The process of generating a certificate with openssl

1. After installing openssl, run the following command to generate a private key and the corresponding certificate request file:

➜  ca openssl req -new -keyout private.key -out for_request.csr
Generating a 2048 bit RSA private key
.............+++
....................................................................................................+++
writing new private key to 'private.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:sichuan
Locality Name (eg, city) []:chengdu
Organization Name (eg, company) []:zchd
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, fully qualified host name) []:zchd.ltd
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
➜  ca ls
for_request.csr private.key
➜  ca cat for_request.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
➜  ca openssl req -in for_request.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=sichuan, L=chengdu, O=zchd, OU=Dev, CN=zchd.ltd/emailAddress=[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:83:ea:5b:22:11:a1:4c:7a:0d:88:2b:46:8c:
                    be:f9:70:5f:1a:5a:b7:b6:e7:9f:b3:33:35:42:60:
                    0a:ac:40:a5:00:1b:9e:cc:75:10:38:ae:0c:08:bc:
                    9f:5b:91:70:ed:10:48:c0:e3:e6:be:a3:cc:70:a7:
                    5a:1d:06:fb:32:3c:d3:d8:99:ce:41:a7:97:42:2c:
                    ac:a9:9e:61:88:d7:c5:73:cc:94:6e:eb:0c:6b:60:
                    d0:0c:76:fd:83:7e:b9:47:2b:e6:c3:e0:a5:6b:d4:
                    f7:a8:61:bb:21:60:a1:0b:d7:6e:5e:20:cf:7e:5e:
                    be:fd:7d:8f:95:5a:16:6a:6d:f8:0a:e5:7d:47:59:
                    a9:31:e0:2b:ce:0b:35:b0:8c:6a:28:6e:42:87:24:
                    98:32:26:9c:4d:f5:8f:3b:70:09:0f:e6:ae:b6:7f:
                    f6:f4:54:74:c8:d6:1f:37:71:bb:d0:08:a8:0b:dc:
                    9d:8f:d1:9b:4a:84:73:05:3c:29:85:93:3d:bb:68:
                    bf:61:99:fc:f0:f7:98:a2:7d:b6:1b:5d:24:fc:81:
                    f7:01:9c:65:af:fc:fe:69:93:9c:1d:0e:88:93:b8:
                    2f:d0:a8:7b:a8:ce:a7:37:4c:a1:63:2c:fd:e8:4d:
                    48:17:30:f5:11:61:68:30:2e:f0:09:62:76:bd:7f:
                    db:dd
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         71:7a:16:0e:ce:01:d2:17:ef:a0:04:44:ae:c1:6f:e3:7f:d9:
         07:ac:57:f5:f0:b0:89:33:90:41:e6:b6:81:bd:80:5c:66:3a:
         23:97:63:f5:02:14:f3:fa:bf:b4:fa:05:58:6c:40:c3:7a:61:
         90:93:7b:bc:2d:6a:9c:e6:aa:bf:90:d7:ba:9c:07:a7:7c:c8:
         0d:90:b0:8a:80:f0:01:e7:48:a5:b5:79:b0:9a:26:0d:aa:73:
         55:8d:30:c3:63:02:e3:8b:1f:e9:89:d9:19:92:14:3b:8a:b9:
         0c:6a:4c:04:d5:5f:c7:c6:e1:4a:d2:a6:92:4f:74:42:b3:45:
         1c:3e:95:d9:11:2e:c3:d6:3f:fa:10:dd:6a:7d:96:25:a8:f5:
         8b:f6:e4:21:a7:57:9c:d8:c1:62:34:ab:f7:c2:ba:5d:78:df:
         10:6d:b9:95:fb:6e:0d:72:f8:ca:42:8b:f2:0b:b8:91:d3:3c:
         5f:ce:93:31:71:41:ed:f4:ee:64:1a:ef:37:a4:b7:6b:0f:3c:
         46:21:02:c3:c1:42:10:10:d1:ce:e0:31:7b:68:2a:45:d8:a1:
         b0:b7:ba:a1:61:61:ce:cf:d3:94:22:bc:d4:23:17:1f:d0:ab:
         9d:99:c0:19:bc:7e:9c:50:5f:5d:c2:af:09:86:26:d6:84:f1:
         5e:62:48:8f

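During generation you are prompted for the geographic location, organization, common name and other information. The generated private key and CSR files are stored in PEM format by default, and their content is base64-encoded.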

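Note that when the user generates the private key themselves, a lost private key file cannot be recovered: the CA does not hold the private key, so content encrypted with the public key in that certificate can no longer be decrypted.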
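The same request can be produced without prompts and checked before it is sent to a CA: that its signature verifies, and that it really belongs to the private key you are keeping. This is an added example, not part of the original post; `CSR_PASS` and the function names are assumptions, and the email address is left out of the subject because it is obscured on the page.

```shell
#!/bin/sh
# Added example (not from the original page). File names and DN values follow
# the page; CSR_PASS is an assumed, exported variable holding the passphrase.

# gen_csr DIR: create DIR/private.key (passphrase-encrypted) and
# DIR/for_request.csr without interactive prompts.
gen_csr() {
    dir=$1
    : "${CSR_PASS:?export CSR_PASS first}"
    (
        umask 077   # the key file must not be group/world readable
        openssl req -new -newkey rsa:2048 \
            -keyout "$dir/private.key" -passout env:CSR_PASS \
            -subj "/C=CN/ST=sichuan/L=chengdu/O=zchd/OU=Dev/CN=zchd.ltd" \
            -out "$dir/for_request.csr" 2>/dev/null
    )
}

# csr_self_signed_ok CSR: succeed only if the request's signature verifies
# against the public key it carries (proof of possession of the private key).
# The status text is matched rather than the exit code, which older openssl
# releases leave at 0 even when verification fails.
csr_self_signed_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_matches_key CSR KEY: succeed only if the CSR's public key is the one
# derived from KEY, so the issued certificate will be usable with KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:CSR_PASS -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}
```

Run `csr_matches_key` again against the backed-up copy of `private.key`; a certificate issued for a key you can no longer read back is unusable.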

Reposted from www.cnblogs.com/jackluo/p/10983883.html