How to generate a self-signed SSL certificate using OpenSSL

Tags: ssl, openssl, certificate, ssl-certificate, x509certificate

Top 5 answers: How to generate a self-signed SSL certificate using OpenSSL

Answer 1 (99 votes)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 
Answer 2 (85 votes)

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# IP.1        = 127.0.0.1
# IP.2        = ::1
# Self-signed certificate (uses the x509_ext section of the config):
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.cert.pem

# Certificate signing request instead (uses the req_ext section):
openssl req -config example-com.conf -new -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.req.pem

# Inspect the result:
openssl x509 -in example-com.cert.pem -text -noout

openssl req -in example-com.req.pem -text -noout
[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName                 = Country Name (2 letter code)
countryName_default         = US

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName                = Locality Name (eg, city)
localityName_default        = New York

organizationName            = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because it's presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here are deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = Example Company

emailAddress                = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage      = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier    = hash

basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment               = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage      = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# DNS.7       = 127.0.0.1
#   (an IP address belongs in an IP.n entry, as below, not in a DNS.n entry)

# IPv6 localhost
# DNS.8       = ::1

# IPv4 localhost
# IP.1        = 127.0.0.1

# IPv6 localhost
# IP.2        = ::1
Answer 3 (76 votes)

# OpenSSL 1.1.1 and later: the SAN can be passed directly with -addext
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"

# Older OpenSSL: feed the SAN through a temporary config (bash process substitution)
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -extensions san -config \
  <(echo "[req]";
    echo distinguished_name=req;
    echo "[san]";
    echo subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1
    ) \
  -subj "/CN=example.com"
Answer 4 (67 votes)

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX 
req 
-x509 
-newkey arg 
-keyout filename 
-out filename 
-days n 
-nodes 
Answer 5 (50 votes)

openssl genrsa -out server.key 2048
openssl rsa -in server.key -out server.key
openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

# Combined PEM (certificate followed by the private key), as some servers expect:
cat server.crt server.key > cert.pem
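The CSR route from answers 2 and 5 has a pitfall worth seeing run: openssl x509 -req takes the subject and key from the request but, by default, copies none of the extensions the request carries, so a SAN placed in the CSR silently disappears unless it is supplied again at signing time. The script below, added here and not part of the original answers, signs the same CSR twice, once bare as answer 5 does and once with an -extfile section, and counts the SAN names in each result. It assumes OpenSSL 1.1.1 or newer; the file names and host are our own.

```shell
#!/bin/sh
# Added example (not from the original answers). Needs OpenSSL >= 1.1.1.
# File names, the host and the SAN list are constructed for the demo.
set -eu

# make_csr DIR HOST: private key plus a CSR that requests a SAN, the way a
# requester would state it to a CA.
make_csr() {
  mkdir -p "$1"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/server.key" -out "$1/server.csr" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:www.$2" 2>/dev/null
}

# sign_bare DIR: answer 5's form. x509 -req does not copy the CSR's
# extensions, so bare.crt ends up with no SAN at all.
sign_bare() {
  openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
    -signkey "$1/server.key" -out "$1/bare.crt" 2>/dev/null
}

# sign_with_ext DIR HOST: state the extensions again at signing time; the
# -extfile section, not the CSR, decides what the certificate says.
sign_with_ext() {
  cat > "$1/leaf.ext" <<EOF
[ leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2, DNS:www.$2
EOF
  openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
    -signkey "$1/server.key" -out "$1/leaf.crt" \
    -extfile "$1/leaf.ext" -extensions leaf 2>/dev/null
}

# san_count CERT: prints the number of DNS names in the SAN (0 when absent).
san_count() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Stand-alone demo:  sh this.sh demo
if [ "${1-}" = "demo" ]; then
  d=$(mktemp -d); h=example.com
  make_csr "$d" "$h"; sign_bare "$d"; sign_with_ext "$d" "$h"
  echo "bare.crt: $(san_count "$d/bare.crt") SAN name(s)"
  echo "leaf.crt: $(san_count "$d/leaf.crt") SAN name(s)"
  rm -rf "$d"
fi
```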
