Generating a root CA and issuing certificates with OpenSSL

  • 1. System environment
  • 2. Preparation
    • 2.1. OpenSSL configuration
  • 3. Generating the root certificate
    • 3.1. Generate the root CA private key
    • 3.2. Generate the certificate request (ca.csr)
    • 3.3. Inspect the certificate request
    • 3.4. Self-sign the root certificate
    • 3.5. Inspect the certificate
    • 3.6. Shortcut: create a self-signed certificate directly from the private key
  • 4. Creating an intermediate certificate
    • 4.1. Generate the private key and certificate request
    • 4.2. Sign the intermediate certificate with the root certificate
  • 5. Generating the server certificate
    • 5.1. Generate the server private key (server-key.pem)
    • 5.2. Generate the certificate request (server.csr)
    • 5.3. Inspect the certificate request
    • 5.4. Sign the server certificate with the root certificate (server.cer)
    • 5.5. Inspect the generated certificate
  • 6. Generating the client certificate
    • 6.1. Generate the client private key (client-key.pem)
    • 6.2. Generate the certificate request (client.csr)
    • 6.3. Inspect the certificate request
    • 6.4. Sign the client certificate with the root certificate (client.cer)
    • 6.5. Inspect the generated certificate
  • 7. Certificate format conversion
    • 7.1. Format overview
    • 7.2. PEM to DER
    • 7.3. DER to PEM
    • 7.4. PKCS#12 (PFX) and PEM conversion
  • 8. Exporting certificates
    • 8.1. Export the client key and certificate chain
    • 8.2. Export the server key and certificate chain
    • 8.3. Export the root certificate
  • 9. Problems and solutions
    • 9.1. "bad decrypt" error when generating the client certificate
  • 10. References

1. System environment

Operating system: Ubuntu 18.04 64-bit
OpenSSL version: 1.1.1d, 10 Sep 2019

$ openssl version
OpenSSL 1.1.1d 10 Sep 2019

2. Preparation

2.1. OpenSSL configuration

Locate the OpenSSL configuration file openssl.cnf:
$ locate openssl.cnf | grep /etc
/etc/ssl/openssl.cnf

Edit the configuration with sudo gedit /etc/ssl/openssl.cnf and set the CA_default section as follows:
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

#dir = ./demoCA # Where everything is kept
dir = /home/share/openssl/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

#certificate = $dir/cacert.pem # The CA certificate
certificate = $certs/ca.cer # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert
Create the subdirectories and files that the CA_default section refers to:

Directory/file | Description | Command
certs | Where certificates are kept; a certificate is placed here after it has been signed. | mkdir certs
crl | Where revoked certificates are kept. | mkdir crl
index.txt | OpenSSL's text database of issued certificates (normally empty when initialised). | touch index.txt
newcerts | Where new certificates generated by the CA are kept. | mkdir newcerts
serial | Serial number reference file used when signing certificates. The serial number is stored in hexadecimal; the file must exist and contain a valid serial number. | openssl rand -hex 16 > serial; cat serial
private | Holds the private keys: one for the CA and one for the OCSP responder. | mkdir private

Note: the certificate serial number is initialised from the random number generator.

3. Generating the root certificate

3.1. Generate the root CA private key

openssl genrsa -aes256 -out private/cakey.pem 1024
The command means:
genrsa: generate a private key with the RSA algorithm
-aes256: encrypt the private key with AES using a 256-bit key
-out: path of the output file
1024: length of the private key in bits

Note: the private key pass phrase used here is test

3.2. Generate the certificate request (ca.csr)

openssl req -new -key private/cakey.pem -out private/ca.csr -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup/CN=TEST"
The command means:
req: run the certificate request command
-new: create a new certificate signing request
-key: path to the private key
-out: path of the output CSR file
-subj: subject information for the certificate (short for "subject")

Note: this step prompts for the private key pass phrase.
Note 2: key generation and the certificate request can be combined into a single operation; see the intermediate certificate section for an example.

3.3. Inspect the certificate request

openssl req -text -in private/ca.csr -noout
Example output:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:9c:8d:64:fd:f1:07:2d:72:86:a7:06:aa:77:83:
                    65:64:e0:1b:eb:40:57:09:f7:a2:64:40:70:da:d9:
                    36:b0:f5:37:ba:69:42:79:80:79:09:77:97:bb:53:
                    86:df:3d:29:a9:97:13:43:66:35:64:53:ab:78:95:
                    f9:d1:f4:5c:e3:38:24:b9:71:fe:91:f8:d5:b1:3a:
                    ad:16:9f:3f:18:2b:fa:31:aa:76:f3:7a:4c:ba:66:
                    49:a7:79:f8:b4:45:2c:e2:2e:04:f9:66:6a:57:6b:
                    28:29:89:58:8f:2b:2b:5a:a5:2e:8b:d4:28:0b:b4:
                    36:66:77:05:9f:07:e8:91:2b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         4d:a3:8d:0e:10:14:59:77:57:45:ce:9a:9f:07:1a:2b:bc:b5:
         6f:7b:85:a2:47:8c:92:e0:a0:5e:49:61:14:36:1d:d9:86:b3:
         5f:0e:a7:b6:3c:4b:10:e5:ee:7b:62:11:33:41:09:f6:e9:27:
         21:8a:e3:5a:be:3f:ca:8a:a5:71:75:d6:e9:7c:71:de:51:74:
         9b:83:cb:af:19:52:42:9f:bc:b2:04:18:8d:73:c2:9b:e7:9d:
         40:8b:12:18:52:ba:83:c0:57:1b:b1:98:71:86:51:08:18:bf:
         68:51:40:ac:1a:03:9f:df:7c:76:06:3b:16:34:ab:cf:0a:5e:
         08:6e

3.4. Self-sign the root certificate

openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey private/cakey.pem -in private/ca.csr -out certs/ca.cer
The command means:
x509: produce an X.509 certificate
-req: the input is a CSR
-days: validity period of the certificate in days
-sha1: use SHA-1 as the certificate digest
-extensions: add the extensions configured under the v3_ca section of openssl.cnf
-signkey: private key used to sign the certificate
-in: input CSR file
-out: output certificate file (.cer)

Notes:
(1) For a non-root certificate, specify -extensions v3_req; in openssl.cnf the v3_req section sets basicConstraints = CA:FALSE.
(2) For the root certificate, -extensions v3_ca is specified, which sets basicConstraints = critical,CA:true.

3.5. Inspect the certificate

Command (note that it differs from the one used to inspect the request):
openssl x509 -text -in certs/ca.cer -noout
Example output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:c9:bb:5b:c8:d2:07:53:df:e0:44:98:0e:35:c9:c1:b4:e8:fa:8a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Validity
            Not Before: Nov 25 09:06:39 2019 GMT
            Not After : Nov 24 09:06:39 2020 GMT
        Subject: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:9c:8d:64:fd:f1:07:2d:72:86:a7:06:aa:77:83:
                    65:64:e0:1b:eb:40:57:09:f7:a2:64:40:70:da:d9:
                    36:b0:f5:37:ba:69:42:79:80:79:09:77:97:bb:53:
                    86:df:3d:29:a9:97:13:43:66:35:64:53:ab:78:95:
                    f9:d1:f4:5c:e3:38:24:b9:71:fe:91:f8:d5:b1:3a:
                    ad:16:9f:3f:18:2b:fa:31:aa:76:f3:7a:4c:ba:66:
                    49:a7:79:f8:b4:45:2c:e2:2e:04:f9:66:6a:57:6b:
                    28:29:89:58:8f:2b:2b:5a:a5:2e:8b:d4:28:0b:b4:
                    36:66:77:05:9f:07:e8:91:2b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         4c:3f:fa:c2:be:26:a5:0f:6b:9f:7f:0b:d1:dd:ed:b8:ae:47:
         95:38:94:90:2f:3f:09:02:02:18:5a:f1:e7:f0:03:54:93:90:
         e5:54:a2:83:11:e2:8e:16:e7:b1:8f:e5:57:09:2a:61:17:da:
         95:fe:f3:ee:7b:2c:21:a3:8f:ba:a1:2e:89:52:36:20:8d:1c:
         24:b7:bd:61:cb:d3:47:ff:1d:63:6c:93:55:52:64:01:2a:12:
         7e:e1:5a:49:20:01:e9:29:aa:c0:af:ce:e1:c0:46:d0:d4:2d:
         07:e5:04:63:14:00:73:7c:ce:c9:d7:83:cc:9e:02:c6:c7:ee:
         3a:c6

3.6. Shortcut: create a self-signed certificate directly from the private key

The CSR step can also be skipped by creating a self-signed certificate directly from the private key:
openssl req -new -x509 -days 365 -key private/cakey.pem -out certs/ca2.cer -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup/CN=TEST"
To create a certificate that is valid for several host names, pass a file containing the required extension (subjectAltName) with the -extfile option when signing with the x509 command.

4. Creating an intermediate certificate

4.1. Generate the private key and certificate request

openssl req -new -out sub-ca.csr -keyout private/sub-ca.key -subj "/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup2/CN=TEST"
Notes:
1. This step prompts for a pass phrase for the private key.
2. The intermediate certificate's subject must not be identical to the root certificate's, otherwise certificate generation fails. Here the OU field differs from the root certificate.

4.2. Sign the intermediate certificate with the root certificate

openssl ca -config /etc/ssl/openssl.cnf -in sub-ca.csr -out certs/sub-ca.cer

5. Generating the server certificate

5.1. Generate the server private key (server-key.pem)

openssl genrsa -aes256 -out private/server-key.pem 1024
The private key pass phrase used here is test

5.2. Generate the certificate request (server.csr)

openssl req -new -key private/server-key.pem -out private/server.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

5.3. Inspect the certificate request

openssl req -text -in private/server.csr -noout
Example output:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = myname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:d3:96:88:0b:97:fe:e0:23:3d:19:be:8c:5c:52:
                    11:20:52:07:8d:e9:bf:5b:cc:30:93:27:89:bb:ed:
                    3d:8c:d5:42:d3:b5:21:ce:5d:33:5a:61:f0:2a:3c:
                    7b:7a:06:54:11:41:07:2d:ce:51:2a:44:a1:de:36:
                    cb:34:e8:ea:82:c4:61:cd:f0:b3:4b:ca:dd:f5:95:
                    37:91:3b:e5:a8:1d:a7:fd:8b:9b:2b:fb:59:cc:dd:
                    68:e8:9f:10:0d:16:19:4d:87:62:4a:57:d0:e8:31:
                    f9:4e:46:b5:1d:70:88:97:39:72:39:aa:48:5d:40:
                    49:15:bf:25:6c:d4:62:a2:2f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         42:6e:19:7b:0c:1d:6f:4c:41:ed:b9:c4:f2:4e:ef:5b:d8:d1:
         81:c4:3b:24:4b:ac:dc:e7:dd:79:81:f6:b4:76:ff:3a:85:2d:
         a8:90:3b:f9:77:02:7b:43:9c:20:d7:8c:ee:67:cd:79:3e:d5:
         a6:a3:39:74:9f:4c:d4:d8:c9:d8:35:c9:ca:55:54:3f:62:3b:
         c2:b2:c1:51:1d:bf:84:b0:5a:15:6f:03:5f:50:0e:25:fe:f1:
         ea:02:3b:06:b7:d2:01:3d:cd:03:ad:e6:b2:92:03:71:f4:97:
         96:88:25:55:8a:40:9a:c6:d7:0a:8f:36:ce:32:7f:d0:8c:a3:
         90:a0

5.4. Sign the server certificate with the root certificate (server.cer)

openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer

-CA: path to the CA certificate, i.e. the root certificate generated above
-CAkey: path to the CA certificate's private key; this must be the private key belonging to the root certificate
-CAserial: path to the certificate serial number file
-CAcreateserial: the serial number file named by -CAserial does not exist yet and is to be created by the command
Example run:

$ openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
Signature ok
subject=C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = myname
Getting CA Private Key
Enter pass phrase for private/cakey.pem:

Notes:
(3) For a non-root certificate, specify -extensions v3_req; in openssl.cnf the v3_req section sets basicConstraints = CA:FALSE.
(4) For the root certificate, -extensions v3_ca is specified, which sets basicConstraints = critical,CA:true.

5.5. Inspect the generated certificate

$ openssl x509 -text -in certs/server.cer -noout
Example output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6e:4a:a9:e7:2d:fb:2a:b1:19:b9:2b:8b:0b:3a:90:dd:37:f0:f4:e0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Validity
            Not Before: Nov 25 12:57:37 2019 GMT
            Not After : Nov 24 12:57:37 2020 GMT
        Subject: C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = myname
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:d3:96:88:0b:97:fe:e0:23:3d:19:be:8c:5c:52:
                    11:20:52:07:8d:e9:bf:5b:cc:30:93:27:89:bb:ed:
                    3d:8c:d5:42:d3:b5:21:ce:5d:33:5a:61:f0:2a:3c:
                    7b:7a:06:54:11:41:07:2d:ce:51:2a:44:a1:de:36:
                    cb:34:e8:ea:82:c4:61:cd:f0:b3:4b:ca:dd:f5:95:
                    37:91:3b:e5:a8:1d:a7:fd:8b:9b:2b:fb:59:cc:dd:
                    68:e8:9f:10:0d:16:19:4d:87:62:4a:57:d0:e8:31:
                    f9:4e:46:b5:1d:70:88:97:39:72:39:aa:48:5d:40:
                    49:15:bf:25:6c:d4:62:a2:2f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         81:24:89:7c:73:2f:36:e1:e7:9a:14:c2:1e:47:93:c0:7d:b8:
         06:27:15:45:91:65:6c:3a:cd:6c:c4:63:c4:cb:ad:20:26:53:
         fa:8c:07:85:4c:c3:f7:8a:05:d7:ca:81:4b:48:c2:db:10:4d:
         f3:31:47:29:94:fe:0d:1f:b6:30:1f:c6:2f:99:ff:a8:2a:fc:
         b0:f5:ab:3e:27:53:02:e9:13:a8:f4:4b:f1:e9:5d:98:39:27:
         9e:ed:aa:44:4c:8c:d0:14:7d:63:2c:22:26:64:72:b7:ad:ac:
         7a:9c:b9:30:68:d7:3a:de:78:87:91:e2:c1:a1:24:89:1a:c9:
         d6:e2

6. Generating the client certificate

6.1. Generate the client private key (client-key.pem)

openssl genrsa -aes256 -out private/client-key.pem 1024
The private key pass phrase used here is test

6.2. Generate the certificate request (client.csr)

openssl req -new -key private/client-key.pem -out private/client.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=TEST"

6.3. Inspect the certificate request

$ openssl req -text -in private/client.csr -noout
Example output:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:ca:9b:09:b5:12:cd:6d:e2:a9:5e:a8:e5:f8:1f:
                    40:67:a1:fd:f9:ec:af:9f:b6:38:42:30:5e:92:a9:
                    be:b9:43:42:15:a0:36:b4:4c:07:e6:e5:49:e9:02:
                    55:b3:01:39:65:c6:f0:bb:24:de:bd:01:47:3d:1a:
                    50:00:3f:0e:bf:6f:71:e4:d3:d1:07:82:dc:46:83:
                    9e:24:af:ad:c8:41:75:8b:6e:88:e7:bf:d9:95:63:
                    6f:5e:1e:fa:d2:e7:ca:1e:59:7d:75:4e:99:b3:eb:
                    84:b9:2c:eb:78:08:ca:d5:08:65:2f:92:a4:ac:07:
                    30:b3:de:6b:f2:e9:91:00:29
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         15:3d:9e:f5:7d:f0:78:a8:e0:3b:d8:0f:e2:f8:0e:a6:f3:21:
         04:9a:57:53:23:4e:80:70:8a:a9:8f:85:b3:09:e9:75:14:06:
         bc:f5:64:c3:b7:77:24:6c:ae:d6:f3:9e:9f:be:34:53:f4:ef:
         bb:4c:35:69:b6:e5:02:c6:2a:c6:50:f2:f9:ec:83:80:37:4f:
         6d:cd:49:78:fa:5c:60:b1:00:16:b3:22:91:86:f9:2e:5f:31:
         4c:43:b5:ca:ea:30:52:84:7e:cf:91:5c:15:94:7b:72:be:61:
         dc:24:df:e1:4b:b8:f7:09:6d:a5:69:0c:d7:3f:b9:40:ed:67:
         c6:bd

6.4. Sign the client certificate with the root certificate (client.cer)

openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -CAcreateserial -in private/client.csr -out certs/client.cer
Note that -CAcreateserial already created the ca.srl file when the server certificate was signed above, so the option can be omitted here.

6.5. Inspect the generated certificate

$ openssl x509 -text -in certs/client.cer -noout
Example output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6e:4a:a9:e7:2d:fb:2a:b1:19:b9:2b:8b:0b:3a:90:dd:37:f0:f4:e1
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CN, ST = ZHEJIANG, L = HANGZHOU, O = TEST, OU = mygroup, CN = TEST
        Validity
            Not Before: Nov 25 13:16:25 2019 GMT
            Not After : Nov 24 13:16:25 2020 GMT
        Subject: C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:ca:9b:09:b5:12:cd:6d:e2:a9:5e:a8:e5:f8:1f:
                    40:67:a1:fd:f9:ec:af:9f:b6:38:42:30:5e:92:a9:
                    be:b9:43:42:15:a0:36:b4:4c:07:e6:e5:49:e9:02:
                    55:b3:01:39:65:c6:f0:bb:24:de:bd:01:47:3d:1a:
                    50:00:3f:0e:bf:6f:71:e4:d3:d1:07:82:dc:46:83:
                    9e:24:af:ad:c8:41:75:8b:6e:88:e7:bf:d9:95:63:
                    6f:5e:1e:fa:d2:e7:ca:1e:59:7d:75:4e:99:b3:eb:
                    84:b9:2c:eb:78:08:ca:d5:08:65:2f:92:a4:ac:07:
                    30:b3:de:6b:f2:e9:91:00:29
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         3c:c4:ba:85:97:94:5e:14:63:9d:c0:da:bd:ac:4d:82:b4:fd:
         e5:38:21:bd:a1:75:19:01:11:51:18:2b:18:2f:fe:16:46:70:
         9c:f8:0d:20:a6:17:47:0d:fd:8a:c8:c5:97:15:dd:f9:41:04:
         e4:2d:2a:2d:cf:b7:cd:a7:2a:af:02:ef:17:11:af:90:9f:3a:
         0e:ea:4a:93:b2:d6:3f:c1:fa:2e:5c:98:0a:1b:a7:d0:69:d0:
         d9:9d:06:4e:d6:57:f8:45:f2:a4:65:14:d9:3c:66:ad:fb:01:
         73:4c:5a:59:c6:62:75:02:ec:37:e9:d6:ee:16:de:c3:b8:6b:
         b1:03

7. Certificate format conversion

7.1. Format overview

Format | Description
DER | Binary format containing the raw X.509 certificate, encoded with DER ASN.1.
PEM | ASCII certificate: a base64-encoded DER certificate.
PKCS#7 | A more complex format defined in RFC 2315, intended for transporting signed and encrypted data; the file can contain the entire certificate chain.
PKCS#12 | A complex format used to store a server private key together with the whole certificate chain.

7.2. PEM to DER

openssl x509 -inform PEM -in server.cer -outform DER -out server.der

7.3. DER to PEM

$ openssl x509 -inform DER -in server.der -outform PEM -out server.pem
Comparison:
after the round trip server.cer -> server.der -> server.pem, the contents of server.cer and server.pem are identical.

7.4. PKCS#12 (PFX) and PEM conversion

See the section on exporting certificates.

8. Exporting certificates

8.1. Export the client key and certificate chain

$ openssl pkcs12 -export -clcerts -name myclient -inkey private/client-key.pem -in certs/client.cer -out certs/client.keystore
Enter pass phrase for private/client-key.pem:
Enter Export Password:
Verifying - Enter Export Password:

Parameters:
pkcs12: work with PKCS#12 format files
-export: perform an export
-clcerts: export only the client certificate; -cacerts exports only CA certificates
-name: alias (friendly name) of the exported certificate
-inkey: path to the certificate's private key
-in: path to the certificate to export
-out: path of the output keystore file

8.2. Export the server key and certificate chain

$ openssl pkcs12 -export -clcerts -name myserver -inkey private/server-key.pem -in certs/server.cer -out certs/server.keystore
Enter pass phrase for private/server-key.pem:
Enter Export Password:
Verifying - Enter Export Password:

8.3. Export the root certificate

$ keytool -importcert -trustcacerts -alias www.mydomain.com -file certs/ca.cer -keystore certs/ca-trust.keystore

Parameters:
-trustcacerts: trust the CA certificates
-alias: alias
-file: path to the root certificate
-keypass: certificate store password
-keystore: path of the keystore to add the certificate to
-storepass: keystore password

Enter keystore password:
Re-enter new password:
Owner: CN=TEST, OU=mygroup, O=TEST, L=HANGZHOU, ST=ZHEJIANG, C=CN
Issuer: CN=TEST, OU=mygroup, O=TEST, L=HANGZHOU, ST=ZHEJIANG, C=CN
Serial number: 70c9bb5bc8d20753dfe044980e35c9c1b4e8fa8a
Valid from: Mon Nov 25 17:06:39 CST 2019 until: Tue Nov 24 17:06:39 CST 2020
Certificate fingerprints:
MD5: DA:8A:0D:8B:BC:EA:DB:78:BB:4F:CD:08:7B:1B:32:F3
SHA1: 3A:4E:C4:FB:C1:87:3B:6D:76:B6:47:38:FC:A5:D8:67:D8:1D:9C:54
SHA256: EC:96:F8:9E:73:8C:AD:F4:89:94:52:BF:71:5B:20:EB:13:D0:C9:10:16:DA:EF:9C:AF:17:E0:1B:C5:EB:A3:00
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: y
Certificate was added to keystore
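
As an added example (not the original post's commands), the root CA, server certificate, format conversion and PKCS#12 steps of sections 3 to 8 as one script whose results are checked. It assumes openssl is on PATH, keeps the post's pass phrase test and subject names, but uses 2048-bit keys and SHA-256 in place of the post's 1024-bit keys and SHA-1; every file it writes is a constructed temporary file.

```shell
#!/bin/sh
# Added example (not the original post's commands): the root CA, server
# certificate, format conversion and PKCS#12 export steps of sections 3 to 8,
# scripted so the results can be checked. Constructed assumptions: pass phrase
# "test" as in the post, 2048-bit keys and SHA-256 in place of 1024-bit/SHA-1.
PASS=test
CA_SUBJ="/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=TEST/OU=mygroup/CN=TEST"
SRV_SUBJ="/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

# Runs in a subshell inside a fresh temp directory; prints "ok" if every check passes.
build_and_check() (
    cd "$(mktemp -d)" || exit 1
    # 3.1-3.4: encrypted CA key, CSR, self-signed root carrying CA:TRUE.
    openssl genrsa -aes256 -passout "pass:$PASS" -out cakey.pem 2048 2>/dev/null || exit 1
    openssl req -new -key cakey.pem -passin "pass:$PASS" -subj "$CA_SUBJ" -out ca.csr || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -days 365 -sha256 -signkey cakey.pem -passin "pass:$PASS" \
        -in ca.csr -extfile ca.ext -out ca.cer 2>/dev/null || exit 1
    # 5.1-5.2: server key (unencrypted, -nodes) and CSR in one step.
    openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem \
        -subj "$SRV_SUBJ" -out server.csr 2>/dev/null || exit 1
    # 5.4: "x509 -req -extensions v3_req" on its own reads no config file, which
    # is why the post's certificates come out as Version 1; use -extfile instead.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >srv.ext
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:myname\n' >>srv.ext
    openssl x509 -req -days 365 -sha256 -CA ca.cer -CAkey cakey.pem -passin "pass:$PASS" \
        -CAcreateserial -in server.csr -extfile srv.ext -out server.cer 2>/dev/null || exit 1
    # Checks: chain validates, leaf is v3 with CA:FALSE, leaf key matches leaf cert.
    openssl verify -CAfile ca.cer server.cer >/dev/null 2>&1 || exit 1
    openssl x509 -in server.cer -noout -text | grep -q 'Version: 3' || exit 1
    openssl x509 -in server.cer -noout -text | grep -q 'CA:FALSE' || exit 1
    [ "$(openssl x509 -in server.cer -noout -pubkey)" = \
      "$(openssl pkey -in server-key.pem -pubout)" ] || exit 1
    # 7.2-7.3: PEM -> DER -> PEM must give back the identical file.
    openssl x509 -in server.cer -outform DER -out server.der || exit 1
    openssl x509 -inform DER -in server.der -outform PEM -out server.pem || exit 1
    cmp -s server.cer server.pem || exit 1
    # 8.2: the post's pkcs12 command bundles only the leaf; -certfile adds the
    # chain, and -passout/-passin replace the interactive prompts.
    openssl pkcs12 -export -name myserver -inkey server-key.pem -in server.cer \
        -certfile ca.cer -passout "pass:$PASS" -out server.p12 || exit 1
    n=$(openssl pkcs12 -in server.p12 -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ] || exit 1
    echo ok
)

build_and_check
```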

9. Problems and solutions

9.1. "bad decrypt" error when generating the client certificate

Symptom:
$ openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem -CAserial ca.srl -in private/client.csr -out certs/client.cer
Signature ok
subject=C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = TEST
Getting CA Private Key
Enter pass phrase for private/cakey.pem:
unable to load CA Private Key
139964182488128:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:570:
139964182488128:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:
Cause: the pass phrase of the root certificate's private key was entered incorrectly.
Solution: enter it again, paying attention to the Caps Lock state of the keyboard.

10. References

《HTTPS权威指南》 (the Chinese edition of Bulletproof SSL and TLS), 1st edition, September 2016, 中国工信出版集团
Blog post: https://yq.aliyun.com/articles/40398
