1. 创立根证书密钥文件(自己做CA)root.key:
openssl genrsa -des3 -out root.key
2. 创立根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
3. 创立一个自目前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
4. 创立服务器证书密钥server.key:
openssl genrsa –des3 -out server.key 2048
5.创立服务器证书的申请文件server.csr:
openssl req -new -key server.key -out server.csr
6. 创立自目前日期起管用期为期两年的服务器证书server.crt:
openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
1. 创立根证书密钥文件(自己做CA)root.key:
openssl genrsa -des3 -out root.key
输出内容为:
[lenin@archer ~]$ openssl genrsa -des3 -out root.key
Generating RSA private key, 512 bit long modulus
……………..++++++++++++
..++++++++++++
e is 65537 (0×10001)
Enter pass phrase for root.key: ← 输入一个新密码
Verifying – Enter pass phrase for root.key: ← 重新输入一遍密码
2. 创立根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
输出内容为:
[lenin@archer ~]$ openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key: ← 输入前面创立的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.whflsc.com’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国度代号,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音
Locality Name (eg, city) []:BeiJing ← 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ←
公司英文名
Organizational Unit Name (eg, section) []: ← 能够不输入
Common Name (eg, YOUR name) []: ← 此刻不输入
Email Address []:admin@mycompany.com ← 电子邮箱,可容易填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 能够不输入
An optional company name []: ← 能够不输入
3. 创立一个自目前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
输出内容为:
[lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@
mycompany.com
Getting Private key
Enter pass phrase for root.key: ← 输入前面创立的密码
4. 创立服务器证书密钥server.key:
openssl genrsa –des3 -out server.key 2048
输出内容为:
[lenin@archer ~]$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
….+++
…………………………………………..+++
e is 65537 (0×10001)
运行时会提醒输入密码,此密码用于加密key文件(参数des3便是指加密算法,
当然也能够拨取其他你感受平安的算法.),尔后每当需读取此文件(穿越openssl
供给的号召或API)都需输入口令.万一感受不得体,也能够肃清这个口令,
但定然要批准其他的防御措施!
肃清key文件口令的号召:
openssl rsa -in server.key -out server.key
5.创立服务器证书的申请文件server.csr:
openssl req -new -key server.key -out server.csr
输出内容为:
[lenin@archer ~]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国度名目,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省名,拼音
Locality Name (eg, city) []:BeiJing ← 市名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ←
公司英文名
Organizational Unit Name (eg, section) []: ← 能够不输入
Common Name (eg, YOUR name) []:om ←
服务器主机名,若填写不准确,博览器会报告证书无效,但并不波及利用
Email Address []:admin@mycompany.com ← 电子邮箱,可容易填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 能够不输入
An optional company name []: ← 能够不输入
6. 创立自目前日期起管用期为期两年的服务器证书server.crt:
openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
输出内容为:
[lenin@archer ~]$ openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
使用opensll工具来生证书过程如下:
一 ) 首先创建CA根证书
1) 生成RSA private key 给CA (3 DES 加密, PEM 格式):
$ openssl genrsa -des3 -out rootca.key 1024
2) 产生一个X509结构,PEM格式的自签名证书(当然也可以由CA机构签名)
$ openssl req -new -x509 -days 365 -key rootca.key -out rootca.crt
3) 查看该根证书的详细内容
$ openssl x509 -noout -text -in rootca.crt
4) 验证证书有效性
$ openssl verify -CAfile rootca.crt rootca.crt
第一个为根证书,第二个为需要验证的子证书,由于是自签名,相当于自己给自己颁发的?
な椤?
二 ) 用根证书颁发子证书
1) 生成一个3DES 加密,PEM格式的RSA private KEY .
$ openssl genrsa -des3 -out user.key 1024
2) 产生证书签名请求文件(PEM格式)
$ openssl req -new -key user.key -out user.csr
3) 使用CA根证书签名
A 生成配置文件如下ca.config :
[ ca ]
default_ca=CA_own
[ CA_own ]
dir=C:/openssl/bin
certs=C:/openssl/bin
new_certs_dir=C:/openssl/bin //生成子证书的目录
database=C:/openssl/bin/index.txt //生成子证书后会更新内容到此文件
serial=C:/openssl/bin/serial.txt //子证书的序列号从此文件读取
certificate=C:/openssl/bin/rootca.crt //根证书
private_key=C:/openssl/bin/rootca.key //根证书的私钥
default_days=365
default_crl_days=30
default_md=md5
preserve=no
policy=policy_anything
[ policy_anything ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional
B 执行如下命令来签名
openssl ca -config ca.config -out user.crt -infiles user.csr
4) 验证证书有效性
openssl verify -CAfile rootca.crt user.crt
用rootca.crt的公钥验证user.crt的签名是否合法。
################################################################
# penssl example configuration file.
# This is mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca= CA_default # The default ca section
#################################################################
[ CA_default ]
dir=/home/lqy/WorkShop/openssl_install/CA # Where everything is kept
certs=$dir/certs # Where the issued certs are kept
crl_dir= $dir/crl # Where the issued crl are kept
database= $dir/index.txt # database index file
new_certs_dir= $dir/newcerts # default place for new certs
certificate=$dir/root.crt # The CA certificate
serial= $dir/serial # The current serial number
crl= $dir/crl.pem # The current CRL
private_key= $dir/private/root.key # The private key
RANDFILE= $dir/.rand # private random number file
default_days= 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md= md5 # which message digest to use
preserve= no # keep passed DN ordering
# A few different ways of specifying how closely the request should
# conform to the details of the CA
policy= policy_match # For the CA policy
[ policy_match ]
countryName= match
stateOrProvinceName= match
organizationName= match
organizationalUnitName= optional
commonName= optional
emailAddress= optional
# For the `anything' policy
# At this point in time, you must list all acceptable `object'
# types
[ policy_anything ]
countryName = optional
stateOrProvinceName= optional
localityName= optional
organizationName = optional
organizationalUnitName = optional
commonName= optional
emailAddress= optional
[ req ]
default_bits = 1024
default_keyfile= privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName= Country Name (2 letter code)
countryName_min= 2
countryName_max = 2
stateOrProvinceName= State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg. YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName= An optional company name
openssl genrsa -des3 -out root.key
2. 创立根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
3. 创立一个自目前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
4. 创立服务器证书密钥server.key:
openssl genrsa –des3 -out server.key 2048
5.创立服务器证书的申请文件server.csr:
openssl req -new -key server.key -out server.csr
6. 创立自目前日期起管用期为期两年的服务器证书server.crt:
openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
1. 创立根证书密钥文件(自己做CA)root.key:
openssl genrsa -des3 -out root.key
输出内容为:
[lenin@archer ~]$ openssl genrsa -des3 -out root.key
Generating RSA private key, 512 bit long modulus
……………..++++++++++++
..++++++++++++
e is 65537 (0×10001)
Enter pass phrase for root.key: ← 输入一个新密码
Verifying – Enter pass phrase for root.key: ← 重新输入一遍密码
2. 创立根证书的申请文件root.csr:
openssl req -new -key root.key -out root.csr
输出内容为:
[lenin@archer ~]$ openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key: ← 输入前面创立的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.whflsc.com’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国度代号,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音
Locality Name (eg, city) []:BeiJing ← 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ←
公司英文名
Organizational Unit Name (eg, section) []: ← 能够不输入
Common Name (eg, YOUR name) []: ← 此刻不输入
Email Address []:admin@mycompany.com ← 电子邮箱,可容易填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 能够不输入
An optional company name []: ← 能够不输入
3. 创立一个自目前日期起为期十年的根证书root.crt:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
输出内容为:
[lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./emailAddress=admin@
mycompany.com
Getting Private key
Enter pass phrase for root.key: ← 输入前面创立的密码
4. 创立服务器证书密钥server.key:
openssl genrsa –des3 -out server.key 2048
输出内容为:
[lenin@archer ~]$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
….+++
…………………………………………..+++
e is 65537 (0×10001)
运行时会提醒输入密码,此密码用于加密key文件(参数des3便是指加密算法,
当然也能够拨取其他你感受平安的算法.),尔后每当需读取此文件(穿越openssl
供给的号召或API)都需输入口令.万一感受不得体,也能够肃清这个口令,
但定然要批准其他的防御措施!
肃清key文件口令的号召:
openssl rsa -in server.key -out server.key
5.创立服务器证书的申请文件server.csr:
openssl req -new -key server.key -out server.csr
输出内容为:
[lenin@archer ~]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国度名目,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省名,拼音
Locality Name (eg, city) []:BeiJing ← 市名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ←
公司英文名
Organizational Unit Name (eg, section) []: ← 能够不输入
Common Name (eg, YOUR name) []:om ←
服务器主机名,若填写不准确,博览器会报告证书无效,但并不波及利用
Email Address []:admin@mycompany.com ← 电子邮箱,可容易填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 能够不输入
An optional company name []: ← 能够不输入
6. 创立自目前日期起管用期为期两年的服务器证书server.crt:
openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
输出内容为:
[lenin@archer ~]$ openssl x509 -req -days 730 -md5 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
使用opensll工具来生证书过程如下:
一 ) 首先创建CA根证书
1) 生成RSA private key 给CA (3 DES 加密, PEM 格式):
$ openssl genrsa -des3 -out rootca.key 1024
2) 产生一个X509结构,PEM格式的自签名证书(当然也可以由CA机构签名)
$ openssl req -new -x509 -days 365 -key rootca.key -out rootca.crt
3) 查看该根证书的详细内容
$ openssl x509 -noout -text -in rootca.crt
4) 验证证书有效性
$ openssl verify -CAfile rootca.crt rootca.crt
第一个为根证书,第二个为需要验证的子证书,由于是自签名,相当于自己给自己颁发的?
な椤?
二 ) 用根证书颁发子证书
1) 生成一个3DES 加密,PEM格式的RSA private KEY .
$ openssl genrsa -des3 -out user.key 1024
2) 产生证书签名请求文件(PEM格式)
$ openssl req -new -key user.key -out user.csr
3) 使用CA根证书签名
A 生成配置文件如下ca.config :
[ ca ]
default_ca=CA_own
[ CA_own ]
dir=C:/openssl/bin
certs=C:/openssl/bin
new_certs_dir=C:/openssl/bin //生成子证书的目录
database=C:/openssl/bin/index.txt //生成子证书后会更新内容到此文件
serial=C:/openssl/bin/serial.txt //子证书的序列号从此文件读取
certificate=C:/openssl/bin/rootca.crt //根证书
private_key=C:/openssl/bin/rootca.key //根证书的私钥
default_days=365
default_crl_days=30
default_md=md5
preserve=no
policy=policy_anything
[ policy_anything ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional
B 执行如下命令来签名
openssl ca -config ca.config -out user.crt -infiles user.csr
4) 验证证书有效性
openssl verify -CAfile rootca.crt user.crt
用rootca.crt的公钥验证user.crt的签名是否合法。
################################################################
# penssl example configuration file.
# This is mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca= CA_default # The default ca section
#################################################################
[ CA_default ]
dir=/home/lqy/WorkShop/openssl_install/CA # Where everything is kept
certs=$dir/certs # Where the issued certs are kept
crl_dir= $dir/crl # Where the issued crl are kept
database= $dir/index.txt # database index file
new_certs_dir= $dir/newcerts # default place for new certs
certificate=$dir/root.crt # The CA certificate
serial= $dir/serial # The current serial number
crl= $dir/crl.pem # The current CRL
private_key= $dir/private/root.key # The private key
RANDFILE= $dir/.rand # private random number file
default_days= 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md= md5 # which message digest to use
preserve= no # keep passed DN ordering
# A few different ways of specifying how closely the request should
# conform to the details of the CA
policy= policy_match # For the CA policy
[ policy_match ]
countryName= match
stateOrProvinceName= match
organizationName= match
organizationalUnitName= optional
commonName= optional
emailAddress= optional
# For the `anything' policy
# At this point in time, you must list all acceptable `object'
# types
[ policy_anything ]
countryName = optional
stateOrProvinceName= optional
localityName= optional
organizationName = optional
organizationalUnitName = optional
commonName= optional
emailAddress= optional
[ req ]
default_bits = 1024
default_keyfile= privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName= Country Name (2 letter code)
countryName_min= 2
countryName_max = 2
stateOrProvinceName= State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg. YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName= An optional company name
扫一扫
7066
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
