怎样用openssl制作自签名证书

用户bPcOcF9

How to use OpenSSL to create self signed certificate

Method 1

Procedure:

  1. Create a no-password private key,
  2. Create the certificate.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out unencrypted-private.key

  • genpkey
    generate a private key.
  • -algorithm rsa
    use RSA algorithm.
  • -pkeyopt rsa_keygen_bits:2048
    the key's length is 2048.
  • -out
    output filename.
openssl req -x509 -key unencrypted-private.key -out new.crt
  • req
    openssl's subcommand, used to create and process CSR(certificate signing request).
  • -509
    do not create a CSR, but create a certificate.
  • -key
    the private key used to sign the certificate
  • -out
    the output certificate.

Method 2

Procedure:

  1. Create a certificate and a password-protected rivate key in a single step,
  2. Extract the no-password private key.
openssl req -x509 -newkey rsa:2048 -keyout encrypted-private.key -out new.crt
  • req
    openssl's subcommand, used to create and process CSR.
  • -x509
    do not create a CSR, but create a certificate.
  • -newkey
    create a new private key, use RSA algorithm, 2048 bits.
  • -keyout
    the output private key.
  • -out
    the output certificate.
openssl rsa -in encrypted-private.key -out unencrypted-private.key
  • rsa
    openssl's subcommand, used to process RSA private key.
  • -in
    the input password protected private key.
  • -out
    the output no-password private key.

Method 3

Procedure:

  1. Create a no-password private key.
  2. Create a CSR(certificate signing request).
  3. Convert the CSR to a certificate.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out unencrypted-private.key
  • genpkey
    generate a private key.
  • -algorithm rsa
    use RSA algorithm.
  • -pkeyopt rsa_keygen_bits:2048
    the private key's length is 2048.
  • -out
    output private key filename.
openssl req -new -key unencrypted-private.key -out new.csr
  • req
    openssl's subcommand, used to create and process CSR.
  • -new
    create a new CSR.
  • -key
    the private key used to sign the CSR.
  • -out
    the output CSR filename.
openssl x509 -req -in new.csr -out new.crt -signkey unencrypted-private.key
  • x509
    openssl's subcommand, used to process certificate.
  • -req
    By default, the file specified by '-in' is expected to be a certificate, with this option a certificate request is expected instead.
    我们默认 -in 后面指示的文件是一个证书,有了 -req 后,我们认为 -in 后面指示的文件是一个证书请求。
  • -in
    the input CSR filename.
  • -out
    the output certificate filename.
  • -signkey
    the private key used to sign the certificate
    用于为证书签名的私钥。
阅读 63

高线概的Linux操作笔记
高线概的Linux笔记。
3 声望
0 粉丝
0 条评论
你知道吗?

3 声望
0 粉丝
宣传栏