如何使用 OpenSSL 生成自签名 SSL 证书? [英] How to generate a self-signed SSL certificate using OpenSSL?

问题描述

我正在向嵌入式 Linux 设备添加 HTTPS 支持.我已尝试通过以下步骤生成自签名证书:

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps:

openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem>>cert.pem

这有效，但我遇到一些错误，例如，谷歌浏览器:

This works, but I get some errors with, for example, Google Chrome:

这可能不是您要找的网站！
该网站的安全证书不受信任！

This is probably not the site you are looking for!
The site's security certificate is not trusted!

我错过了什么吗?这是构建自签名证书的正确方法吗?

Am I missing something? Is this the correct way to build a self-signed certificate?

推荐答案

您可以在一个命令中完成:

You can do that in one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

如果您不想用密码保护您的私钥，您还可以添加 -nodes(no DES 的缩写).否则它会提示您输入至少 4 个字符"的密码.

You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

days 参数 (365) 您可以用任何数字替换以影响到期日期.然后它会提示您输入国家/地区名称"之类的内容，但您只需按 Enter 并接受默认值即可.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

添加 -subj '/CN=localhost' 以抑制有关证书内容的问题(将 localhost 替换为您想要的域).

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

除非您之前将自签名证书导入浏览器，否则不会通过任何第三方验证.如果您需要更高的安全性，您应该使用由证书颁发机构 (CA) 签署的证书.

Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).

这篇关于如何使用 OpenSSL 生成自签名 SSL 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！