1、创建根证书
#创建密钥
openssl genrsa -out root.key 2048
#生成证书并自签名;-nodes 表示私钥不加密(不设口令)。root.key 是根 CA 私钥,应限制其文件访问权限
openssl req -sha256 -new -nodes -x509 -days 3650 -key root.key -out root.crt -subj "/CN=wx"
2、创建域名证书
使用openssl配置文件
vim openssl.conf
# OpenSSL configuration passed to `openssl req -config` when creating the CSR,
# and passed again with `-extfile ... -extensions v3_req` when signing.
[req]
# Section that holds the subject fields.
distinguished_name = req_distinguished_name
# Section whose extensions are added to the certificate request.
req_extensions = v3_req
# Take the subject values from this file instead of prompting interactively.
prompt = no
# Subject of the request. With prompt = no the values below are used as written.
[req_distinguished_name]
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = wx
organizationalUnitName = unit
# Same address as IP.1 in [alt_names]; keep the two in sync when changing it.
commonName = 192.168.6.120
[ v3_req ]
# Extensions to add to a certificate request
# CA:FALSE marks this as an end-entity certificate, not one that signs others.
basicConstraints = CA:FALSE
# NOTE(review): no extendedKeyUsage is set here. Some TLS clients expect
# serverAuth (or clientAuth) to be present; confirm against the clients that
# will consume this certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Subject alternative names are read from the [alt_names] section.
subjectAltName = @alt_names
[alt_names]
# Every name or address that clients use to reach the host should be listed
# here; entries starting with '#' are disabled examples.
# DNS names
#DNS.1 = unit.com
#DNS.2 = branch.org
# IP addresses
IP.1 = 192.168.6.120
#IP.2 = 192.168.6.205
创建密钥
openssl genrsa -out unit.key 2048
创建请求文件
openssl req -new -key unit.key -out unit.csr -config openssl.conf
生成证书并用根证书签名
#crt
openssl x509 -req -in unit.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3560 -out unit.crt -extfile openssl.conf -extensions v3_req
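#pem(注意:这里是再签发一次,得到的 unit.pem 与上面的 unit.crt 序列号不同,是两张不同的证书;openssl 默认输出即为 PEM 编码,若只需要 .pem 后缀,直接复制 unit.crt 即可)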
openssl x509 -req -in unit.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3560 -out unit.pem -extfile openssl.conf -extensions v3_req
3、不使用根证书,生成自签名证书(以下命令使用相同文件名,会覆盖第 2 步生成的 unit.key、unit.csr、unit.crt)
openssl genrsa -out unit.key 2048
openssl req -new -key unit.key -out unit.csr -config openssl.conf
openssl x509 -req -days 3650 -in unit.csr -signkey unit.key -out unit.crt -extensions v3_req -extfile openssl.conf
crt转p12(111111 仅为示例口令;pass: 形式的口令会留在 shell 历史和进程列表中,实际使用时应换成强口令,并改用 env: 或 file: 方式传入)
openssl pkcs12 -export -in unit.crt -inkey unit.key -out unit.p12 -name "bt" -password pass:"111111"
crt转pem(此命令实际是用 unit.csr 重新自签名并输出 unit.pem;未带 -extfile/-extensions,生成的证书不含 subjectAltName 等扩展)
openssl x509 -req -days 3650 -in unit.csr -signkey unit.key -out unit.pem
pem转p12
openssl pkcs12 -export -out unit.p12 -in unit.pem -inkey unit.key
请将证书导入Java 密钥库
keytool -import -alias bt -keystore driver.trust -file unit.crt -storepass 111111
查看证书信息
# 查看KEY信息
openssl rsa -noout -text -in unit.key
# 查看CSR信息
openssl req -noout -text -in unit.csr
# 查看证书信息
openssl x509 -noout -text -in unit.crt
windows打开证书管理
windows+r
certmgr.msc