[Mac/Linux] 使用 openssl 指令產生 CSR,並解密產生的私鑰
公司有提供產生憑證 (certificate) 的服務,
不過要提供 CSR (Certificate Signing Request) 檔案,
簡單記錄一下步驟吧~
首先,執行下列指令:
openssl req -newkey rsa:2048 -keyout server_enc.key -out server.csr
接下來,會需要輸入一個密碼,來保護這個存放私鑰 (private key) 的檔案 server_enc.key:
Generating a 2048 bit RSA private key ........................................+++ .........................................................+++ writing new private key to 'server_enc.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
接著,需要輸入一些資訊,這會記錄在憑證裡面。
公司有規定要輸入一些特定值,
若沒有規定的話,就自己輸入適當的值吧,
不需要的地方按 Enter 留空就可以了:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:US State or Province Name (full name) []:Texas Locality Name (eg, city) []:Irving Organization Name (eg, company) []:Test Inc. Organizational Unit Name (eg, section) []: Common Name (eg, fully qualified host name) []:*.dev.test.com Email Address []:[email protected]
最後它又要求再輸入另一個密碼來保護這個 CSR 檔案,
我是按 Enter 直接略過:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:
這樣子就會產生私鑰 (存在 server_enc.key) 和 CSR (存在 server.csr) 檔案。
如果打開 server_enc.key 來看的話,會是像這樣的內容,
可以看到它是 ENCRYPTED PRIVATE KEY,也就是加密過的私鑰:
-----BEGIN ENCRYPTED PRIVATE KEY----- MIIFHzBJBgkqh...... ...... -----END ENCRYPTED PRIVATE KEY-----
在之後的應用中,通常會需要解密過 (也就是不需要輸入密碼) 的私鑰,
可以這樣產生:
openssl rsa -in server_enc.key -out server.key
產生出的 server.key 內容就會是 RSA PRIVATE KEY,
就是未加密的私鑰囉:
-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAK...... ...... -----END RSA PRIVATE KEY-----
參考資料:
Manually Generate a Certificate Signing Request (CSR) Using OpenSSL – SSL.com
How to Decrypt an RSA Private Key Using OpenSSL | Marco
(本頁面已被瀏覽過 766 次)