[英]Create CSR using existing private key
What I am trying to do is, create a CSR and with a private key that is password protected (the key).我想要做的是,创建一个 CSR 并使用受密码保护的私钥(密钥)。
In OpenSSL I can create a private key with a password like so:在 OpenSSL 中,我可以创建一个带有密码的私钥,如下所示:
openssl genrsa -des3 -out privkey.pem 2048
Is there some way I can use the key I just created and generate a CSR using the key?有什么方法可以使用我刚刚创建的密钥并使用该密钥生成 CSR?
If not is there some way I can generate a CSR along with a PASSWORD PROTECTED private key?如果没有,我可以通过某种方式生成 CSR 以及受密码保护的私钥吗?
This is the second example from the documentation of OpenSSL req :这是OpenSSL req 文档中的第二个示例:
Create a private key and then generate a certificate request from it:
创建私钥,然后从中生成证书请求:
openssl genrsa -out key.pem 2048 openssl req -new -key key.pem -out req.pem
Note that, if you do this directly with req
(see 3rd example), if you don't use the -nodes
option, your private key will also be encrypted:请注意,如果您直接使用
req
执行此操作(参见第三个示例),如果您不使用-nodes
选项,您的私钥也将被加密:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
(Despite what the documentation says, it's not exactly the same as the second example, since it doesn't use -des3
, but you would have done so anyway.) (不管文档怎么说,它与第二个示例并不完全相同,因为它不使用
-des3
,但无论如何你都会这样做。)
A password protected key means the private key was encrypted.受密码保护的密钥意味着私钥已加密。 Herein, 'key' refers to private keys.
这里,“密钥”是指私钥。 When using a key, like when creating a certificate signing request (CSR), if the key was encrypted expect to be prompted for the password.
使用密钥时,例如创建证书签名请求 (CSR) 时,如果密钥已加密,则预计会提示输入密码。
Create a CSR from an existing encrypted private -key
.从现有的加密私钥创建
-key
。 After the password prompt, depending on the openssl configuration file , you may be prompted to specify the distinguished name (DN) of the future certificate.密码提示后,根据 openssl配置文件,可能会提示您指定未来证书的可分辨名称 (DN)。 Option
-new
refers to the CSR:选项
-new
指的是 CSR:
openssl req -key a.key -new -out a.csr
It should be stated that creating a CSR from an existing key is not typical.应该指出的是,从现有密钥创建 CSR 并不常见。 Key creation is easy and low cost, and newer keys may be more secure.
密钥创建简单且成本低,更新的密钥可能更安全。 So the usual scenario when creating a CSR is to create a new private key.
所以创建 CSR 时通常的场景是创建一个新的私钥。
Update for openssl version 3.0 (circa 2022) openssl 版本 3.0 的更新(大约 2022 年)
genrsa was deprecated; genrsa 已被弃用; replaced by genpkey .
替换为genpkey 。 Also, encryption with AES128 was preferable to 3DES, for both security and performance.
此外,就安全性和性能而言,使用 AES128 加密优于 3DES。 To create a new
-aes-128-cbc
encrypted key: :要创建新的
-aes-128-cbc
加密密钥::
openssl genpkey -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out a.key
Then, as above, use it to create a new CSR.然后,如上所述,使用它来创建一个新的 CSR。
Or in one step, create a new 3DES encrypted RSA key + CSR:或者在一个步骤中,创建一个新的 3DES 加密 RSA 密钥 + CSR:
openssl req -newkey rsa:2048 -keyout a.key -out a.csr
Confirm what was created by the above commands.确认由上述命令创建的内容。 Configuration file(s) may have played a role in the commands, because not all options were used on the command line.
配置文件可能在命令中发挥了作用,因为并非所有选项都在命令行上使用。
openssl rsa -in a.key -text -noout # key bits & primes used, prompts if encrypted
openssl asn1parse -in a.key -i -dlimit 16 # encryption cipher used
openssl req -in a.csr -text -noout -verify # subject, pub key & signature algorithms, V3 extensions
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.