Preliminary setup

```shell
[root@localhost ~]# cat /etc/redhat-release
Rocky Linux release 9.4 (Blue Onyx)
[root@localhost demoCA]# openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
[root@localhost ~]# pwd
/root
[root@localhost ~]# mkdir -p demoCA
[root@localhost ~]# cp /etc/pki/tls/openssl.cnf .
[root@localhost ~]# vi openssl.cnf
[ CA_default ]
dir             = /root/demoCA          # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[root@localhost ~]# cd demoCA/
[root@localhost demoCA]# mkdir newcerts private
[root@localhost demoCA]# chmod 700 private
[root@localhost demoCA]# touch index.txt
[root@localhost demoCA]# echo 01 > serial
[root@localhost demoCA]# tree -L 1
.
├── index.txt
├── newcerts
├── private
└── serial

2 directories, 2 files
```

newcerts: stores the digital certificates the CA has already signed and issued
private: stores the CA's private key
serial: stores the certificate serial number; the serial of the first certificate can be chosen freely (e.g. 0001), and it is incremented by 1 automatically for every new certificate
index.txt: stores certificate information (the CA's database)
Generate the RSA private key for the CA certificate

```shell
[root@localhost demoCA]# openssl genrsa -passout pass:google -des3 -out ~/demoCA/private/cakey.pem 2048
[root@localhost demoCA]# tree -L 2
.
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

2 directories, 3 files
```
Generate the CA root certificate (the CA's public key)
CA certificate signing request & self-signing the certificate
```shell
[root@localhost demoCA]# openssl req -x509 -passin pass:google -new -nodes -key ~/demoCA/private/cakey.pem -days 3650 -subj "/C=CN/ST=GuangDong/L=GZ/O=Approach/CN=www.heiok.com" -out cacert.pem
[root@localhost demoCA]# tree -L 2
.
├── cacert.pem
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

2 directories, 4 files
[root@localhost demoCA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
```
View the contents of the CA certificate
The CA certificate already contains the public key that corresponds to the key file.
```shell
[root@localhost demoCA]# openssl x509 -in cacert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            57:74:25:d2:2a:6d:a7:0a:2c:92:62:da:5a:85:83:da:43:26:92:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = GuangDong, L = GZ, O = Approach, CN = www.heiok.com
        Validity
            Not Before: Dec 25 08:29:09 2024 GMT
            Not After : Dec 23 08:29:09 2034 GMT
        Subject: C = CN, ST = GuangDong, L = GZ, O = Approach, CN = www.heiok.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d7:f8:6b:79:9e:1f:4c:10:78:ad:fd:c9:5f:52:
                    a6:9c:5a:79:17:e2:62:70:04:af:60:68:28:1a:cc:
                    a1:60:08:87:b0:3e:40:5a:fa:85:ad:bb:a8:95:9a:
                    ad:2b:aa:a9:c4:c7:05:84:fe:c7:2b:2b:d5:33:f8:
                    2d:6e:d5:af:71:d7:d0:16:cb:dc:74:13:87:89:f2:
                    83:8e:77:ab:19:17:08:ea:c4:e1:63:b8:e0:a8:8e:
                    1f:25:18:cd:37:bc:0e:4e:91:4c:4b:52:7a:07:15:
                    31:f7:1f:4b:30:fe:8d:3e:78:4a:52:a9:96:aa:f8:
                    44:c4:e1:8e:0b:1a:8a:1a:46:5d:80:da:75:80:fa:
                    e2:b1:62:55:a9:97:68:5f:a8:43:7d:b7:b5:9f:8a:
                    a4:55:3e:a3:df:6d:ab:b7:af:9d:53:ee:76:4f:cb:
                    01:91:35:5c:fb:d7:59:c7:ae:dd:d1:de:a7:85:47:
                    65:e9:39:c8:67:ba:8d:3e:60:2b:ec:5d:7b:23:05:
                    87:01:c1:a4:b3:fa:a9:e2:2c:d5:1c:28:ca:96:39:
                    44:83:e8:c5:31:bd:52:bb:5b:0c:41:18:f2:16:7d:
                    69:90:0a:e8:4b:c8:87:bd:b8:6e:5b:ab:5f:5f:f7:
                    3c:58:7f:d1:af:2e:85:94:99:6f:40:87:14:69:27:
                    45:29
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                90:CC:9F:9F:C5:71:E2:A7:8F:FD:2F:5C:75:9E:83:BB:80:AE:89:B5
            X509v3 Authority Key Identifier:
                90:CC:9F:9F:C5:71:E2:A7:8F:FD:2F:5C:75:9E:83:BB:80:AE:89:B5
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        22:30:e6:c6:f5:4b:b8:91:80:e0:0f:08:ed:05:c8:85:29:85:
        3c:6d:96:3d:e9:ac:ef:40:b6:37:a8:57:7b:26:cc:54:df:70:
        18:51:e9:ee:ff:66:db:75:de:f3:72:7b:c2:88:19:31:bb:29:
        45:1f:99:b4:33:0b:fe:ce:75:3f:62:50:39:34:3d:d5:e2:7a:
        6e:3d:b5:81:64:1a:fc:6b:a1:6f:61:fc:7d:0b:44:a1:73:8d:
        61:f2:1f:21:93:08:60:bd:a8:eb:a1:a4:3c:e1:72:40:27:96:
        4b:73:49:76:0c:03:44:d7:03:5c:8c:60:b9:90:00:d0:f3:27:
        29:99:18:4f:90:74:1b:82:b4:c0:df:68:12:a1:37:fb:66:63:
        a4:5e:f4:5a:7a:68:e5:a5:a9:d5:96:e0:64:51:00:86:fb:fa:
        7f:54:23:73:ee:06:78:25:6a:f7:66:fd:f2:a5:db:ae:41:9c:
        8a:6f:55:6f:a6:4b:85:d5:c5:09:c2:59:cb:18:c3:26:c2:01:
        90:45:ba:3a:e7:45:d3:43:b0:3f:a3:96:48:8e:43:37:86:e7:
        89:7a:47:70:94:10:d7:90:8f:65:d1:22:1a:9b:07:03:a0:1c:
        eb:e7:db:f8:43:62:a1:d6:f0:7d:d4:7f:78:9c:57:d2:0d:40:
        2d:31:51:dc
```
Generate the server certificate key file & certificate signing request

```shell
[root@localhost demoCA]# openssl req -utf8 -newkey rsa:2048 -nodes -keyout client.key -subj "/C=CN/ST=广东省/O=广东省服务器/CN=广东省服务器" -out client.csr
[root@localhost demoCA]# tree -L 2
.
├── cacert.pem
├── client.csr
├── client.key
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

2 directories, 6 files
[root@localhost demoCA]# cat client.csr
-----BEGIN CERTIFICATE REQUEST-----
(base64 request body omitted)
-----END CERTIFICATE REQUEST-----
```
The CA issues the server certificate
Load the CA certificate as configured in openssl.cnf and combine it with the server's certificate signing request file to complete the signing.
```shell
[root@localhost demoCA]# openssl ca -passin pass:google -config ~/openssl.cnf -in client.csr -out client_cert.pem -batch
Using configuration from /root/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 25 08:55:30 2024 GMT
            Not After : Dec 25 08:55:30 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = \U5E7F\U4E1C\U7701
            organizationName          = \U5E7F\U4E1C\U7701\U670D\U52A1\U5668
            commonName                = \U5E7F\U4E1C\U7701\U670D\U52A1\U5668
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                E2:AF:5A:FB:F3:B8:25:2C:62:D9:3B:09:EA:1A:65:0E:3E:12:54:18
            X509v3 Authority Key Identifier:
                90:CC:9F:9F:C5:71:E2:A7:8F:FD:2F:5C:75:9E:83:BB:80:AE:89:B5
Certificate is to be certified until Dec 25 08:55:30 2025 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost demoCA]# tree -L 3
.
├── cacert.pem
├── client_cert.pem
├── client.csr
├── client.key
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

2 directories, 11 files
[root@localhost demoCA]# ll
total 36
-rw-r--r--. 1 root root 1302 Dec 25 16:29 cacert.pem
-rw-r--r--. 1 root root 4443 Dec 25 16:55 client_cert.pem
-rw-r--r--. 1 root root  989 Dec 25 16:42 client.csr
-rw-------. 1 root root 1704 Dec 25 16:42 client.key
-rw-r--r--. 1 root root  225 Dec 25 16:55 index.txt
-rw-r--r--. 1 root root   21 Dec 25 16:55 index.txt.attr
-rw-r--r--. 1 root root    0 Dec 25 15:59 index.txt.old
drwxr-xr-x. 2 root root   20 Dec 25 16:55 newcerts
drwx------. 2 root root   23 Dec 25 16:21 private
-rw-r--r--. 1 root root    3 Dec 25 16:55 serial
-rw-r--r--. 1 root root    3 Dec 25 15:59 serial.old
[root@localhost demoCA]# cat client_cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=GZ, O=Approach, CN=www.heiok.com
        Validity
            Not Before: Dec 25 08:55:30 2024 GMT
            Not After : Dec 25 08:55:30 2025 GMT
        Subject: C=CN, ST=\xE5\xB9\xBF\xE4\xB8\x9C\xE7\x9C\x81, O=\xE5\xB9\xBF\xE4\xB8\x9C\xE7\x9C\x81\xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8, CN=\xE5\xB9\xBF\xE4\xB8\x9C\xE7\x9C\x81\xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b2:b9:8a:2f:53:75:61:32:66:5f:39:99:58:63:
                    2e:92:14:9a:bc:5e:4e:d9:ce:78:59:44:8f:1e:4d:
                    ea:df:7b:4f:2d:a8:7d:8b:fd:75:97:3e:79:59:59:
                    b3:ab:bd:13:04:f8:d8:e6:8b:a5:af:65:a5:f2:36:
                    25:9b:df:d1:91:93:15:51:30:15:98:53:b3:8b:13:
                    c6:94:76:8c:33:9d:3b:45:78:90:27:9b:f8:07:66:
                    17:e6:51:a2:0c:a7:74:7e:cf:22:ec:e4:f3:b2:64:
                    9d:28:e1:c0:f7:61:59:3e:7a:9e:c5:37:eb:8f:79:
                    fa:d6:81:ce:2e:dd:05:d9:a1:7d:35:d4:9a:c2:c2:
                    03:f8:84:c6:0b:ee:a8:32:b5:77:d0:d1:8d:38:e6:
                    85:3a:cd:c8:8a:23:4e:57:78:09:53:f7:ea:ed:88:
                    ce:24:d5:e7:ba:0d:96:3c:1a:f1:f9:52:83:44:c0:
                    2e:e8:9c:32:b6:06:13:3d:88:8b:bc:d8:eb:1c:56:
                    b8:1a:28:da:c9:c8:38:28:51:af:fc:87:c2:3a:02:
                    bf:5a:fb:bc:3f:df:f9:53:fb:09:ea:f6:95:a6:7a:
                    4d:96:a8:d0:9b:e0:3b:32:b2:d3:ae:ac:76:50:08:
                    be:e8:ae:7d:f3:eb:00:9a:2f:d4:e7:b6:75:0b:d1:
                    c6:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                E2:AF:5A:FB:F3:B8:25:2C:62:D9:3B:09:EA:1A:65:0E:3E:12:54:18
            X509v3 Authority Key Identifier:
                90:CC:9F:9F:C5:71:E2:A7:8F:FD:2F:5C:75:9E:83:BB:80:AE:89:B5
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        0a:e7:5a:c0:f6:b5:14:f6:c4:6a:b8:d3:8b:fc:d9:c0:a6:7c:
        22:e2:1b:93:db:55:89:44:7a:c3:47:e5:ba:5c:87:27:a9:32:
        5b:a7:26:b7:e5:da:52:c8:ca:9e:3d:bc:64:7e:ff:81:78:68:
        00:b0:23:1b:8b:9c:73:60:18:bd:7d:2d:5f:d6:41:20:cd:69:
        55:13:74:d5:ce:c7:07:86:41:22:69:ee:5c:5a:46:13:83:ef:
        46:90:a3:03:aa:f9:fd:a9:a8:2d:ca:3c:77:60:e6:ee:79:03:
        7c:3a:33:78:a5:13:c9:4d:df:9b:58:af:e1:d3:41:89:cb:d9:
        81:ae:35:01:08:ca:9c:7b:7f:a5:d2:5b:c5:ef:31:34:85:a3:
        a6:17:a6:ae:dd:14:d5:0e:88:63:16:50:6c:eb:ff:0b:be:45:
        6e:17:eb:65:9a:ab:e8:94:d1:a6:e9:ca:90:9b:8c:08:29:4b:
        3f:ef:5d:6c:03:c4:b8:d8:d9:b0:04:80:43:30:31:c9:71:bc:
        9b:82:67:b8:37:55:57:a8:47:42:58:43:35:9e:f1:e1:08:0f:
        fd:17:f6:a2:92:88:83:c4:a7:1f:5b:af:c4:ac:ec:85:a5:af:
        77:a8:79:b3:19:b2:92:9d:7e:0f:9a:20:3e:99:47:a3:48:59:
        37:ba:07:ef
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
```
Export as a PKCS#12 file

```shell
OpenSSL 1.0.2k-fips
[root@localhost demoCA]# openssl pkcs12 -export -in client_cert.pem -inkey client.key -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
```
When a .p12 file generated by OpenSSL 3.0.7 is added to Adobe Acrobat, it fails because of the encryption algorithm and KDF (key derivation function) used; adding the following parameters solves this.
Parameter description:
-certpbe PBE-SHA1-3DES: sets the encryption algorithm for the certificate to 3DES (for older software).
-keypbe PBE-SHA1-3DES: sets the encryption algorithm for the private key to 3DES.
-macalg SHA1: forces the MAC algorithm to SHA-1 instead of the SHA-256 (or stronger) default of OpenSSL 3.x.
These three flags only weaken the protection of the .p12 container itself (PBES1 with SHA-1 and 3DES instead of OpenSSL 3.x's default PBES2 with PBKDF2 and AES-256), so keep the file password strong and use them only for software that cannot read the modern format.
```shell
OpenSSL 3.0.7
[root@localhost demoCA]# openssl pkcs12 -export -in client_cert.pem -inkey client.key -out client.p12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost demoCA]# ll
total 40
-rw-r--r--. 1 root root 1302 Dec 25 16:29 cacert.pem
-rw-r--r--. 1 root root 4443 Dec 25 16:55 client_cert.pem
-rw-r--r--. 1 root root  989 Dec 25 16:42 client.csr
-rw-------. 1 root root 1704 Dec 25 16:42 client.key
-rw-------. 1 root root 2643 Dec 25 17:09 client.p12
-rw-r--r--. 1 root root  225 Dec 25 16:55 index.txt
-rw-r--r--. 1 root root   21 Dec 25 16:55 index.txt.attr
-rw-r--r--. 1 root root    0 Dec 25 15:59 index.txt.old
drwxr-xr-x. 2 root root   20 Dec 25 16:55 newcerts
drwx------. 2 root root   23 Dec 25 16:21 private
-rw-r--r--. 1 root root    3 Dec 25 16:55 serial
-rw-r--r--. 1 root root    3 Dec 25 15:59 serial.old
```
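As an added example (not part of the original post), the script below checks the results of the steps above: that the issued certificate chains to the CA, that the private key really belongs to it, and that the exported .p12 actually carries the SHA1/3DES PBE algorithms the three parameters request. It assumes only the openssl CLI on PATH and builds a throwaway CA in a temporary directory instead of touching /root/demoCA.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run after issuing a
# certificate and exporting it with the legacy PBE flags the text describes.
# Assumes only a POSIX shell and the openssl CLI (1.1.1 or 3.x) on PATH.

# Usage: check_issued_cert cacert.pem client_cert.pem client.key
# Succeeds if the certificate chains to the CA and the key really belongs to it.
check_issued_cert() {
    ca="$1"; cert="$2"; key="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # Hash the SubjectPublicKeyInfo taken from the cert and derived from the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: p12_uses_legacy_pbe client.p12 password
# Succeeds only if the cert bag and the shrouded key bag both use
# pbeWithSHA1And3-KeyTripleDES-CBC, i.e. what -certpbe/-keypbe PBE-SHA1-3DES produce.
p12_uses_legacy_pbe() {
    info=$(openssl pkcs12 -in "$1" -info -noout -nodes -passin "pass:$2" 2>&1) || return 1
    n=$(printf '%s\n' "$info" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC')
    [ "$n" -ge 2 ]
}

# Self-contained demo: a throwaway CA and leaf in a temp dir (the post's
# /root/demoCA is not touched). Passwords on argv are acceptable for a demo only;
# on a real host they end up in process listings and shell history.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo server" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    # openssl x509 -req signs with the CA key directly, so no openssl.cnf is needed
    openssl x509 -req -in "$d/client.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 30 -out "$d/client_cert.pem" 2>/dev/null || return 1
    check_issued_cert "$d/cacert.pem" "$d/client_cert.pem" "$d/client.key" || return 1
    # Export once with the legacy flags from the post and once with OpenSSL's defaults
    openssl pkcs12 -export -in "$d/client_cert.pem" -inkey "$d/client.key" \
        -out "$d/legacy.p12" -passout pass:demo \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1 || return 1
    openssl pkcs12 -export -in "$d/client_cert.pem" -inkey "$d/client.key" \
        -out "$d/default.p12" -passout pass:demo || return 1
    p12_uses_legacy_pbe "$d/legacy.p12" demo || return 1
    ! p12_uses_legacy_pbe "$d/default.p12" demo || return 1
    rm -rf "$d"
}
```

Run `demo` to exercise both checks; against the post's own files, call `check_issued_cert cacert.pem client_cert.pem client.key` and `p12_uses_legacy_pbe client.p12 <export password>` from inside /root/demoCA.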