Requesting Certificates with OpenSSL

Files involved in an SSL/TLS certificate:

private.key        the private key for your certificate. It never leaves the server.
identity.csr       the Certificate Signing Request (public key + subject, signed with the private key).
certificate.crt    the certificate file used by most server software.
certificate.pfx    the PKCS#12 format, an archive file that stores the certificate and the private key together (usually with the CA chain as well).

By default, OpenSSL writes keys, CSRs and certificates in PEM format (Base64-encoded DER between -----BEGIN ...----- and -----END ...----- lines); binary DER is available with -outform DER.

1, Generating a new private key

openssl genrsa -out private.key 2048

2048 bits is the minimum public CAs accept for RSA; use 3072 or 4096 for long-lived keys. Restrict the file (chmod 600) and keep it on the machine where the certificate will be installed: only the CSR is sent anywhere.

2, Creating your domain CSR

Creating a CSR for an existing private key:

openssl req -new -key private.key -out identity.csr \
    -subj "/C=US/ST=Utah/L=Lehi/O=CREAST, Inc./OU=IT/CN=yourdomain.com"

Or generating the key and the CSR in one command (-nodes leaves the key unencrypted so the server can start without a passphrase; -days is omitted because a CSR has no validity period, the CA decides that when it signs):

openssl req -new \
    -newkey rsa:4096 -sha256 -nodes -keyout private.key \
    -out identity.csr \
    -subj "/CN=Bitwarden IdentityServer"

Public CAs and browsers match host names against the subjectAltName extension, not the CN, so for a real web server add the host names with -addext (OpenSSL 1.1.1 and later) when creating the CSR.

Generating a CSR from an existing certificate (for a renewal that keeps the same subject; private.key must be the key the certificate was issued for):

openssl x509 -x509toreq -in CAcertif.crt -out identity.csr -signkey private.key

Verifying CSR info (-verify also checks the CSR's self-signature, which proves it was made with the matching private key):

openssl req -text -in identity.csr -noout -verify

verify OK
Certificate Request:
     Data:
         Version: 1 (0x0)
         Subject: CN = hostone.myners.net
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (4096 bit)
                 Modulus:

3, Generating a self-signed certificate

Self-signed certificates are mainly used on internal networks, where every client can be told to trust this exact certificate; nothing else will trust it. The first form prompts for the subject fields, the second sets them with -subj. In both, -nodes leaves the private key unencrypted on disk:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt

openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout private.key \
    -out certificate.crt -subj "/CN=Bitwarden IdentityServer" -days 10950

10950 days is 30 years. That is tolerable only because such a certificate is pinned in an internal trust store; publicly trusted certificates are limited to 398 days.


4, Sending the CSR to the CA

Send identity.csr to the CA (never the private key). What comes back is the signed certificate, normally together with the CA's intermediate certificate(s), which most servers need installed alongside it.

Viewing certificate information

Check what you received before installing it:

openssl x509 -text -in CAcertif.crt -noout

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             04:be:c0:3c:1a:6e:c2:79:56:f6:3d:a5:26:63:51:fe:68:2c
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
         Validity
             Not Before: May 22 14:11:15 2020 GMT
             Not After : Aug 20 14:11:15 2020 GMT
         Subject: CN = hostone.myners.net
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:

 

5, Verifying your keys match

To check that the private key, the CSR and the certificate all belong to the same key pair, print the RSA modulus of each with -modulus and hash it, so the three long values are easy to compare by eye. -modulus only exists for RSA keys; for EC keys compare the public key itself instead (-pubout on the key, -pubkey on the CSR and certificate).

Use the following commands to generate a hash of each file's modulus:


// Verifying private key

openssl rsa -modulus -in private.key -noout | openssl sha256

(stdin)= 5a07ccd5d1208a7f4e445414b841d100b85ac3138d47554be333fbd18d42a89c

// Verifying CSR

openssl req -modulus -in identity.csr -noout | openssl sha256

(stdin)= 5a07ccd5d1208a7f4e445414b841d100b85ac3138d47554be333fbd18d42a89c

// Verifying certificate
openssl x509 -modulus -in certificate.crt -noout | openssl sha256

(stdin)= 81c6258063b5d2a7403f5ad6d3c490c79261402f9269f6a304e95f1ffde1eb04


If the output of all three commands is identical, the files share one key pair.

If any value differs, the keys are not the same and the certificate cannot be installed with this private key. The sample output above is exactly that case: the certificate's hash (81c6...) does not match the key and CSR hashes (5a07...), and the CSR shown in step 2 is 4096-bit while the certificate in step 4 is 2048-bit, so that certificate was issued for a different key.

Key mismatch errors are typically caused by installing a certificate on a machine other than the one where the CSR was generated, or by regenerating the private key after the CSR was submitted.
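Steps 1 to 5 as one script, added here as an example; it is not code from the original page. It assumes openssl 1.1.1 or newer on PATH (-addext needs 1.1.1), and the file names, the host name hostone.example.net and the subject are my own choices. It goes a little beyond the page: the CSR carries a subjectAltName, and the key-match check hashes the DER-encoded public key rather than the RSA modulus, so the same check also works for EC keys.

```sh
#!/bin/sh
# Added example, not from the original page: steps 1-5 as one script, with the
# key-match check done on the public key instead of the RSA modulus so that the
# same check also works for EC keys.  Assumes openssl >= 1.1.1 on PATH (-addext
# needs 1.1.1); the file names, host name and subject below are my own choices.
set -eu

# Step 1: private key.  genpkey is the modern form of genrsa and can also do EC.
make_key() {                      # make_key <out.key> <rsa|ec>
    case $2 in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" ;;
        ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" ;;
        *)   echo "unknown key type: $2" >&2; return 1 ;;
    esac
}

# Step 2: CSR.  CAs and browsers match host names against subjectAltName, not
# the CN, so the names go into a SAN extension as well.
make_csr() {                      # make_csr <in.key> <out.csr> <host>
    openssl req -new -key "$1" -out "$2" -sha256 \
        -subj "/C=US/ST=Utah/L=Lehi/O=Example, Inc./OU=IT/CN=$3" \
        -addext "subjectAltName=DNS:$3,DNS:www.$3"
}

# Step 3: self-sign the CSR with its own key (an internal CA would use -CA/-CAkey
# instead of -signkey).  x509 -req does not copy the CSR's extensions, so the
# SAN is supplied again through -extfile.
self_sign() {                     # self_sign <in.csr> <in.key> <out.crt> <host>
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s,DNS:www.%s\nbasicConstraints=CA:FALSE\n' "$4" "$4" > "$ext"
    openssl x509 -req -in "$1" -signkey "$2" -days 365 -sha256 -extfile "$ext" -out "$3"
    rm -f "$ext"
}

# Step 5: SHA-256 of the DER-encoded SubjectPublicKeyInfo taken from a private
# key, a CSR or a certificate.  Unlike -modulus this is key-type agnostic.
pub_fingerprint() {               # pub_fingerprint <key|csr|crt> <file>
    { case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -pubkey -noout ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
      esac
    } | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Returns 0 only when key, CSR and certificate all carry the same public key.
keys_match() {                    # keys_match <key> <csr> <crt>
    k=$(pub_fingerprint key "$1")
    c=$(pub_fingerprint csr "$2")
    x=$(pub_fingerprint crt "$3")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Run the whole flow for one key type in a scratch directory.
demo() {                          # demo <rsa|ec>
    d=$(mktemp -d)
    make_key  "$d/private.key" "$1"
    make_csr  "$d/private.key" "$d/identity.csr" hostone.example.net
    self_sign "$d/identity.csr" "$d/private.key" "$d/certificate.crt" hostone.example.net
    openssl x509 -in "$d/certificate.crt" -noout -subject -ext subjectAltName
    if keys_match "$d/private.key" "$d/identity.csr" "$d/certificate.crt"; then
        echo "$1: key, CSR and certificate match ($(pub_fingerprint key "$d/private.key"))"; rc=0
    else
        echo "$1: KEY MISMATCH" >&2; rc=1
    fi
    rm -rf "$d"
    return $rc
}

demo rsa
demo ec
```

Run it with sh; for each key type it prints the certificate subject and SAN and whether the three files agree. A certificate issued for a different key, the situation in the sample output above, makes keys_match return non-zero.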

 

6, Converting certificate formats

Convert a PEM certificate and its private key to PKCS#12 (.pfx / .p12). -in is the server certificate, -certfile the CA/intermediate chain that came with it, and -name a friendly name that importing tools (IIS, Java keytool) display; putting the expiry date in it makes renewals easier to track:

openssl pkcs12 -export -out certificate.pfx -name "yourdomain-digicert-(expiration date)" \
-inkey private.key -in certificate.crt -certfile chain.crt \
-passout pass:IDENTITY_CERT_PASSWORD

Passing the export password as pass:... puts it into the shell history and the process list. For anything but a throwaway bundle, leave -passout out and type it at the prompt, or read it from a protected file with -passout file:/path/to/passfile (or from an environment variable with env:NAME).

The same without the chain and with an interactive password prompt:

openssl pkcs12 -export -name "yourdomain-digicert-(expiration date)" \
-out yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt

// Verifying PKCS#12 file (prompts for the import password; -noout keeps the private key off the terminal and only reports the MAC and encryption algorithms used)
openssl pkcs12 -info -in certificate.pfx -noout
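The export and the round-trip check as a script, added here as an example (not code from the original page). It assumes openssl 1.1.1 or newer on PATH; the internal CA, the file names, the host name hostone.example.net and the password are my own choices. Rather than a real CA's chain it builds a throwaway CA so that -certfile has something to bundle, keeps the PKCS#12 password in a file instead of on the command line, and then unpacks the bundle again to confirm the key, the certificate and the chain all came through.

```sh
#!/bin/sh
# Added example, not from the original page: a throwaway internal CA issues a
# leaf certificate, leaf + key + CA chain go into a PKCS#12 bundle with the
# password read from a file rather than the command line, and the bundle is
# unpacked again to prove it round-trips.  Assumes openssl >= 1.1.1 on PATH;
# every file name, host name and password below is my own choice.
set -eu

# Minimal req config: an (empty) DN section so -subj works, and CA extensions
# for the self-signed root, independent of whatever /etc/ssl/openssl.cnf holds.
write_req_config() {              # write_req_config <dir>
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$1/req.cnf"
}

# Self-signed CA certificate, valid 30 days, used only to sign the leaf below.
make_ca() {                       # make_ca <dir>
    write_req_config "$1"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Internal CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# Leaf: key, CSR, then a CA-signed certificate with SAN and serverAuth EKU
# (extensions come from -extfile; x509 -req does not copy them from the CSR).
make_leaf() {                     # make_leaf <dir> <host>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/leaf.key"
    openssl req -new -config "$1/req.cnf" -key "$1/leaf.key" -sha256 -subj "/CN=$2" -out "$1/leaf.csr"
    printf '%s\n' "subjectAltName = DNS:$2" 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' > "$1/leaf.ext"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/leaf.ext" -out "$1/leaf.crt"
}

verify_leaf() {                   # verify_leaf <ca.crt> <leaf.crt>: 0 if the chain validates
    openssl verify -CAfile "$1" "$2" > /dev/null
}

# Export.  -passout file: keeps the password out of `ps` and shell history; the
# friendly name carries the expiry date as the page recommends.
export_pfx() {                    # export_pfx <key> <leaf.crt> <chain.crt> <out.pfx> <passfile>
    expires=$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
        -name "$(basename "$2" .crt) (expires $expires)" -passout "file:$5"
}

# Inspection: unpack one part of the bundle at a time instead of using -info.
pfx_subject() {                   # pfx_subject <pfx> <passfile>: subject of the end-entity cert
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "file:$2" | openssl x509 -noout -subject
}
pfx_chain_count() {               # pfx_chain_count <pfx> <passfile>: number of CA certs inside
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "file:$2" | grep -c 'BEGIN CERTIFICATE'
}
pfx_key_matches_cert() {          # 0 when the bundled key and leaf carry the same public key
    k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "file:$2" | openssl pkey -pubout)
    c=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "file:$2" | openssl x509 -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_leaf "$d" hostone.example.net
    umask 077                                   # the password file is a secret too
    printf '%s\n' 'correct horse battery staple' > "$d/pfx-pass.txt"
    export_pfx "$d/leaf.key" "$d/leaf.crt" "$d/ca.crt" "$d/leaf.pfx" "$d/pfx-pass.txt"
    verify_leaf "$d/ca.crt" "$d/leaf.crt" && echo "leaf chains to ca.crt"
    pfx_subject "$d/leaf.pfx" "$d/pfx-pass.txt"
    echo "CA certificates in bundle: $(pfx_chain_count "$d/leaf.pfx" "$d/pfx-pass.txt")"
    pfx_key_matches_cert "$d/leaf.pfx" "$d/pfx-pass.txt" && echo "bundled key and certificate match"
    rm -rf "$d"
}
demo
```

One compatibility caveat when the bundle is meant for an older consumer: OpenSSL 3 encrypts PKCS#12 with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default, which Windows Server 2016 and Java 8 era tools cannot import. For those, add -legacy (OpenSSL 3) or spell out the old algorithms with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 on the export command.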