Git Bash OpenSSL – Generate Self Signed Certificate
前言
以前就写过了, 只是写的太乱, 这篇是一个整理版. 以前的文章:
我已经没有用 PowerSheel 做证书了, 所以就不介绍了.
参考:
generate-trusted-ssl-certificate
Git Bash OpenSSL
OpenSSL 是最终使用的 tool, 它是 Linux 世界的东西, 要跑它最好是通过 Git.
安装 Git. Git 里面又有一个冬冬叫 Bash.
所以 Git > Bash > OpenSSL
Create .sh and .cnf
创建一个 folder 和 2 个 files
1. openssl.cnf
[ req ] default_bits = 2048 default_md = sha256 default_days = 825 encrypt_key = no distinguished_name = subject req_extensions = req_ext x509_extensions = x509_ext string_mask = utf8only prompt = no # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] countryName = MY stateOrProvinceName = Johor localityName = Skudai organizationName = Stooges Web Design OU = Engineering # Use a friendly name here because it's presented to the user. The server's DNS # names are placed in Subject Alternate Names. Plus, DNS names here is deprecated # by both IETF and CA/Browser Forums. If you place a DNS name here, then you # must include the DNS name in the SAN too (otherwise, Chrome and others that # strictly follow the CA/Browser Baseline Requirements will fail). commonName = 192.168.1.152 emailAddress = stoogeswebdesign@gmail.com # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ... [ x509_ext ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer # You only need digitalSignature below. *If* you don't allow # RSA Key transport (i.e., you use ephemeral cipher suites), then # omit keyEncipherment because that's key transport. basicConstraints = critical, CA:TRUE keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign subjectAltName = @alternate_names extendedKeyUsage = serverAuth # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. #extendedKeyUsage = TLS Web Server Authentication # Section req_ext is used when generating a certificate signing request. I.e., openssl req ... [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment subjectAltName = @alternate_names nsComment = "OpenSSL Generated Certificate" # RFC 5280, Section 4.2.1.12 makes EKU optional # CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused # In either case, you probably only need serverAuth. # extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] IP.1 = 192.168.1.152 DNS.1 = *.192.168.1.152 DNS.2 = 192.168.1.152
它是一个 config file, 把 IP 和公司信息换掉就可以了。
2. generate.sh
它是一个 command file, 内容是
#!/bin/bash openssl req -days 825 -config openssl.cnf -new -x509 -out 192.168.1.152.crt -keyout 192.168.1.152.key
config link to 上面的 openssl.cnf, IP 换掉就可以了。
825 days 是因为 IOS 的限制,不能放太久。
openssl.cnf 里虽然也 set 了 default_days 但是,那个好像不适用于 openssl req command,所以这里还需要 set 一次。
for localhost
如果是做 localhost certificate,openssl.cnf 里的 IP.1 需要放 127.0.0.1,其它的地方把 192.168.1.152 换成 localhost 就可以了。
Run command
对着 folder 打开 Git Bash
然后输入 command
bash generate.sh
它会生成 2 个 files, .crt 和 .key.
Convert to .pfx
继续输入 command
openssl pkcs12 -export -out 192.168.1.152.pfx -inkey 192.168.1.152.key -in 192.168.1.152.crt
在输入密码就可以了.
