1. Generate the server private key
openssl genrsa -out server.key 2048
2. Generate a certificate signing request (CSR) from the server private key. The request embeds the applicant's details, so the command below prompts for a few fields on the command line; the values do not matter here, just fill in anything and press Enter through the prompts.
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hunan
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:synology
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Generate the CA's private key. The command is the same as for the server key; this one is simply the CA's key.
openssl genrsa -out ca.key 1024
4. Generate the CA's own certificate request file
openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hunan
Locality Name (eg, city) [Default City]:Changsha
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:synology
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5. Generate the self-signed certificate. The CA signs its own request with its own private key, producing what is commonly called a self-signed certificate; here it serves as the root certificate.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
6. Generate the server certificate from the CA's self-signed (root) certificate ca.crt, the CA private key ca.key and the server certificate request server.csr. -days sets the validity period; if omitted it defaults to one month.
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -days 3650
7. Verify the certificate with openssl
openssl verify -CAfile ca.crt -purpose sslserver server.crt
8. Inspect the certificate that was created
openssl x509 -noout -text -in server.crt
9. Generate a server certificate in one step
openssl genrsa -out server.key 1024
openssl req -new -x509 -days 3650 -key server.key -out server.crt -subj "/C=[Country Name]/ST=[State or Province Name]/L=[City]/O=[company]/OU=[Organizational Unit Name]/CN=domain1/CN=domain2/CN=domain3"
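Steps 1 to 8 collapsed into one non-interactive script, using -subj the way step 9 does so that no prompts are answered by hand. This is an added example, not code from the original page or from the linked articles; the directory layout, the hostname argument, the subject fields and the demo hostname are assumptions. It deliberately departs from the page in three places: 2048-bit RSA keys and SHA-256 throughout (a 1024-bit CA key is below what current clients accept), a subjectAltName extension on the server certificate (browsers no longer match the hostname against the CN alone), and a hostname check in the verify step.

```shell
#!/bin/sh
# Added example (not from the original page): the page's steps 1-8 as a
# non-interactive script. Directory layout, the hostname argument and the
# subject fields are assumptions. Differences from the page, on purpose:
# 2048-bit RSA and SHA-256 everywhere, and a subjectAltName on the server
# certificate, which browsers require (a CN-only certificate is rejected).
set -eu

# make_ca_and_server_cert DIR HOSTNAME
# Produces DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.csr, DIR/server.crt
make_ca_and_server_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # Steps 3-5 in one command: CA key plus self-signed root certificate.
    # -nodes leaves the key unencrypted (acceptable for a lab CA only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=Hunan/L=Changsha/O=company/CN=Lab Root CA"

    # Steps 1-2: server key and CSR; -subj replaces the interactive prompts.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Hunan/L=Changsha/O=company/CN=$host"

    # Step 6: the CA signs the server CSR. The extension file adds the SAN,
    # restricts the certificate to server use and marks it as non-CA.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# verify_server_cert DIR HOSTNAME
# Step 7 plus a hostname check: returns 0 only if server.crt chains to ca.crt,
# is valid for sslserver use, and matches HOSTNAME.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/server.crt" > /dev/null
}

# cert_san DIR
# Step 8, narrowed: prints the subjectAltName value of server.crt (e.g. DNS:host).
cert_san() {
    openssl x509 -noout -text -in "$1/server.crt" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Demo when run as: sh issue_cert.sh demo   (hostname below is a constructed value)
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_ca_and_server_cert "$out" synology.example.test
    verify_server_cert "$out" synology.example.test && echo "chain and hostname OK"
    cert_san "$out"
fi
```

Run it with `sh issue_cert.sh demo` to get a fresh CA and a server certificate in a temporary directory; verify_server_cert fails for any hostname other than the one the certificate was issued for, which is the check the page's step 7 does not perform. The -days value for the leaf (825) is an assumption chosen to stay within what most TLS clients accept; the CA key never needs to leave the machine that runs this script.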
Reference links:
https://cloud.tencent.com/developer/article/1548350?ivk_sa=1024320u # creating HTTPS certificates with openssl
https://www.cnblogs.com/littleatp/p/5878763.html # generating certificates with openssl
https://www.win-acme.com/
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip # creating certificates with the easy-rsa tool