TLS/SSL 概念
【TLS/SSL concepts】
TLS/SSL 是一组依赖公钥基础设施(PKI)的协议,用于实现客户端与服务器之间的安全通信。在大多数常见情况下,每个服务器都必须拥有一个私钥。
【TLS/SSL is a set of protocols that rely on a public key infrastructure (PKI) to enable secure communication between a client and a server. For most common cases, each server must have a private key.】
私钥可以通过多种方式生成。下面的示例说明了如何使用 OpenSSL 命令行接口生成一个 2048 位的 RSA 私钥:
【Private keys can be generated in multiple ways. The example below illustrates use of the OpenSSL command-line interface to generate a 2048-bit RSA private key:】
openssl genrsa -out ryans-key.pem 2048 使用 TLS/SSL,所有服务器(以及部分客户端)必须拥有一个_证书_。证书是与私钥对应的_公钥_,并且由证书颁发机构或私钥的所有者进行数字签名(这样的证书称为“自签名”)。获取证书的第一步是创建一个_证书签名请求_(CSR)文件。
【With TLS/SSL, all servers (and some clients) must have a certificate. Certificates are public keys that correspond to a private key, and that are digitally signed either by a Certificate Authority or by the owner of the private key (such certificates are referred to as "self-signed"). The first step to obtaining a certificate is to create a Certificate Signing Request (CSR) file.】
可以使用 OpenSSL 命令行接口为私钥生成 CSR:
【The OpenSSL command-line interface can be used to generate a CSR for a private key:】
openssl req -new -sha256 -key ryans-key.pem -out ryans-csr.pem 一旦生成了 CSR 文件,它可以发送到证书颁发机构进行签名,也可以用来生成自签名证书。
【Once the CSR file is generated, it can either be sent to a Certificate Authority for signing or used to generate a self-signed certificate.】
下面的示例演示了如何使用 OpenSSL 命令行接口创建自签名证书:
【Creating a self-signed certificate using the OpenSSL command-line interface is illustrated in the example below:】
openssl x509 -req -in ryans-csr.pem -signkey ryans-key.pem -out ryans-cert.pem 一旦证书生成,就可以用它来生成 .pfx 或 .p12 文件:
【Once the certificate is generated, it can be used to generate a .pfx or
.p12 file:】
openssl pkcs12 -export -in ryans-cert.pem -inkey ryans-key.pem \
-certfile ca-cert.pem -out ryans.pfx 在哪里:
【Where:】
in:是签署的证书inkey:是关联的私钥certfile:是将所有证书颁发机构(CA)的证书合并到一个文件中,例如cat ca1-cert.pem ca2-cert.pem > ca-cert.pem