自签 CA 和服务器证书命令合集

自签 CA 和服务器证书命令合集

最后修改于 2021-2-28 ⋅ 共 226 字 ⋅ 1分钟 / #Tutorial / #Ssl, #证书, #自签, #Openssl

旧的自签CA以及服务器证书生成的命令合集:

CA.key+CA.crt #

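  # Generate the root CA private key (CA.key) and its self-signed
  # certificate (CA.crt). This is the CA's key pair, not the server's:
  # CA.key is what signs every certificate issued in the later steps.
  #
  # NOTE(review): -nodes writes CA.key without a passphrase, and -days 36500
  # makes the root valid for roughly 100 years. Anyone who can read CA.key can
  # issue certificates trusted by every client that installed CA.crt, so keep
  # the file readable by its owner only and off the machines that merely use
  # the issued certificates. Drop -nodes if a passphrase prompt is acceptable.
  #
  # keyUsage limits the root to signing certificates and CRLs.
  # Requires bash: the [ x509_ext ] section is appended to the system config
  # through process substitution and a here-document read from stdin ("-").
  openssl req -x509 -newkey rsa:4096 -new -nodes -sha256 -days 36500 \
  -keyout CA.key  -out CA.crt \
  -subj '/CN=Used for LAN - ROOT/O=Ab' \
  -config <(cat /etc/ssl/openssl.cnf - <<END
  [ x509_ext ]
  basicConstraints = critical,CA:true
  keyUsage = critical,keyCertSign,cRLSign
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
END
    ) -extensions x509_ext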

server.key+server.csr #

  # Create the server's RSA-4096 private key (server.key) together with a
  # certificate signing request (server.csr) that the CA signs in the next step.
  # -nodes writes server.key without a passphrase: keep it readable only by
  # the account that runs the service.
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
  -subj "/C=US/ST=/L=/O=Ab/OU=/CN=Debian10" \
  -keyout server.key -out server.csr

server.crt #

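  # Sign server.csr with the CA key to produce server.crt (valid 3650 days).
  # By default `x509 -req` does not copy extensions from the CSR, so they are
  # supplied here through -extfile/-extensions. The DNS name and IP addresses
  # are this page's example hosts; replace them with the names clients
  # actually connect to, otherwise hostname verification fails.
  #
  # -sha256 pins the signature digest instead of relying on the default of
  # the installed OpenSSL (older releases may pick a weaker one; verify with
  # `openssl x509 -in server.crt -noout -text`).
  # basicConstraints/keyUsage/extendedKeyUsage mark the result as a TLS
  # server leaf that cannot be used to sign other certificates.
  openssl x509 -req -sha256 -days 3650 -CA CA.crt -CAkey CA.key -CAcreateserial \
  -extensions SAN \
  -extfile <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:Debian10,IP:192.168.51.24,IP:192.168.51.112,IP:192.168.51.118")) \
  -in server.csr -out server.crt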

server.pfx #

  # Bundle the server key, the server certificate and the CA certificate into
  # one PKCS#12 file. No -passout is given, so openssl prompts for the export
  # password; server.pfx contains the private key and should be protected
  # like server.key itself.
  openssl pkcs12 -export \
  -inkey server.key -in server.crt -certfile CA.crt \
  -out server.pfx

Optional: user.key+user.csr–>user.crt+user.pfx #

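  # Optional client certificate. Step 1 creates the client key and a CSR; the
  # CSR exists only to carry the public key to the signing step.
  # -nodes writes user.key without a passphrase.
  openssl req -new -keyout user.key -out user.csr -newkey rsa:4096 -sha256 -nodes -subj '/CN=Used for LAN/O=Ab'
  # Step 2 signs the CSR with the CA. -sha256 pins the digest, and the
  # extension section marks the certificate as a non-CA leaf for TLS client
  # authentication; without an extension file the certificate would be issued
  # with no usage restrictions.
  # NOTE(review): assumes user.pfx is used for TLS client auth only; adjust
  # extendedKeyUsage if it serves another purpose.
  openssl x509 -req -sha256 -days 3650 -in user.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out user.crt \
  -extensions client_ext \
  -extfile <(printf "[client_ext]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n")
  # Step 3 packs key, certificate and CA certificate into user.pfx; openssl
  # prompts for the export password that protects the private key inside.
  openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile CA.crt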