Requesting certificates with OpenSSL

The file types involved in an SSL certificate:

privkey.key        the private key for your certificate.
identity.csr       the Certificate Signing Request.
certificate.crt    the certificate file used in most server software.
certificate.pfx    the PKCS#12 format is an archival file that stores both the certificate and the private key.

By default, OpenSSL generates keys and CSRs in PEM format (Base64 text between BEGIN/END marker lines).


1. Generating a new private key

openssl genrsa -out private.key 2048


2. Creating your domain CSR

Creating your domain CSR from an existing private key:

openssl req -new -key private.key -out identity.csr \
    -subj "/C=US/ST=Utah/L=Lehi/O=CREAST, Inc./OU=IT/"

Or create the private key and the CSR with one command (`-nodes` leaves the key unencrypted):

openssl req -new \
    -newkey rsa:4096 -sha256 -nodes -keyout private.key \
    -out identity.csr \
    -subj "/CN=Bitwarden IdentityServer" -days 10950

Generate a certificate signing request based on an existing certificate:

openssl x509 -x509toreq -in CAcertif.crt -out identity.csr -signkey private.key

Verifying CSR info (the self-signature on the request is checked with `-verify`):

openssl req -text -in identity.csr -noout -verify

verify OK
Certificate Request:
         Version: 1 (0x0)
         Subject: CN =
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (4096 bit)

3. Generating a self-signed certificate


openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt

openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout private.key \
    -out certificate.crt -subj "/CN=Bitwarden IdentityServer" -days 10950


4. Sending the CSR to the CA

Viewing certificate information:

openssl x509 -text -in CAcertif.crt -noout

         Version: 3 (0x2)
         Serial Number:
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
             Not Before: May 22 14:11:15 2020 GMT
             Not After : Aug 20 14:11:15 2020 GMT
         Subject: CN =
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)


5. Verifying your keys match

To verify that your public and private keys match, use the -modulus switch to extract the RSA modulus from all three files (private key, CSR, and certificate) and hash each one; the hashes are easier to compare by eye than the full modulus.

Use the following commands to generate a hash of each file's modulus:

// Verifying private key

openssl rsa -modulus -in private.key -noout | openssl sha256

(stdin)= 5a07ccd5d1208a7f4e445414b841d100b85ac3138d47554be333fbd18d42a89c

// Verifying CSR

openssl req -modulus -in identity.csr -noout | openssl sha256

(stdin)= 5a07ccd5d1208a7f4e445414b841d100b85ac3138d47554be333fbd18d42a89c

// Verifying certificate
openssl x509 -modulus -in certificate.crt -noout | openssl sha256

(stdin)= 81c6258063b5d2a7403f5ad6d3c490c79261402f9269f6a304e95f1ffde1eb04


If the output of each command matches, the three files carry the same key. In the output above the certificate hash differs, which is exactly the mismatch case.

If there is any mismatch, the keys are not the same and the certificate cannot be installed with that private key.

Key mismatch errors are typically caused by installing a certificate on a machine different from the one used to generate the CSR.
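The modulus check from this section as a small script (an added example, not part of the original notes): it hashes the modulus of the key, CSR and certificate the same way as the commands above and names the file that does not match. It assumes the `openssl` CLI is installed; the fixture files and the `check_key_match` function name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: compare the modulus fingerprint of a
# private key, its CSR and a certificate the way section 5 does, and name the file
# that disagrees. Assumes the openssl CLI is on PATH.
set -eu

# Same pipeline as the notes: `openssl <rsa|req|x509> -modulus -noout | openssl sha256`,
# with the "(stdin)= " prefix stripped so only the hex digest is compared.
modulus_hash() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -modulus -in "$2" -noout | openssl sha256 | sed 's/^.*= //'
}

# Prints "match" when key, CSR and certificate share one modulus; otherwise prints
# "mismatch: <file>" for the first file whose modulus differs from the key's and fails.
check_key_match() {  # $1 = private key, $2 = CSR, $3 = certificate
    key_hash=$(modulus_hash rsa "$1")
    if [ "$(modulus_hash req "$2")" != "$key_hash" ]; then
        echo "mismatch: $2"; return 1
    fi
    if [ "$(modulus_hash x509 "$3")" != "$key_hash" ]; then
        echo "mismatch: $3"; return 1
    fi
    echo "match"
}

# Constructed fixtures: a key with its CSR and self-signed certificate, plus a second
# certificate from a different key to reproduce the mismatch case from section 5.
make_fixtures() {  # $1 = scratch directory
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null
    openssl req -new -key "$1/private.key" -out "$1/identity.csr" \
        -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$1/identity.csr" -signkey "$1/private.key" \
        -days 1 -out "$1/certificate.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -subj "/CN=example.test" -days 1 -out "$1/other.crt" 2>/dev/null
}

# Stand-alone run: `sh check_key_match.sh demo` (hypothetical file name).
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_fixtures "$dir"
    check_key_match "$dir/private.key" "$dir/identity.csr" "$dir/certificate.crt"
    check_key_match "$dir/private.key" "$dir/identity.csr" "$dir/other.crt" || true
    rm -rf "$dir"
fi
```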


6. Converting certificate formats

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12), optionally bundling the CA chain with -certfile:

openssl pkcs12 -export -out certificate.pfx -name "yourdomain-digicert-(expiration date)" \
    -inkey private.key -in certificate.crt -certfile CAcertif.crt


openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt


// Verifying PKCS#12 file (prompts for the import password and prints the bundled certificates and key)
openssl pkcs12 -info -in keyStore.pfx


Configuring a Let's Encrypt certificate for Bitwarden

Because Bitwarden was deployed in an intranet environment, the installation script could not request a Let's Encrypt certificate automatically. At first I used a self-signed certificate and found it very inconvenient: although the browser extensions in Firefox and Chromium-based browsers could connect, the certificate first had to be added as trusted, and the Bitwarden Desktop client in particular kept reporting errors, presumably because it does not accept self-signed certificates. So I worked out how to request a Let's Encrypt certificate manually for intranet use; the process is summarized briefly below.

Self-signed certificate | Self-Signed Certificate

If you only need a self-signed certificate on the intranet, you can follow the Bitwarden help documentation (Installing and deploying) to set it up:

1. Generate the self-signed certificate:

// One command creates the private key and the certificate:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 10950 \
    -keyout privite.key -out identity.crt \
    -subj "/C=US/ST=New York/L=New York/O=Company Name/OU=CREAST/CN="

Place the generated files in the ssl directory:

privite.key     ~/bwdata/ssl/
identity.crt    ~/bwdata/ssl/

2. Generate the .pfx certificate file:

// One command packages the private key and certificate generated above into the required pfx file
openssl pkcs12 -export -out ./identity.pfx -inkey privite.key \
    -in identity.crt -certfile identity.crt -passout pass:IDENTITY_CERT_PASSWORD

Note that IDENTITY_CERT_PASSWORD and ./env/global.override.e