revocation list |
| .pem | Text format used when exporting and importing certificates; delimited by BEGIN/END certificate markers |
Generate the CA private key (.key) -> generate the CA certificate request (.csr) -> self-sign it to obtain the root certificate (.crt) (a certificate the CA issues to itself).

In practical software development the server very often uses this self-signed approach, because having a third-party CA sign the certificate costs money and takes time.
Server and client certificates signed by that CA:

```shell
# server private key (passphrase-protected by -des3)
openssl genrsa -des3 -out server.key 2048
# generate the server CSR
openssl req -new -key server.key -out server.csr
# have the CA sign the CSR, producing the server certificate
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

# the same three steps for the client certificate
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
```
Sometimes a certificate in PEM format is needed; it can be produced by concatenating the certificate file (crt) and the private key file (key):

```shell
cat client.crt client.key > client.pem
cat server.crt server.key > server.pem
```

Server-side files: ca.crt, server.key, server.crt, server.pem
Client-side files: ca.crt, client.key, client.crt, client.pem
Running

```shell
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
```

may fail with:

```
Using configuration from /usr/share/ssl/openssl.cfg I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory
```

Fix: `openssl ca` expects the demoCA directory layout and index/serial files from the default configuration to exist, so create them first:

```shell
mkdir -p ./demoCA/newcerts
touch demoCA/index.txt
touch demoCA/serial
echo 01 > demoCA/serial
```
Generate the CA private key and the CA certificate request:

```shell
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
```

Common Name is the domain the certificate is bound to and must be filled in correctly; the remaining fields can be left empty:

```
$ openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ipv6.zywvvd.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Self-sign the request with the CA key to obtain the root certificate:

```shell
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca_public.crt
```
Generate the server private key and certificate request, again filling in the Common Name field:

```shell
openssl genrsa -out server_private.key 2048
openssl req -new -key server_private.key -out server.csr
```

```
$ openssl req -new -key server_private.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ipv6.zywvvd.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Sign the server request with the CA certificate and key; `-days` sets the certificate's validity period:

```shell
openssl x509 -req -days 3650 -CA ca_public.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
```
```
$ ls
ca.csr ca.key ca_public.crt ca_public.srl server.crt server.csr server_private.key server_public.pem
```

server.crt and server_private.key are the files that will be used.
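The CA -> server steps above as one non-interactive script that then verifies the result the way a client would (chain, host name, key size); this is an added example, not the post's commands, and it goes one step beyond the post by also placing the host name in subjectAltName, which current browsers check instead of Common Name. Assumptions: openssl is on PATH, and the host name example.internal and all file names are made up.

```shell
#!/bin/sh
# Added example, not the post's own commands: the CA -> server flow above, scripted
# so it runs without the interactive DN prompts, then checked the way a client would.
# Assumptions: openssl is on PATH; the host name and all file names here are made up.
set -eu

# Build ca.key/ca.crt and server.key/server.crt/server.pem under directory $2 for host $1.
make_chain() {
    host=$1; dir=$2
    mkdir -p "$dir"

    # 1. Root CA: key, CSR, self-signed certificate (the post's steps, with -subj
    #    replacing the prompts). The extension file marks the certificate as a CA.
    openssl genrsa -out "$dir/ca.key" 2048
    openssl req -new -key "$dir/ca.key" -subj "/CN=demo-root-ca" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt"

    # 2. Server: 2048-bit key (shorter keys are what trigger nginx's "ee key too small"),
    #    CSR with the host as CN, signed by the CA. Browsers match the host against
    #    subjectAltName rather than CN, so the extension file carries it as well.
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt"

    # 3. Certificate + key in one PEM file, as with the cat commands in the post.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
}

# Exit 0 only if server.crt chains to ca.crt AND is valid for host $2 (what a client checks).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt"
}

# Print the RSA key size in bits, e.g. 2048, of the private key in $1.
key_bits() {
    openssl rsa -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

make_chain "${1:-example.internal}" "${2:-./pki-demo}"
verify_chain "${2:-./pki-demo}" "${1:-example.internal}"
echo "server key size: $(key_bits "${2:-./pki-demo}/server.key") bit"
```

Run it as `sh make-chain.sh your.host.example ./pki`; a client that trusts ca.crt will then accept server.crt for that host and reject it for any other name.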
A self-signed key and certificate for nginx can also be produced with a single command (`-x509` self-signs directly instead of writing a CSR, `-nodes` leaves the key unencrypted); fill in Common Name as before:

```
$ openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout nginx.key -out nginx.crt
Generating a RSA private key
...+++++
.....................................+++++
writing new private key to 'nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ipv6.zywvvd.com
Email Address []:
```

nginx.key and nginx.crt are the files to use.

Alternatively, generate a passphrase-protected server key and its certificate request:

```shell
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
```
You then need to enter the following information; Common Name must be filled in correctly:

```
Country Name (2 letter code) [AU]: country name
State or Province Name (full name) [Some-State]: province
Locality Name (eg, city) []: city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: company name
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: website domain name
Email Address []: e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: a password is requested here
An optional company name []:
```
Strip the passphrase from the key so the server can load it without prompting, then self-sign the request; `-days` sets how long the certificate is valid:

```shell
openssl rsa -in server.key -out server_nopwd.key
openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt
```

server.crt and server.key are the resulting files.
If the key is shorter than the security level of the OpenSSL build that nginx links against allows, nginx refuses to load the certificate with:

```
nginx:SSL: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
```
In fact I did not succeed in generating a CA certificate; in the end I still used the certificate downloaded from Baidu AI Cloud.