1. Download the Windows build of OpenSSL

32-bit: openssl-1.0.2a-i386-win32.zip

64-bit: openssl-1.0.2a-x64_86-win64.zip

After downloading, simply unzip the archive and it is ready to use; however, the package does not ship with a configuration file.

2. Create the configuration file

In the unzipped directory (the one containing openssl.exe), create a new configuration file named openssl-1.0.2a.cnf with the following contents:

# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
openssl_conf    = openssl_init

[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids
engines         = engine_section

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = $ENV::KEY_DIR         # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dir                  # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir                  # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/ca.key           # The private key
RANDFILE        = $dir/.rand            # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca         # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = LiaoNing

localityName                    = Locality Name (eg, city)
localityName_default            = DaLian

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = KEY_ORG

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

name                            = Name
name_max                        = 64

emailAddress                    = Email Address
emailAddress_default            = mail@host.domain
emailAddress_max                = 40

# JY -- added for batch mode
organizationalUnitName_default  = KEY_OU
commonName_default              = KEY_CN
name_default                    = KEY_NAME

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "Easy-RSA Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType                      = server
nsComment                       = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = changeme
PIN = 1234
init = 0

3. Initialize some parameters

Open cmd, change to the openssl directory and run the following initialization commands.

Initialization consists of creating the keys folder, creating an empty index.txt text file, and creating a serial file whose content is 01.

rmdir /s /q keys
mkdir keys
copy /Y nul keys\index.txt
echo 01 >keys\serial
SET HOME=.
SET KEY_DIR=keys

4. Generate the CA certificate

This step produces two files: ca.key is the CA's private key and ca.crt is the CA's certificate; both are needed for the certificate signing in the steps that follow.

openssl req -days 3650 -nodes -new -x509 -keyout keys\ca.key -out keys\ca.crt -config openssl-1.0.2a.cnf

5. Generate the server certificate

Generate the server certificate request file and the server private key

openssl req -days 3650 -nodes -new -keyout keys\server.key -out keys\server.csr -config openssl-1.0.2a.cnf

Sign it with the CA

openssl ca -days 3650 -out keys\server.crt -in keys\server.csr -extensions server -config openssl-1.0.2a.cnf

Remove the .old files so that later file creation does not fail

del /q keys\*.old

6. Generate the client certificate

Generate the client certificate request file and the client private key

openssl req -days 3650 -nodes -new -keyout keys\client.key -out keys\client.csr -config openssl-1.0.2a.cnf

Sign it with the CA

openssl ca -days 3650 -out keys\client.crt -in keys\client.csr -config openssl-1.0.2a.cnf

Remove the .old files so that later file creation does not fail

del /q keys\*.old

All generated certificate files are in the keys folder.
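The following batch file is an added example, not part of the original post: it runs steps 3 to 6 unattended and then checks what was produced, namely that server.crt and client.crt chain to ca.crt and carry the extensions from the [ server ] and [ usr_cert ] sections. It also flags two settings in the configuration above that current TLS stacks reject: default_md = md5 in [ CA_default ] makes openssl ca sign with md5WithRSAEncryption, and default_bits = 1024 in [ req ] produces 1024-bit RSA keys. It assumes openssl.exe and openssl-1.0.2a.cnf are in the current directory; the -subj values are constructed placeholders.

```batch
@echo off
REM Added example (not from the original post). Runs steps 3-6 of the
REM procedure unattended, then verifies the output. Assumes openssl.exe and
REM openssl-1.0.2a.cnf are in the current directory; DN values are placeholders.
setlocal
set HOME=.
set KEY_DIR=keys
set CNF=openssl-1.0.2a.cnf
set DN=/C=CN/ST=LiaoNing/L=DaLian/O=KEY_ORG

REM Step 3: fresh CA database (empty index.txt, serial starts at 01)
if exist keys rmdir /s /q keys
mkdir keys
copy /Y nul keys\index.txt >nul
echo 01 >keys\serial

REM Step 4: self-signed CA; -batch skips the prompts from [ req_distinguished_name ]
openssl req -batch -days 3650 -nodes -new -x509 -subj "%DN%/CN=Example-CA" -keyout keys\ca.key -out keys\ca.crt -config %CNF% || goto fail

REM Step 5: server key + CSR, signed with the [ server ] extension section
openssl req -batch -days 3650 -nodes -new -subj "%DN%/CN=server" -keyout keys\server.key -out keys\server.csr -config %CNF% || goto fail
openssl ca -batch -days 3650 -out keys\server.crt -in keys\server.csr -extensions server -config %CNF% || goto fail

REM Step 6: client key + CSR, signed with the default [ usr_cert ] extensions
openssl req -batch -days 3650 -nodes -new -subj "%DN%/CN=client" -keyout keys\client.key -out keys\client.csr -config %CNF% || goto fail
openssl ca -batch -days 3650 -out keys\client.crt -in keys\client.csr -config %CNF% || goto fail
del /q keys\*.old 2>nul

REM Check 1: both issued certificates must chain to ca.crt
openssl verify -CAfile keys\ca.crt keys\server.crt || goto fail
openssl verify -CAfile keys\ca.crt keys\client.crt || goto fail

REM Check 2: server cert is serverAuth and CA:FALSE, client cert is clientAuth
openssl x509 -in keys\server.crt -noout -text | findstr /C:"TLS Web Server Authentication" >nul || goto fail
openssl x509 -in keys\server.crt -noout -text | findstr /C:"CA:FALSE" >nul || goto fail
openssl x509 -in keys\client.crt -noout -text | findstr /C:"TLS Web Client Authentication" >nul || goto fail

REM Check 3: default_md = md5 and default_bits = 1024 in the cnf mean 'openssl ca'
REM emits MD5 signatures over 1024-bit keys; current TLS stacks reject both,
REM so report them instead of shipping the certificates silently.
openssl x509 -in keys\server.crt -noout -text | findstr /C:"md5WithRSAEncryption" >nul && echo WARNING: MD5 signature - set default_md = sha256 in [ CA_default ]
openssl x509 -in keys\server.crt -noout -text | findstr /C:"(1024 bit)" >nul && echo WARNING: 1024-bit key - set default_bits = 2048 in [ req ]
echo OK: keys\ca.crt, keys\server.crt and keys\client.crt verified
exit /b 0

:fail
echo FAILED
exit /b 1
```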

The certificates generated by the author can be downloaded from: http://download.csdn.net/detail/gsls200808/8697633
