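$ cd /etc/pki
# Private keys are created with the shell's umask: without this, the genrsa
# redirect and req -keyout would leave ca-key.pem / ser-key.pem / cli-key.pem
# world-readable (0644).
$ umask 077
# Create the CA key and self-signed CA certificate (ca-key.pem, ca.pem).
# -nodes does nothing here (the key is supplied with -key, none is generated);
# the CA key is stored unencrypted and signs every certificate below, so keep
# it off the hosts that serve ser-cert.pem / cli-cert.pem.
$ openssl genrsa 4096 > ca-key.pem
$ openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca.pem
# Create the server key, CSR and certificate (ser-key.pem, ser-req.pem, ser-cert.pem).
# -days is ignored on a CSR (no -x509); the lifetime is fixed when the CA signs.
$ openssl req -newkey rsa:4096 -nodes -keyout ser-key.pem -out ser-req.pem
# -nodes already left the key unencrypted, so this only rewrites it in the
# traditional "BEGIN RSA PRIVATE KEY" (PKCS#1) form some older software wants;
# OpenSSL 3 keeps PKCS#8 here unless -traditional is added.
$ openssl rsa -in ser-key.pem -out ser-key.pem
# x509 -req copies no extensions from the CSR and adds none, so supply them:
# modern browsers match the hostname against subjectAltName only (CN is
# ignored) and extendedKeyUsage pins the certificate to its role.
# Replace server.example.com with the real hostname.
$ printf 'subjectAltName=DNS:server.example.com\nextendedKeyUsage=serverAuth\n' > ser-ext.cnf
# -sha256: older OpenSSL signs with SHA-1 by default, which clients reject.
# Serial numbers must be unique per issuing CA (RFC 5280): server = 01, ...
$ openssl x509 -req -in ser-req.pem -days 365 -sha256 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -extfile ser-ext.cnf -out ser-cert.pem
# Create the client certificate (cli-key.pem, cli-req.pem, cli-cert.pem) the same way.
$ openssl req -newkey rsa:4096 -nodes -keyout cli-key.pem -out cli-req.pem
$ openssl rsa -in cli-key.pem -out cli-key.pem
$ printf 'extendedKeyUsage=clientAuth\n' > cli-ext.cnf
# ... client = 02. Issuing both with -set_serial 01 (as before) yields two
# certificates with the same issuer+serial, which e.g. Firefox rejects
# (SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
$ openssl x509 -req -in cli-req.pem -days 365 -sha256 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -extfile cli-ext.cnf -out cli-cert.pem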
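# To buy a certificate from a public CA, generate a CSR (ser-req.csr) and submit it.
# Only the .csr leaves this machine; the private key never does (run umask 077
# first so the key file is not world-readable).
# WARNING: -keyout ser-key.pem overwrites the key that ser-cert.pem above was
# issued for; use a new filename (or a separate directory) if you need both.
# -sha256 is explicit because older OpenSSL still hashes requests with SHA-1.
$ openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout ser-key.pem -out ser-req.csr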
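# Verify: confirms each certificate chains to ca.pem, carries a valid signature
# and is inside its validity period; -purpose additionally checks that the
# certificate's extensions permit its role. This does NOT match a hostname -
# add "-verify_hostname <name>" (newer OpenSSL) to test what a TLS client sees.
$ openssl verify -CAfile ca.pem -purpose sslserver ser-cert.pem
ser-cert.pem: OK
$ openssl verify -CAfile ca.pem -purpose sslclient cli-cert.pem
cli-cert.pem: OK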
-nodes 代表私钥不加密 (明文保存在文件里, 因此必须靠文件权限保护, 不能外传), -new 代表生成新的证书申请 (CSR), -newkey 代表同时生成新的私钥
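# SSL certificate format conversion
# PEM -> DER. ".der", ".cer" and ".crt" are naming conventions, not formats:
# a .crt/.cer file may hold either PEM (text starting "-----BEGIN") or DER
# (binary), so choose -inform/-outform by content, not by extension.
$ openssl x509 -outform der -in cert.pem -out cert.der
# DER -> PEM
$ openssl x509 -inform der -outform pem -in cert.der -out cert.pem
# PEM -> PKCS#12 (.pfx and .p12 are the same format). The bundle contains the
# private key, so it needs the same protection as ser-key.pem; -export prompts
# for an export password - do not leave it empty. -inkey must be the key that
# matches cert.pem, otherwise openssl refuses to build the bundle.
# Add "-certfile ca.pem" to ship the issuing CA chain inside the bundle.
$ openssl pkcs12 -export -in cert.pem -out cert.pfx -inkey ser-key.pem
# or
$ openssl pkcs12 -export -in cert.pem -out cert.p12 -inkey ser-key.pem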
PFX -> PEM
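# Verify: confirms each certificate chains to ca.pem, carries a valid signature
# and is inside its validity period; -purpose additionally checks that the
# certificate's extensions permit its role. This does NOT match a hostname -
# add "-verify_hostname <name>" (newer OpenSSL) to test what a TLS client sees.
$ openssl verify -CAfile ca.pem -purpose sslserver ser-cert.pem
ser-cert.pem: OK
$ openssl verify -CAfile ca.pem -purpose sslclient cli-cert.pem
cli-cert.pem: OK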
-nodes 代表私钥不加密 (明文保存在文件里, 因此必须靠文件权限保护, 不能外传), -new 代表生成新的证书申请 (CSR), -newkey 代表同时生成新的私钥
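# SSL certificate format conversion
# PEM -> DER. ".der", ".cer" and ".crt" are naming conventions, not formats:
# a .crt/.cer file may hold either PEM (text starting "-----BEGIN") or DER
# (binary), so choose -inform/-outform by content, not by extension.
$ openssl x509 -outform der -in cert.pem -out cert.der
# DER -> PEM
$ openssl x509 -inform der -outform pem -in cert.der -out cert.pem
# PEM -> PKCS#12 (.pfx and .p12 are the same format). The bundle contains the
# private key, so it needs the same protection as ser-key.pem; -export prompts
# for an export password - do not leave it empty. -inkey must be the key that
# matches cert.pem, otherwise openssl refuses to build the bundle.
# Add "-certfile ca.pem" to ship the issuing CA chain inside the bundle.
$ openssl pkcs12 -export -in cert.pem -out cert.pfx -inkey ser-key.pem
# or
$ openssl pkcs12 -export -in cert.pem -out cert.p12 -inkey ser-key.pem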
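# PFX -> PEM
# Private key only. -nodes writes it unencrypted, so restrict the output file
# (umask 077 beforehand, or chmod 600 ser-key.pem afterwards).
$ openssl pkcs12 -nodes -nocerts -in cert.pfx -out ser-key.pem
# Certificate only: -clcerts -nokeys. The original "-nodes -in cert.pfx -out
# cert.pem" (no -nokeys) dumps the private key and any CA certificates into
# cert.pem as well, so that file could never be handed out as the public cert.
$ openssl pkcs12 -clcerts -nokeys -in cert.pfx -out cert.pem
# P12 -> PEM (same format as .pfx, same commands)
$ openssl pkcs12 -nodes -nocerts -in cert.p12 -out ser-key.pem
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem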
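# PFX -> PEM, certificate only (repeat of the section above). -clcerts -nokeys
# keeps the private key out of cert.pem; plain "-nodes -in cert.pfx -out
# cert.pem" would write key and certificates together into one file.
$ openssl pkcs12 -clcerts -nokeys -in cert.pfx -out cert.pem
# P12 -> PEM: unencrypted private key (protect the file), then certificate only
$ openssl pkcs12 -nodes -nocerts -in cert.p12 -out ser-key.pem
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out cert.pem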