A detailed record of creating certificates with openssl
1: Environment
CentOS-4.4, kernel version: Linux beijing5000 2.6.9-42.EL #1 Sat Aug 12 09:17:58 CDT 2006 i686 i686 i386 GNU/Linux
openssl version: OpenSSL 0.9.7a Feb 19 2003
The machine's IP address is: 192.168.3.9
2: Approach
First generate a root certificate, then use the root certificate to generate the other certificates.
3: Creating the root certificate
3.1 Find where the installed openssl is located
#find / -name openssl.cnf
/usr/share/ssl/openssl.cnf
#cd /usr/share/ssl
# ls -a
. .. CA cert.pem certs lib misc openssl.cnf private
3.2 Set the number of days until ××× expire
# vi openssl.cnf
Find default_days = 365 on line 63 and change it to: default_days = 3650
This way it only expires after ten years.
3.3 Modify the CA script
#cd misc
# ls -a
. .. CA c_hash c_info c_issuer c_name
#vi CA
Edit CA and change the 365 in DAYS="-days 365" to the value you want. Note that it must be larger than "default_days" in openssl.cnf, but also not too large; 15 to 20 years is usually enough.
So I changed it to DAYS="-days 7300" (20 years).
3.4 Generate the root certificate that will be used to sign and certify the other certificates
#./CA -newca
Output:
CA certificate filename (or enter to create)
Then press Enter.
Output:
Making CA certificate ...
Generating a 1024 bit RSA private key
................++++++
.......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Then enter the password: root
Output:
Verifying - Enter PEM pass phrase:
Enter the password again: root
Output:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
Enter: ro
Output:
State or Province Name (full name) [Berkshire]:
Enter: roots
Output:
Locality Name (eg, city) [Newbury]:
Enter: rootcity
Output:
Organization Name (eg, company) [My Company Ltd]:
Enter: rootorg
Output:
Organizational Unit Name (eg, section) []:
Enter: rootsection
Output:
Common Name (eg, your name or your server's hostname) []:
Enter: rootname
Output:
Email Address []:
Enter: root@163.com
3.5 Generate the CRL file that goes with the certificate
#openssl ca -gencrl -out crl.pem
When this appears:
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Enter the password: root
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA
4: Creating the certificate for host ***gateway
In the IPsec environment I am building I need two hosts: ***gateway and jim.
4.1 Generate the certificate request to be signed; the default file name is newreq.pem. The password entered here is the one used when filling in /etc/ipsec.secrets.
#./CA -newreq
Output:
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Enter: ***gateway
Output:
Verifying - Enter PEM pass phrase:
Enter the password again: ***gateway
Output:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
Enter: ro
Output:
State or Province Name (full name) [Berkshire]:
Enter: roots
Output:
Locality Name (eg, city) [Newbury]:
Enter: rootcity
Output:
Organization Name (eg, company) [My Company Ltd]:
Enter: rootorg
Output:
Organizational Unit Name (eg, section) []:
Enter: rootsection
Output:
Common Name (eg, your name or your server's hostname) []:
Enter: ***gateway
Output:
Email Address []:
Enter: ***gateway@163.com
Output:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
Enter: ***gatewaychall
Output:
An optional company name []:
Enter: ***gatewaycompany
Output:
Request (and private key) is in newreq.pem
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA newreq.pem
4.2 Sign and certify the generated request; the default output name is newcert.pem
#./CA -sign
Output:
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Enter: root
Output:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 6 03:42:50 2008 GMT
Not After : Nov 4 03:42:50 2018 GMT
Subject:
countryName = ro
stateOrProvinceName = roots
localityName = rootcity
organizationName = rootorg
organizationalUnitName = rootsection
commonName = ***gateway
emailAddress = ***gateway@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
29:B6:59:AB:F6:4C:84:50:B0:96
6:9B:30:48:65:52:E2:7B:95:70
X509v3 Authority Key Identifier:
keyid:6F:F8:4B:9C:A1:F4:AF:84:47:88:BE:4C:2C:A3:0F:EE:C2:07:8C:E1
DirName:/C=ro/ST=roots/L=rootcity/O=rootorg/OU=rootsection/CN=rootname/emailAddress=root@163.com
serial:00
Certificate is to be certified until Nov 4 03:42:50 2018 GMT (3650 days)
Sign the certificate? [y/n]:
Enter: y
Output:
1 out of 1 certificate requests certified, commit? [y/n]
Enter: y
Output:
Signature Algorithm: md5WithRSAEncryption
a9:c9:0d:2e:b1:43:f4:89:b1:8e:d4:26:d1:51:1f:3c:1a:2e:
07:2c:e9:3c:74:e7:66:6b:7a:d5:f2:65:8c:95:30:df:10:ac:
c9:73:30:f5:97:c4:f0:7d:64:f8:a9:4a:26:da:d9:21:2b:07:
eb:8d:e2:8b:a0:50:f3:bb:1d:a3:bf:64:d4:0b:85:1a:db:37:
75:98:be:0f:91:81:95:4f:e8:d7:cd:6a:8a:f9:af:cf:ee:f4:
1c:63:f9:24:e8:88:9a:a8:be:fa:e1:ad:5f:82:d3:cf:84:d0:
1b:db:db:0d:c8:1c:30:26:bf:ea:a3:6f:91:31:68:2f:31:5e:
38:32
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA newcert.pem newreq.pem
4.3 Verify the signed certificate
#./CA -verify
Output: newcert.pem: OK
4.4 Rename the files
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA newcert.pem newreq.pem
#mv newcert.pem ***gateway.cert
# ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.cert newreq.pem
#mv newreq.pem ***gateway.key
# ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.key ***gateway.cert
5: Creating the certificate for host Jim
5.1: Generate the certificate request to be signed; the default file name is newreq.pem. The password entered here is the one used when filling in /etc/ipsec.secrets.
#cd /usr/share/ssl/misc
#./CA -newreq
Output:
Generating a 1024 bit RSA private key
........++++++
....................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Enter the password: jimpass
Output:
Verifying - Enter PEM pass phrase:
Enter the password again: jimpass
Output:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
Enter: ro
Output:
State or Province Name (full name) [Berkshire]:
Enter: roots
Output:
Locality Name (eg, city) [Newbury]:
Enter: rootcity
Output:
Organization Name (eg, company) [My Company Ltd]:
Enter: rootorg
Output:
Organizational Unit Name (eg, section) []:
Enter: rootsection
Output:
Common Name (eg, your name or your server's hostname) []:
Enter: jimname
Output:
Email Address []:
Enter: jim@163.com
Output:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
Enter: jimchall
Output:
An optional company name []:
Enter: jimcompany
Output:
Request (and private key) is in newreq.pem
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.key ***gateway.cert newreq.pem
5.2 Sign and certify the generated request; the default output name is newcert.pem
#./CA -sign
Output:
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Enter: root
Output:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 6 05:51:03 2008 GMT
Not After : Nov 4 05:51:03 2018 GMT
Subject:
countryName = ro
stateOrProvinceName = roots
localityName = rootcity
organizationName = rootorg
organizationalUnitName = rootsection
commonName = jimname
emailAddress = jim@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EF:8B:78:F0:EE:22:AE:FF:78:EE:58:E0:5E:E3:96:6D:5B:52:A7:77
X509v3 Authority Key Identifier:
keyid:6F:F8:4B:9C:A1:F4:AF:84:47:88:BE:4C:2C:A3:0F:EE:C2:07:8C:E1
DirName:/C=ro/ST=roots/L=rootcity/O=rootorg/OU=rootsection/CN=rootname/emailAddress=root@163.com
serial:00
Certificate is to be certified until Nov 4 05:51:03 2018 GMT (3650 days)
Sign the certificate? [y/n]:
Enter: y
Output:
1 out of 1 certificate requests certified, commit? [y/n]
Enter: y
Output:
Signature Algorithm: md5WithRSAEncryption
06:ed:87:1c:74:db:4a:e9:04:f9:80:6f:03:53:21:28:fd:4d:
ae:a8:f1:b5:b2:2a:dd:e3:bc:a0:41:b7:53:b7:8b:a5:4b:6c:
7e:a1:ea:29:48:16:d6:87:85:ed:a6:a2:a6:ed:59:14:dc:e2:
67:7c:ab:54:ff:bc:f8:e1:b5:7e:64:58:df:c1:8b:44:50:cc:
87:43:6f:8c:e9:3d:c3:53:21:f3:85:fa:a8:10:68:14:23:ad:
1d:de:f3:89:c1:18:85:28:97:d2:39:a9:5a:cf:31:a1:2d:2c:
95:9c:19:b4:0f:ac:ad:8b:25:2c:3a:9a:1d:8e:ae:73:71:bb:
87:de
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
5.3 Verify the signed certificate
#./CA -verify
Output: newcert.pem: OK
5.4 Rename the files
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.key ***gateway.cert newcert.pem newreq.pem
#mv newcert.pem jim.cert
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.key ***gateway.cert newreq.pem jim.cert
#mv newreq.pem jim.key
#ls -a
. .. CA c_hash c_info c_issuer c_name crl.pem demoCA ***gateway.key ***gateway.cert jim.key jim.cert
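The whole procedure above (sections 3 to 5: root CA, two host certificates, CRL, verification) as one added example, not code from the original post. It drives the plain openssl CLI instead of the misc/CA wrapper so it runs without prompts, and it replaces what the 0.9.7a defaults produced in the output above with settings a practitioner would use today: SHA-256 instead of md5WithRSAEncryption, 2048-bit instead of 1024-bit RSA, and a CA key passphrase longer than "root". It also writes each host's key and CSR to separate files, because the post's newreq.pem holds both and the final `mv newreq.pem ***gateway.key` leaves the request inside the "key" file. Finally it revokes jim's certificate and regenerates the CRL, which shows why a plain `CA -verify` is not enough: only a verification that consults the CRL rejects the revoked certificate. It assumes a modern openssl binary on PATH; every path, subject and passphrase in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the post's CA workflow with the
# plain openssl CLI, non-interactive, SHA-256 and 2048-bit RSA. Assumes a modern
# openssl on PATH; all paths, subjects and passphrases here are constructed.
set -u
WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/demoCA"
CA_PASS="constructed-ca-passphrase"   # the post used "root"; a CA key deserves better
# Minimal openssl.cnf: the database files 'openssl ca' expects plus the
# extension sets for the root and for issued host certificates.
write_config() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 825
default_crl_days = 30
policy           = demo_policy
x509_extensions  = host_cert
[ demo_policy ]
countryName      = optional
organizationName = supplied
commonName       = supplied
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ host_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
# './CA -newca' equivalent: self-signed root, CA:TRUE, encrypted key.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/C=RO/O=ExampleOrg/CN=rootname" \
        -keyout "$CADIR/private/cakey.pem" -passout "pass:$CA_PASS" \
        -out "$CADIR/cacert.pem"
}
# './CA -newreq' equivalent, but key and CSR go to separate files (the post's
# newreq.pem kept both, so 'mv newreq.pem host.key' left the CSR in the key file).
make_request() {          # $1 = host name used as CN, $2 = key passphrase
    openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/openssl.cnf" \
        -subj "/C=RO/O=ExampleOrg/CN=$1" \
        -keyout "$WORK/$1.key" -passout "pass:$2" -out "$WORK/$1.csr"
}
# './CA -sign' equivalent: issue under the host_cert extensions.
sign_request() {          # $1 = host name; reads $1.csr, writes $1.cert
    openssl ca -batch -notext -config "$WORK/openssl.cnf" \
        -passin "pass:$CA_PASS" -in "$WORK/$1.csr" -out "$WORK/$1.cert"
}
# 'openssl ca -gencrl -out crl.pem' equivalent.
make_crl() { openssl ca -config "$WORK/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$WORK/crl.pem"; }
# Mark a host certificate revoked; the CRL only reflects it after make_crl runs again.
revoke_cert() { openssl ca -config "$WORK/openssl.cnf" -passin "pass:$CA_PASS" -revoke "$WORK/$1.cert"; }
# Checks on the result: './CA -verify' equivalent, with and without the CRL.
verify_chain() { openssl verify -CAfile "$CADIR/cacert.pem" "$1" >/dev/null 2>&1; }
verify_with_crl() {       # a revoked certificate must fail here
    cat "$CADIR/cacert.pem" "$WORK/crl.pem" > "$WORK/ca_and_crl.pem"
    openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$1" >/dev/null 2>&1
}
is_ca_cert() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
sig_alg_of() {            # first "Signature Algorithm:" line in the cert text
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
key_bits_of() {           # RSA modulus size as printed by 'openssl x509 -text'
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
# The post's procedure end to end, then revoke jim and regenerate the CRL.
write_config
make_root
make_request gateway gatewaypass && sign_request gateway
make_request jim jimpass && sign_request jim
make_crl
revoke_cert jim
make_crl
```

After it runs, `verify_chain "$WORK/jim.cert"` still succeeds, exactly as `./CA -verify` would, while `verify_with_crl "$WORK/jim.cert"` fails with the certificate-revoked error; gateway's certificate passes both. The `-passout pass:` / `-passin pass:` forms are used only to keep the example non-interactive; on a real CA host the passphrase should come from a prompt or a protected file, not the command line.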