Generating a single-CN self-signed certificate with openssl

Notes

Note: [host] is the custom certificate CN (e.g. an IP address, domain name or hostname)

Generate the CA key

# -aes256 encrypts the CA private key; the passphrase is asked for below and again whenever the key is used
openssl genrsa -aes256 -out ca-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
....................................................................................++
...........................................................................++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

Self-sign the CA certificate

openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca-cert.pem
# Fill in the requested information step by step: country code, province, city, organization name, etc.

Output

Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GZ
Locality Name (eg, city) [Default City]:ZY
Organization Name (eg, company) [Default Company Ltd]:Com Ltd
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:[host]
Email Address []:ca@domain.com

Generate the server key

openssl genrsa -out server-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
....................................................................++
.................................................................................................................................................................................................++
e is 65537 (0x10001)

Generate the server certificate signing request

# -subj supplies the DN directly, so only the CN is set and no prompts appear
openssl req -subj "/CN=[host]" -sha256 -new -key server-key.pem -out server.csr

Sign the server certificate

# -CAcreateserial creates ca-cert.srl on first use and reuses it for later certificates
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

Output

Signature ok
subject=/CN=[host]
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Generate the client key

openssl genrsa -out client-key.pem 4096

Output

Generating RSA private key, 4096 bit long modulus
...........................................................................................++
....................................................................................................++
e is 65537 (0x10001)

Generate the client certificate signing request

openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr

Sign the client certificate

openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem

Output

Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Check the certificates

# Check the server certificate: dump its contents, then confirm it chains to ca-cert.pem
openssl x509 -in server-cert.pem -text -noout
openssl verify -CAfile ca-cert.pem server-cert.pem

# Check the client certificate
openssl x509 -in client-cert.pem -text -noout
openssl verify -CAfile ca-cert.pem client-cert.pem

Test one-way authentication

# Without -CAfile the handshake still completes, but the "Verify return code" printed by
# s_client reports that the server certificate could not be verified; with ca-cert.pem
# supplied it reports 0 (ok)
openssl s_server -accept 10001 -key server-key.pem -cert server-cert.pem
openssl s_client -connect localhost:10001
openssl s_client -connect localhost:10001 -CAfile ca-cert.pem

Test two-way (mutual) authentication

# -Verify 5 makes the server require a client certificate (verification depth 5): the
# first s_client run presents none and the handshake fails, the second presents
# client-cert.pem. Without -CAfile ca-cert.pem and -verify_return_error the server
# only reports client-certificate verification errors rather than rejecting the client
openssl s_server -accept 10001 -key server-key.pem -cert server-cert.pem -Verify 5
openssl s_client -connect localhost:10001
openssl s_client -connect localhost:10001 -cert client-cert.pem -key client-key.pem
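The whole procedure above, from the CA key to the certificate checks, as a single non-interactive script. This is an added example and not code from the original post; it assumes OpenSSL 1.1.1 or newer on PATH, and HOST, CA_PASS, KEY_BITS and OUTDIR, like the function names san_for, gen_pki, verify_chain, key_matches_cert, server_name_ok and has_eku, are placeholders chosen for this example. It goes beyond the post in two ways: -subj, -passout and -passin replace the interactive prompts, and the signed certificates get a subjectAltName and an extendedKeyUsage via -extfile, because clients such as browsers, Go and curl match the hostname against the SAN and ignore a CN-only certificate. The s_server/s_client exchange is not scripted here; the checks at the end are the offline equivalents.

```shell
#!/bin/sh
# Added example (not from the original post): the CA / server / client procedure run
# non-interactively, plus offline checks. Assumes OpenSSL 1.1.1+; HOST, CA_PASS,
# KEY_BITS and OUTDIR are placeholders, not values from the post.
set -eu

HOST="${HOST:-server.example.test}"          # placeholder CN (hostname or IP address)
CA_PASS="${CA_PASS:-example-ca-passphrase}"  # placeholder passphrase for ca-key.pem
KEY_BITS="${KEY_BITS:-4096}"                 # same key size as the post
OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Choose the subjectAltName entry type: a CN made only of digits and dots is an IPv4 address.
san_for() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;
        *)         echo "IP:$1" ;;
    esac
}

# Generate the CA, server and client files into $OUTDIR, using the post's file names.
gen_pki() {
    if [ -f "$OUTDIR/client-cert.pem" ]; then return 0; fi   # already generated
    (
        cd "$OUTDIR"
        # CA key (AES-256 encrypted, passphrase passed instead of prompted) and
        # self-signed CA certificate; -subj replaces the interactive DN prompts.
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca-key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -x509 -days 3650 -sha256 -key ca-key.pem -passin "pass:$CA_PASS" \
            -subj "/C=CN/ST=GZ/L=ZY/O=Com Ltd/OU=Dev/CN=Example CA" -out ca-cert.pem

        # Server key, CSR and CA-signed certificate. The extfile adds the SAN the
        # post's CN-only certificate lacks, plus a serverAuth usage restriction.
        openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -sha256 -subj "/CN=$HOST" -key server-key.pem -out server.csr
        printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$(san_for "$HOST")" > server-ext.cnf
        openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
            -passin "pass:$CA_PASS" -CAcreateserial -extfile server-ext.cnf -out server-cert.pem 2>/dev/null

        # Client key, CSR and CA-signed certificate, restricted to clientAuth so a
        # leaked client certificate cannot be presented as a server certificate.
        openssl genrsa -out client-key.pem "$KEY_BITS" 2>/dev/null
        openssl req -new -sha256 -subj '/CN=client' -key client-key.pem -out client.csr
        printf 'extendedKeyUsage=clientAuth\n' > client-ext.cnf
        openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca-cert.pem -CAkey ca-key.pem \
            -passin "pass:$CA_PASS" -CAcreateserial -extfile client-ext.cnf -out client-cert.pem 2>/dev/null
    )
}

# 0 if certificate $1 chains to ca-cert.pem (the post's "openssl verify" check).
verify_chain() {
    openssl verify -CAfile "$OUTDIR/ca-cert.pem" "$OUTDIR/$1" >/dev/null 2>&1
}

# 0 if the public key inside certificate $1 is the one derived from private key $2;
# catches a CSR signed from one key while a different key is deployed next to the cert.
key_matches_cert() {
    [ "$(openssl x509 -in "$OUTDIR/$1" -noout -pubkey)" = "$(openssl pkey -in "$OUTDIR/$2" -pubout)" ]
}

# 0 if server-cert.pem is valid for name $1, using the SAN-based matching a TLS client performs.
server_name_ok() {
    case "$(san_for "$1")" in
        IP:*) opt=-verify_ip ;;
        *)    opt=-verify_hostname ;;
    esac
    openssl verify -CAfile "$OUTDIR/ca-cert.pem" "$opt" "$1" "$OUTDIR/server-cert.pem" >/dev/null 2>&1
}

# 0 if certificate $1 lists extended key usage $2 (as printed by "openssl x509 -text").
has_eku() {
    openssl x509 -in "$OUTDIR/$1" -noout -text | grep -q "$2"
}

main() {
    gen_pki
    for pair in "server-cert.pem server-key.pem" "client-cert.pem client-key.pem"; do
        set -- $pair
        verify_chain "$1"
        key_matches_cert "$1" "$2"
        echo "$1: signed by ca-cert.pem and matches $2"
    done
    server_name_ok "$HOST"
    echo "server-cert.pem is valid for $HOST; files are in $OUTDIR"
}
main
```

Run it as `HOST=10.0.0.5 sh mkpki.sh` to get an IP-based SAN instead of a DNS one. The extensions are attached at signing time rather than in the CSR because `openssl x509 -req` does not copy CSR extensions by default, so putting them only in the request would silently produce the same CN-only certificate the post describes.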