How do I generate Cowboy SSL certificates with OpenSSL?

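In the ssl directory of cowboy I see 3 files: cowboy-ca.crt, server.crt and server.key. There is probably also a cowboy-ca.key somewhere in the directory that is not needed.

My guess is that cowboy-ca.crt is the public key of some default CA that was used to sign server.crt, using a CSR file for the server's key pair, and that when a client connects to cowboy it downloads and installs the server.crt file to establish a secure connection to the server. Is that right?

The question is how to generate all of these files using openssl and my own CA.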

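There are tutorials on the web for this, but I happen to have notes from when I did it before. It is much more than you need, but it will show you the basics of creating your own CA and certificates signed by it. My notes, pasted below, create a CA, create an intermediate CA signed by that CA, and finally create a certificate that you can use on a server. Obviously you don't need the intermediate CA, so you should skip the intermediate bits and sign the final/end certificate with the root CA instead of the intermediate CA; so, for example, when creating end.crt, sign with ../root_ca/rootca.key instead of ../inter_ca/inter.key, and so on.

I am assuming you are asking the right question here and that a self-signed certificate is really what you want.

After the certificates and keys are created, there is also guidance on configuring Apache, and instructions on how to use the OpenSSL tools to verify that it is working (over any SSL TCP connection, so this applies to Cowboy or anything else as well). This will show you the chain of trust, although yours will be depth 1 rather than depth 2 because you will be omitting the intermediate CA.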

Create some directories to work in:

mkdir inter_ca_demo
cd inter_ca_demo
mkdir root_ca inter_ca end_cert
cd root_ca

Create a key:

openssl genrsa -out rootca.key 2048

The output will look something like:

Generating RSA private key, 2048 bit long modulus
...........................................................+++
.............................+++
e is 65537 (0x10001)

Self-sign it to create the root CA certificate (you will have to enter various information that will be encoded into the certificate):

openssl req -x509 -new -nodes -key rootca.key -days 1024 -out rootca.pem

It should look like (here you can see what I entered):

Before moving on to the intermediate certificate, you must rename, copy or create a link to the root certificate so that it can be found by a hashing algorithm. This is to make sure that performance does not degrade when there are a large number of trusted certificates in the CA path. To do this, you must find out the hash value with the following command:

openssl x509 -noout -hash -in rootca.pem

The output should be something like:

03ed4e37

Then create the link, adding .0 to the hash (as output by the previous command):

Now create the intermediate CA key and CSR (certificate signing request) (you will have to enter various information that will be encoded into the certificate):

cd ../inter_ca
openssl genrsa -out inter.key 2048
openssl req -new -key inter.key -out inter.csr

It should look like this:

$ openssl genrsa -out inter.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
..............................................................+++
e is 65537 (0x10001)
$ openssl req -new -key inter.key -out inter.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intermediate certificates R US Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecasrus.com
Email Address []:ca_admin@intermediatecasrus.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now create a file (v3x509extensions.txt) containing data that indicates this should be an intermediate CA, then generate the intermediate certificate, signing it with the root CA:

echo 'basicConstraints=CA:TRUE' > v3x509extensions.txt
openssl x509 -req -extfile v3x509extensions.txt -in inter.csr -CA ../root_ca/rootca.pem -CAkey ../root_ca/rootca.key -CAcreateserial -out inter.crt -days 200

It should look like this:

Signature ok
subject=/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
Getting CA Private Key

Now create your end key (the one that will be used for an SSL website, for example), create a CSR from it, and sign it with the intermediate certificate, generating a new certificate:

cd ../end_cert
openssl genrsa -out end.key 2048
openssl req -new -key end.key -out end.csr
openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500

It should look like this:

$ openssl genrsa -out end.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.....................................................+++
e is 65537 (0x10001)
$ openssl req -new -key end.key -out end.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:End User Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecademo-enduser.com
Email Address []:support@intermediatecademo-enduser.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500
Signature ok
subject=/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/emailAddress=support@intermediatecademo-enduser.com
Getting CA Private Key

At this point you can check that things are OK by verifying the chain of trust. Here I cat the intermediate and "end" certificates, then verify them using only the root CA path (remember, the "end" certificate cannot be verified without the intermediate CA, so it has to be supplied along with the "end" certificate):

cat ../inter_ca/inter.crt end.crt | openssl verify -CApath ../root_ca

The output should be:

stdin: OK

If you were using these keys with Apache, for example, you could configure them as follows:

SSLCertificateFile       FULL_PATH_TO/inter_ca_demo/end_cert/end.crt
SSLCertificateKeyFile    FULL_PATH_TO/inter_ca_demo/end_cert/end.key
SSLCertificateChainFile  FULL_PATH_TO/inter_ca_demo/inter_ca/inter.crt
SSLCACertificatePath     FULL_PATH_TO/inter_ca_demo/root_ca

Apache will now serve the intermediate certificate along with its own certificate, which allows a web client to perform the same verification as above with "openssl verify" (along with other checks).

If you did use these certificates in Apache, and you created a website named "intermediatecademo-enduser.com" to match the "end" certificate you created, then you can also verify the certificates from the client's point of view using openssl:

openssl s_client -connect intermediatecademo-enduser.com:443 -CApath root_ca -verify 5

The output should look like this:

verify depth is 5
CONNECTED(00000004)
depth=2 C = GB, ST = London, L = London, O = Method Analysis Ltd, CN = methodanalysis.com, emailAddress = ca_admin@methodanalysis.com
verify return:1
depth=1 C = GB, ST = London, L = London, O = Intermediate certificates R US Ltd, CN = intermediatecasrus.com, emailAddress = ca_admin@intermediatecasrus.com
verify return:1
depth=0 C = GB, ST = London, L = London, O = End User Ltd, CN = intermediatecademo-enduser.com, emailAddress = support@intermediatecademo-enduser.com
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/emailAddress=support@intermediatecademo-enduser.com
   i:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
 1 s:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
   i:/C=GB/ST=London/L=London/O=Method Analysis Ltd/CN=methodanalysis.com/emailAddress=ca_admin@methodanalysis.com
---
Server certificate

...
...
...

    Start Time: 1445696823
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

It will now hang, waiting for data to be sent. You can press CTRL+C to exit.
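
The answer's advice to skip the intermediate CA, written out as a non-interactive script; this is an added example, not part of the original answer. It produces the file names from the question (cowboy-ca.crt, server.crt, server.key, plus cowboy-ca.key) and checks them; the function names, the ca.cnf and server.ext files, the subject strings and the subjectAltName extension are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): root CA + server certificate
# signed directly by the root, i.e. a depth-1 chain with no intermediate CA.
set -eu

# make_cowboy_certs OUTDIR HOSTNAME
# Writes cowboy-ca.key, cowboy-ca.crt, server.key, server.crt into OUTDIR.
make_cowboy_certs() (
    out=$1 host=$2
    umask 077          # everything created here, keys included, is owner-only
    mkdir -p "$out"
    # Private config so the run does not depend on the system openssl.cnf and
    # never prompts. Subject values are constructed placeholders.
    cat > "$out/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = Example Test CA
CN = example-test-root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Root CA key and self-signed root certificate.
    openssl genrsa -out "$out/cowboy-ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$out/cowboy-ca.key" -sha256 -days 1024 \
        -config "$out/ca.cnf" -out "$out/cowboy-ca.crt"
    # Server key and CSR; -subj replaces the interactive DN prompts.
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    openssl req -new -key "$out/server.key" -subj "/CN=$host" \
        -config "$out/ca.cnf" -out "$out/server.csr"
    # Leaf extensions: not a CA, TLS server use only, host name in subjectAltName
    # (current TLS clients match the name against SAN rather than CN).
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$host" > "$out/server.ext"
    # Sign the CSR with the root key (the role of ../root_ca/rootca.key above).
    openssl x509 -req -in "$out/server.csr" -CA "$out/cowboy-ca.crt" \
        -CAkey "$out/cowboy-ca.key" -CAcreateserial -extfile "$out/server.ext" \
        -sha256 -days 500 -out "$out/server.crt" 2>/dev/null
)

# chain_ok CA CERT: CA is a PEM file (-CAfile) or a hashed directory (-CApath).
chain_ok() {
    if [ -d "$1" ]; then set -- -CApath "$1" "$2"; else set -- -CAfile "$1" "$2"; fi
    openssl verify "$@" >/dev/null 2>&1
}

# key_matches_cert DIR: server.key is the private half of the key in server.crt.
key_matches_cert() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# hash_link_ca DIR: create the <subject-hash>.0 link that -CApath lookups need.
hash_link_ca() {
    h=$(openssl x509 -noout -hash -in "$1/cowboy-ca.crt")
    ln -sf cowboy-ca.crt "$1/$h.0"
    echo "$h.0"
}

# Stand-alone use: ./make_certs.sh ./ssl localhost
if [ $# -eq 2 ]; then
    make_cowboy_certs "$1" "$2"
    chain_ok "$1/cowboy-ca.crt" "$1/server.crt" && key_matches_cert "$1" \
        && echo "chain and key verified"
fi
```

Only cowboy-ca.crt, server.crt and server.key need to be deployed with the server; cowboy-ca.key is needed only for signing and should be stored elsewhere.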

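Your view of how the certificates relate is basically correct; there is a server certificate and private key, and there is a CA certificate.

Since they are only meant for testing, I assume the author of cowboy didn't bother to include the CA private key he used to generate the server certificate.

When it comes to SSL certificates, there is nothing special about Cowboy. Assuming you are looking at …, you can see the certificates being used in ….

From there, those SSL options are passed to the Erlang ssl application, which is documented.

The documentation states (although not very clearly) that these are standard PEM-encoded certificate and key files. You can generate them using OpenSSL, for example.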

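Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See … in the Help Center. Perhaps … or … would be a better place to ask. See also ….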