
openssl: generating a self-signed CA and PKCS#12 certificates

Date: 2020-05-29 23:46:26

Base environment

mkdir Test
cd Test
mkdir -p ./CA/{private,newcerts} 
touch CA/index.txt 
touch CA/serial
touch CA/crlnumber
echo 01 > CA/serial
echo 01 > CA/crlnumber
cp /etc/pki/tls/openssl.cnf ./

# Edit openssl.cnf and set dir to the local CA directory
vim openssl.cnf
  [ CA_default ]
  dir = ./CA

 

Generating the CA certificate

# Generate the CA private key
openssl genrsa -des3 -out ./CA/private/cakey.pem 2048

# Generate the CA certificate
openssl req -new -x509 -days 365 -key ./CA/private/cakey.pem -out ./CA/cacert.pem -subj "/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization.com/emailAddress=aa@organization.com"


Generating the user certificate

# User private key
openssl genrsa -out userkey.pem 2048

# Certificate signing request (the validity period is set when the CA signs, so -days is not passed here)
openssl req -new -key userkey.pem -out userreq.pem -subj "/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization.com/emailAddress=aa@organization.com"

# Issue the user certificate
openssl ca -in userreq.pem -out usercert.pem -extensions v3_req -config openssl.cnf

# Generate the PKCS#12 bundle
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out user.pfx

# To re-issue the user certificate, reset the CA database first: rm ./CA/index.txt && touch ./CA/index.txt


Revoking the user certificate

# Revoke the user certificate
openssl ca -revoke usercert.pem -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem -config openssl.cnf

# Generate the certificate revocation list (CRL)
openssl ca -gencrl -out rootca.crl -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem -config openssl.cnf
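
The issue, revoke and CRL steps above, run end to end against a throwaway CA to show how the revocation is actually enforced: the revoked certificate is rejected only when the verifier is given the CRL and told to check it. This is an added example, not part of the original post; the inline minimal openssl.cnf, the unencrypted demo CA key, the subjects /CN=Demo Root CA and /CN=demo-user and the function name revocation_demo are assumptions.

```bash
# Added example: throwaway CA in a temp dir; config, subjects and key handling are constructed.
revocation_demo() (
  work=$(mktemp -d) || exit 1
  trap 'rm -rf "$work"' EXIT
  cd "$work" && mkdir -p CA/private CA/newcerts || exit 1
  : > CA/index.txt; echo 01 > CA/serial; echo 01 > CA/crlnumber
  exec >/dev/null 2>&1   # hide openssl progress output; only the exit status matters
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./CA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
EOF
  openssl genrsa -out CA/private/cakey.pem 2048 && openssl genrsa -out userkey.pem 2048 &&
  openssl req -new -x509 -days 365 -config openssl.cnf -key CA/private/cakey.pem \
    -out CA/cacert.pem -subj "/CN=Demo Root CA" &&
  openssl req -new -config openssl.cnf -key userkey.pem -out userreq.pem -subj "/CN=demo-user" &&
  openssl ca -batch -config openssl.cnf -in userreq.pem -out usercert.pem -extensions v3_req ||
    exit 1
  # Before revocation the chain verifies.
  openssl verify -CAfile CA/cacert.pem usercert.pem 2>&1 | grep -q ': OK$' || exit 1
  openssl ca -config openssl.cnf -revoke usercert.pem &&
  openssl ca -config openssl.cnf -gencrl -out rootca.crl || exit 1
  # With -crl_check and the CRL supplied, the same certificate is rejected.
  openssl verify -crl_check -CAfile CA/cacert.pem -CRLfile rootca.crl usercert.pem 2>&1 |
    grep -q 'certificate revoked' || exit 1
  # Without -crl_check it still verifies: CRL checking is opt-in for the verifier.
  openssl verify -CAfile CA/cacert.pem usercert.pem 2>&1 | grep -q ': OK$'
)
```

The function returns 0 only when all three verification outcomes match; any service that trusts this CA needs the published CRL and CRL checking enabled for the revocation to take effect.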

 

 

 

 

Original: https://www.cnblogs.com/tianyuanchen/p/12989683.html
