Generating certificates with OpenSSL on Linux
1. The certificates used by SSL can be self-created, or they can be signed by a commercial CA such as Verisign or Thawte.
2. Certificate concepts: there must first be a root certificate; the root certificate is then used to sign server certificates and client certificates. Server and client certificates are generally understood to be peers of each other.
So there are three kinds of certificate: the root certificate, the server certificate and the client certificate.
Before a certificate is generated there is normally a private key; the private key is used to create a certificate request, and the request is then signed with the certificate server's root certificate.
The script used on Linux to generate the certificates follows. Note: a file edited with a Windows editor must be converted to Linux line endings before it is run.
#!/bin/sh
# Point SSL at the OpenSSL installation directory
[ "$SSL" = "" ] && SSL=/usr/lib/ssl
export SSL
# The following variables hold the organisation information used in the subjects
COUNTRY="CN"
PROVINCE="."
CITY="Shanghai"
ORGANIZATION="MyCompany"
ORG_UNIT="Asia"
PASSWORD="mypass"
COMMON_NAME_SERVER="Server.Asia.MyCompany"
EMAIL_SERVER=""
PASSWORD_SERVER=$PASSWORD
COMMON_NAME_ROOT="RootCA.Asia.MyCompany"
EMAIL_ROOT=""
PASSWORD_ROOT=$PASSWORD
# Validity of the certificates in days
LIFETIME=1825
PATH=${SSL}/bin/:${SSL}/misc:${PATH}
LD_LIBRARY_PATH=${SSL}/lib
export PATH LD_LIBRARY_PATH
# Remove the output of any previous run
rm -rf demoCA roo* cert* *.pem *.der
# Create the CA private key ca.key and the self-signed root certificate cacert.pem
# (the answers to the interactive subject prompts are fed in through the pipe)
(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_ROOT
echo $EMAIL_ROOT
) | openssl req -new -x509 -keyout ca.key -out cacert.pem -days $LIFETIME -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
if [ "$?" != "0" ]
then
echo "Failed to create root certificate"
exit 1
fi
# Export the CA root certificate: PKCS#12 form, then PEM and DER
openssl pkcs12 -export -in cacert.pem -inkey ca.key -out root.p12 -cacerts -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
openssl pkcs12 -in root.p12 -out root.pem -passin pass:$PASSWORD_ROOT -passout pass:$PASSWORD_ROOT
openssl x509 -inform PEM -outform DER -in root.pem -out root.der
# Create the server key and certificate request; the last two answers are the
# challenge password and the optional company name that openssl req asks for
(echo $COUNTRY
echo $PROVINCE
echo $CITY
echo $ORGANIZATION
echo $ORG_UNIT
echo $COMMON_NAME_SERVER
echo $EMAIL_SERVER
echo $PASSWORD_SERVER
echo $ORG_UNIT
) | openssl req -new -keyout server.key -out server.csr -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
if [ "$?" != "0" ]
then
echo "Failed to create server request"
exit 1
fi
# Sign the server certificate with the CA. -days sets the lifetime here (a -days on
# the request above has no effect); the CA key is the one encrypted with PASSWORD_ROOT
(echo y
echo y) | openssl ca -config ca.conf -policy policy_anything -keyfile ca.key -cert cacert.pem -in server.csr -out server.pem -days $LIFETIME -passin pass:$PASSWORD_ROOT -extensions xpserver_ext -extfile xpextensions
if [ "$?" != "0" ]
then
echo "Failed to sign server certificate"
exit 1
fi
# Export the server certificate: PKCS#12 form, then PEM and DER
openssl pkcs12 -export -in server.pem -inkey server.key -out cert-srv.p12 -clcerts -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 5
openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER || exit 6
openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der || exit 7
Contents of the file ca.conf (passed to openssl ca with -config; the [ req ] section is only consulted if openssl req is also pointed at this file):
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./CA
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = whatever
output_password = whatever

[ certificate_authority ]
countryName = CN
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = admin@example.com
commonName = "Example Certificate Authority"
Contents of the file xpserver_ext:
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Contents of the file xpextensions (the script selects its xpserver_ext section with -extensions; 1.3.6.1.5.5.7.3.1 is the id-kp-serverAuth OID and 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth):
#
# File containing the OIDs required for Windows.
#
# http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Create a CA subdirectory in the current directory, and in it create an empty file index.txt and a file serial whose content is 01.
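The script above stops at exit codes and never checks what it produced. The following is an added example (not the page's script) that builds the same shape of PKI in a temporary directory, one leaf certificate per EKU section of the xpextensions file, and then uses openssl verify -purpose to confirm that the chain validates and that the server EKU really restricts the certificate's use. It assumes openssl 1.1.1 or newer on PATH; the file names (pki.cnf, client.pem) and function names are my own, sha256 and RSA-2048 are used instead of the md5 in the page's ca.conf, and the keys are left unencrypted for brevity.

```shell
# Added example, not the page's script: a throwaway root CA plus one leaf per EKU
# section of the page (server 1.3.6.1.5.5.7.3.1, client 1.3.6.1.5.5.7.3.2), then
# `openssl verify -purpose` proves that the chain AND the EKU restriction hold.
# sha256/RSA-2048 replace the page's md5; keys are unencrypted (-nodes) for brevity.
set -eu
# Constructed config: req defaults, a CA section, and the page's two EKU sections.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder overridden by -subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}
# Key + CSR for CN $3, signed by the CA in dir $1 using extension section $4.
# `x509 -req` avoids the index.txt/serial bookkeeping that `openssl ca` needs.
issue_leaf() {
    d=$1 name=$2 cn=$3 sect=$4
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$d/pki.cnf" \
        -subj "/C=CN/L=Shanghai/O=MyCompany/OU=Asia/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$d/$name.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/pki.cnf" \
        -extensions "$sect" -out "$d/$name.pem" 2>/dev/null
}
# Build root + server + client certificates in a fresh temp dir; prints its path.
build_pki() {
    d=$(mktemp -d) && write_config "$d/pki.cnf"
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 1825 \
        -config "$d/pki.cnf" -extensions v3_ca \
        -subj "/C=CN/L=Shanghai/O=MyCompany/OU=Asia/CN=RootCA.Asia.MyCompany" \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    issue_leaf "$d" server Server.Asia.MyCompany xpserver_ext
    issue_leaf "$d" client Client.Asia.MyCompany xpclient_ext
    echo "$d"
}
# 0 when cert $2 chains to $1/cacert.pem AND its EKU permits purpose $3
# (sslserver or sslclient); the page's script never performs this check.
cert_has_purpose() {
    openssl verify -purpose "$3" -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}
```

Run pki=$(build_pki) and then cert_has_purpose "$pki" "$pki/client.pem" sslserver to see a client-EKU certificate rejected for server use, which is exactly the restriction the xpserver_ext section is there to enforce.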