How to create a self-signed certificate with OpenSSL

Problem description

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps:

openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem>>cert.pem

This works, but I get some errors with, for example, Google Chrome:

This is probably not the site you are looking for!
The site's security certificate is not trusted!

Am I missing something? Is this the correct way to build a self-signed certificate?

Solution

You can do that in one command:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).
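
The answer's command run non-interactively, followed by checks worth making before the files are installed on a device or handed out for import into browsers. This is an added example, not part of the original answer; the function names, host names and paths are assumptions, and the key is assumed to be unencrypted (-nodes).

```shell
#!/bin/sh
# Added example: function names, host names and paths are constructed.

# make_selfsigned HOST DIR [DAYS] [BITS]
# Runs the answer's one-line command without prompts (-nodes, -subj).
make_selfsigned() (
    host=$1 dir=$2 days=${3:-365} bits=${4:-4096}
    umask 077                 # key.pem is unencrypted, so keep it owner-only
    mkdir -p "$dir" || exit 1
    openssl req -x509 -newkey "rsa:$bits" -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days "$days" -subj "/CN=$host" 2>/dev/null
)

# check_selfsigned CERT KEY [MIN_DAYS_LEFT]
# Prints one line per problem found; returns 0 only if there are none.
check_selfsigned() (
    cert=$1 key=$2 min_days=${3:-30} rc=0

    # The question appends key.pem to cert.pem. A file that is handed out
    # for import into browsers must not carry the private key.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "private key found inside $cert"; rc=1
    fi

    # Self-signed means the subject and the issuer are the same name.
    subj=$(openssl x509 -in "$cert" -noout -subject) || exit 2
    iss=$(openssl x509 -in "$cert" -noout -issuer) || exit 2
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
        echo "issuer differs from subject: not self-signed"; rc=1
    fi

    # The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert"; rc=1
    fi

    # -days sets the expiry date; flag certificates that are close to it.
    secs=$((min_days * 86400))
    if ! openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null; then
        echo "expires within $min_days days"; rc=1
    fi
    exit $rc
)
```

Typical use is `make_selfsigned device.example ./tls` followed by `check_selfsigned ./tls/cert.pem ./tls/key.pem`; a non-zero exit status means at least one problem line was printed.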
