一般情况下,如果能找到可用的证书,就可以直接使用,只不过会因证书的某些信息不正确或与部署证书的主机不匹配而导致浏览器提示证书无效,但这并不影响使用。
需要手工生成证书的情况有:
- 找不到可用的证书
- 需要配置双向SSL,但缺少客户端证书
- 需要对证书作特别的定制
首先,无论是在Linux下还是在Windows下的Cygwin中,进行下面的操作前都须确认已安装OpenSSL软件包。
1. 创建根证书密钥文件(自己做CA)root.key:
openssl genrsa -des3 -out root.key
输出内容为:
[lenin@archer ~]$ openssl genrsa -des3 -out root.key?
Generating RSA private key, 512 bit long modulus?
……………..++++++++++++?
..++++++++++++?
e is 65537 (0×10001)?
Enter pass phrase for root.key: ← 输入一个新密码?
Verifying – Enter pass phrase for root.key: ← 重新输入一遍密码
2. 创建根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
输出内容为:
[lenin@archer ~]$ openssl req -new -key root.key -out root.csr?
Enter pass phrase for root.key: ← 输入前面创建的密码?
You are about to be asked to enter information that will be incorporated?
into your certificate request.?
What you are about to enter is what is called a Distinguished Name or a DN.?
There are quite a few fields but you can leave some blank?
For some fields there will be a default value,?
If you enter ‘.’, the field will be left blank.?
—–?
Country Name (2 letter code) [AU]:CN ← 国家代号,中国输入CN?
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音?
Locality Name (eg, city) []:BeiJing ← 市的全名,拼音?
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名?
Organizational Unit Name (eg, section) []: ← 可以不输入?
Common Name (eg, YOUR name) []: ← 此时不输入?
Email Address []:admin@mycompany.com ← 电子邮箱,可随意填Please enter the following ‘extra’ attributes?
to be sent with your certificate request?
A challenge password []: ← 可以不输入?
An optional company name []: ← 可以不输入
3. 创建一个自当前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.req -out root.crt
输出内容为:
[lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt?
Signature ok?
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@mycompany.com?
Getting Private key?
Enter pass phrase for root.key: ← 输入前面创建的密码
4. 创建服务器证书密钥server.key:
openssl genr
