Generating certificates with OpenSSL

Generating a root certificate and a server certificate

1. Generate the root CA RSA key pair

openssl genrsa -out ca.key 2048

2. Generate the self-signed root certificate

openssl req -new -x509 -days 365 -key ca.key -out ca.csr

(The key file is the ca.key produced in step 1. Because of -x509, the output is already a self-signed certificate in PEM form, not a signing request, despite the .csr name; step 3 only rewrites it under a .crt name.)

3. Convert the certificate format (optional)

openssl x509 -in ca.csr -out ca.crt

4. Generate the server certificate RSA key pair:

openssl genrsa -out server.key 2048

5. Generate the server certificate signing request

openssl req -new -sha256 -key server.key -out server.csr

6. Sign the server certificate with the CA

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 30 -sha256 -extfile v3.ext

v3.ext specifies the domain names and other extension information:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = it.jubaopay.com
DNS.2 = b.jubaopay.com
DNS.3 = oa.jubaopay.com

Google Chrome validates the domain name against the SAN (Subject Alternative Name) instead of the CN, so it has to be done this way.
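The whole procedure above, run non-interactively end to end and then checked the way a browser would check it (chain trust against the CA, hostname matched against the SAN list rather than the CN). This is an added example, not a script from the original post; the subjects and the example.test hostnames are constructed placeholders, and it assumes an openssl binary that supports `verify -verify_hostname` (1.1.0 or later).

```shell
#!/bin/sh
# Added example: CA -> server certificate chain in a temp dir, then verification.
# Subjects and hostnames are constructed placeholders, not the post's values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 1-3: CA key and self-signed root. `req -new -x509` already emits a
# certificate, so it is written straight to ca.crt (no .csr rename needed).
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test Root CA" 2>/dev/null

# Steps 4-5: server key and CSR. The CN here is NOT what Chrome matches on.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=it.example.test" 2>/dev/null

# The v3.ext from the post, with constructed hostnames in the SAN list.
cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = it.example.test
DNS.2 = b.example.test
EOF

# Step 6: CA signs the server CSR and attaches the extensions above.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 30 -sha256 -extfile "$WORK/v3.ext" 2>/dev/null

# Chain check: returns 0 when server.crt chains to our root CA.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Hostname check: returns 0 only if $1 appears in the SAN list, which is
# the check Chrome performs; a name present only in the CN would fail here.
host_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

chain_ok && host_ok it.example.test && echo "chain and SAN checks passed"
```

A name that is not in alt_names (for example oa.example.test) makes host_ok fail even though the chain itself verifies, which is exactly the failure a browser reports as a certificate name mismatch.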

7. Convert the certificate format (optional)

openssl x509 -in nginxCert.pem -out nginx.crt

Common commands

Certificate format conversion

Convert certificate format (pem -> crt):

openssl x509 -in server.pem -out server.crt

Extract the private key (pem -> key):

openssl rsa -in server.pem -out server.key

Viewing certificate contents

View the contents of a crt file:

openssl x509 -text -in server.crt -noout

View the contents of a csr file:

openssl req -text -in server.csr -noout
