Tag: Certificates

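  • Self-signed certificate commands

    Notes on the commands I recently used for self-signed certificates while testing a service

    Generate the root key and root certificate: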

    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -key ca.key -sha512 -days 36666 -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=MyTestCA/OU=Security/CN=MyTestRootCA"

    Generate the server certificate, signed by the root certificate

    openssl genrsa -out server.key 4096
    openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyServer/OU=Security/CN=Server"
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36665 -sha512

    Generate the client certificate, signed by the root certificate, and the client .p12 file

    openssl genrsa -out client.key 4096
    openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyClient/OU=Security/CN=Client"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 36665 -sha512
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -name "MyClientCert"

    Commands for issuing an IP-address certificate for testing

    openssl genrsa -out ipserver.key 4096

    openssl req -new -key ipserver.key -out ipserver.csr \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=MyServer/OU=Security/CN=1.2.3.4" \
    -addext "subjectAltName=IP:1.2.3.4" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth"

    openssl x509 -req -in ipserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out ipserver.crt -days 36665 -sha512 \
    -extfile <(printf "subjectAltName=IP:1.2.3.4\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth")
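
An added check, not part of the original notes: the script below builds a throwaway CA and signs one CSR for the sample IP 1.2.3.4 twice, once with the -extfile extensions as in the last command above and once without, then uses `openssl verify -verify_ip` to show that only the certificate carrying the IP SAN is accepted for that address. The function names, the 30-day lifetimes and the 2048-bit keys (chosen so it runs quickly) are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, 2048-bit keys and 30-day lifetimes are assumptions.
DEMO_IP="1.2.3.4"   # constructed sample IP, same as in the notes above

make_demo() {   # $1 = directory; writes ca.crt, with_san.crt, no_san.crt
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -sha512 \
        -days 30 -out "$d/ca.crt" -subj "/O=MyTestCA/CN=MyTestRootCA" \
        2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/O=MyServer/CN=$DEMO_IP" 2>/dev/null || return 1
    # x509 -req does not copy extensions from the CSR by default, so the SAN
    # has to be supplied again at signing time via -extfile.
    printf 'subjectAltName=IP:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$DEMO_IP" > "$d/ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/with_san.crt" -days 30 -sha512 \
        -extfile "$d/ext.cnf" 2>/dev/null || return 1
    # Same CSR signed without -extfile: subject CN only, no SAN.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/no_san.crt" -days 30 -sha512 \
        2>/dev/null || return 1
}

check_ip_cert() {   # $1 = CA cert, $2 = leaf cert, $3 = IP the client dials
    # Succeeds only if the chain verifies and the IP is listed in the SAN.
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

has_ip_san() {      # $1 = cert, $2 = IP
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo "$DEMO_DIR" || { echo "openssl failed" >&2; exit 1; }
for c in with_san no_san; do
    if check_ip_cert "$DEMO_DIR/ca.crt" "$DEMO_DIR/$c.crt" "$DEMO_IP"; then
        echo "$c.crt: accepted for $DEMO_IP"
    else
        echo "$c.crt: rejected for $DEMO_IP"
    fi
done
```

The same `check_ip_cert` call can be pointed at the real ca.crt and ipserver.crt produced by the commands above.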