
OpenSSL HOWTO: certificate generation (translation)

2015-05-09 14:30

Introduction

How you handle certificates depends a great deal on what your role is. Your role can be one or several of:

- User of some client application
- User of some server application
- Certificate authority

Certificates are used differently depending on your role. Your role may be:

- Client
- Server
- Certificate issuer

This file is for users who wish to get a certificate of their own.

Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.

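This document is for users who want to generate a certificate of their own. For the functions and authority of certificates, read the link above (that is, how the various parameters are used).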

In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, /usr/local/ssl/ or somewhere else. By default the file is named openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. You can specify a different configuration file using the ‘-config {file}’ argument with the commands shown below.

All the cases that follow use the standard configuration file, which you will find under /etc/ or /usr/local/ssl/. What this really means is that before using certificates you need to set the parameters, with -config. I did not find openssl.cnf in the paths it gives, but I did find it in the bin folder →_→

Relationship with keys

Certificates are related to public key cryptography by containing a public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private keys, so before you create a certificate or a certificate request, you need to create a private key.

Certificates rely on keys; before generating a certificate, you need to generate a key pair.

Private keys are generated with ‘openssl genrsa -out privkey.pem’ if you want an RSA private key, or if you want a DSA private key: ‘openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem’.

For this step, see http://blog.csdn.net/wpxiaoxue/article/details/45584635

The private keys created by these commands are not passphrase protected; it might or might not be the desirable thing. Further information on how to create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt. The rest of this text assumes you have a private key in the file privkey.pem.

The following steps all assume you have already generated a key pair.

Creating a certificate request

To create a certificate, you need to start with a certificate request (or, as some certificate authorities like to put it, “certificate signing request”, since that’s exactly what they do, they sign it and give you the result back, thus making it authentic according to their policies). A certificate request is sent to a certificate authority to get it signed into a certificate. You can also sign the certificate yourself if you have your own certificate authority or create a self-signed certificate (typically for testing purposes).

The certificate request is created like this:

Generating a certificate requires sending a request to a certificate authority so that they sign the certificate; of course you can also self-sign (testing is usually done this way). Enter the following command:

openssl req -new -key privkey.pem -out cert.csr

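The request file (cert.csr) has now been generated. You can send it to the certificate authority to be signed if they can handle PEM format; otherwise add the -outform argument to the command.

Now, cert.csr can be sent to the certificate authority, if they can handle files in PEM format. If not, use the extra argument ‘-outform’ followed by the keyword for the format to use (see another HOWTO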
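
The key and request steps above can be checked locally before anything is sent to the certificate authority. The following is an added example, not part of the original HOWTO or of this post; the subject /CN=www.example.test, the 2048-bit key size and the function names are assumptions.

```shell
#!/bin/sh
# Added example: create the key and CSR as in the HOWTO, then check the CSR
# before sending it. Subject, key size and function names are assumptions.

umask 077   # files created below (including privkey.pem) are owner-only

# make_csr DIR SUBJECT: writes DIR/privkey.pem and DIR/cert.csr
make_csr() {
    openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/privkey.pem" -subj "$2" -out "$1/cert.csr"
}

# csr_signature_ok CSR: a request is signed with the requester's own key.
# The status text is matched because the exit code alone is not relied on here.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# csr_matches_key KEY CSR: the public key inside the request must be the one
# derived from the private key you intend to keep.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# csr_to_der CSR OUT: for a certificate authority that cannot take PEM
csr_to_der() {
    openssl req -in "$1" -outform DER -out "$2"
}

# Demo in a scratch directory (constructed subject, not a real host)
workdir=$(mktemp -d)
make_csr "$workdir" "/CN=www.example.test" &&
csr_signature_ok "$workdir/cert.csr" &&
csr_matches_key "$workdir/privkey.pem" "$workdir/cert.csr" &&
csr_to_der "$workdir/cert.csr" "$workdir/cert.der" &&
echo "CSR checked: send cert.csr (PEM) or cert.der (DER) from $workdir; privkey.pem stays local"
```

Only the request file leaves the machine; the private key is never part of what the certificate authority needs.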