Environmental Science ：
OpenSSL：3.0.4

1. secret key

1.1 establish RSA Private key

Use openssl genrsa

#  Generate 1024 Bit private key , Output to console 
openssl genrsa 1024

#  Generate 2048 Bit private key , Save to server.key In file 
openssl genrsa -out server.key 2048

#  Generate 2048 Private key with encryption ( Enter the password interactively ), Save to server_passphrase.key In file 
openssl genrsa -out server_passphrase.key -des3 2048

• -out: Output the private key to the specified file , If not, it will be output to the console
• 2048: Generate 2048 Bit of private key
• -des3: Generate encrypted private key

1.2 Use RSA Private key generates public key

#  If it is an encrypted private key , You need to enter the private key password interactively 
openssl rsa -in server.key -pubout -out server_public.key

• -in: Import private key file
• -pubout: Output public key
• -out: Save the output public key to the specified file

1.3 View key

1.3.1 View private key

openssl rsa -in server.key -text

1.3.2 View public key

openssl rsa  -RSAPublicKey_in -in server_public.key -text

2. Certificate request file

With the private key , I can create Certificate Signing Request（csr, Certificate request file ）. Use the private key pair csr Conduct sign( Signature ), meanwhile csr Contains the public key corresponding to the private key

2.1 Use the existing private key to create csr

2.1.1 Use interactive mode

Use openssl req

#  Use private key server.key Generate in interactive mode csr,
openssl req -new -key server.key -out server.csr

• Generally speaking , When interacting, directly knock enter Just go , Indicates use default ; If you want some fields to be empty , You can enter . Knock again enter
• -new: Generate a new csr
• -key: Use the specified private key for signing , meanwhile csr It will contain the public key corresponding to the private key
• -out: The generated csr Save to the specified file

2.1.2 Use profile

New configuration file csr.cnf

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
input_password = tian   #  Password to encrypt the private key 

[dn]
CN = www.feistyduck.com # Common Name  Common name , Usually the website host name 
emailAddress = [email protected]
O = Feisty Duck Ltd     # Organization  organization 
L = London              # Locality  home 
C = GB                  # Country  Country , Such as China ：CN

[ext]
subjectAltName = DNS:www.feistyduck.com,DNS:feistyduck.com 

Add ：

• http://www.sina.com.cn/ For example ,http Is the protocol used for communication ,sina.com.cn Is the domain name ,www Is the name of the machine that provides the service （ Server name ）, Server name + The domain name is the host name , namely www.sina.com.cn It's the host name
• subjectAltName(X.509 Expanding SAN), If only CN, Then a certificate usually corresponds to only one hostname , If you want to use a certificate with multiple host names , adopt subjectAltName To configure , Generally speaking , Host names contain at least two , One belt www. Of , One without ; You can also use wildcards , such as shannont.com and *.shannont.com

Use the configuration file to generate csr

openssl req -new -config csr.cnf -key server.key -out server2.csr

• -config: Specify the configuration file to use

2.2 see csr The content of

openssl req -in server.csr -text -noout

• csr Contains public key , Signature and fields with non empty input value during previous interaction
• The current version of the summary algorithm defaults to sha256
• -text: Output csr In the form of text
• -noout: No output -----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST----- Content between

3. certificate

3.1 Self signed certificate

With csr after , You don't have to go CA Apply for a certificate , Most of the time, the development stage can apply for a self signed certificate for self-test （ Is to use your private key to sign the certificate ）

3.1.1 Use csr Generate Certificate

Use openssl x509 command

#  If the signature uses an encrypted private key, you need to enter the private key password interactively 
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

• x509: X.509 It is the format standard of public key certificate in cryptography
• -req: Indicate that the input file is csr
• -days: How long is the certificate valid
• -in: Input file
• -signkey: Equate to -key, Indicate the private key used for signing

3.1.2 Use the private key to generate the certificate directly

#  Interactive mode , You need to enter the country , organization , Location and other field values , If it is an encrypted private key , Also enter the private key password 
openssl req -new -x509 -days 365 -key server.key -out server2.crt

#  Use the above csr The configuration file of generates the certificate directly 
openssl req -new -x509 -days 365 -key server.key -config csr.cnf -out server3.crt

#  Use -subj Option specifies the country , organization , Location and other field values , If it is an encrypted private key , Also enter the private key password 
openssl req -new -x509 -days 365 -key server.key -out server4.crt -subj "/C=CN/L=ShangHai"

3.2 Check the certificate

The part of the certificate about the public key is exactly the same as 1.3.2 Contents of public key in section

 openssl x509 -text -in server.crt -noout

3.3 Check the certificate

Use openssl s_server Create a server, The default port is 4433, Import certificate and private key

openssl s_server -cert server.crt -key server.key -www

Open the browser , Input https://127.0.0.1:4433, Get the following , Need manual trust