转载请注明出处: http://blog.csdn.net/zhangyang0402/archive/2010/05/27/5626953.aspx
操作系统:Windows XP professional SP3
Openssl: 1.0.0 29
一、 生成CA证书
1. 生成CA私钥
C:/demoCA>openssl genrsa -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
............++++++
..............................++++++
e is 65537 (0x10001)
2. 生成CA证书请求
C:/demoCA>openssl req -new -key ca.key -out ca.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Yang Zhang
Email Address []:yang.zhang@intel.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
3. 自签名CA证书
C:/demoCA>openssl x509 -req -in ca.csr -out ca.cert -signkey ca.key -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Intel/OU=IT/CN=Yang Zhang/emailAddress=yang
.zhang@intel.com
Getting Private key
二、生成客户端证书
1. 生成私钥
C:/demoCA>openssl genrsa -out client.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
2. 生成证书请求
C:/demoCA>openssl req -new -key client.key -out client.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:client
Email Address []:client@intel.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:654321
An optional company name []:
3.CA签名
C:/demoCA>openssl x509 -req -in client.csr -out client.cert -CA ca.cert -CAkey c
a.key -CAcreateserial -days 3650
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Intel/OU=IT/CN=client/emailAddress=client@intel.com
Getting CA Private Key
4. 转换成pfx格式
C:/demoCA>openssl pkcs12 -export -clcerts -in client.cert -inkey client.key -out
client.pfx
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:123456
三、 配置Ipsec
通过上面的方法,生成CA证书ca.cert,两个客户端证书client.pfx, server.pfx
1. 导入证书
在两台测试机中,通过MMC分别导入CA证书和自己的证书,CA证书导入到本地计算机的“受信任的根证书颁发机构”证书下,个人证书导入到本地计算机的“个人”证书下(个人证书导入时要输入先前的export password)。
注:导入个人证书后,在MMC证书中双击个人证书,在“常规”选项卡时,可看到一个钥匙标记“您有一个与该证书对应的私钥”, 若无此标记,则Ipsec 在Main Mode协商中将会失败。这也是制作客户端证书时转换成pfx格式证书的原因。
2. 设置身份验证方法
在两台测试机中,设置身份验证方法为“使用由此证书颁发机构(CA)颁发的证书”,单击“浏览”按钮,选择CA证书即可(注:不是选择个人证书)
四、测试
C:/demoCA>ping 192.168.0.201
Pinging 192.168.0.201 with 32 bytes of data:
Negotiating IP Security.
Reply from 192.168.0.201: bytes=32 time<1ms TTL=128
Reply from 192.168.0.201: bytes=32 time<1ms TTL=128
Reply from 192.168.0.201: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.201:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
测试成功