openSSL使用CA签署https_客户端证书
我需要:openSSL使用CA签署https_客户端证书,ssl,command-line,openssl,Ssl,Command Line,Openssl,我需要: 创建CA证书 创建https\u客户端证书 由CA签署https_客户端证书 通过在Linux-openSUSE上使用命令行。我创建CA证书: # openssl genrsa -out rootCA.key 2048 Generating RSA private key, 2048 bit long modulus ..........................................................+++ ....................
- 创建CA证书
- 创建https\u客户端证书
- 由CA签署https_客户端证书
# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
# openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
#
# openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
#
# openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
#
很好。然后创建https\u客户端证书:
# openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
# openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
#
# openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
#
# openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
#
很好。现在,当我尝试使用CA签署https_客户端证书时,我在这里遇到了一些错误:
# openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
#
我已经试过了:
- 使用绝对路径()
我只使用.key和.pem,因为这在使用XCA工具的Windows上对我有效。。。我正在实际阅读openSSL食谱(),看看我是否犯了什么特别的错误。首先想到,我是否必须使用.csr来签署证书,或者我也可以使用任何其他格式来签署证书?您使用的是“openssl ca”工具,默认情况下使用以下配置文件:/etc/ssl/openssl.cnf。换句话说,您没有尝试使用CA证书进行签名,而是使用该配置文件中的默认值。您还向客户端证书签名请求传递了-x509参数,这导致csr无效 请在下面找到工作生成和签名命令 生成CA密钥和证书:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'
生成客户端密钥和csr:
openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'
生成使用CA证书签名的客户端证书:
openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
当然,您可以将配置文件设置为使用正确的CA文件,然后使用“openssl CA”工具
您可以通过以下方式验证您的证书:
openssl verify -verbose -CAfile rootCA.pem client1.pem
谢谢你到目前为止的回复,我有一个会议,在过去的几个小时内无法处理这个问题。。。我明天一定去看看。谢谢你,非常感谢,先生,这对我来说很有用。。。我使用openssl pkcs12-export-out-client1.p12-inkey-client1.key-in-client1.pem-certfile rootCA.pem转换为.p12。。。我现在要实施这个。出于安全原因,我想我需要设置/更改一些选项。你能再帮我一次吗?我想让我自己创建的rootCA可信。你知道怎么做吗@talamakiTo使您自己生成的ca证书受信任您需要使其可用于将验证用其签名的证书的应用程序。因为您生成了客户机证书,所以您的目标可能是让您的客户机通过某个服务器的身份验证。您需要以某种方式将ca证书导入服务器证书存储。有关opensuse,请参见,例如,您计划分发ca证书的范围越广,您就越需要小心使用您的ca私钥。您可以轻松找到描述如何充当自己的证书颁发机构的web链接,例如和。