ssl - 如何使用OpenSSL创建自签名证书(How to create a self-signed certificate with OpenSSL)

Question

I'm adding HTTPS support to an embedded Linux device.

(我正在向嵌入式Linux设备添加HTTPS支持。)

I have tried to generate a self-signed certificate with these steps:

(我尝试通过以下步骤生成自签名证书：)

openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem>>cert.pem

This works, but I get some errors with, for example, Google Chrome:

(这可行，但是我遇到了一些错误，例如Google Chrome：)

This is probably not the site you are looking for!

(这可能不是您要查找的网站！)
The site's security certificate is not trusted!

(该站点的安全证书不受信任！)

Am I missing something?

(我想念什么吗？)

Is this the correct way to build a self-signed certificate?

(这是构建自签名证书的正确方法吗？)

  ask by michelemarcon translate from so

Answer 1

You can do that in one command:

(您可以通过以下命令执行此操作：)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

You can also add -nodes (short for no DES ) if you don't want to protect your private key with a passphrase.

(如果您不想使用密码来保护私钥，也可以添加-nodes （ no DES缩写）。)

Otherwise it will prompt you for "at least a 4 character" password.

(否则，它将提示您输入“至少4个字符”的密码。)

The days parameter (365) you can replace with any number to affect the expiration date.

(您可以用任何数字替换days参数（365）以影响到期日期。)

It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

(然后，它将提示您输入“国家名称”之类的内容，但是您只需按Enter并接受默认值即可。)

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

(添加-subj '/CN=localhost'以取消有关证书内容的问题（将localhost替换为所需的域）。)

Self-signed certificates are not validated with any third party unless you import them to the browsers previously.

(除非您以前将自签名证书导入浏览器，否则它们不会与任何第三方进行验证。)

If you need more security, you should use a certificate signed by a certificate authority (CA).

(如果需要更高的安全性，则应使用由证书颁发机构 （CA）签名的证书 。)