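# Create the client working directory under the CA root and an empty CSR config file.
# The steps are chained with && so that a failed cd (or an already existing client/
# directory that may hold older key material) stops here instead of silently
# continuing and creating the key in the wrong place.
cd /ca && mkdir -- client && cd client && touch openssl_csr.cnf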
在 openssl_csr.cnf 中填入以下内容:
[ req ]
# Parameters for the `openssl req` tool (CSR generation).
# default_bits only matters when req generates the key itself; this walkthrough
# passes an existing 4096-bit key with -key, so it is not used here.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
# Prompt text shown for each Distinguished Name field when the CSR is created.
# No _default/_min/_max entries are given, so every field is free-form input.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
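# Generate the 4096-bit client private key, encrypted with AES-256 under a
# passphrase that openssl prompts for. The subshell applies umask 077 to this
# command only, so the key file is created owner-only from the start instead of
# under the ambient umask until the chmod 400 later in the walkthrough.
( umask 077 && openssl genrsa -aes256 -out client.key.pem 4096 )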
#会提示需要输入私钥使用的密码,例如是helen123
Enter pass phrase for client.key.pem:helen123
#再次确认密码。
Verifying - Enter pass phrase for client.key.pem:helen123
# Restrict the encrypted private key to owner read-only (same as mode 400).
chmod u=r,go= -- client.key.pem
# Build the CSR from the encrypted client key, using the DN field definitions
# in openssl_csr.cnf; openssl prompts for the key passphrase and the DN values.
openssl req -new -sha256 \
  -config openssl_csr.cnf \
  -key client.key.pem \
  -out client.csr.pem
#会提示需要输入客户端凭证的私钥密码, 也就是 helen123
Enter pass phrase for client.key.pem:helen123
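# Work from the intermediate CA directory. The cd is chained with && so that
# the signing step is skipped, rather than run against a missing config, if the
# directory change fails.
#
# Sign the CSR with the intermediate CA: the client_cert extension section of
# openssl_intermediate_ca.cnf is applied, validity is 365 days, the signature
# digest is SHA-256, and -notext keeps the human-readable dump out of the PEM.
# openssl prompts for the intermediate key passphrase and for confirmation.
cd ../intermediate \
  && openssl ca -config openssl_intermediate_ca.cnf -extensions client_cert \
       -days 365 -notext -md sha256 \
       -in ../client/client.csr.pem \
       -out ../client/client.cert.pem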
# 会提示需要输入中继凭证的私钥密码,也就是bob123
Enter pass phrase for /ca/intermediate/private/intermediate_ca.key.pem:bob123
# 接着会显示要签发的凭证签发申请档的内容。
Check that the request matches the signature
Signature ok
Certificate Details:
...
#询问是否签署证书，输入 y。
Sign the certificate? [y/n]:y
# 接着询问是否将签发的凭证记录到资料库(index.txt)，输入 y。
1 out of 1 certificate requests certified, commit? [y/n]y
# Make the issued certificate world-readable but not writable (same as mode 444).
chmod a=r -- ../client/client.cert.pem
检查签发的凭证:
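# Dump the issued certificate so subject, validity and extensions can be reviewed.
openssl x509 -noout -text -in ../client/client.cert.pem
# Verify the certificate against the CA chain. -purpose sslclient additionally
# checks that the extensions the CA applied actually permit TLS client use, which
# a plain chain check does not; it fails if the client_cert section lacks them.
openssl verify -CAfile chain/chain.cert.pem -purpose sslclient ../client/client.cert.pem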
# 显示 OK 表示正确.
../client/client.cert.pem: OK
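# Return to the client directory and assemble the certificate chain file
# (leaf certificate first, then the intermediate chain). The steps are chained
# with && so that a failed cd cannot write client_chain.cert.pem into the
# intermediate CA directory, and the chmod only runs on a successfully built file.
cd ../client \
  && cat -- client.cert.pem ../intermediate/chain/chain.cert.pem > client_chain.cert.pem \
  && chmod 444 client_chain.cert.pem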