Apply for a certificate
openssl s_client -connect xingren.com:443
SSL is often used for authentication and data encryption. To use SSL, our server needs its own certificate. Digital certificates are normally obtained from a commercial certification authority (such as VeriSign), and they cost money. In some cases we only want encrypted communication and do not care about third-party certification; then we can make a certificate ourselves. There are two ways to do this: one is a self-signed certificate, the other is to create our own CA and have that CA issue the certificate we need. Both methods are described below.
Generate Self Signed Certificate
# Generate a key (your private key). openssl will prompt you for a password; you may enter one or leave it empty.
# If you set one, you must enter it every time this key is used. For security, the key should still be password protected.
> openssl genrsa -des3 -out selfsign.key 4096
# Using the key generated above, generate a certificate signing request (CSR).
# If the key is password protected, openssl first asks for the password, then asks a series of questions.
# Of these, Common Name (CN) is the most important: it names what the certificate represents. For a website certificate it must be your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr
# Generate the self-signed certificate; selfsign.crt is the resulting certificate
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt
# A simpler alternative: generate the key and certificate in a single command
> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate your own CA (Certificate Authority)
The CA is the issuer of certificates: it can issue certificates for others. Once the CA's certificate is added to the root certificates trusted by the system, every certificate issued by that CA is trusted by the system as well. The CA's key must therefore be protected carefully: it should be encrypted, and its file permissions restricted so that only root can read or write it.
# Generate the CA key
> openssl genrsa -des3 -out ca.key 4096
# Generate the CA certificate
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Generating our own key and CSR works the same as in the self-signed case above
> openssl genrsa -des3 -out myserver.key 4096
> openssl req -new -key myserver.key -out myserver.csr
# Use the CA's certificate and key to issue our certificate.
# -set_serial sets the certificate's serial number. When the certificate expires (after 365 days),
# or its key is leaked and you have to re-issue it, increment this value by 1.
> openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt
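The CA workflow above, plus the point from the self-signed section that a certificate verifies only against a trust anchor, as an added non-interactive example (not code from the original post). It uses -subj and -passin/-passout instead of prompts, adds a subjectAltName through an extension file (modern clients ignore CN for hostname matching), and replaces the hand-maintained -set_serial with -CAcreateserial so every issued certificate automatically gets a fresh serial. The passphrase, file names and the .example.test hostnames are the example's own assumptions; it needs OpenSSL 1.1.1 or newer for -verify_hostname.

```shell
#!/bin/sh
# Added example: a small lab PKI built with the same openssl subcommands the
# post uses. $1 of each function is a writable working directory.
set -eu

CA_PASS="${CA_PASS:-changeit}"   # demo passphrase (assumption); read it from a prompt or secret store in practice

# Create a password-protected CA key and a self-signed CA certificate.
make_ca() {
  dir=$1
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096 2>/dev/null
  chmod 600 "$dir/ca.key"        # the post's advice: restrict the CA key to its owner
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -subj "/CN=Lab Root CA" -out "$dir/ca.crt"
}

# Issue a server certificate for DNS name $2, signed by the CA in $1.
# The extension file adds subjectAltName and marks the cert as a non-CA
# server certificate; a plain "x509 -req" without -extfile produces a
# certificate that browsers reject for lack of a SAN.
issue_server_cert() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
  cat >"$dir/$host.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  # -CAcreateserial keeps a counter in ca.srl, so each certificate the CA
  # issues gets a new serial without editing -set_serial by hand.
  openssl x509 -req -days 365 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Print a certificate's serial number (used to confirm consecutive issues differ).
cert_serial() {
  openssl x509 -noout -serial -in "$1"
}

# Verify certificate $2 against CA $1 for hostname $3; exit status is openssl's.
verify_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Stand-alone demo: ./pki_lab.sh --demo
if [ "${1-}" = "--demo" ]; then
  w=$(mktemp -d)
  make_ca "$w"
  issue_server_cert "$w" www.example.test
  verify_cert "$w/ca.crt" "$w/www.example.test.crt" www.example.test && echo "chain OK: $w"
fi
```

Verifying the issued certificate without -CAfile fails exactly as the post describes for the self-signed case, because the lab CA is not in the system trust store; verifying with the wrong hostname fails too, which is the SAN check doing its job.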
View certificates
# View key information
> openssl rsa -noout -text -in myserver.key
# View CSR information
> openssl req -noout -text -in myserver.csr
# View certificate information
> openssl x509 -noout -text -in ca.crt
# Verify a certificate; this one reports "self signed"
> openssl verify selfsign.crt
# Because myserver.crt was issued by ca.crt, this verification succeeds
> openssl verify -CAfile ca.crt myserver.crt
Remove the key's password protection
Sometimes entering the password every time is too tedious, so the password protecting the key can be removed:
> openssl rsa -in myserver.key -out server.key.insecure
Converting between certificate formats
Certificates generally come in three formats:
- PEM (.pem): everything generated by the commands above is in this format
- DER (.cer, .der): common on Windows
- PKCS#12 files (.pfx, .p12): common on Mac
# PEM to DER
> openssl x509 -outform der -in myserver.crt -out myserver.der
# DER to PEM
> openssl x509 -inform der -in myserver.cer -out myserver.pem
# PEM to PKCS#12
> openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt -certfile ca.crt
# PKCS#12 to PEM
> openssl pkcs12 -in myserver.pfx -out myserver2.pem -nodes
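The conversions above, as an added example that is not part of the original post: it round-trips one certificate through PEM, DER and PKCS#12 and confirms with SHA-256 fingerprints that the certificate itself never changed, which is the check to run before handing a converted file to another system. The throwaway certificate, the export password and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example: format conversions with a fingerprint check.
# $1 of each function is a writable working directory. Assumes openssl is installed.
set -eu

# Make a throwaway self-signed cert + key to convert (constructed input).
make_test_cert() {
  dir=$1
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=convert.example.test" \
    -keyout "$dir/t.key" -out "$dir/t.pem" 2>/dev/null
}

# SHA-256 fingerprint of certificate $1; $2 is its encoding (pem or der).
# The fingerprint is computed over the DER bytes, so it is the same no matter
# which container the certificate sits in.
fingerprint() {
  openssl x509 -inform "$2" -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

pem_to_der() { openssl x509 -outform der -in "$1" -out "$2"; }
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# PEM -> PKCS#12 bundles key and cert together and needs an export password.
pem_to_p12() {  # $1 key, $2 cert, $3 output .pfx, $4 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Extract only the certificate from a PKCS#12 file as PEM (no key written out).
p12_to_pem_cert() {  # $1 input .pfx, $2 password, $3 output .pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3"
}

# Round-trip through every format; succeeds only if all fingerprints agree.
roundtrip_matches() {
  dir=$1
  make_test_cert "$dir"
  pem_to_der "$dir/t.pem" "$dir/t.der"
  der_to_pem "$dir/t.der" "$dir/t2.pem"
  pem_to_p12 "$dir/t.key" "$dir/t.pem" "$dir/t.pfx" "exportpw"
  p12_to_pem_cert "$dir/t.pfx" "exportpw" "$dir/t3.pem"
  a=$(fingerprint "$dir/t.pem" pem)
  b=$(fingerprint "$dir/t.der" der)
  c=$(fingerprint "$dir/t2.pem" pem)
  d=$(fingerprint "$dir/t3.pem" pem)
  echo "SHA256 fingerprint: $a"
  [ "$a" = "$b" ] && [ "$a" = "$c" ] && [ "$a" = "$d" ]
}

# Stand-alone demo: ./convert_check.sh --demo
if [ "${1-}" = "--demo" ]; then
  w=$(mktemp -d)
  roundtrip_matches "$w" && echo "all formats carry the same certificate: $w"
fi
```

The printed fingerprint is the value to compare against what a browser or Windows certificate viewer shows for the imported file.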
Testing certificates
OpenSSL provides simple client and server tools that can simulate an SSL connection for testing.
# Connect to a remote server
> openssl s_client -connect www.google.com.hk:443
# Simulate an HTTPS service that returns OpenSSL related information
# -accept specifies the port to listen on
# -cert and -key specify the certificate and key used to serve
> openssl s_server -accept 443 -cert myserver.crt -key myserver.key -www
# The key and certificate can be written to the same file
> cat myserver.crt myserver.key > myserver.pem
# Then only one parameter is needed
> openssl s_server -accept 443 -cert myserver.pem -www
# You can also save the server's certificate
> openssl s_client -connect www.google.com.hk:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > remoteserver.pem
# Convert it to a DER file, which can be viewed directly on Windows
> openssl x509 -outform der -in remoteserver.pem -out remoteserver.cer
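The s_server/s_client pair above as an added loopback example (not code from the original post): it serves a bundled cert+key on an unprivileged port instead of 443, connects with -verify_return_error so that a verification failure becomes a hard handshake failure rather than the "Verify return code: 18 (self signed certificate)" note s_client otherwise prints while still connecting, and reuses the post's sed pipeline to save the presented certificate and compare its fingerprint with the local copy. The port number, file names and the self-signed localhost certificate are the example's own assumptions; -addext and -verify_hostname need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: end-to-end loopback check of a certificate with s_server and s_client.
set -eu
PORT="${PORT:-14433}"   # unprivileged port (assumption); the post's 443 needs root

# Self-signed server cert with a SAN for localhost, bundled with its key into
# one PEM file the way the post does (constructed test material).
make_server_bundle() {
  dir=$1
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost" -keyout "$dir/s.key" -out "$dir/s.crt" 2>/dev/null
  cat "$dir/s.crt" "$dir/s.key" >"$dir/s.pem"
}

# Start s_server with bundle $1 on $PORT in the background; print its PID.
start_server() {
  openssl s_server -accept "$PORT" -cert "$1" -www >/dev/null 2>&1 &
  echo $!
}

# Connect, verify the chain against trust anchor $1 and hostname $2.
# Exit status is s_client's: non-zero means the handshake was refused.
client_check() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername "$2" \
    -CAfile "$1" -verify_hostname "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Save the certificate the server presented to file $1 (the post's sed
# pipeline) and print its SHA-256 fingerprint for comparison.
fetch_server_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$1"
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Stand-alone demo: ./loopback_check.sh --demo
if [ "${1-}" = "--demo" ]; then
  w=$(mktemp -d)
  make_server_bundle "$w"
  pid=$(start_server "$w/s.pem")
  sleep 1
  if client_check "$w/s.crt" localhost; then echo "handshake OK"; else echo "handshake FAILED"; fi
  echo "server presented: $(fetch_server_cert "$w/remote.pem")"
  kill "$pid"
fi
```

Running client_check without the -CAfile that names the self-signed certificate, or with a hostname that is not in its SAN, makes the handshake fail; that is the behaviour you want from every client that talks to the service.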
Calculate MD5 and SHA1
# MD5 digest
> openssl dgst -md5 filename
# SHA1 digest
> openssl dgst -sha1 filename
reference: http://www.cnblogs.com/E7868A/archive/2012/11/16/2772240.html