SSL Basics: 11: Creating a self-signed certificate with the req subcommand

Published: 2019-12-11 05:03:23

This article walks through a concrete example: it creates a CA private key and a certificate signing request (CSR), then uses that private key to sign the CSR and produce a certificate.

Step 1: Create the CA private key

Create the CA private key. Here we simply generate the default 2048-bit RSA private key with the following command:

[root@liumiaocn ~]# mkdir certificate
[root@liumiaocn ~]# cd certificate/
[root@liumiaocn certificate]# openssl genrsa -out ca.key
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................+++++
...................+++++
e is 65537 (0x010001)
[root@liumiaocn certificate]# ls
ca.key
[root@liumiaocn certificate]#

The file named ca.key is in PEM format.

[root@liumiaocn certificate]# cat ca.key 
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@liumiaocn certificate]#
Step 2: Create the certificate signing request

A CSR (certificate signing request) file is required to create a certificate and can be generated with the openssl req command. For this example, create it with the following command:

Command: openssl req -new -key ca.key -out request.csr -nodes

Option descriptions:

  • -new: create a request
  • -key: the private key to use
  • -out: the name of the CSR file to create
[root@liumiaocn certificate]# openssl req -new -key ca.key -out request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:LiaoNing
Locality Name (eg, city) []:DaLian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:devops
Organizational Unit Name (eg, section) []:unicorn
Common Name (e.g. server FQDN or YOUR name) []:devops.com
Email Address []:liumiaocn@outlook.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@liumiaocn certificate]#
Step 3: Verify the integrity of the CSR

The -verify option checks the integrity of the CSR file. An example run is shown below; if it prints verify OK, the CSR's own signature checks out, i.e. the file has not been altered since it was signed.

[root@liumiaocn certificate]# openssl req -verify -in request.csr -noout
verify OK
[root@liumiaocn certificate]# 
[root@liumiaocn certificate]# openssl req -verify -in request.csr 
verify OK
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
[root@liumiaocn certificate]#
Step 4: Create the self-signed certificate

We first created an RSA private key, then used it to create the CSR. Now the same private key can be used to sign that CSR and issue a self-signed certificate with a specified validity period:

Command: openssl req -x509 -key ca.key -in request.csr -out cert-test.crt -days 3650

Option descriptions:

  • -x509: generate a self-signed certificate instead of a CSR
  • -key: the private key to use
  • -in: the CSR file to use
  • -out: the name of the certificate file to create
  • -days: the validity period of the certificate
[root@liumiaocn certificate]# ls
ca.key  request.csr
[root@liumiaocn certificate]# openssl req -x509 -key ca.key -in request.csr -out cert-test.crt -days 3650
[root@liumiaocn certificate]# ls
ca.key  cert-test.crt  request.csr
[root@liumiaocn certificate]#

The contents of the generated self-signed certificate can be checked directly with cat:

[root@liumiaocn certificate]# cat cert-test.crt 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@liumiaocn certificate]#

View the certificate's issuer information and public key:

liumiaocn:certificate liumiao$ openssl x509 -in cert-test.crt -noout -issuer
issuer= /C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com/emailAddress=liumiaocn@outlook.com
liumiaocn:certificate liumiao$ openssl x509 -in cert-test.crt -noout -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7/xpeNHhriv90etyh5E
ahunygyWRz79YWbJlbx6Kv/1N6r+vcLTDGrWffaSsJ+iouq9cuZvz87NNvJShYGJ
wGPDNXv/YjGKMc/6pAkF2JlF72SkmbRLHD229N1pg/SMqqwbnVcvMgCR4+XA3mJK
4OWPpVSVdteCvaCoIOakN81sbgHIEwClX0GPzN29L+g5ERAEc4Tj3Skyo0aXTm97
OGyqq1hiP7xqR2uqAddrP4H+I9pnPo/4yDhwu69FKGwa9a3j0faEqtMCFfDKPnaq
vlTJHBwol1BnZOVJvAWFXn1Og6zwBZDl1W8lFOK4lZbi4I2XLSbzQfNUehoHOK8O
EQIDAQAB
-----END PUBLIC KEY-----
liumiaocn:certificate liumiao$

Use the rsa subcommand to extract the public key from the signing private key; the extracted key is exactly the public key contained in the generated certificate cert-test.crt:

liumiaocn:certificate liumiao$ openssl rsa -in ca.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx7/xpeNHhriv90etyh5E
ahunygyWRz79YWbJlbx6Kv/1N6r+vcLTDGrWffaSsJ+iouq9cuZvz87NNvJShYGJ
wGPDNXv/YjGKMc/6pAkF2JlF72SkmbRLHD229N1pg/SMqqwbnVcvMgCR4+XA3mJK
4OWPpVSVdteCvaCoIOakN81sbgHIEwClX0GPzN29L+g5ERAEc4Tj3Skyo0aXTm97
OGyqq1hiP7xqR2uqAddrP4H+I9pnPo/4yDhwu69FKGwa9a3j0faEqtMCFfDKPnaq
vlTJHBwol1BnZOVJvAWFXn1Og6zwBZDl1W8lFOK4lZbi4I2XLSbzQfNUehoHOK8O
EQIDAQAB
-----END PUBLIC KEY-----
liumiaocn:certificate liumiao$
Method 2: generate in one step

Combining -x509 with -new generates the certificate directly, producing both the private key and the final certificate file in one command.

liumiaocn:certificate liumiao$ ls
liumiaocn:certificate liumiao$ openssl req -x509 -new -keyout ca.key -out cert-test.crt -days 365 -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a 2048 bit RSA private key
.........+++
...+++
writing new private key to 'ca.key'
-----
liumiaocn:certificate liumiao$ ls
ca.key		cert-test.crt
liumiaocn:certificate liumiao$

Whether generated step by step or in one step, the certificate is self-signed, i.e. the issuer and subject are identical:

liumiaocn:certificate liumiao$ openssl x509 -in cert-test.crt -noout -issuer
issuer= /C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com
liumiaocn:certificate liumiao$ openssl x509 -in cert-test.crt -noout -subject
subject= /C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com
liumiaocn:certificate liumiao$
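The two flows described above (steps 1 to 4, and the one-step form of Method 2), run non-interactively, as an added example that is not part of the original post. It assumes the openssl CLI is on PATH; the work directory, the file names and the -subj value are constructed for the example, and -subj replaces the interactive DN prompts. Beyond the post's own checks (CSR -verify, public key from key versus certificate, issuer versus subject) it adds one more that a practitioner wants before trusting such a certificate: verifying the certificate against itself with openssl verify, which is what a self-signed certificate used as a trust anchor must pass.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# Work directory, file names and the subject below are constructed values.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Constructed subject; -subj replaces the interactive DN prompts of the post.
SUBJ="/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"

# Method 1: private key -> CSR -> self-signed certificate (steps 1 to 4).
# Prints the directory holding ca.key, request.csr and cert-test.crt.
two_step() {
    dir="$WORKDIR/two-step"
    mkdir -p "$dir" || return 1
    # Step 1: 2048-bit RSA private key, PEM encoded.
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1 || return 1
    # Step 2: CSR signed with that key (-subj instead of the prompts).
    openssl req -new -key "$dir/ca.key" -subj "$SUBJ" \
        -out "$dir/request.csr" >/dev/null 2>&1 || return 1
    # Step 3: the CSR carries its own signature; -verify exits non-zero if it fails.
    openssl req -verify -in "$dir/request.csr" -noout >/dev/null 2>&1 || return 1
    # Step 4: sign the CSR with the same key for a 10-year self-signed certificate.
    openssl req -x509 -key "$dir/ca.key" -in "$dir/request.csr" \
        -out "$dir/cert-test.crt" -days 3650 >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Method 2: -x509 -new with -keyout produces key and certificate in one call.
# -newkey makes the key size explicit; -nodes leaves the key unencrypted.
one_step() {
    dir="$WORKDIR/one-step"
    mkdir -p "$dir" || return 1
    openssl req -x509 -new -newkey rsa:2048 -keyout "$dir/ca.key" \
        -out "$dir/cert-test.crt" -days 365 -nodes -subj "$SUBJ" >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Checks the post's observations on a directory holding ca.key and cert-test.crt:
# the certificate's public key equals the one derived from the private key,
# issuer equals subject, and the certificate verifies against itself.
check_self_signed() {
    dir="$1"
    key_pub=$(openssl rsa -in "$dir/ca.key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$dir/cert-test.crt" -noout -pubkey) || return 1
    [ "$key_pub" = "$cert_pub" ] || { echo "public key mismatch" >&2; return 1; }
    issuer=$(openssl x509 -in "$dir/cert-test.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$dir/cert-test.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "issuer differs from subject" >&2; return 1; }
    # A self-signed certificate is its own trust anchor, so it must verify
    # when it is also the only entry in the CA file.
    openssl verify -CAfile "$dir/cert-test.crt" "$dir/cert-test.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself" >&2; return 1; }
    echo "$dir/cert-test.crt: self-signed, key matches, issuer equals subject"
}

# Runs both flows and the checks; returns non-zero on the first failure.
run_all() {
    d1=$(two_step) && check_self_signed "$d1" || return 1
    d2=$(one_step) && check_self_signed "$d2" || return 1
}
```

Save the script, source it and call run_all (for example `sh -c '. ./selfsign.sh && run_all'`); set WORKDIR to keep the generated files somewhere other than a temporary directory. The post's "-nodes" only matters when req generates the key itself (Method 2); in Method 1 the key already exists, so the option has no effect there.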