On Linux, confirm that the OpenSSL package is installed before running any of the steps below. Note that the parameters used throughout this walkthrough (1024-bit RSA keys and SHA-1 signatures) date from an older OpenSSL era: current guidance is at least 2048-bit RSA and SHA-256, and certificates with 1024-bit keys or SHA-1 signatures are rejected by modern browsers and TLS libraries.

1. Create the root certificate key file root.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for root.key:    <-- enter a pass phrase
Verifying - Enter pass phrase for root.key:    <-- enter the pass phrase again

2. Create the certificate signing request (CSR) for the root certificate, root.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key:    <-- enter the pass phrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the state or province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- left blank here; a distinct CA name such as "mrlapulga Root CA" makes the root easy to tell apart from the certificates it signs
Email Address []:mrlapulga@126.com    <-- enter an e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

3. Create a root certificate root.crt valid for ten years:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
Getting Private key
Enter pass phrase for private/root.key:    <-- enter the pass phrase created earlier

Note: `-extensions v3_ca` has no effect in this command. `openssl x509` only reads an extensions section from a file passed with `-extfile`, so the root.crt produced here is not explicitly marked as a CA (no `basicConstraints = CA:TRUE`, no `keyUsage = keyCertSign`), which strict clients may reject. Supply the CA extensions with `-extfile`, and use `-sha256` rather than `-sha1`.

4. Create the server certificate key server.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:    <-- enter a pass phrase
Verifying - Enter pass phrase for server.key:    <-- enter the pass phrase again

5. Create the server certificate signing request server.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key:    <-- enter the pass phrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the state or province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- left blank here; a server certificate should carry the server's hostname here (and in a subjectAltName), otherwise clients cannot match the certificate to the host
Email Address []:mrlapulga@126.com    <-- enter an e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

6. Create a server certificate server.crt valid for one year:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the pass phrase created earlier

Note: as with the root, `-extensions v3_req` does nothing without `-extfile`, so server.crt carries no subjectAltName and no extendedKeyUsage. Because the Common Name was also left blank, the certificate names no host at all, and any TLS client that checks the hostname will refuse it. In practice put the hostname in the CN of the server CSR and, for current browsers, add `subjectAltName = DNS:<hostname>` through an extensions file at signing time. Note also that server.crt and root.crt end up with identical subjects, which makes the chain hard to inspect; give the CA its own CN.

7. Create the client certificate key file client.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:    <-- enter a pass phrase
Verifying - Enter pass phrase for client.key:    <-- enter the pass phrase again

8. Create the client certificate signing request client.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:    <-- enter the pass phrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the state or province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- left blank here; a client certificate normally carries the user or device name so the server can tell clients apart
Email Address []:mrlapulga@126.com    <-- enter an e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

9. Create a client certificate client.crt valid for one year:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the pass phrase created earlier

10. The client certificate client.crt and its key client.key can now be combined into a PKCS#12 bundle, client.pfx, for installation on the client:

[root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
Enter pass phrase for private/client.key:    <-- enter the pass phrase created earlier
Enter Export Password:    <-- choose a new password for the bundle
Verifying - Enter Export Password:    <-- confirm the password

client.pfx is the certificate file the client must install when configuring mutual (two-way) SSL/TLS. The export password protects the private key inside the bundle, so treat the file as a secret and hand it to the client over a separate, trusted channel.
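The ten steps above as one non-interactive POSIX shell script, added here as an example and not part of the original post. It keeps the same structure (root CA, server certificate, client certificate, PKCS#12 bundle) but with current parameters: 2048-bit RSA keys, SHA-256 signatures, X.509v3 extensions supplied through `-extfile`, a hostname in the server certificate's CN and subjectAltName, and `serverAuth` / `clientAuth` extended key usages. It finishes with the verification commands worth running before deploying. The hostname www.example.com, the client name client1, the pass phrase "changeit", the extension file names and the output directory are all assumptions for the demo; `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example (not the original post's commands): self-signed root CA,
# server and client certificates, and a PKCS#12 bundle, with current
# parameters. All names, DNs and pass phrases are demo assumptions.

# build_pki DIR: create root.key/root.crt, server.key/server.crt,
# client.key/client.crt and client.pfx inside DIR. The body runs in a
# subshell so cd and set -e stay local; returns non-zero if a step fails.
build_pki() (
  set -e
  dir="$1"
  mkdir -p "$dir"
  cd "$dir"

  # Assumed demo values; use real DNs, hostnames and strong pass phrases.
  pw="changeit"
  ca_subj="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/CN=mrlapulga Root CA"
  srv_subj="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/CN=www.example.com"
  cli_subj="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/CN=client1"

  # Extension profiles. "openssl x509" only applies extensions read from a
  # file given with -extfile; the original commands omitted it.
  cat > v3_ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > v3_server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid
EOF
  cat > v3_client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

  # Steps 1-3: root key, CSR, self-signed root certificate (ten years).
  openssl genrsa -aes256 -passout "pass:$pw" -out root.key 2048
  openssl req -new -key root.key -passin "pass:$pw" -subj "$ca_subj" -out root.csr
  openssl x509 -req -days 3650 -sha256 -extfile v3_ca.ext \
    -signkey root.key -passin "pass:$pw" -in root.csr -out root.crt

  # Steps 4-6: server key, CSR, certificate signed by the root (one year).
  openssl genrsa -aes256 -passout "pass:$pw" -out server.key 2048
  openssl req -new -key server.key -passin "pass:$pw" -subj "$srv_subj" -out server.csr
  openssl x509 -req -days 365 -sha256 -extfile v3_server.ext \
    -CA root.crt -CAkey root.key -passin "pass:$pw" -CAcreateserial \
    -in server.csr -out server.crt

  # Steps 7-9: client key, CSR, certificate signed by the root (one year).
  openssl genrsa -aes256 -passout "pass:$pw" -out client.key 2048
  openssl req -new -key client.key -passin "pass:$pw" -subj "$cli_subj" -out client.csr
  openssl x509 -req -days 365 -sha256 -extfile v3_client.ext \
    -CA root.crt -CAkey root.key -passin "pass:$pw" -CAcreateserial \
    -in client.csr -out client.crt

  # Step 10: bundle the client certificate and key for import on the client.
  openssl pkcs12 -export -in client.crt -inkey client.key -passin "pass:$pw" \
    -passout "pass:$pw" -out client.pfx
)

# verify_pki DIR: checks to run before deploying. Returns 0 only if both
# leaves chain to root.crt for their purpose and the extensions are present.
# The literal values below must match the assumptions in build_pki.
verify_pki() {
  d="$1"
  openssl verify -CAfile "$d/root.crt" -purpose sslserver "$d/server.crt" &&
  openssl verify -CAfile "$d/root.crt" -purpose sslclient "$d/client.crt" &&
  openssl x509 -in "$d/root.crt" -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -in "$d/server.crt" -noout -text | grep -q 'DNS:www.example.com' &&
  openssl pkcs12 -in "$d/client.pfx" -passin pass:changeit -nokeys |
    openssl x509 -noout -subject -nameopt RFC2253 | grep -q 'CN=client1'
}

# Usage: sh build_pki.sh [output-dir]   (defaults to a fresh temp directory)
out="${1:-$(mktemp -d)}"
build_pki "$out" && verify_pki "$out" && echo "PKI created and verified in $out"
```

The `pass:` arguments are used only to keep the demo non-interactive; in a real deployment enter the pass phrases at the prompts as in the walkthrough, or read them from a file with `file:`, so they do not appear in shell history or the process list.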
