openssl 인증서 생성

5824 단어

오류 요약


1. SSL: error:0906406D:PEM routines:PEM_def_callback:problems getting password error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
openssl rsa -in original.key -out unencripted.key

1. IIS 생성 ssl 인증서


1.1 루트 인증서 생성에 개인 키 추가

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config openssl.cnf
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:115.29.179.22
Email Address []:[email protected]

1.2 관련 문서 생성(openssl.cnf 관련 설정)

mkdir demoCA
touch demoCA/index.html
touch demoCA/serial
vim demoCA/serial
1000

1.3 인증서 신청에 따라 인증서 생성

openssl ca -in certreq.txt -out server.pem -cert cacert.pem -keyfile cakey.pem
Enter pass phrase for cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Jul 24 02:07:43 2015 GMT
            Not After : Jul 23 02:07:43 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            organizationName          = Mintcode
            organizationalUnitName    = Forstmourne
            commonName                = 115.29.179.22
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A3:72:4C:6D:5D:F9:64:C9:02:13:11:13:CF:C3:34:C1:DE:0B:BF:57
            X509v3 Authority Key Identifier:
                keyid:81:40:30:DB:57:2C:D0:E8:9B:B1:51:D7:D5:71:F1:6C:16:E8:5A:DB

Certificate is to be certified until Jul 23 02:07:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

1.4 iis 생성에 인증서 필요

openssl x509 -in server.pem -out server.cer

1.5 자바 생성에 필요한 키스토어

keytool -import -file server.cer -keystore server.keystore

2. openssl 생성 ssl 인증서


2.1 루트 인증서 생성에 개인 키 추가

openssl req -new -x509 -days 365000 -keyout cakey.key -out cacert.crt -config openssl.cnf
Generating a 2048 bit RSA private key
.....................................+++
..............+++
writing new private key to 'cakey.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:bell
Email Address []:[email protected]

2.2 ssl 인증서 생성에 개인 키 추가

openssl req -new -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..............................................................................+++
.......+++
writing new private key to 'server.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mintcode
Organizational Unit Name (eg, section) []:Forstmourne
Common Name (e.g. server FQDN or YOUR name) []:bell
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mintcode
An optional company name []:mintcode

2.3 준비 작업

mkdir demoCA
cd demoCA
mkdir newcerts
touch index.txt
echo '01' > serial
cd ..

2.4 자체 서명

openssl ca -in server.csr -out server.crt -cert cacert.crt -keyfile cakey.key -config openssl.cnf

2.5 자바 생성에 필요한 키스토어

keytool -import -file server.crt -keystore server.keystore

2.6crt가pem로 변환

openssl x509 -in server.crt -out server.pem -outform PEM

좋은 웹페이지 즐겨찾기