Generating X.509 certificates interactively
(1) Root CA
Generate the CA private key
openssl genrsa -out ca/ca-prikey.pem 2048
Generate the CA public key
openssl rsa -in ca/ca-prikey.pem -pubout -out ca/ca-pubkey.pem
Generate the CA root certificate (create a CSR, self-sign it with the CA key, then export a PKCS#12 bundle)
openssl req -new -out ca/ca-req.csr -key ca/ca-prikey.pem
Organization Name (eg, company): XXX
Common Name (eg, YOUR name) []: root
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-prikey.pem -days 3650
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-prikey.pem -out ca/ca.p12
(2) Use the root certificate to issue a certificate for a node (i.e. a server)
Generate the node private key
openssl genrsa -out ca/node-prikey.pem 2048
Generate the node public key
openssl rsa -in ca/node-prikey.pem -pubout -out ca/node-pubkey.pem
Issue the node certificate with the root certificate
openssl req -new -out ca/node-req.csr -key ca/node-prikey.pem
Organization Name (eg, company): CMCC
Common Name (eg, YOUR name) []: 127.0.0.1
openssl x509 -req -in ca/node-req.csr -out ca/node-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-prikey.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in ca/node-cert.pem -inkey ca/node-prikey.pem -out ca/node.p12
(3) Use the root certificate to issue a certificate for a client
Generate the client private key
openssl genrsa -out ca/client-prikey.pem 2048
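Generate the client public key
openssl rsa -in ca/client-prikey.pem -pubout -out ca/client-pubkey.pem
Alternatively, once ca/client-cert.pem has been issued (below), extract the public key from the certificate
openssl x509 -in ca/client-cert.pem -pubkey -noout > ca/client-pubkey.pem
Issue the client certificate with the root certificate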
openssl req -new -out ca/client-req.csr -key ca/client-prikey.pem
Organization Name (eg, company): General Motors
Common Name (eg, YOUR name) []: voter1
Email Address []: (leave at the default)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456
An optional company name []: testing
openssl x509 -req -in ca/client-req.csr -out ca/client-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-prikey.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in ca/client-cert.pem -inkey ca/client-prikey.pem -out ca/client.p12
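Generating X.509 certificates non-interactively
The emailAddress value user@example.com in the -subj strings is a placeholder. Passphrases given as pass:... on the command line are visible in shell history and the process list.
(1) Root CA
openssl req -newkey rsa:2048 -passout pass:123456 -keyout ca_rsa_private.pem -x509 -days 365 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/emailAddress=user@example.com"
(2) Use the root certificate to issue a server certificate
openssl req -newkey rsa:2048 -passout pass:server -keyout server_rsa_private.pem -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/emailAddress=user@example.com"
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out server.crt
Write a copy of the server private key with the passphrase removed (the .unsecure file is unencrypted, so restrict its file permissions)
openssl rsa -in server_rsa_private.pem -passin pass:server -out server_rsa_private.pem.unsecure
(3) Use the root certificate to issue a client certificate
openssl req -newkey rsa:2048 -passout pass:client -keyout client_rsa_private.pem -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/emailAddress=user@example.com"
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca_rsa_private.pem -passin pass:123456 -CAcreateserial -out client.crt
Write a copy of the client private key with the passphrase removed
openssl rsa -in client_rsa_private.pem -passin pass:client -out client_rsa_private.pem.unsecure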
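The x509 -req commands above sign the server and client requests without an -extfile, so the issued certificates carry no subjectAltName or extendedKeyUsage, and a client that matches the address against subjectAltName rather than the Common Name will not accept a certificate that only has CN=127.0.0.1. The following is an added example, not part of the original page, that goes one step further than the commands above: it issues the same CA / server / client set with explicit extensions and then checks the result with openssl verify. The function names build_pki and check_server, the file names, the pki.cnf section names and the use of unencrypted keys (-nodes) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. build_pki, check_server and the
# pki.cnf section names are assumptions made for this illustration.
build_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    # Own minimal config, so nothing depends on the system openssl.cnf.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1,DNS:localhost
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    base="/C=CN/ST=GD/L=SZ/O=COM/OU=NSP"
    # Root CA: self-signed and explicitly marked as a CA (-subj overrides [dn]).
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.crt -days 365 -subj "$base/CN=CA" -extensions v3_ca \
        2>/dev/null || exit 1
    for role in server client; do
        # Key + CSR, then a CA-signed certificate with the role's extensions.
        openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
            -keyout "$role.key" -out "$role.csr" -subj "$base/CN=$role" \
            2>/dev/null || exit 1
        openssl x509 -req -in "$role.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -extfile pki.cnf \
            -extensions "v3_$role" -out "$role.crt" 2>/dev/null || exit 1
    done
)

# Succeeds only if <dir>/<cert> chains to ca.crt, is acceptable for TLS server
# use and lists the IP address $3 in its subjectAltName.
check_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_ip "$3" \
        "$1/$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && build_pki "$demo" &&
    check_server "$demo" server.crt 127.0.0.1 && echo "server.crt verifies"
```

The same check_server call fails for client.crt, because its extendedKeyUsage allows clientAuth only.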