Yesterday I read the nginx SSL article on Zhang Yan's (张宴) blog. I followed the steps but it did not work, which was quite frustrating; I even asked a rather silly question. Later I looked into it and found the explanation of the PEM, DER, CSR and CRT files reproduced below. Combined with another article, I finally got SSL working. So hungry; I'll tidy this up when I'm back and post it.
To move your website from HTTP to HTTPS you need an SSL certificate. Usable SSL certificates are normally issued by organizations like Verisign and Thawte; we are not a bank, so of course we cannot afford that, but we can sign our own.
The article describes generating the private key (.key), the certificate signing request (.csr) and the site certificate (.crt); the .crt file is the one nginx SSL needs.
For the first few steps, just follow Zhang Yan's article; the key is the last step.
3. Generate a Self-Signed SSL Certificate (produce a self-signed SSL certificate file).
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
This is what actually generates the .crt file, the one used in nginx.
The original article link follows.
http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/
How To Generate SSL Key, CSR and Self Signed Certificate For Apache
If you want to convert your website from HTTP to HTTPS, you need to get an SSL certificate from a valid organization like Verisign or Thawte. You can also generate a self-signed SSL certificate for testing purposes.
In this article, let us review how to generate a private key file (server.key), a certificate signing request file (server.csr) and a webserver certificate file (server.crt) that can be used on an Apache server with mod_ssl.
Key, CSR and CRT File Naming Convention
I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.
Instead of server.key, I use www.thegeekstuff.com.key
Instead of server.csr, I use www.thegeekstuff.com.csr
Instead of server.crt, I use www.thegeekstuff.com.crt
1. Generate Private Key on the Server Running Apache + mod_ssl
First, generate a private key on the Linux server that runs the Apache webserver, using the openssl command as shown below.
# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...................................................++++++
e is 73547 (0x01001)
Enter pass phrase for www.thegeekstuff.com.key:
Verifying - Enter pass phrase for www.thegeekstuff.com.key:
# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key
The generated private key looks like the following.
# cat www.thegeekstuff.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E
ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----
2. Generate a Certificate Signing Request (CSR)
Using the key generated above, you should generate a certificate request file (.csr) using openssl as shown below.
# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Enter pass phrase for www.thegeekstuff.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: thegeekstuff
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root 664 Jun 13 20:35 www.thegeekstuff.com.csr
3. Generate a Self-Signed SSL Certificate
For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.
# openssl x509 -req -days 365 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=thegeekstuff/OU=IT/CN=www.thegeekstuff.com
Getting Private key
Enter pass phrase for www.thegeekstuff.com.key:
# ls -l www.thegeekstuff*
-rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root 664 Jun 13 20:35 www.thegeekstuff.com.csr
-rw-r--r-- 1 root root 879 Jun 13 20:43 www.thegeekstuff.com.crt
# cat www.thegeekstuff.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----
You can use this method to generate the Apache SSL key, CSR and CRT files on most Linux and Unix systems, including Ubuntu, Debian, CentOS, Fedora and Red Hat.
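The three steps above run end to end, followed by the checks worth making before the .key and .crt pair is handed to nginx or Apache. This is an added example, not code from the quoted article or the blog; the passphrase and output directory are constructed, and -aes256 with -subj/-passin replaces the article's -des3 and interactive prompts.

```shell
#!/bin/sh
# Added example, not code from the quoted article or the blog: the three
# steps above run non-interactively, then the checks worth making before
# the .key/.crt pair is deployed. Passphrase and directory are constructed;
# the DN is the one the article types in at the prompts.
set -e

DN='/C=US/ST=California/L=Los Angeles/O=The Geek Stuff/OU=IT/CN=www.thegeekstuff.com'
PASS='pass:example-passphrase'   # constructed; keep a real passphrase out of scripts

# Steps 1-3: encrypted private key, CSR signed with it, self-signed certificate.
# -aes256 replaces the article's -des3; -subj/-passin replace the prompts.
gen_self_signed() {   # $1 = output dir, $2 = file basename
    openssl genrsa -aes256 -passout "$PASS" -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -passin "$PASS" -subj "$DN" -out "$1/$2.csr"
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -passin "$PASS" -out "$1/$2.crt" 2>/dev/null
}

# Key, CSR and certificate must all carry the same RSA public key, so all
# three print the same modulus. A mismatch means a wrong key/cert pair was
# deployed, which surfaces as a failed TLS handshake rather than a clear error.
same_modulus() {      # $1 = dir, $2 = basename; prints yes or no
    k=$(openssl rsa  -in "$1/$2.key" -passin "$PASS" -noout -modulus)
    r=$(openssl req  -in "$1/$2.csr" -noout -modulus)
    c=$(openssl x509 -in "$1/$2.crt" -noout -modulus)
    [ "$k" = "$r" ] && [ "$r" = "$c" ] && echo yes || echo no
}

# A self-signed certificate is its own issuer and verifies only against
# itself, which is exactly why it is fine for testing and nothing else.
self_signed_ok() {    # $1 = dir, $2 = basename; prints yes or no
    subj=$(openssl x509 -in "$1/$2.crt" -noout -subject)
    iss=$(openssl x509 -in "$1/$2.crt" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ] &&
       openssl verify -CAfile "$1/$2.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

demo() {
    d=$(mktemp -d)
    gen_self_signed "$d" www.thegeekstuff.com
    echo "same public key in key/csr/crt: $(same_modulus "$d" www.thegeekstuff.com)"
    echo "self-signed and verifies:       $(self_signed_ok "$d" www.thegeekstuff.com)"
    rm -rf "$d"
}
demo
```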
Ok, this one should be in the docs, but unfortunately, there is only
a completely outdated note in there.
For any PKI certificate there are 3 parts:
1. The secret private key, which only the relevant computer should
know and which no-one else should be able to see or steal. This can
be stored in hardware (at a price), in an encrypted PKCS12 file
(extension .pfx or .p12) with the other two parts (mostly some
Microsoft programs need this), in an encrypted DER format file
(extension varies with the program) (rarely used) or in a PEM-encoded
encrypted DER file (extension .key) (the most common for non-Microsoft
products such as Apache).
2. The public key, which everybody will know. Most of the time this
is simply included as a field inside the cert (part 3 below), only
during the first steps of generating the cert may you temporarily need
this on its own. This may be stored in DER format (rare) or
PEM-encoded DER format (the usual). The file extension varies but
is often .pub, .der or .pem.
3. The certificate, which contains the public key, the name of the
server or person or company etc. that owns the matching private key,
various other important information and a signature (by the same or a
different public key) on all these facts. The certificate may be stored
with the private key in a PKCS12 file (extension .pfx or .p12) with the
other two parts (mostly some Microsoft programs need this), in an
unencrypted DER file (extension .crt or .cer) (only Microsoft IIS needs
this) or in an unencrypted PEM-encoded DER file (extension .crt or
.cer) (everything else uses this).
On 25-07-2010 00:49, Warron French wrote:
> I have been reading HOWTOs all over the internet trying to figure out
> how to generate a self-signed and/or CA (mine) signed certificate.
>
> What I can't understand is, WHY do I need an RSA "key" or certificate.
> I think it's a key. WHY do I need a PEM certificate, and why a DER
> certificate?
>
> Nowhere on any website does it say WHEN to use one type of certificate
> or just a key?
>
> Apache httpd.conf files will reference both .key and .crt files in their
> syntax; isn't the .crt a PEM-encoded certificate file? If so, why not
> give it a more meaningful .pem extension instead.
>
> Can anyone clarify for me? I am trying not to chase my tail and want to
> learn this stuff on a deeper level.
>
> When do I know if I need to perform the openssl req and then openssl
> x509 commands and NOT the openssl rsa command.
>
> This is all very confusing and I see no simplified (non-doctoral)
> documentation on this material. Anyone have a book to suggest?
>
>
> Thanks to anyone that can respond.
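As an added example (not part of the mail exchange above), one self-signed test certificate written in the three storage forms the reply describes, PEM, raw DER and PKCS#12, with checks showing that each holds the same certificate; the directory, passphrase and subject name are constructed.

```shell
#!/bin/sh
# Added example, not part of the mail above: one self-signed test certificate
# written in the three storage forms the reply lists (PEM, raw DER, PKCS#12),
# with checks that they hold the same certificate. Directory, passphrase and
# subject name are constructed.
set -e
PASS='pass:example-passphrase'   # constructed

make_test_cert() {   # $1 = dir; writes key.pem (encrypted), cert.pem and cert.der
    openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=test.example' \
        -passout "$PASS" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

# PEM is nothing more than the DER bytes, base64-encoded, between the
# BEGIN/END lines: decoding the body by hand gives the same file as -outform DER.
pem_is_base64_der() {   # $1 = dir; prints yes or no
    sed '/^-----/d' "$1/cert.pem" | openssl base64 -d > "$1/cert.manual.der"
    cmp -s "$1/cert.der" "$1/cert.manual.der" && echo yes || echo no
}

# .crt, .cer and .pem are naming conventions only; what matters is telling the
# parser which encoding to expect (-inform). Both readings yield one fingerprint.
fingerprint() {      # $1 = file, $2 = PEM or DER; prints the SHA-256 fingerprint
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PKCS#12 (.pfx/.p12) carries the private key and the certificate together in
# one encrypted container, the form some Microsoft products import.
pkcs12_roundtrip() {  # $1 = dir; prints yes or no
    openssl pkcs12 -export -inkey "$1/key.pem" -passin "$PASS" -in "$1/cert.pem" \
        -passout "$PASS" -out "$1/bundle.p12"
    back=$(openssl pkcs12 -in "$1/bundle.p12" -passin "$PASS" -nokeys -clcerts |
           openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$back" = "$(fingerprint "$1/cert.pem" PEM)" ] && echo yes || echo no
}

demo() {
    d=$(mktemp -d)
    make_test_cert "$d"
    echo "manual base64 decode == DER:  $(pem_is_base64_der "$d")"
    echo "PEM fingerprint: $(fingerprint "$d/cert.pem" PEM)"
    echo "DER fingerprint: $(fingerprint "$d/cert.der" DER)"
    echo "PKCS#12 holds the same cert:  $(pkcs12_roundtrip "$d")"
    rm -rf "$d"
}
demo
```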
Note: Cross-posted from 志存高远.