openssl生成证书
[nginx@machina key]$ pwd /app/nginx/key
- 生成私钥 openssl genrsa -out server.key 2048
- 生成证书请求 openssl req -new -key server.key -out server.csr
- 填入信息
[nginx@machina key]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:ai
Organizational Unit Name (eg, section) []:ai
Common Name (eg, your name or your server's hostname) []:112.96.28.206
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@machina key]$
[nginx@machina key]$ ls
old server.csr server.key
- 备份一份服务器密钥文件 cp server.key server.key.org
- 去除文件口令 openssl rsa -in server.key.org -out server.key
- 生成证书文件server.crt openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[nginx@machina key]$ openssl rsa -in server.key.org -out server.key
writing RSA key
[nginx@machina key]$
[nginx@machina key]$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=gd/L=gz/O=ai/OU=ai/CN=112.96.28.206
Getting Private key
一般只需三步:
- openssl genrsa -out server.key 2048
- openssl req -new -key server.key -out server.csr
- openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
关于密码: openssl genrsa -out server.key 2048 不需要密码。 openssl genrsa -des3 -out server.key 2048 需要密码。 https://www.jianshu.com/p/9523d888cf77
关于域名: 用openssl,域名可以不输; 用keystore,必须输入。
