一、生成私钥(必须要输入PAM密码,此处输入 password)
[root@localhost /]# openssl genrsa -des3 -out server_decrypt.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server_decrypt.key:
Verifying - Enter pass phrase for server_decrypt.key:
由于有私钥时,每次reload nginx都要求严重这个PAM密码,故去掉密码(需输入 eisoo.com)
[root@localhost /]# openssl rsa -in server_decrypt.key -out server_decrypt-no-pwd.key
Enter pass phrase for server_decrypt.key:
[root@localhost /]# openssl req -new -key server_decrypt-no-pwd.key -out server_decrypt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:china
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:EISOO
Organizational Unit Name (eg, section) []:AnyBackup
Common Name (eg, your name or your server's hostname) []:AB
Email Address []:zhou.feng@eisoo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:extra
An optional company name []:eisoo
Signature ok
subject=/C=cn/ST=china/L=shanghai/O=EISOO/OU=AnyBackup/CN=AB/emailAddress=eisoo_it@eisoo.com
Getting Private key
server_decrypt-no-pwd.key 和 server.cer 即为最终可用的证书
业务需要生成v3版的证书,而一般使用OpenSSL生成证书时都是v1版的,不带扩展属性。
方法:
在第4步使用CA证书进行签署证书时加入-exfile和-extensions选项,具体命令如下:
openssl x509 -req -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req -in server_decrypt.csr -signkey server_decrypt-no-pwd.key -out server.cer
[root@localhost /]# openssl genrsa -des3 -out server_decrypt.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for server_decrypt.key:
Verifying - Enter pass phrase for server_decrypt.key:
由于有私钥时,每次reload nginx都要求严重这个PAM密码,故去掉密码(需输入 eisoo.com)
[root@localhost /]# openssl rsa -in server_decrypt.key -out server_decrypt-no-pwd.key
Enter pass phrase for server_decrypt.key:
writing RSA key
[root@localhost /]# openssl req -new -key server_decrypt-no-pwd.key -out server_decrypt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:china
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:EISOO
Organizational Unit Name (eg, section) []:AnyBackup
Common Name (eg, your name or your server's hostname) []:AB
Email Address []:zhou.feng@eisoo.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:extra
An optional company name []:eisoo
三、生成证书文件
[root@localhost /]# openssl x509 -req -days 3650 -sha256 -in server_decrypt.csr -signkey server_decrypt-no-pwd.key -out server.cerSignature ok
subject=/C=cn/ST=china/L=shanghai/O=EISOO/OU=AnyBackup/CN=AB/emailAddress=eisoo_it@eisoo.com
Getting Private key
server_decrypt-no-pwd.key 和 server.cer 即为最终可用的证书
业务需要生成v3版的证书,而一般使用OpenSSL生成证书时都是v1版的,不带扩展属性。
方法:
在第4步使用CA证书进行签署证书时加入-exfile和-extensions选项,具体命令如下:
openssl x509 -req -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req -in server_decrypt.csr -signkey server_decrypt-no-pwd.key -out server.cer
来源:CSDN
作者:snk_xiaoqiang
链接:https://blog.csdn.net/snk_xiaoqiang/article/details/80581733