sh Commands to create a self-signed SSL certificate or CSR using an openssl conf, from https://gist.github.com/dwallraff/c1ed31291ac7cf19304b

##### Commands to generate SSL certs/artifacts

# Download the temp.cnf file using the wget command below
# Edit temp.cnf and add your information
# Run the uncommented commands below to generate a self-signed cert (cert.pem) and private key (keyfile.key)
wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/e06feacbb85ac63659e6c1c40c70d5481522b390/temp.cnf

# Generate a new keyfile. A 2048 bit key size is TOTALLY fine. Jack it up to 4096 and wait if you must...
openssl genrsa -out keyfile.key 2048

## Or use elliptic curve instead of RSA. We're just using this to sign certs, so P-256 is just fine.
# openssl ecparam -genkey -out keyfile.key -name prime256v1

## Generate a cert. Expires in 30 days. Get a real cert. Or change the number of days.
openssl req -x509 -new -key keyfile.key -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30



#########################
##### Verify stuffs

## Verify a CSR
# openssl req -text -noout -verify -in csr.csr

## Verify a cert
# openssl x509 -text -noout -in cert.pem

## Verify a key
# openssl rsa -check -in server.key -noout

## Verify a live cert
# openssl s_client -connect <domain>:443

## Verify your keyfile matches your cert (RSA keys only). MD5 sums should match.
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5

## 'Proper' key/cert verification (process substitution needs bash, not plain sh)
# diff <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)
#
# Or, for non-RSA keys, use the 'pkey' subcommand in newer versions of OpenSSL, which supports all key types
# diff <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -pubout -in private-key.pem -outform PEM)



#########################
##### Commands involving a CSR

## Generate a new key (2048 rsa) and a CSR - REQUIRES USER INPUT
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key

## Generate a new key and a CSR using temp.cnf to allow for SANs in the CSR.
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key -config temp.cnf

## Generate a self-signed cert from an existing CSR. Expires in 30 days. Get a real cert. Or change the number of days.
## (No -new here: with -new, req builds a fresh request and ignores the CSR passed via -in.)
# openssl req -x509 -key keyfile.key -in csr.csr -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
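
The generate-then-verify flow above, run end to end with an EC key, as an added example that is not part of the original gist. The contents of demo.cnf, the hostnames and the function names are constructed assumptions (the gist's temp.cnf is not shown on this page); only the section name server_req_extensions comes from the commands above.

```shell
#!/bin/sh
# Added example. demo.cnf, the hostnames and the function names are constructed
# for illustration; they are not the contents of the gist's temp.cnf.
set -eu

# Compare public keys rather than RSA moduli, so EC keys work too.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Confirm a DNS name actually landed in the cert's subjectAltName.
cert_has_san() {  # usage: cert_has_san CERT DNSNAME
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# Build a key, a self-signed cert with SANs, and an unrelated second key.
make_demo_cert() {  # usage: make_demo_cert DIR
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = demo.example.test
[ server_req_extensions ]
subjectAltName = DNS:demo.example.test, DNS:alt.example.test
EOF
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/keyfile.key"
    openssl req -x509 -new -key "$1/keyfile.key" -out "$1/cert.pem" \
        -extensions server_req_extensions -config "$1/demo.cnf" -days 30
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/other.key"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_demo_cert "$workdir"
key_matches_cert "$workdir/keyfile.key" "$workdir/cert.pem" && echo "keyfile.key matches cert.pem"
key_matches_cert "$workdir/other.key" "$workdir/cert.pem" || echo "other.key does not match cert.pem"
cert_has_san "$workdir/cert.pem" alt.example.test && echo "SAN alt.example.test present"
cert_has_san "$workdir/cert.pem" missing.example.test || echo "SAN missing.example.test absent"
```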
