signature=2e9ca35c9f1b3c9baf1e7c3c58fa7911,关于CA 自签

CA

的自签认证，当然在做自签认证的同时应该把本机提升为

CA

，应为只有

CA

才有权利为别人颁发证书，同时也包括自己，然后才能让

CA

做自签

1

现进入目录

/etc/pki/CA

生成

key

文件

.

生成

key

文件有两种方法

第一方法：

#maketest.pem

注：但是用

make

生成

pem

文件时

必须在

/etc/pki/CA/private

第二方法：

# opennssl genrsa1024 > test.pem

或者

# opensslgenrsa1024 �Cout ttest.pem

注：

但是这种方法生成

key

文件是，该文件必须存在，不然不能成功

# opennssl genrsa1024 > my.pem

Generating RSA private key, 1024 bit long modulus

....++++++

...........................................++++++

e is 65537 (0x10001)

2

生成

key

文件后，提取公钥

# opensslreq-new-x509-keycakey.pem -out../cacert.pem �Cdays 3660

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:CA

Common Name (eg, your name or your server's hostname) []:station.example.com

Email Address []:root@station.example.co

注；红色的部分是根具自己企业的情况自己添加的一些企业信息

4

编辑文件

/etc/pki/tls/openssl.conf

文件改变一些设置

[ CA_default ]

dir= /etc/pki/CA# Where everything is kept

把相对路径该文绝对路径

并保存

5

创建文件在

/etc/pki/CA

#mkdirnewcerts

# touch ./{serial,index.txt}

6

给

serial

文件一些初始值

#echo “00” >./serial

7

创建目录

myca

，并进如该目录，创建

key

文件

#openssl genrsa1024> my.key

Generating RSA private key, 1024 bit long modulus

.................++++++

......................................++++++

e is 65537 (0x10001)

8

提取公钥

#opensslrsa-in my.key-pubout-outpub.key

writing RSA key

9

创建请求文件

#opensslreq-new-keymy.key-outm.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:CA

Common Name (eg, your name or your server's hostname) []:station.example.com

Email Address []:root@station.example.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

注：红色内容必须和创建

my.pem

是的信息相同，不然在自签不是不能成功

10

查看创建的请求文件

#opensslreq-intest.csr-noout-text

Certificate Request:

Data:

Version: 0 (0x0)

Subject: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:

f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:

5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:

48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:

59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:

58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:

25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:

ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:

c5:77:68:02:bb:e4:44:01:4f

Exponent: 65537 (0x10001)

Attributes:

a0:00

Signature Algorithm: sha1WithRSAEncryption

34:82:de:72:60:14:cc:98:5d:f2:0f:1b:36:69:c2:1e:72:8e:

7c:7d:b7:5f:be:ad:d7:d3:19:01:d7:37:74:e9:18:5a:1c:df:

c7:76:b9:89:6e:ac:ea:78:4f:1b:38:9f:46:8e:c8:50:2f:7a:

22:72:a2:ca:2e:b1:4a:fd:45:e5:18:9c:16:bc:65:2c:7d:87:

ef:33:d3:18:1e:a8:bb:5f:ca:56:51:a7:44:fa:38:bf:13:4b:

2f:7d:c6:e3:80:79:22:41:50:68:8d:01:28:ad:a4:e6:5a:95:

0b:de:4a:79:e4:41:f6:b4:35:8b:29:95:ef:e4:f6:a4:70:81:

97:e7

11

让

CA

自签

#openssl ca �Cin test.csr �Cout test.crt-days 1900

k that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Feb 26 14:58:40 2010 GMT

Not After : May 11 14:58:40 2015 GMT

Subject:

countryName= CN

stateOrProvinceName= HENAN

organizationName= ZZU

organizationalUnitName= CA

commonName= station.example.com

emailAddress= root@station.example.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89

X509v3 Authority Key Identifier:

keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B

Certificate is to be certified until May 11 14:58:40 2015 GMT (1900 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

当出现该信息是则说明

CA

自签成功

11

查看自签文件

# opensslx509-in my.crt-noout-text

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 0 (0x0)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.exmaple.com

Validity

Not Before: Feb 26 14:58:40 2010 GMT

Not After : May 11 14:58:40 2015 GMT

Subject: C=CN, ST=HENAN, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:

f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:

5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:

48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:

59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:

58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:

25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:

ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:

c5:77:68:02:bb:e4:44:01:4f

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89

X509v3 Authority Key Identifier:

keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B

Signature Algorithm: sha1WithRSAEncryption

5e:41:da:24:5b:2a:81:0e:ce:33:6d:9a:75:97:25:da:fd:e1:

a7:51:b3:ac:57:c1:dc:1c:5d:43:c7:59:dd:f3:3d:71:86:86:

1a:02:a4:e4:2e:bb:37:a9:08:6d:48:81:ff:46:31:cb:e9:16:

64:86:aa:d2:a2:78:fb:6b:53:82:40:19:d9:fb:ae:09:46:79:

3b:cc:ae:1c:dc:ce:90:da:e2:09:09:d4:4d:12:c0:5c:69:83:

80:f5:28:5c:05:17:82:19:be:ff:4b:b7:c3:d6:67:9b:48:95:

65:c4:70:c9:b4:d7:4c:9e:a6:d0:50:6a:b0:42:2a:58:53:2b:

d0:fe:4b:cd:45:8b:06:f7:7d:38:d4:4a:cd:bf:92:4d:fd:06:

73:8e:ed:42:6a:cb:52:43:94:c3:e8:81:2c:80:ac:a8:c1:60:

3f:66:81:46:79:97:a4:b8:37:99:1c:fb:1f:8d:ac:e6:a5:ca:

6b:e0:3b:0d:96:5e:02:c7:6a:e3:a2:f4:48:4a:78:cc:b7:d9:

eb:b5:c6:4b:5f:9d:eb:c2:ad:b7:89:a1:75:51:c3:1c:58:a6:

b3:4f:ed:cd:d7:8d:46:15:ac:21:64:ed:43:1f:61:01:60:bb:

96:14:c9:b5:11:e9:ad:33:f9:d2:a7:25:9b:2f:e1:30:48:20:

6e:f0:0f:9e