View the contents of the generated private key
    $ file privatekey.pem
    privatekey.pem: PEM RSA private key
    $ cat privatekey.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA8AWq2V3g4B9fN7Tj37k0Wmut70ylRyziebyE3baA24pgixgu
    8wpXztHdF5YixjbOdLvaqGQ3ck1CPRMD+cB3awgfw+/jPJqzdg2ACa9IFkIM5eaH
    ...
    Zvib8+BsiAoiqXr4vAi8Lb64TJv3JDwOKEH/dnpXVmsDEt3wKRWX5A==
    -----END RSA PRIVATE KEY-----

You can also use the openssl command to view the details of the private key
    $ openssl rsa -in privatekey.pem -noout -text
    Private-Key: (2048 bit)
    modulus:
    ...

View the contents of the generated public key
    $ file publickey.pem
    publickey.pem: ASCII text
    $ cat publickey.pem
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8AWq2V3g4B9fN7Tj37k0
    ...
    vQIDAQAB
    -----END PUBLIC KEY-----

You can also use the openssl command to view the details of the public key
    $ openssl rsa -pubin -in publickey.pem -noout -text
    Public-Key: (2048 bit)
    Modulus:
    ...

View the contents of the certificate request file
    $ file csr.pem
    csr.pem: PEM certificate request
    $ cat csr.pem
    -----BEGIN CERTIFICATE REQUEST-----
    MIICvjCCAaYCAQAweTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkJKMQswCQYDVQQH
    ...
    c8L1GiAnIN8bXSWpZT2ZfHcnVbYvz4bgxFGTncA06JwDHw==
    -----END CERTIFICATE REQUEST-----

You can also use the openssl command to view the details of the certificate request file.
    $ openssl req -noout -text -in csr.pem
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=hello/emailAddress=hello@world.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    ...

We do not have a CA server here, so we need to pretend to create one
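Note the difference between this step and step three above: this step directly generates a self-signed certificate, whereas step three generated a certificate signing request, which has to be sent to a CA to produce the final certificate.
View the self-signed CA certificate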
    $ file ca.crt
    ca.crt: PEM certificate
    $ openssl x509 -in ca.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8a:6e:10:c5:f6:18:f7:67
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
            Validity
                Not Before: May 26 00:36:39 2018 GMT
                Not After : May 26 00:36:39 2019 GMT
            Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:cf:0c:6b:ed:2a:d7:28:55:a2:54:5a:78:1c:6a:
                        ...
                        cb:c5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    6E:00:06:26:92:A0:02:66:73:8C:A9:7E:47:DC:EB:A2:3F:91:F7:BC
                X509v3 Authority Key Identifier:
                    keyid:6E:00:06:26:92:A0:02:66:73:8C:A9:7E:47:DC:EB:A2:3F:91:F7:BC
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             bc:d7:92:12:56:30:10:a8:b3:cf:b0:0d:7c:52:79:7b:22:2a:
             ...
             e5:11:28:99

View the contents of the generated certificate
    $ file crt.pem
    crt.pem: PEM certificate
    $ cat crt.pem
    -----BEGIN CERTIFICATE-----
    MIIDaTCCAlECCQDzYtuYa7OlUTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJD
    ...
    Zo7/JmQs
    tCqjMPMc1lPuS3zmHg==
    -----END CERTIFICATE-----
    $ openssl x509 -in crt.pem -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: f3:62:db:98:6b:b3:a5:51
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
            Validity
                Not Before: May 26 00:40:35 2018 GMT
                Not After : May 23 00:40:35 2028 GMT
            Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=hello/emailAddress=hello@world.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b7:7b:c3:e4:12:65:b9:1d:04:8b:6d:b2:f4:ff:
                        ...
                        e3:bd
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             8e:5f:5e:f3:fa:8a:bf:e4:7f:e1:84:99:24:3d:a6:86:ce:db:
             ...
             4b:7c:e6:1e
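
The relationships visible in the dumps above (the private key, CSR and certificate carry the same public key, and crt.pem is issued by the CA in ca.crt) can be checked mechanically instead of by eye. The script below is an added example, not part of the original page; the file name ca.key and the generation flags are assumptions, while the other file names and subject fields follow the page's output.

```shell
#!/bin/sh
# Added example (not from the original page). ca.key and the generation flags
# are assumptions; the other file names and subject fields follow the page.

# make_pki DIR: throwaway CA, leaf key, CSR, and a CA-signed leaf certificate.
make_pki() {
    d=$1
    # Self-signed CA: issuer == subject, signed with its own key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Leaf key and CSR: the CSR carries the public key and requested subject.
    openssl genrsa -out "$d/privatekey.pem" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/privatekey.pem" -sha256 \
        -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=hello" \
        -out "$d/csr.pem" 2>/dev/null || return 1
    # The CA signs the CSR; the issuer field becomes the CA's subject.
    openssl x509 -req -in "$d/csr.pem" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 3650 -out "$d/crt.pem" 2>/dev/null
}

# pubkey_of FILE: print the public key (PEM) held by a key, CSR or certificate.
pubkey_of() {
    case $(head -n 1 "$1") in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *"CERTIFICATE"*)         openssl x509 -in "$1" -noout -pubkey ;;
        *"PRIVATE KEY"*)         openssl pkey -in "$1" -pubout ;;
        *"PUBLIC KEY"*)          openssl pkey -pubin -in "$1" -pubout ;;
        *) return 1 ;;
    esac
}

# same_key A B: succeed only if both files carry the same public key.
same_key() {
    a=$(pubkey_of "$1" 2>/dev/null) || return 1
    b=$(pubkey_of "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# signed_by_ca CA CERT: succeed only if CERT's signature chains to CA.
signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo run in a scratch directory.
tmp=$(mktemp -d) && make_pki "$tmp" \
    && same_key "$tmp/privatekey.pem" "$tmp/csr.pem" \
    && same_key "$tmp/csr.pem" "$tmp/crt.pem" \
    && signed_by_ca "$tmp/ca.crt" "$tmp/crt.pem" \
    && echo "key, CSR and certificate match; crt.pem chains to ca.crt"
rm -rf "$tmp"
```

A same_key failure between a deployed certificate and its key file is the usual cause of a TLS server refusing to start after a renewal.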
For local testing, you can simply use the following:
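2. Use openssl, acting as the CA authority, to create a private key (this method cannot be used to generate certificates in production; the result is an unregistered certificate that public Internet CAs do not recognize)

    # openssl genrsa -idea -out server.key 2048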
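3. Generate the self-signed certificate and, at the same time, remove the passphrase from the private key. Because the command passes -newkey rsa:2048 together with -keyout server.key, it generates a new unencrypted key and overwrites the server.key created in step 2.

    # openssl req -days 36500 -x509 \
      -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt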