Quickly generating an ordinary SSL certificate

openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 3650 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com" -addext "extendedKeyUsage = serverAuth, clientAuth" -addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/" -extensions v3_req -sha384

req  #from the OpenSSL manual: PKCS#10 certificate request and certificate generating utility
-newkey rsa:2048  #generate a new 2048-bit RSA key
-nodes #do not encrypt the key with a passphrase; remove this flag to be prompted for one
-keyout ssl.key #write the private key to this file
-x509 #create a self-signed certificate; remove this flag to create a certificate signing request (CSR) instead
-days 3650 #validity period, used when creating a certificate; not needed for a CSR
-out ssl.crt #write the certificate to this file
-subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com" #the subject (the entity the certificate is issued to)
-addext "extendedKeyUsage = serverAuth, clientAuth" #add an extension allowing TLS server authentication and client authentication. Possible values:
Value                  Meaning
-----                  -------
serverAuth             SSL/TLS Web Server Authentication.
clientAuth             SSL/TLS Web Client Authentication.
codeSigning            Code signing.
emailProtection        E-mail Protection (S/MIME).
timeStamping           Trusted Timestamping.
OCSPSigning            OCSP Signing.
ipsecIKE               IPsec Internet Key Exchange.
msCodeInd              Microsoft Individual Code Signing (Authenticode).
msCodeCom              Microsoft Commercial Code Signing (Authenticode).
msCTLSign              Microsoft Trust List Signing.
msEFS                  Microsoft Encrypted File System.

-addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/" #SAN, commonly called a multi-domain certificate
The name types allowed in a SAN are email (an email address), URI (a uniform resource identifier), DNS (a DNS domain name), RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name) and otherName.

-addext "keyUsage=digitalSignature, nonRepudiation" #restrict what the key may be used for
The supported names are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.

-extensions v3_req #constrains how the certificate may be used; the v3_req section of the default openssl.cnf is an end-entity profile: basicConstraints = CA:FALSE, keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-sha384 #use SHA-384 as the digest algorithm when signing
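As an added example (not part of the original post), the same kind of self-signed end-entity certificate is generated from a constructed minimal openssl config so that the v3_req profile is explicit, and the decoded certificate is then checked to confirm the extensions actually landed. The organisation, SAN names and IP address are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build a self-signed end-entity
# certificate like the page's from a constructed minimal openssl config, then
# verify that the extensions really ended up in the certificate.
set -eu
WORKDIR=$(mktemp -d)

# Constructed config. v3_req mirrors the end-entity profile of the stock
# openssl.cnf; without "-extensions v3_req" the stock x509_extensions section
# (v3_ca) would mark the self-signed certificate CA:TRUE instead.
cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF

# Key + self-signed cert. SAN and EKU are added on the command line as on the
# page; subject, names and IP (192.0.2.10, documentation range) are placeholders.
gen_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/ssl.key" \
    -x509 -days 3650 -out "$WORKDIR/ssl.crt" \
    -config "$WORKDIR/req.cnf" -extensions v3_req -sha384 \
    -subj "/C=CN/ST=GD/L=GZ/O=Example/OU=IT/CN=*.example.com" \
    -addext "extendedKeyUsage = serverAuth, clientAuth" \
    -addext "subjectAltName = DNS:*.example.com, DNS:example.com, IP:192.0.2.10" \
    2>/dev/null
}

# Decoded certificate; the checks below grep it.
cert_text() { openssl x509 -in "$WORKDIR/ssl.crt" -noout -text; }

# Succeeds when the certificate is an end-entity certificate (CA:FALSE).
is_end_entity() { cert_text | grep -q 'CA:FALSE'; }

# Succeeds when the decoded certificate contains the literal fragment $1
# (a SAN entry, an EKU name, the signature algorithm, ...).
cert_has() { cert_text | grep -qF -- "$1"; }

# One PASS/FAIL line per check; stop at the first failure.
check() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; exit 1; fi; }

gen_cert
check is_end_entity
check cert_has 'DNS:*.example.com'
check cert_has 'IP Address:192.0.2.10'
check cert_has 'TLS Web Server Authentication'
check cert_has 'sha384WithRSAEncryption'
```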
