使用现有私钥创建 CSR
[英]Create CSR using existing private key
问题描述
What I am trying to do is, create a CSR and with a private key that is password protected (the key).
我想要做的是,创建一个 CSR 并使用受密码保护的私钥(密钥)。
In OpenSSL I can create a private key with a password like so:在 OpenSSL 中,我可以创建一个带有密码的私钥,如下所示:
openssl genrsa -des3 -out privkey.pem 2048
Is there some way I can use the key I just created and generate a CSR using the key?有什么方法可以使用我刚刚创建的密钥并使用该密钥生成 CSR?
If not is there some way I can generate a CSR along with a PASSWORD PROTECTED private key?如果没有,我可以通过某种方式生成 CSR 以及受密码保护的私钥吗?
2 个解决方案
解决方案1
66 已采纳 2012-02-27 20:25:57
This is the second example from the documentation of OpenSSL req :这是OpenSSL req 文档中的第二个示例:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 2048 openssl req -new -key key.pem -out req.pem
Note that, if you do this directly with req (see 3rd example), if you don't use the -nodes option, your private key will also be encrypted:请注意,如果您直接使用req执行此操作(参见第三个示例),如果您不使用-nodes选项,您的私钥也将被加密:
openssl req -newkey rsa:2048 -keyout key.pem -out req.pem
(Despite what the documentation says, it's not exactly the same as the second example, since it doesn't use -des3 , but you would have done so anyway.) (不管文档怎么说,它与第二个示例并不完全相同,因为它不使用-des3 ,但无论如何你都会这样做。)
解决方案2
0 2022-12-28 21:33:01
A password protected key means the private key was encrypted.受密码保护的密钥意味着私钥已加密。 Herein, 'key' refers to private keys.这里,“密钥”是指私钥。 When using a key, like when creating a certificate signing request (CSR), if the key was encrypted expect to be prompted for the password.使用密钥时,例如创建证书签名请求 (CSR) 时,如果密钥已加密,则预计会提示输入密码。
Create a CSR from an existing encrypted private -key .从现有的加密私钥创建-key 。 After the password prompt, depending on the openssl configuration file , you may be prompted to specify the distinguished name (DN) of the future certificate.密码提示后,根据 openssl配置文件,可能会提示您指定未来证书的可分辨名称 (DN)。 Option -new refers to the CSR:选项-new指的是 CSR:
openssl req -key a.key -new -out a.csr
It should be stated that creating a CSR from an existing key is not typical.应该指出的是,从现有密钥创建 CSR 并不常见。 Key creation is easy and low cost, and newer keys may be more secure.密钥创建简单且成本低,更新的密钥可能更安全。 So the usual scenario when creating a CSR is to create a new private key.所以创建 CSR 时通常的场景是创建一个新的私钥。
Update for openssl version 3.0 (circa 2022) openssl 版本 3.0 的更新(大约 2022 年)
genrsa was deprecated; genrsa 已被弃用; replaced by genpkey .替换为genpkey 。 Also, encryption with AES128 was preferable to 3DES, for both security and performance.此外,就安全性和性能而言,使用 AES128 加密优于 3DES。 To create a new -aes-128-cbc encrypted key: :要创建新的-aes-128-cbc加密密钥::
openssl genpkey -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out a.key
Then, as above, use it to create a new CSR.然后,如上所述,使用它来创建一个新的 CSR。
Or in one step, create a new 3DES encrypted RSA key + CSR:或者在一个步骤中,创建一个新的 3DES 加密 RSA 密钥 + CSR:
openssl req -newkey rsa:2048 -keyout a.key -out a.csr
Confirm what was created by the above commands.确认由上述命令创建的内容。 Configuration file(s) may have played a role in the commands, because not all options were used on the command line.配置文件可能在命令中发挥了作用,因为并非所有选项都在命令行上使用。
openssl rsa -in a.key -text -noout # key bits & primes used, prompts if encrypted
openssl asn1parse -in a.key -i -dlimit 16 # encryption cipher used
openssl req -in a.csr -text -noout -verify # subject, pub key & signature algorithms, V3 extensions
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.