openssl HOWTO: certificate generation -- translation
2015-05-09 14:30
Introduction
How you handle certificates depends a great deal on what your role is. Your role can be one or several of:
User of some client application
User of some server application
Certificate authority
Different roles use certificates differently. Your role may be:
- Client
- Server
- Certificate issuer
This file is for users who wish to get a certificate of their own.
Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
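This document is for users who want to generate a certificate of their own. For certificate functions and permissions, read the link above (that is, how the various parameters are used).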
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
‘-config {file}’ argument with the commands shown below.
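The cases that follow all use the standard configuration file, which you will find under /etc/ or /usr/local/ssl/. What this really means is that using certificates requires setting parameters first, with -config. I did not find openssl.cnf in the paths he gave, but I did find it in the bin folder →_→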
Relationship with keys
Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key somewhere. With OpenSSL, public keys are easily derived from private keys, so before you create a certificate or a certificate request, you need to create a private key.
A certificate depends on a key: before generating a certificate, you need to generate a key pair.
Private keys are generated with ‘openssl genrsa -out privkey.pem’ if you want a RSA private key, or if you want a DSA private key:
‘openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem’.
For this step, see
http://blog.csdn.net/wpxiaoxue/article/details/45584635
The private keys created by these commands are not passphrase protected; it might or might not be the desirable thing. Further information on how to create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt. The rest of this text assumes you have a private key in the file privkey.pem.
The following steps all assume you have already generated a key pair.
Creating a certificate request
To create a certificate, you need to start with a certificate request
(or, as some certificate authorities like to put it, “certificate
signing request”, since that’s exactly what they do, they sign it and
give you the result back, thus making it authentic according to their policies). A certificate request is sent to a certificate authority
to get it signed into a certificate. You can also sign the certificate
yourself if you have your own certificate authority or create a
self-signed certificate (typically for testing purposes).
The certificate request is created like this:
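Generating a certificate requires sending a request to a certificate authority so that they sign the certificate. Of course, you can also self-sign (this is typical for testing). Enter the following command: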
openssl req -new -key privkey.pem -out cert.csr
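At this point the certificate request has been generated. You can send it to a certificate authority to be signed if they can handle PEM format; otherwise add the -outform argument to the command.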
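Before cert.csr leaves your machine, it is worth confirming that its self-signature verifies, that it was built from privkey.pem and not some other key, and whether the key file is passphrase protected. The script below is an added example, not part of the HOWTO or of the original post; it assumes openssl is on PATH, and the function names and the subject /CN=example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO). Assumes openssl is on PATH.
# Function names and the subject /CN=example.test are constructed placeholders.

# Generate an unencrypted RSA key and a CSR for it, as the HOWTO's commands do.
make_key_and_csr() {            # $1 = key file, $2 = CSR file
    # umask 077 keeps the key unreadable by other users on any openssl version.
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1" -subj "/CN=example.test" -out "$2"
}

# Succeeds only if the key file is passphrase protected.
# Covers both PEM layouts: PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and the
# traditional format ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {            # $1 = key file
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Succeeds only if the CSR's self-signature verifies AND the public key in the
# CSR equals the public key derived from the given private key.
csr_matches_key() {             # $1 = CSR file, $2 = key file
    # Some openssl versions exit 0 even when verification fails,
    # so match the "verify OK" message instead of trusting the exit code.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_key_and_csr "$dir/privkey.pem" "$dir/cert.csr" || return 1
    if key_is_encrypted "$dir/privkey.pem"; then echo "key: passphrase protected"
    else echo "key: NOT passphrase protected"; fi
    if csr_matches_key "$dir/cert.csr" "$dir/privkey.pem"; then echo "CSR: OK to send"
    else echo "CSR: does not match privkey.pem"; fi
    rm -rf "$dir"
}

demo
```
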
Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format. If not, use the extra argument ‘-outform’ followed by the keyword for the format to use (see another HOWTO