  • OpenSSL self-signed certificate

    2020-04-26 15:13:09

    OpenSSL self-signed certificate

    1. Self-signed certificate test
    Install nginx

    yum -y install nginx
    

    Check that nginx has the ssl module

    [root@ docker ~]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-
    --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module 
    

    2. Prepare the private key and certificate
    Create the private key

    [root@ docker ~]# cd /etc/nginx/
    [root@ docker nginx]# mkdir -p ssl
    [root@ docker nginx]# cd ssl/
    [root@ docker ssl]# openssl genrsa -des3 -out server.key 1024
    Enter pass phrase for server.key:123456
    Verifying - Enter pass phrase for server.key:123456
    [root@ docker ssl]# ll
    total 4
    -rw-r--r-- 1 root root 963 2020-02-26 02:43 server.key
    

    Issue the certificate

    [root@ docker ssl]# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key: 123456
    
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BJ
    Locality Name (eg, city) [Default City]:BJ
    Organization Name (eg, company) [Default Company Ltd]:SDU
    Organizational Unit Name (eg, section) []:BJ
    Common Name (eg, your name or your server's hostname) []:wjj
    Email Address []:602616568@qq.com
    
    A challenge password []:(press Enter)
    An optional company name []:(press Enter)
    

    Remove the passphrase from the private key

    [root@ docker ssl]# cd /etc/nginx/ssl
    [root@ docker ssl]# cp server.key server.key.ori
    [root@ docker ssl]# openssl rsa -in server.key.ori -out server.key
    Enter pass phrase for server.key.ori:123456
    

    Generate the self-signed certificate from the signing request and the private key

    [root@ docker ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    
    Signature ok
    subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=wjj/emailAddress=602616568@qq.com
    Getting Private key
    Enter pass phrase for server.key:(password)
    

    3. Enable nginx ssl

    # Create the virtual host
    [root@ docker conf.d]# mkdir -p /etc/nginx/html
    [root@ docker conf.d]# vim hack.conf
    server {
        listen       443 ssl;
        server_name  www.hack.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # Define the site root directory
            root    /etc/nginx/html;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    
    [root@ docker conf.d]# nginx -t
    [root@ docker conf.d]# nginx -s reload
    

    Add the hosts entry on Windows, then open https://www.hack.com/hack.html in a browser

    10.0.0.41 www.hack.com
    


    At this point you will find that the browser can no longer open http://www.hack.com/hack.html (watch out for browser caching), so port 80 needs to be redirected to port 443.

    4. rewrite redirect

    The configuration above has a drawback: if a user forgets to use https or port 443, the site cannot be reached, so requests to port 80 have to be forwarded to port 443 and served over ssl. Just add one more server block that uses a 301 permanent redirect.

    [root@ docker conf.d]# vim hack.conf
    server {
        listen 80;
        server_name www.hack.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

    server {
        listen       443 ssl;
        server_name  www.hack.com;

        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            # Define the site root directory
            root    /etc/nginx/html;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
    
    [root@ docker conf.d]# nginx -t
    [root@ docker conf.d]# nginx -s reload
    

    Now when the browser requests http://www.hack.com/hack.html, nginx redirects it to https://www.hack.com/hack.html; the details can be seen in the nginx log.

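    The procedure above works, but the certificate it produces is rejected by current browsers for a reason the post does not mention: they match the hostname against subjectAltName, not against CN, and a 1024-bit RSA key is below the minimum most TLS stacks accept. The script below is an added example, not the post's own commands: it produces a 2048-bit, passphrase-free key and a self-signed certificate with a SAN for www.hack.com in one openssl invocation, then runs the two checks worth doing before pointing ssl_certificate and ssl_certificate_key at the files. It assumes OpenSSL 1.1.1 or newer on PATH; the request config and the temp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's commands: a browser-acceptable self-signed
# certificate for www.hack.com plus the checks nginx needs to pass.
# Assumes OpenSSL 1.1.1 or newer on PATH; DIR is a constructed temp path.
set -eu

# make_self_signed DIR HOSTNAME DAYS -> DIR/server.key and DIR/server.crt
# Differences from the post: 2048-bit key instead of 1024, no passphrase
# (-nodes, so nginx starts unattended and the later "openssl rsa" step is
# unnecessary), and subjectAltName set, because browsers match the hostname
# against SAN and ignore CN.
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # Constructed request config: prompt=no takes the subject from [dn],
    # x509_extensions applies [server_ext] to the self-signed certificate.
    cat > "$dir/server.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = server_ext
[ dn ]
C  = CN
ST = BJ
L  = BJ
O  = SDU
CN = $host
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # only the nginx master process needs to read it
}

# cert_has_san CRT HOSTNAME -> exit 0 when the SAN extension lists HOSTNAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert KEY CRT -> exit 0 when the two belong together; a mismatch
# is what "nginx -t" reports as "key values mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# key_bits CRT -> prints the RSA modulus size of the certificate's public key
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo run in a constructed temporary directory.
demo=$(mktemp -d)
make_self_signed "$demo" www.hack.com 365
echo "key size: $(key_bits "$demo/server.crt") bits"
cert_has_san "$demo/server.crt" www.hack.com && echo "SAN contains www.hack.com"
key_matches_cert "$demo/server.key" "$demo/server.crt" && echo "server.key matches server.crt"
```

    Copy the two files into /etc/nginx/ssl/ and the post's server block needs no other change; because the key carries no passphrase, nginx starts without prompting, which is what the post achieves separately with openssl rsa. The browser will still warn once, since nothing it trusts has signed the certificate, but it will no longer reject the hostname.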
  • openssl self-signed certificate

    2021-07-26 17:00:37

    // Generate the CA key

    openssl  genrsa -out ca-key.pem 2048
    

    // Generate the CA certificate

    openssl req \
        -outform pem -out ca-cert.pem \
        -key  ca-key.pem  -new  -x509 \
        -days 3650 \
        -subj "/CN=trend.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US"
    

    // If "basicConstraints=CA:TRUE" is missing, it can be added by hand

    openssl req \
        -addext basicConstraints=CA:TRUE \
        -outform pem -out ca-cert.pem \
        -key ca-key.pem -new -x509 \
        -days "360" \
        -subj "/CN=trend.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US"
    

    // Generate the server certificate key

    openssl  genrsa -out server-key.pem 2048
    

    // Generate the server certificate request file

    openssl req \
        -out server-req.csr \
        -key  server-key.pem  -new \
        -subj "/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US"
    

    // Sign with the CA (without -signkey: if -signkey is given, x509 -req self-signs with that key and ignores -CA/-CAkey)

    openssl x509 -req -in server-req.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650
    

    // View the certificate contents

    openssl x509 -inform PEM -in server-cert.pem -text
    

    Verify the certificate

    openssl verify -CAfile ca-cert.pem server-cert.pem
    
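    Two details of the signing step in this post are easy to miss. openssl x509 -req with -signkey self-signs with that key and ignores -CA/-CAkey, so a command carrying both produces a certificate that does not chain to ca-cert.pem and the final openssl verify fails. And x509 -req never copies extensions from the CSR (naming a section with -extensions does nothing without -extfile), so the server certificate gets no subjectAltName unless an extension file supplies one. The script below is an added example, not the post's own commands: it builds the CA and the server certificate with -signkey dropped and the leaf extensions supplied from a constructed extension file, then verifies the chain and checks that the issuer is the CA rather than the certificate itself. It assumes OpenSSL 1.1.1 or newer on PATH; the subject names are the post's, the config files and temp directory are constructed.

```shell
#!/bin/sh
# Added example, not the post's commands: a CA-signed server certificate with
# the leaf extensions a TLS client expects, plus checks that the signing
# really was done by the CA. Assumes OpenSSL 1.1.1+ on PATH.
set -eu

# make_ca DIR: CA key plus a self-signed CA certificate whose extensions come
# from a constructed config rather than from the system openssl.cnf.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = trend.com
O  = Example Co.
OU = Engineering
L  = Boston
ST = MA
C  = US
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca-key.pem" \
        -out "$dir/ca-cert.pem" -days 3650 -sha256
}

# issue_server_cert DIR HOSTNAME: CSR signed by the CA key. x509 -req copies
# nothing from the CSR, so the leaf extensions come from a constructed extfile.
issue_server_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/server-key.pem" \
        -out "$dir/server-req.csr" \
        -subj "/CN=$host/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US"
    cat > "$dir/server-ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # No -signkey here: with it present, x509 -req would self-sign with
    # server-key.pem and silently ignore -CA/-CAkey.
    openssl x509 -req -in "$dir/server-req.csr" -out "$dir/server-cert.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -days 825 -sha256 -extfile "$dir/server-ext.cnf" 2>/dev/null
}

# chains_to_ca CA_CERT LEAF -> exit 0 when the leaf verifies against the CA
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_self_signed CRT -> exit 0 when issuer equals subject, the symptom of
# the -signkey mistake (expected for the CA, wrong for the server cert)
is_self_signed() {
    i=$(openssl x509 -in "$1" -noout -issuer)
    s=$(openssl x509 -in "$1" -noout -subject)
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Demo run in a constructed temporary directory.
demo=$(mktemp -d)
make_ca "$demo"
issue_server_cert "$demo" example.com
chains_to_ca "$demo/ca-cert.pem" "$demo/server-cert.pem" && echo "server-cert.pem chains to ca-cert.pem"
is_self_signed "$demo/server-cert.pem" || echo "server-cert.pem was signed by the CA, not by itself"
openssl x509 -in "$demo/server-cert.pem" -noout -issuer -subject
```

    The last line prints the CA's name as issuer and example.com as subject; after the post's original command (with -signkey) both lines would show example.com, and openssl verify -CAfile ca-cert.pem would report a self-signed certificate error.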
  • OpenSSL self-signed certificate

    2020-06-05 17:45:25

    Install openssl
    1. Generate the private key

    openssl genrsa -out server.key 2048
    

    2. Generate the certificate signing request (CSR)

    openssl req -new -key server.key -out server.csr
    Then enter the requested information at the prompts
    For Common Name, enter the domain name or hostname that will use the SSL certificate (i.e., the https protocol); otherwise the browser will treat it as insecure. For example: if you later plan to use https://aimuti/xxx, enter aimuti here
    

    3. Create the CA certificate

    openssl req -new -x509 -days 3650 -key server.key -out ca.crt
    

    4. Use the CA certificate to issue yourself a certificate

    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -passin pass:123456 -CAcreateserial -out server.crt
    

    The resulting server.crt is the certificate we need.

  • Openssl self-signed certificate

    2015-12-30 16:13:38
    1. Create the root certificate key file (acting as your own CA) root.key:
    openssl genrsa -des3 -out root.key


    2. Create the root certificate request file root.csr:
    openssl req -new -key root.key -out root.csr


    3. Create a root certificate root.crt valid for ten years from today:
    openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt


    4. Create the server certificate key server.key:
    openssl genrsa -des3 -out server.key 2048


    5. Create the server certificate request file server.csr:
    openssl req -new -key server.key -out server.csr


    6. Create a server certificate server.crt valid for two years from today:
    openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt





    1. Create the root certificate key file (acting as your own CA) root.key:
    openssl genrsa -des3 -out root.key


    The output is:
    [lenin@archer ~]$ openssl genrsa -des3 -out root.key
    Generating RSA private key, 512 bit long modulus
    ……………..++++++++++++
    ..++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for root.key: ← enter a new password
    Verifying - Enter pass phrase for root.key: ← enter the password again


    2. Create the root certificate request file root.csr:
    openssl req -new -key root.key -out root.csr


    The output is:
    [lenin@archer ~]$ openssl req -new -key root.key -out root.csr
    Enter pass phrase for root.key: ← enter the password created above
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN ← country code, CN for China
    State or Province Name (full name) [Some-State]:BeiJing ← full name of the province, in pinyin
    Locality Name (eg, city) []:BeiJing ← full name of the city, in pinyin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
    Organizational Unit Name (eg, section) []: ← may be left blank
    Common Name (eg, YOUR name) []: ← leave blank at this point
    Email Address []:admin@mycompany.com ← email address, any value will do
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ← may be left blank
    An optional company name []: ← may be left blank


    3. Create a root certificate root.crt valid for ten years from today:
    openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt


    The output is:
    [lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@mycompany.com
    Getting Private key
    Enter pass phrase for root.key: ← enter the password created above


    4. Create the server certificate key server.key:
    openssl genrsa -des3 -out server.key 2048


    The output is:
    [lenin@archer ~]$ openssl genrsa -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ….+++
    …………………………………………..+++
    e is 65537 (0x10001)
    When run, it prompts for a password, which is used to encrypt the key file (the des3 parameter specifies the encryption algorithm; you can of course pick another algorithm you consider secure). From then on, every time this file is read (through the commands or the API provided by openssl) the passphrase has to be entered. If that is inconvenient, the passphrase can be removed, but other protective measures must then be put in place!


    Command to remove the passphrase from the key file:
    openssl rsa -in server.key -out server.key


    5. Create the server certificate request file server.csr:
    openssl req -new -key server.key -out server.csr


    The output is:
    [lenin@archer ~]$ openssl req -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN ← country code, CN for China
    State or Province Name (full name) [Some-State]:BeiJing ← province name, in pinyin
    Locality Name (eg, city) []:BeiJing ← city name, in pinyin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
    Organizational Unit Name (eg, section) []: ← may be left blank
    Common Name (eg, YOUR name) []:om ← server hostname; if it is wrong the browser reports the certificate as invalid, but this does not affect use
    Email Address []:admin@mycompany.com ← email address, any value will do
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ← may be left blank
    An optional company name []: ← may be left blank


    6. Create a server certificate server.crt valid for two years from today:
    openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt


    The output is:
    [lenin@archer ~]$ openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt








    The process of generating certificates with the openssl tool is as follows:
    I) First create the CA root certificate


    1) Generate an RSA private key for the CA (3DES encrypted, PEM format):


    $ openssl genrsa -des3 -out rootca.key 1024


    2) Generate a self-signed certificate in X509 structure, PEM format (it could of course also be signed by a CA)


    $ openssl req -new -x509 -days 365 -key rootca.key -out rootca.crt


    3) View the detailed contents of this root certificate


    $ openssl x509 -noout -text -in rootca.crt


    4) Verify the certificate's validity


    $ openssl verify -CAfile rootca.crt rootca.crt


    The first argument is the root certificate, the second is the child certificate to be verified; since it is self-signed, this amounts to a certificate it issued to itself.


     


    II) Use the root certificate to issue a child certificate


    1) Generate a 3DES-encrypted, PEM-format RSA private key.


     $ openssl genrsa -des3 -out user.key 1024


    2) Generate a certificate signing request file (PEM format)


    $ openssl req -new -key user.key -out user.csr


    3) Sign with the CA root certificate


    A. Create the configuration file ca.config as follows (comments start with #; OpenSSL does not treat // as a comment, so text after // would become part of the value):
    [ ca ]
    default_ca=CA_own
    [ CA_own ]
    dir=C:/openssl/bin
    certs=C:/openssl/bin
    new_certs_dir=C:/openssl/bin         # directory for issued child certificates
    database=C:/openssl/bin/index.txt    # updated after each child certificate is issued
    serial=C:/openssl/bin/serial.txt     # the child certificate serial number is read from this file
    certificate=C:/openssl/bin/rootca.crt   # root certificate
    private_key=C:/openssl/bin/rootca.key   # root certificate private key
    default_days=365
    default_crl_days=30
    default_md=md5
    preserve=no
    policy=policy_anything
    [ policy_anything ]
    countryName=optional
    stateOrProvinceName=optional
    localityName=optional
    organizationName=optional
    organizationalUnitName=optional
    commonName=supplied
    emailAddress=optional


    B. Run the following command to sign
      openssl ca -config ca.config -out user.crt -infiles user.csr


    4) Verify the certificate's validity
      openssl verify -CAfile rootca.crt user.crt


      Use the public key in rootca.crt to verify that the signature on user.crt is valid.
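    The ca.config above has a problem OpenSSL does not report clearly: its explanatory notes are written after //, which is not a comment marker in OpenSSL configuration files (only # is), so the text becomes part of each value and openssl ca then looks for a new_certs_dir and database that do not exist. It also needs index.txt and serial.txt to exist before the first signing. The script below is an added example, not the post's files: it writes an equivalent config with # comments under a Linux temp directory, creates the database files openssl ca requires, signs a request in batch mode and verifies the result. It assumes OpenSSL 1.1.1 or newer on PATH; the directory, subject names and the root_ext/leaf_ext sections are constructed for the example, and sha256 stands in for the post's md5.

```shell
#!/bin/sh
# Added example, not the post's files: a working "openssl ca" setup with the
# database files it needs and a config that uses OpenSSL's "#" comment syntax.
# Assumes OpenSSL 1.1.1+ on PATH; every path is constructed under mktemp.
set -eu

# init_ca DIR: root key and certificate, the ca database files, and the config
init_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # certificate database, starts empty
    echo 01 > "$dir/serial.txt"   # serial number for the next certificate
    cat > "$dir/ca.config" <<EOF
[ ca ]
default_ca = CA_own

[ CA_own ]
dir             = $dir
new_certs_dir   = \$dir/newcerts     # a copy of every issued certificate lands here
database        = \$dir/index.txt    # one line appended per issued certificate
serial          = \$dir/serial.txt   # the next serial number is read from here
certificate     = \$dir/rootca.crt   # root certificate
private_key     = \$dir/rootca.key   # root private key
default_days    = 365
default_md      = sha256            # the post's md5 is no longer collision resistant
preserve        = no
policy          = policy_anything
x509_extensions = leaf_ext          # added to every certificate openssl ca issues

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn          # subjects are passed with -subj, so req_dn stays empty
x509_extensions    = root_ext

[ req_dn ]

[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl genrsa -out "$dir/rootca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -config "$dir/ca.config" \
        -key "$dir/rootca.key" -out "$dir/rootca.crt" -subj "/CN=Example Root CA/O=Example"
}

# sign_user_cert DIR NAME: CSR for NAME signed by the CA in batch mode
sign_user_cert() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/user.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.config" -key "$dir/user.key" \
        -out "$dir/user.csr" -subj "/CN=$name/O=Example"
    openssl ca -batch -notext -config "$dir/ca.config" -out "$dir/user.crt" \
        -infiles "$dir/user.csr" 2>/dev/null
}

# issued_count DIR -> number of entries in the ca database
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

# verify_user_cert DIR -> exit 0 when rootca.crt validates user.crt
verify_user_cert() {
    openssl verify -CAfile "$1/rootca.crt" "$1/user.crt" >/dev/null 2>&1
}

# Demo run in a constructed temporary directory.
demo=$(mktemp -d)
init_ca "$demo"
sign_user_cert "$demo" user.example.com
verify_user_cert "$demo" && echo "user.crt verified against rootca.crt"
echo "certificates issued so far: $(issued_count "$demo")"
```

    After the first signing index.txt holds one V (valid) line for user.crt, serial.txt has advanced to 02 and newcerts/01.pem is the CA's own copy of the certificate; that database is what later openssl ca -revoke and -gencrl runs work from.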









    #################################################################
    # OpenSSL example configuration file.
    # This is mostly used for generation of certificate requests.
    #################################################################
    [ ca ]
    default_ca= CA_default          # The default ca section
    ################################################################# 
     
    [ CA_default ] 
     
    dir=/home/lqy/WorkShop/openssl_install/CA # Where everything is kept 
    certs=$dir/certs                       # Where the issued certs are kept 
    crl_dir= $dir/crl                 # Where the issued crl are kept 
    database= $dir/index.txt         # database index file 
    new_certs_dir= $dir/newcerts     # default place for new certs 
    certificate=$dir/root.crt     # The CA certificate 
    serial= $dir/serial               # The current serial number 
    crl= $dir/crl.pem                 # The current CRL 
    private_key= $dir/private/root.key   # The private key 
    RANDFILE= $dir/.rand             # private random number file 
    default_days= 365                 # how long to certify for 
    default_crl_days= 30             # how long before next CRL 
    default_md= md5                   # which message digest to use 
    preserve= no                     # keep passed DN ordering 
     
    # A few different ways of specifying how closely the request should 
    # conform to the details of the CA 
     
    policy= policy_match            # For the CA policy 


    [ policy_match ]  
    countryName= match 
    stateOrProvinceName= match 
    organizationName= match 
    organizationalUnitName= optional 
    commonName= optional
    emailAddress= optional 
     
    # For the `anything' policy 
    # At this point in time, you must list all acceptable `object' 
    # types 
     
    [ policy_anything ] 
    countryName = optional 
    stateOrProvinceName= optional 
    localityName= optional 
    organizationName = optional 
    organizationalUnitName = optional 
    commonName= optional 
    emailAddress= optional 
     
    [ req ] 
    default_bits = 1024 
    default_keyfile= privkey.pem 
    distinguished_name = req_distinguished_name 
    attributes = req_attributes 
     
    [ req_distinguished_name ] 
    countryName= Country Name (2 letter code) 
    countryName_min= 2 
    countryName_max = 2 
    stateOrProvinceName= State or Province Name (full name) 
    localityName = Locality Name (eg, city) 
    organizationName = Organization Name (eg, company) 
    organizationalUnitName  = Organizational Unit Name (eg, section) 
    commonName = Common Name (eg. YOUR name) 
    commonName_max = 64 
    emailAddress = Email Address 
    emailAddress_max = 40 
     
    [ req_attributes ] 
    challengePassword = A challenge password 
    challengePassword_min = 4 
    challengePassword_max = 20 
    unstructuredName= An optional company name 

  • This example is done on CentOS 7. mkdir /opt/ssl First create an RSA private key ...openssl genrsa -des3 -out server.key 2048 ...Note: uses the des3 algorithm with a 2048-bit key, server.key...Finally create the signed certificate openssl x509 -req..
  • openssl self-signed certificates and viewing certificates

    2020-04-14 14:28:01
    1. Generate the client private key openssl genrsa is used to generate an RSA private key....2. Using the client's key and the client's own information (country, organization, domain, email, etc.) as input, generate the certificate request file. openssl req -new -x509 -key server.key -out c...
  • 1. Generating an OpenSSL self-signed certificate on Windows Preparation Download address for a compiled OpenSSL: http://slproweb.com/products/Win32OpenSSL.html This article downloads the 64-bit build: Win64 OpenSSL v1.1.1k.EXE Install openssl to drive E, path: E:\openssl ...
  • openssh and openssl self-signed certificates

    2018-05-11 09:19:16
    -x509: used only by a CA to generate a self-signed certificate -key: the private key file used when generating the request -days n: certificate validity period -out /path/to /somecertfile: where to save the certificate Create the required files: # touch index.txt serial crlnumber #echo 01 > ...
  • openssl self-signed certificate (https)

    2020-04-27 17:14:13
    openssl self-signed certificate Self-signed certificate test 1. Install nginx [root@ c7-47 ~]# yum -y install make zlib zlib-devel gcc-c++ libtool openssl openssl-devel wget pcre pcre-devel [root@ c7-47 ~]# wget ...
  • openssl.cnf # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions = # ...
  • Install openssl to drive E, path: E:\openssl Open cmd.exe and cd to E:\openssl\bin: First, generate the server-side private key (key file): openssl genrsa -des3 -out server.key 1024   Enter password: the password entered here...
  • When using a self-signed certificate, for the iOS and Android mobile client configuration, if the field configured here is the exact access domain rather than an arbitrary value, there is no need to override hostname verification, e.g. on Android: // SSL OK_HTTP configuration start HttpsUtils.SSLParams ...
