1.下载OpenSSL的windows版本

32位:openssl-1.0.2a-i386-win32.zip

64位:openssl-1.0.2a-x64_86-win64.zip

下载之后解压即可使用,不过软件缺少配置文件

2.建立配置文件

在解压后的目录, 即openssl.exe所在目录新建配置文件,名为openssl-1.0.2a.cnf,内容如下

# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*

# This definition stops the following lines choking if HOME isn't

# defined.

HOME            = .

RANDFILE        = $ENV::HOME/.rnd

openssl_conf        = openssl_init

[ openssl_init ]

# Extra OBJECT IDENTIFIER info:

#oid_file        = $ENV::HOME/.oid

oid_section        = new_oids

engines            = engine_section

# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions        =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6

####################################################################

[ ca ]

default_ca    = CA_default        # The default ca section

####################################################################

[ CA_default ]

dir        = $ENV::KEY_DIR        # Where everything is kept

certs        = $dir            # Where the issued certs are kept

crl_dir        = $dir            # Where the issued crl are kept

database    = $dir/index.txt    # database index file.

new_certs_dir    = $dir            # default place for new certs.

certificate    = $dir/ca.crt         # The CA certificate

serial        = $dir/serial         # The current serial number

crl        = $dir/crl.pem         # The current CRL

private_key    = $dir/ca.key        # The private key

RANDFILE    = $dir/.rand        # private random number file

x509_extensions    = usr_cert        # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crl_extensions    = crl_ext

default_days    = 3650            # how long to certify for

default_crl_days= 30            # how long before next CRL

default_md    = md5            # use public key default MD

preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy        = policy_anything

# For the CA policy

[ policy_match ]

countryName        = match

stateOrProvinceName    = match

organizationName    = match

organizationalUnitName    = optional

commonName        = supplied

name            = optional

emailAddress        = optional

# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

# types.

[ policy_anything ]

countryName        = optional

stateOrProvinceName    = optional

localityName        = optional

organizationName    = optional

organizationalUnitName    = optional

commonName        = supplied

name            = optional

emailAddress        = optional

####################################################################

[ req ]

default_bits        = 1024

default_keyfile     = privkey.pem

distinguished_name    = req_distinguished_name

attributes        = req_attributes

x509_extensions    = v3_ca    # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for

# input_password = secret

# output_password = secret

# This sets a mask for permitted string types. There are several options.

# default: PrintableString, T61String, BMPString.

# pkix     : PrintableString, BMPString (PKIX recommendation after 2004).

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

# MASK:XXXX a literal mask value.

string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]

countryName            = Country Name (2 letter code)

countryName_default        = CN

countryName_min            = 2

countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)

stateOrProvinceName_default    = LiaoNing

localityName            = Locality Name (eg, city)

localityName_default        = DaLian

0.organizationName        = Organization Name (eg, company)

0.organizationName_default    = KEY_ORG

# we can do this but it is not needed normally :-)

#1.organizationName        = Second Organization Name (eg, company)

#1.organizationName_default    = World Wide Web Pty Ltd

organizationalUnitName        = Organizational Unit Name (eg, section)

#organizationalUnitName_default    =

commonName            = Common Name (eg, your name or your server\'s hostname)

commonName_max            = 64

name                = Name

name_max            = 64

emailAddress            = Email Address

emailAddress_default        = mail@host.domain

emailAddress_max        = 40

# JY -- added for batch mode

organizationalUnitName_default = KEY_OU

commonName_default = KEY_CN

name_default = KEY_NAME

# SET-ex3            = SET extension number 3

[ req_attributes ]

challengePassword        = A challenge password

challengePassword_min        = 4

challengePassword_max        = 20

unstructuredName        = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.

# nsCertType            = server

# For an object signing certificate this would be used.

# nsCertType = objsign

# For normal client use this is typical

# nsCertType = client, email

# and for everything including object signing:

# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.

nsComment            = "Easy-RSA Generated Certificate"

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

extendedKeyUsage=clientAuth

keyUsage = digitalSignature

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# Copy subject details

# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"

basicConstraints=CA:FALSE

nsCertType                     = server

nsComment                      = "Easy-RSA Generated Server Certificate"

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

extendedKeyUsage=serverAuth

keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical

# extensions.

#basicConstraints = critical,CA:true

# So we do this instead.

basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will

# prevent it being used as an test self-signed certificate it is best

# left out by default.

# keyUsage = cRLSign, keyCertSign

# Some might want this also

# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation

# subjectAltName=email:copy

# Copy issuer details

# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!

# obj=DER:02:03

# Where 'obj' is a standard or added object

# You can even override a supported extension:

# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]

#

# If you are using PKCS#11

# Install engine_pkcs11 of opensc (www.opensc.org)

# And uncomment the following

# verify that dynamic_path points to the correct location

#

#pkcs11 = pkcs11_section

[ pkcs11_section ]

engine_id = pkcs11

dynamic_path = /usr/lib/engines/engine_pkcs11.so

MODULE_PATH = changeme

PIN = 1234

init = 0

3.初始化一些参数

cmd切换到openssl目录,执行以下初始化内容

初始化内容包括,建立keys文件夹,生成index.txt空文本文件,生成serial文件内容为01

rmdir /s /q keys

mkdir keys

copy /Y nul keys\index.txt

echo 01 >keys\serial

SET HOME=.

SET KEY_DIR=keys

4.生成ca证书

这一步生成了2个文件:ca.key为CA的私钥文件,ca.crt为CA的证书文件,这两个文件后面的证书签名做准备

openssl req -days 3650 -nodes -new -x509 -keyout keys\ca.key -out keys\ca.crt -config openssl-1.0.2a.cnf

5.生成服务端证书

生成服务器证书请求文件和服务器私钥

openssl req -days 3650 -nodes -new -keyout keys\server.key -out keys\server.csr -config openssl-1.0.2a.cnf

CA签名

openssl ca -days 3650 -out keys\server.crt -in keys\server.csr -extensions server -config openssl-1.0.2a.cnf

清除.old文件防止将来创建文件出现错误

del /q keys\*.old

6.生成客户端证书

生成客户端证书请求文件和客户端私钥

openssl req -days 3650 -nodes -new -keyout keys\client.key -out keys\client.csr -config openssl-1.0.2a.cnf

CA签名

openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl-1.0.2a.cnf

清除.old文件防止将来创建文件出现错误

del /q keys\*.old

生成的证书文件都在keys文件夹中

笔者生成的证书下载:http://download.csdn.net/detail/gsls200808/8697633

Widows下利用OpenSSL生成证书的更多相关文章

  1. Linux下使用openssl生成证书

    利用OpenSSL生成库和命令程序,在生成的命令程序中包括对加/解密算法的测试,openssl程序,ca程序.利用openssl,ca可生成用于C/S模式的证书文件以及CA文件. 参考:http:// ...

  2. 如何利用OpenSSL生成证书

    此文已由作者赵斌授权网易云社区发布. 欢迎访问网易云社区,了解更多网易技术产品运营经验. 一.前言 最近为了测试内容分发网络(Content Delivery Network,简称 CDN)添加的新功 ...

  3. 【本地服务器】利用openssl生成证书

    (一)下载openssl软件,解压,进入bin目录 下载地址 (二)1.在当前bin目录,按住shift键右击,选择"在此处打开命令窗口" 2.打开cmd命令窗口之后,在窗口中输入 ...

  4. linux下利用openssl来实现证书的颁发(详细步骤)--转载和修改

    原文地址:http://www.cnblogs.com/firtree/p/4028354.html linux下利用openssl来实现证书的颁发(详细步骤) 1.首先需要安装openssl,一个开 ...

  5. linux下利用openssl来实现证书的颁发(详细步骤)

    1.首先需要安装openssl,一个开源的实现加解密和证书的专业系统.在centos下可以利用yum安装. 2.openssl的配置文件是openssl.cnf,我们一般就是用默认配置就可以.如果证书 ...

  6. 利用openssl管理证书及SSL编程第1部分: openssl证书管理

    利用openssl管理证书及SSL编程第1部分 参考:1) 利用openssl创建一个简单的CAhttp://www.cppblog.com/flyonok/archive/2010/10/30/13 ...

  7. 使用OpenSSL生成证书

    使用OpenSSL生成证书 下载安装openssl,进入/bin/下面,执行命令(把ssl目录下的openssl.cnf 拷贝到bin目录下)1.首先要生成服务器端的私钥(key文件):openssl ...

  8. Golang(十一)TLS 相关知识(二)OpenSSL 生成证书

    0. 前言 接前一篇文章,上篇文章我们介绍了数字签名.数字证书等基本概念和原理 本篇我们尝试自己生成证书 参考文献:TLS完全指南(二):OpenSSL操作指南 1. OpenSSL 简介 OpenS ...

  9. Windows 下使用OpenSSL生成RSA公钥和私钥

    Windows 下使用OpenSSL生成RSA公钥和私钥 (1)下载OpenSSL 可到该地址下载OpenSSL: https://www.openssl.org/source/(https://ww ...

随机推荐

  1. vue + axios---封装一个http请求

    在使用vue开发时,官方推荐使用axios来请求接口 // axios官方地址 https://github.com/axios/axios 但是axios并不像 vue-resource 一样拥有i ...

  2. 【js】【vue】获取当前dom层

    多层嵌套,$event.currentTarget 指当前点击层

  3. OpenCV编译 Make出错 recipe for target 'modules/imgproc/CMakeFiles/opencv_test_imgproc.dir/all' failed

    OpenCV编译  Make出错 recipe for target 'modules/imgproc/CMakeFiles/opencv_test_imgproc.dir/all' failed 添 ...

  4. GoF23种设计模式之结构型模式之组合模式

    一.概述 将对象组合成树型结构以表示“部分--整体”的层次关系.组合模式使得用户对单个对象和组合对象的使用具有一致性. 二.适用性 1.你想表示对象的部分--整体层次结构的时候. 2.你希望用户忽略组 ...

  5. redis的字符串操作以及在django中的使用

    redis ----redis.MongoDB : 非关系型数据库 redis   存储在内存中 MongoDB 存储在硬盘中 l  简介 redis是一个key-value存储系统 , 支持持久化 ...

  6. 20个必不可少的Python库也是基本的第三方库

    个属于我常用工具的Python库,我相信你看完之后也会觉得离不开它们.他们是: Requests.Kenneth Reitz写的最富盛名的http库.每个Python程序员都应该有它. Scrapy. ...

  7. CodeForces - 948C Producing Snow(优先队列)

    题意: n天. 每天你会堆一堆雪,体积为 v[i].每天都有一个温度 t[i] 所有之前堆过的雪在第 i 天体积都会减少 t[i] . 输出每天融化了的雪的体积. 这个题的正解我怎么想都很难理解,但是 ...

  8. debian使用sudo

    debian默认没有sudo ,在命令前无法使用sudo #切换到根用户$ su 输入根用户密码 # apt-get install sudo # nano /etc/sudoers 文件的 User ...

  9. <原创>在PE最后一节中插入补丁程序(附代码)

    完整文件  http://files.cnblogs.com/Files/Gotogoo/在PE最后一节中插入补丁程序.zip 在PE文件最后一节中插入补丁程序,是最简单也是最有效的一种,因为PE最后 ...

  10. CF 219 D:Choosing Capital for Treeland(树形dp)

    D. Choosing Capital for Treeland 链接:http://codeforces.com/problemset/problem/219/D   The country Tre ...