1,生成ca的key
openssl genrsa -out ca.key 1024/2048 (with out password protected)
openssl genrsa -des3 -out ca.key 1024/2048 (password protected)
2,根据ca的key,生成顶级证书
openssl req -new -x509 -key ca.key -out ca.pem -days 1095
输入:
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:CA
2,客户端证书 (1)生成客户端的key
openssl genrsa -out server.key 2048
(2)生成客户端证书请求
openssl req -new -key app.key -out app.csr
创建两个目录(需要根据你的openssl.cnf的提示)
mkdir ./demoCA/
mkdir ./demoCA/newcerts
cd ./demoCA/
touch index.txt
echo "01">>serial
cd ..
(3)生成证书
openssl ca -in server.csr -out server.pem -cert ca.pem -keyfile ca.key -days 1826 -policy policy_anything
输入的信息:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
(4)证书的位置
/demoCA/newcerts/01.pem
3,为了在TLS中使用
需要进行以下几步
(1). 用vim将01.pem打开,删除 —–BEGIN CERTIFICATE—– 之前的内容,保存
(2). 将server.key的内容放到01.pem之后
cat server.key »01.pem
(3). 将ca.pem的内容放到01.pem之后
cat ca.pem »01.pem
(4)讲ca.key的内容放到ca.pem之后
cat ca.key »ca.pem
(4)证书制作完毕,制作dh证书
openssl dhparam -out dh1024.pem 1024
4,所有过程进行完毕