系统相关
首页 > 系统相关> > Windows 生成双向认证的自签证书(本地测试使用)

Windows 生成双向认证的自签证书(本地测试使用)

作者:互联网

生成服务端证书与客户端证书

1. 生成根证书

   根证书(Root Certificate)是属于根证书颁发机构(CA)的公钥证书。用来验证它所签发的证书(服务端、客户端)

(1)打开openssl

        执行openssl

(2)生成根证书私钥文件

        执行 genrsa -out ca.key 2048,生成ca.key私钥文件

(3)生成根证书公钥文件

        执行 req -new -x509 -days 3650 -key ca.key -out ca.pem ,生成ca.pem公钥文件

        注:此步骤生成时Common Name填写localhost

以上执行命令如下所示:

#(1)打开openssl
E:\Program Files\OpenSSL-Win64\bin>openssl

#(2)生成根证书私钥文件
OpenSSL> genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
......................................................................................+++++
e is 65537 (0x010001)

#(3)生成根证书公钥文件
OpenSSL> req -new -x509 -days 3650 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

2. 生成服务端证书

(1)生成服务端私钥文件

        执行 genrsa -out server.key 2048 ,生成server.key私钥文件

(2)请求创建服务端证书

        执行 req -new -key server.key -out server.csr ,生成server.csr证书文件

        若出现以下错误,打开一个新窗囗再执行命令              注:此步骤生成时Common Name填写localhost

(3)生成服务端公钥文件

        执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem ,根据server.csr签发生成server.pem公钥文件

以上执行命令如下所示:

E:\Program Files\OpenSSL-Win64\bin>openssl

#(1)生成服务端私钥文件
OpenSSL> genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
.............+++++
e is 65537 (0x010001)

#(2)请求创建服务端证书
OpenSSL> req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#(3)生成服务端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key

3. 生成客户端证书

(1)生成客户端私钥文件

        执行 ecparam -genkey -name secp384r1 -out client.key ,生成client.key私钥文件

(2)请求创建客户端证书

        执行 req -new -key client.key -out client.csr ,生成client.csr证书文件

        注:此步骤生成时Common Name填写localhost

(3)生成客户端公钥文件

        执行 x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem,根据client.csr签发生成client.pem公钥文件

以上执行命令如下所示:

E:\Program Files\OpenSSL-Win64\bin>openssl

#(1)生成客户端私钥文件
OpenSSL> ecparam -genkey -name secp384r1 -out client.key

#(2)请求创建客户端证书
OpenSSL> req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tracy
Organizational Unit Name (eg, section) []:tracy
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#(3)生成客户端公钥文件
OpenSSL> x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in client.csr -out client.pem
Signature ok
subject=C = cn, ST = beijing, L = beijing, O = tracy, OU = tracy, CN = localhost
Getting CA Private Key

参考视频:

go语言grpc框架实战_哔哩哔哩_bilibili

标签:Name,Windows,ca,server,key,签证,认证,生成,out
来源: https://blog.csdn.net/ling1998/article/details/122054367