OpenSSL 生成自签名证书, self-signed cert
ECC cert (crt)
https://ayushsuman.medium.com/creating-elliptic-curve-based-certs-using-openssl-d4ebbb9d071f
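# Create one directory for the certificates this CA will issue and one for
# the root private key.
# -p: do not fail if the directories already exist (re-running the steps).
mkdir -p certs private
# The root key is the trust anchor for every certificate signed with it;
# keep its directory readable by the owner only.
chmod 700 private
# Generate the elliptic-curve (P-256) private key for the root CA.
# umask 077 in a subshell makes the key file owner-readable only without
# changing the umask of the interactive shell.
(umask 077; openssl ecparam -out private/ca-key.pem -name prime256v1 -genkey)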
foo.cnf
修改 dir
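# foo.cnf - OpenSSL config for the self-signed root CA.
# Used on this page by: openssl req -new -x509 -config foo.cnf -extensions v3_ca
[ ca ]
default_ca = ca_default

# CA database settings. The signing step on this page runs
# 'openssl ca -config wiloon.cnf', so the ca_default/policy sections below are
# only consulted if foo.cnf is passed to 'openssl ca' explicitly.
[ ca_default ]
# Absolute path of the directory holding index.txt, serial and certs/.
dir = /home/user_0/path/to/tls
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/certs
# Validity of certificates issued with this config, in days.
default_days = 365
default_md = sha256
policy = policy

# Policy dictates what these values in any certificate signed by your root certificate should be.
# match    = the CSR field must equal the same field of the CA certificate
# supplied = the field must be present in the CSR
# optional = the field may be present
[ policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

############################################################################################
# Settings for 'openssl req' when creating the self-signed root certificate.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
# Extensions applied to the self-signed (-x509) certificate.
x509_extensions = v3_ca
string_mask = utf8only

# Subject of the root CA certificate.
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Liaoning
localityName = Dalian
0.organizationName = org_0
organizationalUnitName = unit_0
# NOTE(review): this is the same CN as the server certificate in wiloon.cnf.
# A distinct CA name (constructed example: "wiloon Root CA") makes the issuer
# easier to identify in trust stores and certificate chains.
commonName = *.wiloon.com
emailAddress = wiloon@email.com

# Extensions that mark the root certificate as a CA.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# CA:true is what lets this certificate sign others. Adding pathlen:0 would
# additionally forbid intermediate CAs under this root.
basicConstraints = critical,CA:true
# cRLSign added: when keyUsage is present, a CA needs it to sign CRLs
# (RFC 5280 section 4.2.1.3); keyCertSign alone is not enough for that.
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
nsComment = "OpenSSL Generated Certificate"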
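# Create the CA database files that 'openssl ca' expects.
# Run this inside the directory configured as 'dir' in the .cnf file used
# for signing (wiloon.cnf on this page), so $dir/index.txt and $dir/serial exist.
touch index.txt
echo 01 > serial
# Generate the root certificate from the private key and the configs.
# -x509 self-signs the request; -extensions v3_ca applies the CA extensions.
openssl req -new -x509 -days 3650 -config foo.cnf -extensions v3_ca -key private/ca-key.pem -out certs/ca-cert.pem
# Add this cert to your trust store (for Ubuntu 22.04).
# After this, every certificate signed with private/ca-key.pem is trusted
# system-wide on this machine, so that key file must stay private.
sudo cp certs/ca-cert.pem /usr/local/share/ca-certificates/ca-cert.crt
sudo update-ca-certificates
# Remove from Ubuntu
sudo rm /usr/local/share/ca-certificates/ca-cert.crt
sudo update-ca-certificates --fresh
# Browsers may keep their own trust store; add the CA certificate there too.
# Generate the private key for one domain.
# umask 077 in a subshell makes the key file owner-readable only.
(umask 077; openssl ecparam -out wiloon.key -name prime256v1 -genkey)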
wiloon.cnf
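# wiloon.cnf - OpenSSL config for the server (end-entity) certificate.
# Used on this page by: openssl req -new -config wiloon.cnf -extensions v3_req
#                   and: openssl ca -config wiloon.cnf -extensions v3_req
[ ca ]
default_ca = ca_default

# CA database settings used by 'openssl ca' when signing the CSR.
[ ca_default ]
# Absolute path of the directory where index.txt and serial were created.
dir = /home/wiloon/path/to/tls
certs = $dir/certs
database = $dir/index.txt
new_certs_dir = $dir/certs
serial = $dir/serial
# Validity of the issued certificate, in days.
default_days = 365
default_md = sha256
policy = ca_policy

# Policy applied to the CSR subject:
# supplied = the field must be present, optional = it may be present.
# DN fields not listed here (localityName from req_distinguished_name, for
# example) are dropped by 'openssl ca' unless -preserveDN is given.
[ ca_policy ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

############################################################################################
# Settings for 'openssl req' when creating the CSR.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
# Extensions embedded in the request.
req_extensions = v3_req
string_mask = utf8only

# Subject of the server certificate.
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Liaoning
localityName = Dalian
0.organizationName = org_0
organizationalUnitName = unit_0
# Modern TLS clients match the host name against subjectAltName only; a name
# that is not listed under alternate_names will not validate even though the
# wildcard CN appears to cover it.
commonName = *.wiloon.com
emailAddress = wiloon@email.com

# Extensions for the end-entity (server) certificate.
[ v3_req ]
# Not a CA: this certificate must not be able to issue further certificates.
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature
# Restrict the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

# Host names and IPs this certificate is valid for.
[ alternate_names ]
DNS.1 = wiloon.com
DNS.2 = www.wiloon.com
DNS.3 = mail.wiloon.com
DNS.4 = ftp.wiloon.com
# The localhost/loopback entries are for local development only.
DNS.5 = localhost
DNS.6 = localhost.localdomain
IP.1 = 127.0.0.1
# localhost IP from Android emulators. Only for Android Developers.
# (Comment moved to its own line: trailing comments on value lines are
# parser-dependent and easy to misread.)
IP.2 = 10.0.2.2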
# Create the Certificate Signing Request for the domain key.
# -extensions v3_req embeds the request extensions (SAN etc.) from wiloon.cnf.
openssl req -new -sha256 -config wiloon.cnf -extensions v3_req -key wiloon.key -out wiloon.csr
# Sign the CSR with the root CA private key and root certificate.
# The extensions written into the issued certificate are taken from the
# v3_req section of wiloon.cnf ('openssl ca' does not copy them from the CSR
# unless copy_extensions is configured).
openssl ca -config wiloon.cnf -extensions v3_req -keyfile private/ca-key.pem -cert certs/ca-cert.pem -in wiloon.csr -out wiloon.crt
https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/
# List all available curves
openssl ecparam -list_curves
# Inspect an EC private key
openssl ec -noout -text -in key.pem
# Generate a Certificate Signing Request
# with subj: openssl req -new -sha256 -key key.pem -subj "/CN=devops/C=BM/ST=Bermudian/L=Bermudian/O=Org/OU=IT" -out csr.csr
# Inspect a CSR
openssl req -noout -text -in csr.csr
# Legacy check that the CSR is signed with SHA-256 rather than SHA-1
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"
# Inspect a certificate
openssl x509 -in certificate.pem -noout -text
# Show the certificate chain a web site presents during the TLS handshake
openssl s_client -connect site.domain:443
https://dgu2000.medium.com/working-with-self-signed-certificates-in-chrome-walkthrough-edition-a238486e6858
# Inspect the root certificate just created (subject, validity, extensions):
openssl x509 -noout -text -in rootCA.pem
# Verify that the server certificate chains to the root CA and that its
# subjectAltName covers the expected host name:
openssl verify -verify_hostname console.kyma.local -CAfile rootCA.pem tls.crt
https://www.ssldragon.com/zh/how-to/openssl/create-self-signed-certificate-openssl/
https://docs.openssl.org/3.4/man1/openssl-genpkey/#examples
# Print the contents of a certificate signing request
# (subject, requested extensions, public key)
openssl req -noout -text -in server.csr
https://ningyu1.github.io/site/post/51-ssl-cert/
http://liaoph.com/openssl-san/
https://codeday.me/bug/20170831/60851.html
# Show the default OpenSSL configuration directory (OPENSSLDIR),
# where the default openssl.cnf is looked up
openssl version -d