环境:
CentOS linux2.6.18-164.el5
CentOS linux2.6.18-164.el5openssl version
OpenSSL 1.0.0d 8 Feb 2011
1. 给CA生成一个私匙
[root@localhost SSL]# openssl genrsa 2046 > ./cakey.pem
Generating RSA private key, 2046 bit long modulus
...............+++
..................................................................+++
e is 65537 (0x10001)
[root@localhost SSL]# ls
cakey.pem[root@localhost SSL]# openssl req -new -x509 -key ./cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HUBEI
Locality Name (eg, city) []:XIANGFAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, YOUR name) []:*.xxx.com
Email Address []:xxx@123.com
[root@localhost SSL]# ls
cacert.pem cakey.pem
[root@localhost SSL]# [root@localhost SSL]# openssl x509 -in cacert.pem -inform PEM -outform DER -out cacert.der
[root@localhost SSL]# ls
cacert.der cacert.pem cakey.pem4.可以看下 vim /etc/pki/tls/openssl.cnf 里面的配置,主要关注下 [ CA_default ]段里面的内容 。
5.创建个server目录,生成一个服务器私钥
[root@localhost SSL]# mkdir server
[root@localhost SSL]# ls
cacert.der cacert.pem cakey.pem server
[root@localhost SSL]# cd server/
[root@localhost server]# openssl genrsa 2048 > ./server.key
Generating RSA private key, 2048 bit long modulus
.......................................+++
.............+++
e is 65537 (0x10001)
[root@localhost server]# ls
server.key[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HUBEI
Locality Name (eg, city) []:XIANGFAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, YOUR name) []:www.xxx.com
Email Address []:xxx@123.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@localhost server]# ls
server.csr server.key7.利用证书请求生成一个crt证书
[root@localhost server]# openssl ca -in server.csr -out server.crt
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Dec 13 09:46:31 2013 GMT
Not After : Dec 13 09:46:31 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = HUBEI
organizationName = AD
organizationalUnitName = AD
commonName = www.xxx.com
emailAddress = xxx@123.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8E:01:29:FF:D5:86:97:B4:CA:C3:B9:F9:BF:27:1C:C2:B6:7C:42:51
X509v3 Authority Key Identifier:
keyid:2A:A8:D2:2C:3D:45:05:92:9B:93:0A:F9:AA:F7:9F:B6:E1:C9:5B:53
Certificate is to be certified until Dec 13 09:46:31 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost server]# ls
server.crt server.csr server.key
[root@localhost server]#
[root@localhost server]# openssl ca -in server.csr -out server.crt
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (AAA) and the request (AD)stateOrProvinceName = optional
organizationName = optional
就可以了。
7.服务器用上server.crt证书,在客户端IE浏览器导入上面生成cacert.der,
再在windows的C:\Windows\System32\drivers\etc\hosts文件里面加上
4.4.4.4 www.xxx.com
4.4.4.4是以前https://4.4.4.4/index.html访问的IP,在浏览器中访问https://www.xxx.com之后,就再也不会报出证书不受信任了。
/*生成一个crl*/
[root@localhost SSL]# mkdir crl
[root@localhost SSL]# cd crl
/*证书撤销*/
[root@localhost crl]# openssl ca -keyfile ../cakey.pem -cert ../cacert.pem -revoke ../server/server.crt
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Revoking Certificate 04.
Data Base Updated
/*数据库已更新,证书被标记上撤销的标志,需要生成新的证书撤销列表*/
[root@localhost crl]# openssl ca -gencrl -keyfile ../cakey.pem -cert ../cacert.pem -out ./crl.crl
Using configuration from /usr/local/openssl/ssl/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
6555276:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/crlnumber','r')
6555276:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
/*缺少个文件,随便生成一个*/
[root@localhost crl]# echo 12 > /etc/pki/CA/crlnumber
/*再来一次*/
[root@localhost crl]# openssl ca -gencrl -keyfile ../cakey.pem -cert ../cacert.pem -out ./crl.crl
Using configuration from /usr/local/openssl/ssl/openssl.cnf
[root@localhost crl]# ls
crl.crl
/*查看crl内容*/
[root@localhost crl]# openssl crl -noout -text -in crl.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=HUBEI/L=XIANGFAN/O=AD/OU=AD/CN=*.xxx.com/emailAddress=xxx@123.com
Last Update: Dec 16 08:27:02 2013 GMT
Next Update: Jan 15 08:27:02 2014 GMT
CRL extensions:
X509v3 CRL Number:
18
Revoked Certificates:
Serial Number: 04
Revocation Date: Dec 16 08:22:12 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
。。。
。。。
850
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
