Creating a Self-Signed Certificate With OpenSSL

Last modified: July 17, 2021

1. Overview

OpenSSL is an open-source command-line tool that allows users to perform various SSL-related tasks.

In this tutorial, we’ll learn how to create a self-signed certificate with OpenSSL.

2. Creating a Private Key

First, we’ll create a private key. The private key is the secret half of the key pair: the certificate will carry its matching public key, so the private key is the most important, and most sensitive, component of our certificate and must be kept confidential.

Let’s create a password-protected, 2048-bit RSA private key (domain.key) with the openssl command:

openssl genrsa -des3 -out domain.key 2048

We’ll enter a password when prompted. The output will look like:

Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Enter pass phrase for domain.key:
Verifying - Enter pass phrase for domain.key:

If we want our private key unencrypted, we can simply remove the -des3 option from the command. Since 3DES is a legacy cipher, genrsa also accepts -aes256 in place of -des3 for stronger passphrase-based protection of the key file.

3. Creating a Certificate Signing Request

If we want our certificate signed, we need a certificate signing request (CSR). The CSR includes the public key and some additional information (such as organization and country).

Let’s create a CSR (domain.csr) from our existing private key:

openssl req -key domain.key -new -out domain.csr

We’ll enter our private key password and some CSR information to complete the process. The output will look like:

Enter pass phrase for domain.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:stateA
Locality Name (eg, city) []:cityA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:companyA
Organizational Unit Name (eg, section) []:sectionA
Common Name (e.g. server FQDN or YOUR name) []:domain
Email Address []:email@email.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

An important field is “Common Name,” which should be the exact Fully Qualified Domain Name (FQDN) of our domain. Note that modern browsers match the host name against the subjectAltName extension rather than the Common Name, so a certificate meant for HTTPS also needs a matching SAN entry; section 5.2 shows how to add one.

“A challenge password” and “An optional company name” can be left empty.

We can also create both the private key and CSR with a single command:

openssl req -newkey rsa:2048 -keyout domain.key -out domain.csr

If we want our private key unencrypted, we can add the -nodes option:

openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

4. Creating a Self-Signed Certificate

A self-signed certificate is a certificate that’s signed with its own private key. It provides the same encryption as a CA-signed certificate, but because no trusted third party vouches for it, clients cannot verify its identity, so our users will be shown a warning that says the certificate isn’t trusted.

Let’s create a self-signed certificate (domain.crt) with our existing private key and CSR:

openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

The -days option specifies the number of days that the certificate will be valid.

We can create a self-signed certificate with just a private key:

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

This command creates a temporary CSR internally, so we still get the CSR information prompt.

We can even create a private key and a self-signed certificate with just a single command:

openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 365 -out domain.crt
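
The following script is an added example and not part of the original article. It builds the key and self-signed certificate of this section in one step (with the subject passed via -subj so there is no prompt, and a subjectAltName added with -addext), then runs the three checks a practitioner does before deploying such a certificate: that it really is self-signed, that the private key matches the certificate, and that the expected DNS name is present in the SAN. It assumes OpenSSL 1.1.1 or newer (for -addext); "domain" and "www.domain" stand in for the real FQDN.

```shell
#!/bin/sh
# Added example, not part of the original article: build a self-signed
# certificate that also carries a subjectAltName, then run the checks a
# practitioner does before deploying it. Assumes OpenSSL 1.1.1 or newer
# (for -addext); "domain" / "www.domain" stand in for the real FQDN.

# Create an unencrypted 2048-bit key and a 365-day self-signed certificate
# in a fresh temporary directory; the subject is given with -subj so there
# is no interactive prompt. Prints the directory path.
make_self_signed() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" \
        -subj "/C=AU/ST=stateA/L=cityA/O=companyA/CN=domain" \
        -addext "subjectAltName=DNS:domain,DNS:www.domain" >/dev/null 2>&1
    echo "$dir"
}

# Check 1: a self-signed certificate has identical subject and issuer.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Check 2: the public key inside the certificate must match the private key
# we are about to deploy next to it (compare SHA-256 of both public keys).
key_matches_cert() {
    ck=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    kk=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$ck" ] && [ "$ck" = "$kk" ] && echo yes || echo no
}

# Check 3: modern clients match the host name against subjectAltName,
# not the Common Name, so the expected DNS name must appear there.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" && echo yes || echo no
}

# Stand-alone run: generate the files and report the three checks.
if command -v openssl >/dev/null 2>&1; then
    d=$(make_self_signed)
    echo "self-signed: $(is_self_signed "$d/domain.crt")"
    echo "key matches: $(key_matches_cert "$d/domain.crt" "$d/domain.key")"
    echo "SAN present: $(has_san "$d/domain.crt" www.domain)"
fi
```

The key-match check is the one most often skipped in practice: a certificate deployed next to the wrong private key fails only at TLS handshake time, whereas comparing the two public keys catches it before anything is restarted.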

5. Creating a CA-Signed Certificate With Our Own CA

We can be our own certificate authority (CA) by creating a self-signed root CA certificate, and then installing it as a trusted certificate in the local browser. Anyone holding the root CA’s private key can issue certificates that every client trusting that root will accept, so the key must be protected at least as carefully as any server key.

5.1. Create a Self-Signed Root CA

Let’s create a private key (rootCA.key) and a self-signed root CA certificate (rootCA.crt) from the command line:

openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt

5.2. Sign Our CSR With Root CA

First, we’ll create an extension configuration file (domain.ext) with the following content:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain

The “DNS.1” field should be the domain of our website; further host names can be listed as DNS.2, DNS.3 and so on. Because browsers check subjectAltName rather than the Common Name, this file is what makes the issued certificate usable for HTTPS.

Then we can sign our CSR (domain.csr) with the root CA certificate and its private key:

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 365 -CAcreateserial -extfile domain.ext

As a result, the CA-signed certificate will be in the domain.crt file.
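
The script below is an added example, not the article's own, that runs sections 3, 5.1 and 5.2 end to end: it creates the root CA, a server key and CSR, writes domain.ext with exactly the content shown above, signs the CSR, and then verifies the result with openssl verify using rootCA.crt as the only trust anchor. It also confirms that the issued certificate is an end-entity certificate (CA:FALSE) and carries the SAN from domain.ext. Keys are left unencrypted (-nodes) and subjects are passed with -subj so that the script runs without prompts; "domain" and the CA name are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own script: act as our own CA, issue a
# server certificate from a CSR using the domain.ext extension file shown
# in the article, and verify the result. "domain" and the CA name are
# placeholders; keys are unencrypted (-nodes) so the script needs no input.

# Runs sections 3, 5.1 and 5.2 inside a temporary directory and prints it.
make_ca_signed() {
    dir=$(mktemp -d)
    # 5.1: private key and self-signed root CA certificate, valid 5 years
    openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" \
        -subj "/CN=Example Private Root CA" >/dev/null 2>&1
    # 3: server private key and CSR
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
        -out "$dir/domain.csr" -subj "/CN=domain" >/dev/null 2>&1
    # 5.2: extension file with the same content as in the article
    cat > "$dir/domain.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain
EOF
    # 5.2: sign the CSR with the root CA; -CAcreateserial writes rootCA.srl
    openssl x509 -req -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -in "$dir/domain.csr" -out "$dir/domain.crt" -days 365 \
        -CAcreateserial -extfile "$dir/domain.ext" >/dev/null 2>&1
    echo "$dir"
}

# Chain check: the leaf must validate with rootCA.crt as the only trust
# anchor. Prints OK or FAIL.
verify_chain() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/domain.crt" 2>/dev/null \
        | grep -q ': OK$' && echo OK || echo FAIL
}

# Extension checks: the issued certificate must be an end-entity certificate
# (CA:FALSE, so it cannot itself issue certificates) and carry the SAN.
leaf_is_end_entity() {
    openssl x509 -in "$1/domain.crt" -noout -text | grep -q 'CA:FALSE' && echo yes || echo no
}
leaf_has_san() {
    openssl x509 -in "$1/domain.crt" -noout -text | grep -q 'DNS:domain' && echo yes || echo no
}

# Stand-alone run
if command -v openssl >/dev/null 2>&1; then
    d=$(make_ca_signed)
    echo "chain:       $(verify_chain "$d")"
    echo "end entity:  $(leaf_is_end_entity "$d")"
    echo "SAN present: $(leaf_has_san "$d")"
    ls "$d"
fi
```

The basicConstraints=CA:FALSE line in domain.ext matters beyond tidiness: without it, a leaf certificate that a client trusts could in some configurations be used to sign further certificates, which is why the check above looks for it explicitly.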

6. View Certificates

We can use the openssl command to view the contents of our certificate in plain text:

openssl x509 -text -noout -in domain.crt

The output will look like:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            64:1a:ad:0f:83:0f:21:33:ff:ac:9e:e6:a5:ec:28:95:b6:e8:8a:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = stateA, L = cityA, O = companyA, OU = sectionA, CN = domain, emailAddress = email@email.com
        Validity
            Not Before: Jul 12 07:18:18 2021 GMT
            Not After : Jul 12 07:18:18 2022 GMT
        Subject: C = AU, ST = stateA, L = cityA, O = companyA, OU = sectionA, CN = domain, emailAddress = email@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:6a:2e:a2:17:68:bd:83:a1:17:87:d8:9c:56:
                    ab:ac:1f:1e:d3:32:b2:91:4d:8e:fe:4f:9c:bf:54:
                    aa:a2:02:8a:bc:14:7c:3d:02:15:a9:df:d5:1b:78:
                    17:ff:82:6b:af:f2:21:36:a5:ad:1b:6d:67:6a:16:
                    26:f2:a9:2f:a8:b0:9a:44:f9:72:de:7a:a0:0a:1f:
                    dc:67:b0:4d:a7:f4:ea:bd:0e:83:7e:d2:ea:15:21:
                    6d:8d:18:65:ed:f8:cc:6a:7f:83:98:e2:a4:f4:d6:
                    00:b6:ed:69:95:4e:0d:59:ee:e8:3f:e7:5a:63:24:
                    98:d1:4b:a5:c9:14:a5:7d:ef:06:78:2e:08:25:3c:
                    fd:05:0c:67:ce:70:5d:34:9b:c4:12:e6:e3:b1:04:
                    6a:db:db:e9:47:31:77:80:4f:09:5e:25:73:75:e4:
                    57:36:34:f8:c3:ed:a2:21:57:0e:e3:c1:5c:fc:d9:
                    f2:a3:b1:d9:d9:4f:e2:3e:ad:21:77:20:98:ed:15:
                    39:99:1b:7e:29:60:14:eb:76:8b:8b:72:16:b1:68:
                    5c:10:51:27:fa:41:49:c5:b7:c4:79:69:5e:28:a2:
                    c3:55:ac:e8:05:0f:4b:4a:bd:4b:2c:8b:7d:92:b0:
                    2d:b3:1a:de:9f:1a:5b:46:65:c6:33:b2:2e:7a:0c:
                    b0:2f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         58:c0:cd:df:4f:c1:0b:5c:50:09:1b:a5:1f:6a:b9:9a:7d:07:
         51:ca:43:ec:ba:ab:67:69:c1:eb:cd:63:09:33:42:8f:16:fe:
         6f:05:ee:2c:61:15:80:85:0e:7a:e8:b2:62:ec:b7:15:10:3c:
         7d:fa:60:7f:ee:ee:f8:dc:70:6c:6d:b9:fe:ab:79:5d:1f:73:
         7a:6a:e1:1f:6e:c9:a0:ae:30:b2:a8:ee:c8:94:81:8e:9b:71:
         db:c7:8f:40:d6:2d:4d:f7:b4:d3:cf:32:04:e5:69:d7:31:9c:
         ea:a0:0a:56:79:fa:f9:a3:fe:c9:3e:ff:54:1c:ec:96:1c:88:
         e5:02:d3:d0:da:27:f6:8f:b4:97:09:10:33:32:87:a8:1f:08:
         dc:bc:4c:be:6b:cc:b9:0e:cf:18:12:55:17:44:47:2e:9c:99:
         99:3c:96:60:12:c6:fe:b0:ee:01:97:54:20:b0:13:51:4f:ee:
         1d:c0:3d:1a:30:aa:79:30:12:e2:4f:af:13:85:f8:c8:1e:f5:
         28:7c:55:66:66:10:f4:0a:69:c0:55:8a:9a:c7:eb:ec:15:f0:
         ef:bd:c1:d2:47:43:34:72:71:d2:c3:ff:f0:a3:c1:2c:63:56:
         f2:f5:cf:91:ec:a1:c0:1f:5d:af:c0:8e:7a:02:fe:08:ba:21:
         68:f2:dd:bd

7. Convert Certificate Formats

Our certificate (domain.crt) is an X.509 certificate that’s ASCII PEM-encoded. We can use OpenSSL to convert it to other formats for multi-purpose use.

7.1. Convert PEM to DER

The DER format is usually used with Java. Let’s convert our PEM-encoded certificate to a DER-encoded certificate:

openssl x509 -in domain.crt -outform der -out domain.der

7.2. Convert PEM to PKCS12

PKCS12 files, also known as PFX files, are usually used for importing and exporting certificate chains in Microsoft IIS.

We’ll use the following command to take our private key and certificate, and then combine them into a PKCS12 file:

openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
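
As an added example (not from the original article), the script below performs both conversions of this section, PEM to DER and PEM to PKCS12, and then proves that all three containers hold the same certificate by comparing SHA-256 fingerprints; the PKCS12 check extracts the certificate back out of the .pfx file with the passphrase. The certificate is generated on the fly, and the passphrase "changeit" is a constructed demo value.

```shell
#!/bin/sh
# Added example, not from the original article: convert a PEM certificate to
# DER and PKCS12 as in section 7 and confirm that every container holds the
# same certificate by comparing SHA-256 fingerprints. The PKCS12 passphrase
# "changeit" is a constructed demo value; use a real one in practice.

# Create key + self-signed certificate, then the two converted forms.
# Prints the temporary directory holding domain.key/.crt/.der/.pfx.
convert_all() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" \
        -subj "/CN=domain" >/dev/null 2>&1
    # 7.1: PEM -> DER (certificate only)
    openssl x509 -in "$dir/domain.crt" -outform der -out "$dir/domain.der"
    # 7.2: PEM key + certificate -> PKCS12, protected by a passphrase
    openssl pkcs12 -inkey "$dir/domain.key" -in "$dir/domain.crt" -export \
        -out "$dir/domain.pfx" -passout pass:changeit >/dev/null 2>&1
    echo "$dir"
}

# SHA-256 fingerprint of a PEM or DER certificate file ($2 = pem|der).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate stored inside a PKCS12 file: extract the
# certificate (no keys) back to PEM and fingerprint it.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:changeit 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Prints yes when PEM, DER and PKCS12 all carry the same certificate.
formats_agree() {
    p=$(cert_fingerprint "$1/domain.crt" pem)
    d=$(cert_fingerprint "$1/domain.der" der)
    x=$(pfx_fingerprint "$1/domain.pfx")
    [ -n "$p" ] && [ "$p" = "$d" ] && [ "$p" = "$x" ] && echo yes || echo no
}

# Stand-alone run
if command -v openssl >/dev/null 2>&1; then
    d=$(convert_all)
    echo "PEM:    $(cert_fingerprint "$d/domain.crt" pem)"
    echo "DER:    $(cert_fingerprint "$d/domain.der" der)"
    echo "PKCS12: $(pfx_fingerprint "$d/domain.pfx")"
    echo "agree:  $(formats_agree "$d")"
fi
```

Comparing fingerprints is the reliable way to confirm a conversion: the byte layout differs between PEM, DER and PKCS12, but the fingerprint is computed over the DER encoding of the certificate itself, so it is identical in all three when nothing was altered.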

8. Conclusion

In this article, we learned how to create a self-signed certificate with OpenSSL from scratch, view this certificate, and convert it to other formats. We hope these things help with your work.
