After installing OpenSSL you can use it to generate various certificates. A brief record follows:
I ) First, create the CA root certificate
1) Generate an RSA private key for the CA (3DES-encrypted, PEM format):
$ openssl genrsa -des3 -out ca.key 1024
2) View the details of the generated key
$ openssl rsa -noout -text -in ca.key
3) Convert the key to an unencrypted PEM file
$ openssl rsa -in ca.key -out ca.key.unsecure
4) Generate a self-signed X.509 certificate in PEM format
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
5) View the details of the root certificate
$ openssl x509 -noout -text -in ca.crt
II ) Generate the client certificate
1) Generate a 3DES-encrypted RSA private key in PEM format.
$ openssl genrsa -des3 -out server.key 1024
2) View its contents
$ openssl rsa -noout -text -in server.key
3) Convert the file to unencrypted PEM format
$ openssl rsa -in server.key -out server.key.unsecure
4) Generate a certificate signing request (PEM format)
$ openssl req -new -key server.key -out server.csr
5) View the contents of the generated CSR
$ openssl req -noout -text -in server.csr
6) Sign it with the CA certificate
A. Create a configuration file ca.config as follows:
[ ca ]
default_ca=CA_own
[ CA_own ]
dir=/etc/ssl
certs=/etc/ssl/certs
new_certs_dir=/etc/ssl/ca.db.certs
database=/etc/ssl/ca.db.index
serial=/etc/ssl/ca.db.serial
RANDFILE=/etc/ssl/ca.db.rand
certificate=/etc/ssl/ca.crt
private_key=/etc/ssl/ca.key
default_days=365
default_crl_days=30
default_md=md5
preserve=no
policy=policy_anything
[ policy_anything ]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional
B. Run the following command to sign:
$ openssl ca -config ca.config -out server.crt -infiles server.csr
Verify the signed certificate against the CA certificate:
$ openssl verify -CAfile /etc/ssl/ca.crt server.crt
A usable script (it may not succeed as-is, but it initializes the environment):
sign.sh
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling: the single argument is the CSR to sign
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# derive the output certificate name from the CSR name (foo.csr -> foo.crt)
case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
    * ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
# (these ca.db.* files are created in the current directory, but the config
# written below looks for them under /etc/ssl; run the script from /etc/ssl
# or adjust the paths so the two agree)
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = /etc/ssl
certs = /etc/ssl/certs
new_certs_dir = /etc/ssl/ca.db.certs
database = /etc/ssl/ca.db.index
serial = /etc/ssl/ca.db.serial
RANDFILE = /etc/ssl/ca.db.rand
certificate = /etc/ssl/certs/ca.crt
private_key = /etc/ssl/private/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
# check that the new certificate chains to the CA certificate
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt "$CERT"
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0
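As an added end-to-end example (not the page's own commands and not Ralf Engelschall's sign.sh), the POSIX shell script below runs sections I and II non-interactively in a throw-away directory: it creates the 3DES-encrypted CA key and the self-signed root, the server key, its unencrypted copy and CSR, signs the CSR with `openssl ca` using the same ca.config layout as above, and checks the result with `openssl verify`. It deliberately differs from the steps above in a few places: the CA files and the ca.db.* files live in one directory so that `openssl ca` can find them; keys are 2048-bit and default_md is sha256, because 1024-bit RSA and MD5 signatures are no longer considered secure; a [req] section with v3 extensions is included so `openssl req` does not depend on the system openssl.cnf. It assumes `openssl` is on PATH (and prints a skip message otherwise); the passphrase, subjects and file names are constructed for this example.

```shell
#!/bin/sh
# Added example: the CA bootstrap and CSR signing from sections I and II run
# end to end in a throw-away directory. Assumes `openssl` is on PATH; the
# passphrase, subjects and file names are constructed for this example.
set -u

CA_PASS="example-ca-passphrase"   # constructed for the example, never hard-code in real use

# write_ca_config DIR: the page's ca.config layout rooted at DIR, plus a [req]
# section (so `openssl req` needs no system openssl.cnf) and v3 extensions.
# sha256 replaces md5 because MD5 signatures are no longer considered secure.
write_ca_config() {
    cat >"$1/ca.config" <<EOT
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ ca ]
default_ca = CA_own
[ CA_own ]
dir              = $1
certs            = $1/certs
new_certs_dir    = $1/ca.db.certs
database         = $1/ca.db.index
serial           = $1/ca.db.serial
certificate      = $1/ca.crt
private_key      = $1/ca.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
preserve         = no
policy           = policy_anything
x509_extensions  = v3_ee
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
EOT
}

# build_and_sign: returns 0 only when server.crt verifies against ca.crt,
# names the CA as its issuer, and the index database shows one valid (V) entry.
build_and_sign() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping"; return 0; }
    WORK=$(mktemp -d) || return 1
    # the environment `openssl ca` expects: new_certs_dir, serial file, empty index
    mkdir -p "$WORK/certs" "$WORK/ca.db.certs" &&
    echo 01 >"$WORK/ca.db.serial" &&
    : >"$WORK/ca.db.index" &&
    write_ca_config "$WORK" &&
    # I) CA: 3DES-encrypted RSA key, then a self-signed X.509 root certificate
    openssl genrsa -des3 -passout pass:"$CA_PASS" -out "$WORK/ca.key" 2048 &&
    openssl req -new -x509 -days 365 -config "$WORK/ca.config" \
        -key "$WORK/ca.key" -passin pass:"$CA_PASS" \
        -subj "/CN=Example Test CA" -out "$WORK/ca.crt" &&
    # II) server: encrypted key, unencrypted copy, CSR, then the CA signs it
    openssl genrsa -des3 -passout pass:"$CA_PASS" -out "$WORK/server.key" 2048 &&
    openssl rsa -in "$WORK/server.key" -passin pass:"$CA_PASS" \
        -out "$WORK/server.key.unsecure" &&
    openssl req -new -config "$WORK/ca.config" -key "$WORK/server.key.unsecure" \
        -subj "/CN=server.example.test" -out "$WORK/server.csr" &&
    openssl ca -batch -notext -config "$WORK/ca.config" -passin pass:"$CA_PASS" \
        -out "$WORK/server.crt" -infiles "$WORK/server.csr" &&
    # checks worth repeating after any manual signing
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" &&
    openssl x509 -noout -issuer -in "$WORK/server.crt" | grep -q "Example Test CA" &&
    grep -q '^V' "$WORK/ca.db.index"
    rc=$?
    rm -rf "$WORK"
    return $rc
}

build_and_sign && echo "server.crt signed by the example CA and verified"
```

Run it with `sh example.sh`. The three checks at the end are the ones to keep after manual signing as well: `openssl verify` proves the chain, the issuer line proves the right CA signed, and the `V` line in the index database is the CA's own record that the serial was issued, which is what `openssl ca` consults before revoking or reissuing.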