目录
三、Centos OpenSSL生成Https服务端网站证书
4、服务端 OpenSSl生成pem证书、cer证书、key秘钥操作步骤
5、客户端 OpenSSl生成pem证书、cer证书、key秘钥操作步骤
一、前言
网站开发(一)http和https的区别 http是什么?http协议的特性 http与https网站通信协议两者的有什么不同呢?_Benjamin CSDN博客-CSDN博客
通过上文学习到HTTP和HTTPS的区别多了一层SSLorTLS层,本文主要讲解该层证书如何生成。在实际的软件开发工作中往往服务器就采用这种自签名的方式,因为找第三方签名机构是流程稍显复杂。
二、Http与Https网站示例
1、Http网站示例
大多常规web网站开发基于Http开发,是否支持Http或Https常再网关层设置路由
2、Https网站 颁发机构认证证书 示例
由信任颁发机构颁发的“合法有效”SSL证书,本信任认可的。
3、Https网站 个人生成SSL证书 示例
办证,掌握了设置方法后自己也可处理,只是私自发证不被认可,浏览器认为是你办的是假证,未通过认证的机构去办理。该方法仅供测试使用。
三、Centos OpenSSL生成Https服务端网站证书
1、什么是x509证书链
2、OpenSSL中有如下后缀名的文件
3、Centos系统 OpenSSL环境安装
安装命令
yum -y install openssl openssl-devel安装结果
...
...
Total download size: 3.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): openssl-1.0.2k-24.el7_9.x86_64.rpm | 494 kB 00:00:01
(2/3): openssl-devel-1.0.2k-24.el7_9.x86_64.rpm | 1.5 MB 00:00:03
(3/3): openssl-libs-1.0.2k-24.el7_9.x86_64.rpm | 1.2 MB 00:00:02
-------------------------------------------------------------------------------------------
...
...
86_64
Verifying : 1:openssl-1.0.2k-19.el7.x86_64
Verifying : 1:openssl-devel-1.0.2k-19.el7.x86_64
Verifying : 1:openssl-libs-1.0.2k-19.el7.x86_64
Updated:
openssl.x86_64 1:1.0.2k-24.el7_9
openssl-devel.x86_64 1:1.0.2k-24.el7_9
Dependency Updated:
openssl-libs.x86_64 1:1.0.2k-24.el7_9
Complete!
4、服务端 OpenSSl生成pem证书、cer证书、key秘钥操作步骤
4.1 CA根证书的生成步骤
4.2 创建ssl文件夹并切换
[root@localhost ~]# mkdir ssl
[root@localhost ~]# cd ssl/4.3 第一步 生成CA私钥(.key)
执行命令
openssl genrsa -out ca.key 2048命令执行情况如下
[root@localhost ssl]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................................+++
..........................+++
e is 65537 (0x10001)
[root@localhost ssl]# ls
ca.key
4.4 第二步 生成CA证书请求(.csr)
执行命令
openssl req -new -key ca.key -out ca.csr命令执行情况如下(记得输入证书相关信息并回车键确认)
[root@localhost ssl]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]#
[root@localhost ssl]#
[root@localhost ssl]#
[root@localhost ssl]# ls
ca.csr ca.key
4.5 第三步 自签名得到根证书(.crt)
执行命令
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
命令执行情况如下
[root@localhost ssl]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
[root@localhost ssl]#
[root@localhost ssl]# ls
ca.crt ca.csr ca.key
4.6 第四步 生成pem格式证书
执行命令
cat ca.crt ca.key > ca.pem命令执行情况如下
[root@localhost ssl]# cat ca.crt ca.key > ca.pem
[root@localhost ssl]#
[root@localhost ssl]# ls
ca.crt ca.csr ca.key ca.pem5、客户端 OpenSSl生成pem证书、cer证书、key秘钥操作步骤
生成私钥(.key)-->生成证书请求(.csr)-->用CA根证书签名得到证书(.crt)
服务器端用户证书:
客户端用户证书:
生成pem格式证书:
最终产物
注意:
Using configuration from /usr/share/ssl/openssl.cfg I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory
解决方法:
1)mkdir -p ./demoCA/newcerts
2)touch demoCA/index.txt
3)touch demoCA/serial
4)echo 01 > demoCA/serial
