OpenSSL certificate generation.docx
1) Generate an RSA private key for the CA (3DES-encrypted, PEM format):
$ openssl genrsa -des3 -out ca.key 1024

2) View the details of the generated key:
$ openssl rsa -noout -text -in ca.key

3) Convert the key to unencrypted PEM format:
$ openssl rsa -in ca.key -out ca.key.unsecure

4) Generate a self-signed certificate (X509 structure, PEM format):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

5) View the details of the root certificate:
$ openssl x509 -noout -text -in ca.crt

II) Generate the CLIENT certificate

1) Generate a 3DES-encrypted RSA private key in PEM format:
$ openssl genrsa -des3 -out server.key 1024

2) View its contents:
$ openssl rsa -noout -text -in server.key

3) Convert the file to unencrypted PEM format:
$ openssl rsa -in server.key -out server.key.unsecure

4) Generate the certificate signing request file (PEM format):
$ openssl req -new -key server.key -out server.csr

5) View the contents of the generated CSR file:
$ openssl req -noout -text -in server.csr

6) Sign with the CA certificate

A. Create the configuration file ca.config as follows:

[ ca ]
default_ca=CA_own
[ CA_own ]
dir=/etc/ssl
certs=/etc/ssl/certs
new_certs_dir=/etc/ssl/ca.db.certs
database=/etc/ssl/ca.db.index
serial=/etc/ssl/ca.db.serial
RANDFILE=/etc/ssl/ca.db.rand
certificate=/etc/ssl/ca.crt
private_key=/etc/ssl/ca.key
default_days=365
default_crl_days=30
default_md=md5
preserve=no
policy=policy_anything
[ policy_anything ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

B. Run the following command to sign:
$ openssl ca -config ca.config -out server.crt -infiles server.csr

Check the contents of the signed certificate:
$ openssl verify -CAfile /etc/ssl/ca.crt server.crt

iOS certificate:
$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Android certificate:
$ keytool -importcert -v -trustcacerts -keystore tclient.bks -file server.crt -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ./bcprov-jdk15on-146.jar -storepass 123456
$ keytool -import -alias trustClient -file server.crt -keystore serverTruststore.keystore -storepass 123456
ke
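The same CA-then-sign flow as an added example (not part of the original document), using 2048-bit RSA, AES-256 key encryption and SHA-256 signatures in place of the 1024-bit, 3DES and md5 values above, which current OpenSSL security levels and TLS clients commonly reject. It runs non-interactively in a scratch directory and creates the database, serial and new_certs_dir entries that openssl ca expects; the subjects, the passphrase and the CA_PASS variable are constructed placeholders.

```shell
#!/bin/sh
# Added example: names, subjects and the passphrase are constructed placeholders.
build_demo_pki() {
    d=$(mktemp -d) || return 1          # scratch directory instead of /etc/ssl
    (
        # Private files only; openssl ca needs the certs dir, index and serial to exist.
        umask 077 && cd "$d" && mkdir ca.db.certs &&
        : > ca.db.index && echo 01 > ca.db.serial &&
        # env: keeps the passphrase out of the process list (pass: would expose it).
        export CA_PASS=demo-passphrase &&
        cat > ca.config <<EOF &&
[ ca ]
default_ca = CA_own
[ CA_own ]
new_certs_dir = $d/ca.db.certs
database = $d/ca.db.index
serial = $d/ca.db.serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
        openssl genrsa -aes256 -passout env:CA_PASS -out ca.key 2048 &&
        openssl req -new -x509 -days 365 -sha256 -key ca.key -passin env:CA_PASS \
            -subj "/CN=Demo Root CA" -out ca.crt &&
        # Server key is left unencrypted here, like server.key.unsecure above.
        openssl genrsa -out server.key 2048 &&
        openssl req -new -key server.key -subj "/CN=server.example.test" \
            -out server.csr &&
        openssl ca -batch -config ca.config -passin env:CA_PASS \
            -out server.crt -infiles server.csr
    ) >/dev/null 2>&1 || return 1
    echo "$d"                           # caller gets the directory holding the files
}
# Usage: d=$(build_demo_pki) && openssl verify -CAfile "$d/ca.crt" "$d/server.crt"
```
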