Flying的博客

对时间与世界的认识与描述--想想宇宙是如何诞生的

日志

关于我

一路发

文章分类

OPENSSL根证书的生成及使用

2008-02-02 17:00:32| 分类：其他技术 | 标签： |举报 |字号大中小订阅

下载LOFTER 我的照片书 |

安装OPENSSL后,可以使用它们来生成各种证书,现简单记录如下:

一 ) 首先创建CA根证书

1) 生成RSA private key 给CA (3 DES 加密, PEM 格式):

$ openssl genrsa -des3 -out ca.key 1024

2) 查看生成KEY的详细内容

$ openssl rsa -noout -text -in ca.key

3) 将该KEY改成不加密,PEM格式

$ openssl rsa -in ca.key -out ca.key.unsecure

4) 产生一个X509结构,PEM格式的自签名证书

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

5) 查看该根证书的详细内容

$ openssl x509 -noout -text -in ca.crt

二 ) 产生CLIENT端证书

1) 生成一个3DES 加密,PEM格式的RSA private KEY .

$ openssl genrsa -des3 -out server.key 1024

2) 查看其内容

$ openssl rsa -noout -text -in server.key

3) 将该文件改为不加密的PEM格式

$ openssl rsa -in server.key -out server.key.unsecure

4) 产生证书签名请求文件(PEM格式)

$ openssl req -new -key server.key -out server.csr

5) 查看生成的CSR文件内容

$ openssl req -noout -text -in server.csr

6) 使用CA证书签名

A 生成配置文件如下ca.config :

[ ca ]
default_ca=CA_own
[ CA_own ]
dir=/etc/ssl
certs=/etc/ssl/certs
new_certs_dir=/etc/ssl/ca.db.certs
database=/etc/ssl/ca.db.index
serial=/etc/ssl/ca.db.serial
RANDFILE=/etc/ssl/ca.db.rand
certificate=/etc/ssl/ca.crt
private_key=/etc/ssl/ca.key
default_days=365
default_crl_days=30
default_md=md5
preserve=no
policy=policy_anything
[ policy_anything ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

B 执行如下命令来签名

openssl ca -config ca.config -out server.crt -infiles server.csr

检查已签名证书的内容:

openssl verify -CAfile /etc/ssl/ca.crt server.crt

可使用的脚本(不一定能成功,但可初始化环境)

sign.sh

#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
#   argument line handling
CSR=
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac
#   make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi
#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = /etc/ssl
certs = /etc/ssl/certs
new_certs_dir = /etc/ssl/ca.db.certs
database = /etc/ssl/ca.db.index
serial = /etc/ssl/ca.db.serial
RANDFILE = /etc/ssl/ca.db.rand
certificate = /etc/ssl/certs/ca.crt
private_key = /etc/ssl/private/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0

评论这张

转发至微博

阅读(3312)| 评论(1)

历史上的今天

this.p={  m:2,
              b:2,
              loftPermalink:'',
              id:'fks_087074082081086074086095094095080087087067085083082075',
              blogTitle:'OPENSSL根证书的生成及使用',
              blogAbstract:'<P\>安装OPENSSL后,可以使用它们来生成各种证书,现简单记录如下:</P\>\r\n<P\>一 )  首先创建CA根证书</P\>\r\n<P style=\"TEXT-INDENT: 2em\"\>1) 生成RSA private key 给CA (3 DES 加密, PEM 格式):</P\>\r\n<P style=\"TEXT-INDENT: 2em\"\>$ openssl genrsa -des3 -out ca.key 1024</P\>\r\n<P style=\"TEXT-INDENT: 2em\"\></P\>\r\n<P\>       2) 查看生成KEY的详细内容 </P\>\r\n<P\>       <STRONG\><FONT face=新宋体\>$ openssl rsa -noout -text -in ca.key</FONT\></STRONG\></P\>\r\n<P\>       3) 将该KEY改成不加密,PEM格式</P\>\r\n<P style=\"TEXT-INDENT: 2em\"\>$ openssl rsa -in ca.key -out ca.key.unsecure</P\>\r\n<P\></P\>',
              blogTag:'',
              blogUrl:'blog/static/41601548200812503248',
              isPublished:1,
              istop:false,
              type:0,
              modifyTime:1201944582586,
              publishTime:1201942832048,
              permalink:'blog/static/41601548200812503248',
              commentCount:1,
              mainCommentCount:1,
              recommendCount:0,
              bsrk:-100,
              publisherId:0,
              recomBlogHome:false,
              currentRecomBlog:false,
              attachmentsFileIds:[],
              vote:{},
              groupInfo:{},
              friendstatus:'none',
              followstatus:'unFollow',
              pubSucc:'',
              visitorProvince:'',
              visitorCity:'',
              visitorNewUser:false,
              postAddInfo:{},
              mset:'000',
              mcon:'',
              srk:-100,
              remindgoodnightblog:false,
              isBlackVisitor:false,
              isShowYodaoAd:false,
              hostIntro:'',
              hmcon:'0',
              selfRecomBlogCount:'0',
              lofter_single:'<iframe width="140" height="560" style="overflow:hidden;" src="http://www.lofter.com/mailEntry.do?blogad=1&blog" frameBorder="0"></iframe>'
            }

{list a as x}
    {if !!x}
    <div class="iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
      {if x.visitorName==visitor.userName}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        {if x.moveFrom=='wap'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/wapblog.html?frompersonalbloghome"><span title="来自网易手机博客" class="iblock wapIcon"> </span></a>
        {elseif x.moveFrom=='iphone'}
          <a class="noul pnt" target="_blank"><span title="来自iPhone客户端" class="iblock iphoneIcon"> </span></a>
        {elseif x.moveFrom=='android'}
          <a class="noul pnt" target="_blank"><span title="来自Android客户端" class="iblock androidIcon"> </span></a>
        {elseif x.moveFrom=='mobile'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/emsblog.html?frompersonalbloghome"><span title="来自网易短信写博" class="iblock wapIcon"> </span></a>
        {/if}
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
          ${fn(x.visitorNickname,8)|escape}
        </a>
      </div>
    </div>
    {/if}
    {/list}

<#--最新日志，群博日志--> <#--推荐日志-->

<p class="fc06">推荐过这篇日志的人：</p>
    <div>
      {list a as x}
      {if !!x}
      <div class="iblock nbw-fce nbw-f40">
        <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
        <img alt="${x.recommenderNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.recommenderName)}"/>
        </a>
        <div class="cwd thide">
          <a class="fc03 m2a" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
            ${fn(x.recommenderNickname,6)|escape}
          </a>
        </div>
      </div>
      {/if}
      {/list}
    </div>
    {if !!b&&b.length>0}
    <p  class="fc06">他们还推荐了：</p>
    <ul>
    {list b as y}
      {if !!y}
        <li class="rrb"><span class="iblock">·</span><a class="fc03 m2a" target="_blank" href="http://blog.163.com/${y.recommendBlogPermalink}/?from=blog/static/41601548200812503248">${y.recommendBlogTitle|escape}</a></li>
      {/if}
    {/list}
    </ul>
    {/if}

<#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇，下一篇--> <#-- 热度 -->

{list a as x}
    {if !!x}
    <div class="hotItem iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
      {if x.publisherUsername==visitor.userName}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
          ${fn(x.publisherNickname,8)|escape}
        </a>
      </div>
      <a class="f-myLikeIcons hottype {if x.type==1} js-liketype{elseif x.type==2} js-reblogtype{elseif x.type==3} js-sharetype{else}{/if}" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/"> </a>
    </div>
    {/if}
    {/list}

<#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->

页脚

我的照片书 - 手机博客 - 下载LOFTER APP - 订阅此博客

Flying的博客

导航

日志

OPENSSL根证书的生成及使用

历史上的今天

最近读者

热度

评论

页脚