Easily generate and sign TLS certificates


certctl

Manage certificates with ease.

Download

wget -O certctl https://github.com/chenzhiwei/certctl/releases/latest/download/certctl
chmod +x certctl
./certctl version
sudo mv certctl /usr/local/bin/

Generate a CA or self-signed certificate

certctl generate --subject "C=CN/ST=Beijing/L=Haidian/O=Any Corp/CN=Any Root" \
    --key ca.key --cert ca.crt --days 36500 --size 4096

certctl generate --subject "C=CN/ST=Beijing/L=Haidian/O=Any Corp/CN=anycorp.com" \
    --san "*.anycorp.com,localhost,127.0.0.1" \
    --key anycorp.com.key --cert anycorp.com.crt --days 365 --size 4096

certctl generate --subject "C=CN/ST=Beijing/L=Haidian/O=Any Corp/CN=anycorp.com" \
    --san "*.anycorp.com,localhost,127.0.0.1" \
    --key anycorp.com.key --cert anycorp.com.crt --days 365 --size 4096 \
    --usage digitalSignature,keyEncipherment \
    --extusage serverAuth,clientAuth,emailProtection

certctl help generate

The complete list of key usages is:

  • digitalSignature
  • contentCommitment
  • keyEncipherment
  • dataEncipherment
  • keyAgreement
  • keyCertSign
  • cRLSign
  • encipherOnly
  • decipherOnly

The complete list of extended key usages is:

  • any
  • serverAuth
  • clientAuth
  • codeSigning
  • emailProtection
  • IPSECEndSystem
  • IPSECTunnel
  • IPSECUser
  • timeStamping
  • OCSPSigning
  • netscapeServerGatedCrypto
  • microsoftServerGatedCrypto
  • microsoftCommercialCodeSigning
  • microsoftKernelCodeSigning
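
An added example (Go standard library; not certctl's code and not part of the original page): it builds a self-signed certificate with the subject, DNS SANs and usages of the second `certctl generate` command above and validates it for several host names. It shows that the wildcard SAN covers neither the bare CN `anycorp.com` nor deeper subdomains, and that an unlisted extended key usage is rejected. The 2048-bit key and the names `selfSigned` and `check` are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mirrors the page's second "certctl generate" command (constructed here, not certctl output).
func selfSigned() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: page uses --size 4096; 2048 keeps the demo fast
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Any Corp"}, CommonName: "anycorp.com"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, 365), // --days 365
		DNSNames:     []string{"*.anycorp.com", "localhost"}, // 127.0.0.1 would go in IPAddresses
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check trusts cert as its own root and validates it for one host name and one extended key usage.
func check(cert *x509.Certificate, name string, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

func main() {
	cert, err := selfSigned()
	if err != nil {
		panic(err)
	}
	for _, n := range []string{"www.anycorp.com", "localhost", "anycorp.com", "a.b.anycorp.com"} {
		fmt.Printf("%-16s %v\n", n, check(cert, n, x509.ExtKeyUsageServerAuth))
	}
}
```

Listing `anycorp.com` in `--san` alongside the wildcard is what makes the bare domain validate; the CN alone is not consulted by Go's verifier.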

Sign a certificate with a CA

certctl sign --ca-key ca.key --ca-cert ca.crt --subject "CN=my.anycorp.com" \
    --san www.my.anycorp.com,localhost,127.0.0.1 \
    --key my.anycorp.com.key --cert my.anycorp.com.crt

certctl sign --ca-key ca.key --ca-cert ca.crt --is-ca \
    --subject "CN=my.anycorp.com" \
    --key my.anycorp.com.key --cert my.anycorp.com.crt \
    --usage digitalSignature,keyEncipherment,keyCertSign \
    --extusage serverAuth,codeSigning

certctl help sign

Show a certificate/CSR from a file

certctl show cert-filepath.crt
certctl show csr-filepath.csr

GitHub

github.com/chenzhiwei/…