生成SSL证书

· by 二三 · Read in about 2 min · (281 words)

本文操作平台为 Windows:安装 TortoiseGit 后,在其 Git Bash 中执行 openssl。

0x1 ca 根证书,生成 ca.crt

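# CA private key: pick ONE key type. The original listing ran both commands
# back to back, so the EC key silently overwrote the RSA key in ca.pem.
openssl genrsa -out ca.pem 2048
# alternative, EC P-384, instead of the RSA line above:
# openssl ecparam -genkey -name secp384r1 -out ca.pem
# Self-signed root certificate (10 years). The original "-newkey rsa:2048" is
# dropped: with -key present it generated nothing and only suggested an RSA key
# while the ecparam line actually produced an EC key. -sha256 is the default
# digest on current OpenSSL; it is spelled out so the listing is explicit.
openssl req -config conf/ca.cnf -x509 -days 3650 -sha256 -key ca.pem -out ca.crt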
conf/ca.cnf
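# conf/ca.cnf - OpenSSL request config for the self-signed root CA (ca.crt).
# Comment lines use '#': OpenSSL's config parser does not treat ';' as a comment.
[req]
# Extension section for a CSR made with "req -new" ...
req_extensions = v3_req
# ... and for the self-signed certificate made with "req -x509". The original
# file set only req_extensions, which "req -x509" ignores, so ca.crt was issued
# without any CA extensions at all.
x509_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
# The OU is what distinguishes this subject DN from the server and client DNs
# (the rest of the DN is shared); keep it unique so issuer and subject never match.
organizationalUnitName = Support_CA
emailAddress           = http.bj@qq.com
# The "0." prefix is OpenSSL's syntax for allowing a field name to repeat.
0.commonName           = localhost

# Extensions a CA certificate needs. The original keyEncipherment/serverAuth
# values were end-entity usages and are wrong on a CA: without CA:TRUE and
# keyCertSign a strict verifier rejects certificates signed by ca.crt.
[v3_req]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
# Lets leaf certificates reference this CA via authorityKeyIdentifier.
subjectKeyIdentifier = hash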

0x2 server 服务端生成 server.key,server.crt (添加了extfile.cnf)

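# Server private key: pick ONE key type. Running both, as the original did,
# leaves only the EC key because the second command overwrites server.key.
openssl genrsa -out server.key 2048
# alternative, EC P-384, instead of the RSA line above:
# openssl ecparam -genkey -name secp384r1 -out server.key
# Certificate signing request; the DN comes from conf/server.cnf.
openssl req -config conf/server.cnf -new -key server.key -out server_reqout.txt
# Issue server.crt from the CA. -sha256 replaces the original -sha1: SHA-1
# signatures are refused by current browsers and TLS libraries.
# The certificate's extensions come only from -extfile; "x509 -req" does not
# copy the CSR's v3_req section (OpenSSL 3 would need "-copy_extensions copy").
openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.pem -out server.crt -extfile conf/extfile.cnf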
conf/extfile.cnf
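# conf/extfile.cnf - X.509 v3 extensions applied to server.crt by
# "openssl x509 -req -extfile". Keys before the first section header form
# the unnamed default section that x509 reads when no -extensions is given.
# These are the ONLY extensions the server certificate receives: the v3_req
# section of the CSR is not copied by "x509 -req", so the original file left
# server.crt with a SAN but no keyUsage/extendedKeyUsage.
basicConstraints = CA:FALSE
# digitalSignature is needed for ECDHE ciphersuites and is mandatory if
# server.key is the EC key from the ecparam command; keyEncipherment covers
# RSA key transport.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# "keyid,issuer": use the CA's key identifier when ca.crt carries one,
# otherwise fall back to the issuer name, so this works with a CA cert that
# has no subjectKeyIdentifier.
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

# Names and addresses the server may be reached under; browsers match the
# SAN, not the commonName.
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.10.51
DNS.1 = localhost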
conf/server.cnf
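# conf/server.cnf - OpenSSL request config for the server CSR (server_reqout.txt).
# Comment lines use '#': OpenSSL's config parser does not treat ';' as a comment.
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
# Only the OU differs from the CA's DN. It must stay different: a leaf whose
# subject equals its issuer can be mistaken for a self-signed certificate
# during chain building and fail verification.
organizationalUnitName = Support_Server
emailAddress           = http.bj@qq.com
# The "0." prefix is OpenSSL's syntax for allowing a field name to repeat.
0.commonName           = localhost

# Extensions embedded in the CSR. NOTE: "openssl x509 -req" does not copy
# them into server.crt unless "-copy_extensions copy" (OpenSSL 3) is given;
# the -extfile passed on the signing command line is what ends up in the cert.
[v3_req]
basicConstraints = CA:FALSE
# digitalSignature added to the original list: ECDHE key exchange requires it,
# and an EC server key (the ecparam option) cannot do key encipherment at all.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth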

0x3 client 客户端生成 client.key,client.crt

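# Client private key: pick ONE key type. Running both, as the original did,
# leaves only the EC key because the second command overwrites client.key.
openssl genrsa -out client.key 2048
# alternative, EC P-384, instead of the RSA line above:
# openssl ecparam -genkey -name secp384r1 -out client.key
# Certificate signing request; the DN comes from conf/client.cnf.
openssl req -config conf/client.cnf -new -key client.key -out client_reqout.txt
# Issue client.crt from the CA. -sha256 replaces the original -sha1, which
# current TLS libraries refuse to accept.
# No -extfile is given, so client.crt carries no extensions: the clientAuth
# EKU in conf/client.cnf is NOT copied by "x509 -req". If the server checks
# keyUsage/extendedKeyUsage on client certs, add an -extfile that sets them.
openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA ca.crt -CAkey ca.pem -out client.crt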
conf/client.cnf
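# conf/client.cnf - OpenSSL request config for the client CSR (client_reqout.txt).
# Comment lines use '#': OpenSSL's config parser does not treat ';' as a comment.
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
countryName            = CN
stateOrProvinceName    = Beijing
localityName           = Beijing
postalCode             = 100022
streetAddress          = GuoMaoSanQi
organizationName       = apfelboymschule
# Fixed: the original value `"Support_Client"' was wrapped in a backtick and
# mismatched quotes, which would have put stray punctuation into the DN.
# Only the OU differs from the CA's and server's DN; keep it unique so the
# leaf's subject never equals its issuer.
organizationalUnitName = Support_Client
emailAddress           = http.bj@qq.com
# The "0." prefix is OpenSSL's syntax for allowing a field name to repeat.
0.commonName           = localhost

# Extensions embedded in the CSR. NOTE: the signing command in this article
# uses no -extfile, and "openssl x509 -req" does not copy CSR extensions
# (OpenSSL 3 needs "-copy_extensions copy"), so client.crt currently gets
# none of these.
[v3_req]
basicConstraints = CA:FALSE
# digitalSignature added to the original list: a TLS client proves possession
# of its key by signing, so a keyUsage without it is rejected by strict servers.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth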

以上 ca.cnf、client.cnf、server.cnf 的内容可以相同;本示例中只修改了 organizationalUnitName。