openssl生成ecdsa和rsa证书方法

本文主要讲述使用openssl来生成ecdsa证书和RSA证书。

首先在openssl官网上下载openssl源码，然后进行编译安装。

这个过程本文不进行讲解。默认你的系统中已经安装好了openssl。

但是需要使用下载的源码。

本文中的代码等都是实测可用的。使用平台是linux，版本是ubuntu14.04

下面开始正文。

 

以下linux命令均在root用户下完成。

1、首先要创建一个CA

创建CA的方法是进去openssl的源码目录下的app/文件夹下。然后输入创建CA命令：

root@mzq-desktop:/home/mzq# cd Desktop/openssl-1.0.1j_mzq1/apps/
root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# sh CA.sh -newca

2、生成RSA密钥

生成rsa密钥使用命令openssl genrsa

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.........................+++
e is 65537 (0x10001)

3、生成ECDSA密钥

生成ecdsa密钥使用命令openssl ecparam

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ecparam -name secp384r1 -genkey -out server-ecc.key

3、生成证书请求

生成证书请求使用命令openssl req

RSA证书请求：

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dcs
Organizational Unit Name (eg, section) []:dcs
Common Name (e.g. server FQDN or YOUR name) []:mzq
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

ECDSA证书请求：

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl req -new -key server-ecc.key -out server-ecc.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dcs
Organizational Unit Name (eg, section) []:dcs
Common Name (e.g. server FQDN or YOUR name) []:mzq
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

4、签发证书

签发证书使用openssl ca命令

RSA证书：

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ca -in server.csr -out server.crt -days 3650
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (CN)

ECDSA证书：

root@mzq-desktop:/home/mzq/Desktop/openssl-1.0.1j_mzq1/apps# openssl ca -in server-ecc.csr -out server-ecc.crt -days 3650
Using configuration from /usr/local/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (AU) and the request (CN)

这样，证书就申请成功了。可以对证书进行使用。