TLS/SSL concepts
TLS/SSL is a set of protocols that rely on a public key infrastructure (PKI) to enable secure communication between a client and a server. For most common cases, each server must have a private key.
Private keys can be generated in multiple ways. The example below illustrates use of the OpenSSL command-line interface to generate a 2048-bit RSA private key:
openssl genrsa -out ryans-key.pem 2048
With TLS/SSL, all servers (and some clients) must have a certificate. Certificates are public keys that correspond to a private key, and that are digitally signed either by a Certificate Authority or by the owner of the private key (such certificates are referred to as "self-signed"). The first step to obtaining a certificate is to create a Certificate Signing Request (CSR) file.
The OpenSSL command-line interface can be used to generate a CSR for a private key:
openssl req -new -sha256 -key ryans-key.pem -out ryans-csr.pem
Once the CSR file is generated, it can either be sent to a Certificate Authority for signing or used to generate a self-signed certificate.
Creating a self-signed certificate using the OpenSSL command-line interface is illustrated in the example below:
openssl x509 -req -in ryans-csr.pem -signkey ryans-key.pem -out ryans-cert.pem
Once the certificate is generated, it can be used to generate a .pfx or .p12 file:
openssl pkcs12 -export -in ryans-cert.pem -inkey ryans-key.pem \
-certfile ca-cert.pem -out ryans.pfx
Where:
in: is the signed certificate
inkey: is the associated private key
certfile: is a concatenation of all Certificate Authority (CA) certs into a single file, e.g. cat ca1-cert.pem ca2-cert.pem > ca-cert.pem
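The whole procedure above (private key, CSR, self-signed certificate, PKCS#12 bundle) scripted non-interactively and followed by the consistency checks a practitioner runs before deploying the files, as an added example that is not part of the original page. The subject /CN=example.test, the export password and the function names are assumptions; the self-signed certificate serves as its own trust anchor, so no separate CA file is used.

```shell
# Added example (not from the original page): runs the page's key -> CSR ->
# self-signed certificate -> PKCS#12 steps non-interactively, then checks the
# result. The subject "/CN=example.test" and the export password are assumed
# placeholders.

# make_bundle DIR: create key, CSR, self-signed cert and .pfx inside DIR.
make_bundle() {
  dir="$1"
  umask 077   # the private key file is created readable only by its owner
  openssl genrsa -out "$dir/ryans-key.pem" 2048 2>/dev/null
  # -subj supplies the subject so the CSR step does not prompt for fields
  openssl req -new -sha256 -key "$dir/ryans-key.pem" \
    -subj "/CN=example.test" -out "$dir/ryans-csr.pem"
  # self-signed: the CSR is signed with the same key whose public half it carries
  openssl x509 -req -in "$dir/ryans-csr.pem" -signkey "$dir/ryans-key.pem" \
    -days 365 -out "$dir/ryans-cert.pem" 2>/dev/null
  # a self-signed cert has no separate CA chain, so -certfile is not needed here
  openssl pkcs12 -export -in "$dir/ryans-cert.pem" -inkey "$dir/ryans-key.pem" \
    -passout pass:changeit -out "$dir/ryans.pfx"
}

# verify_bundle DIR: return 0 only if key, cert and .pfx are consistent.
verify_bundle() {
  dir="$1"
  # 1. the certificate must carry the public half of this private key
  cert_pub=$(openssl x509 -in "$dir/ryans-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/ryans-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch"; return 1; }
  # 2. the self-signed cert must verify when trusted as its own anchor
  openssl verify -CAfile "$dir/ryans-cert.pem" "$dir/ryans-cert.pem" >/dev/null \
    || { echo "certificate does not verify"; return 1; }
  # 3. the .pfx must open with the password and contain the same certificate
  pfx_fp=$(openssl pkcs12 -in "$dir/ryans.pfx" -passin pass:changeit \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  pem_fp=$(openssl x509 -in "$dir/ryans-cert.pem" -noout -fingerprint -sha256)
  [ "$pfx_fp" = "$pem_fp" ] || { echo ".pfx certificate mismatch"; return 1; }
  # 4. the private key file must not be group- or world-readable
  case $(ls -l "$dir/ryans-key.pem" | cut -c5-10) in
    ------) ;;
    *) echo "private key permissions too open"; return 1 ;;
  esac
  return 0
}

# Usage:
#   d=$(mktemp -d); make_bundle "$d" && verify_bundle "$d" && echo consistent
```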