
208.5. Outlook S/MIME X.509 Certificates

208.5.1. Quickly Creating a Self-Signed Certificate

The following is suitable for personal use. Note that the file called ca.pem here is simply the user's own private key; there is no separate CA, the certificate is self-signed with that key. The 1024-bit RSA keys used on this page are deprecated and too weak for new keys; use at least 2048 bits.

openssl genrsa -out ca.pem 1024                                          # private key (despite the name, not a CA key)
openssl req -new -out neo.csr -key ca.pem                                # certificate request; prompts for the DN
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365    # self-sign the request with the same key
openssl pkcs12 -export -clcerts -in neo.cer -inkey ca.pem -out neo.p12  # certificate + key bundle for the Outlook import

Import both files: the .cer into the trusted root store (it is self-signed, so no other authority vouches for it) and the .p12, which carries the private key, into the personal store. Then open Outlook to test.

Example 208.3. Quickly creating a self-signed certificate

[root@localhost smime]# openssl genrsa -out ca/ca.pem 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
...................++++++
e is 65537 (0x10001)

[root@localhost smime]# openssl req -new -out ca/ca.csr -key ca/ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:XXX Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:neo
Email Address []:neo.chan@live.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@localhost smime]# openssl x509 -req -in ca/ca.csr -out ca/ca-cert.cer -signkey ca/ca.pem -days 365
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=XXX Ltd/CN=neo/emailAddress=neo.chan@live.com
Getting Private key

[root@localhost smime]# openssl pkcs12 -export -clcerts -in ca/ca-cert.cer -inkey ca/ca.pem -out ca/ca.p12
Enter Export Password:
Verifying - Enter Export Password:
				
				

A more convenient method: pass the subject non-interactively with -subj, and give the PKCS#12 entry a friendly name (-name) that Outlook will display:

openssl genrsa -out ca.pem 1024
openssl req -new -out neo.csr -key ca.pem -subj  "/C=CN/ST=GD/L=SZ/O=Internet Widgits Pty Ltd/OU=IT/CN=neo/emailAddress=neo@668x.net"
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365
openssl pkcs12 -export -in neo.cer -inkey ca.pem -out neo.p12 -name "neo"
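
The same quick procedure as an added example, not code from the original page: it generates a 2048-bit key and a self-signed certificate that carries the extensions S/MIME clients actually look at (an end-entity basicConstraints, digitalSignature/keyEncipherment key usage, the emailProtection extended key usage, and the address as an rfc822Name subject alternative name), exports the PKCS#12, and then checks the result the way a relying party would. The user neo, neo@example.com, the password changeit and the file names are placeholders chosen for this example, not values from the page.

```shell
#!/bin/sh
# Added example (not code from the original page): a self-signed S/MIME
# certificate with the extensions mail clients check, plus checks on the result.
# Assumes the openssl CLI; "neo", neo@example.com and "changeit" are placeholders.
set -eu

# Write an OpenSSL config with an end-entity S/MIME extension profile: no CA
# powers, signing + key transport, the emailProtection EKU, and the address as
# an rfc822Name SAN, which is where mail clients look for it.
write_smime_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ smime_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$2
subjectKeyIdentifier = hash
EOF
}

# make_smime_selfsigned NAME EMAIL P12PASS -> NAME.key, NAME.cer, NAME.p12
make_smime_selfsigned() {
    name=$1 email=$2 p12pass=$3
    write_smime_cnf "$name.cnf" "$email"
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$name.key" \
        -config "$name.cnf" -extensions smime_ext \
        -subj "/CN=$name/emailAddress=$email" -out "$name.cer"
    # PKCS#12 for the Outlook import; -name is the friendly name shown there
    openssl pkcs12 -export -in "$name.cer" -inkey "$name.key" \
        -name "$name" -passout "pass:$p12pass" -out "$name.p12"
}

# smime_cert_ok CERT EMAIL: succeeds only if CERT is an end-entity certificate
# with the emailProtection EKU and EMAIL in its subject alternative name.
smime_cert_ok() {
    text=$(openssl x509 -in "$1" -noout -text)
    for needle in 'CA:FALSE' 'E-mail Protection' "email:$2"; do
        printf '%s\n' "$text" | grep -q -- "$needle" || return 1
    done
    return 0
}

# smime_verify CERT: what a relying party does after trusting the self-signed
# certificate itself; -purpose smimesign also enforces the key-usage bits.
smime_verify() {
    openssl verify -purpose smimesign -CAfile "$1" "$1" >/dev/null 2>&1
}

# p12_subject P12 PASS: subject of the certificate inside the PKCS#12, i.e.
# the identity Outlook will import (round-trip check of the bundle).
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

main() {
    work=$(mktemp -d)
    cd "$work"
    make_smime_selfsigned neo neo@example.com changeit
    smime_cert_ok neo.cer neo@example.com && echo "S/MIME extensions present"
    smime_verify neo.cer && echo "verifies for purpose smimesign"
    p12_subject neo.p12 changeit
    echo "output in $work: neo.key neo.cer neo.p12"
}

main
```

The plain commands above produce a certificate with no X.509v3 extensions at all; the profile in this script states the intended use explicitly, which is what S/MIME clients expect and what lets openssl verify -purpose smimesign accept it. PKCS#12 files written by OpenSSL 3 use AES-256 and a SHA-256 MAC by default; if an older Windows version refuses to import the .p12, re-export it with the -legacy option of openssl pkcs12.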
				

208.5.2. Enterprise or Group Solution

208.5.2.1. Certificate Environment

% mkdir keys
% cd keys/
				

Create an empty file index.txt to hold the records of the certificates issued later. This is OpenSSL's certificate database; openssl ca appends an entry for every certificate it issues and marks entries revoked:

touch  index.txt
				

Create a file serial containing a number. It is the serial number given to the next certificate issued, and it is incremented after every issuance. openssl ca only uses these two files if its configuration (the [ CA_default ] section of openssl.cnf, or a file passed with -config) points dir, database and serial at this directory; the stock configuration points at ./demoCA, and Red Hat based systems at /etc/pki/CA:

echo 01 > serial
				

208.5.2.2. Issuing the CA Certificate

First create the CA root private key, an RSA key. The page uses 1024 bits, which is too small for a root key today; use at least 2048 bits, and a longer key for a root that will be valid for years:

% openssl genrsa -des3 -out ca.key 1024
				

Example 208.4. Creating the CA root private key

% openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
...........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
					

When the key is created you are asked for a passphrase that protects the key file, which is stored encrypted with 3DES. You can also leave the key unencrypted, but that is insecure: anyone who obtains the CA private key can issue user certificates at will:

openssl genrsa -out ca.key 1024
				

Using the RSA private key just created, create a self-signed certificate for the CA itself:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt
				

While the certificate is generated you are prompted for its subject information:

Example 208.5. Creating the self-signed CA certificate

% openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:Neo Chan
Email Address []:neo.chan@live.com
					

208.5.2.3. Issuing a Client Certificate

Generate the client's private key, in the same way as the CA root key:

openssl genrsa -des3 -out client.key 1024
				

A client certificate is not produced directly: OpenSSL signs a certificate signing request (CSR), so create the client's request now. You are prompted for the client's details in the same way as before:

openssl req -new -key client.key -out client.csr
				

With the request in hand, sign it with the CA certificate and CA private key to produce the client certificate client.crt. The -signkey option is only for self-signed certificates and does not belong here; -CA and -CAkey do the signing. Note that openssl x509 -req consumes the serial file but does not record the certificate in index.txt:

openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -days 365 -CAserial serial
				
Then pack the client certificate and private key into a PKCS#12 file for import into Outlook. The CA certificate ca.crt must additionally be installed in the trusted root store, otherwise Outlook will not trust the client certificate:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
				
[Note] Note
At this point the process of the root CA signing a client certificate is complete.

208.5.2.4. Revoking an Issued Certificate

Use the -revoke option of openssl ca on the certificate issued above (client.crt, not client.pem). The command needs the same CA configuration as the database files created in section 208.5.2.1, so pass -config if the defaults do not point at this directory:

openssl ca -revoke client.crt -keyfile ca.key -cert ca.crt
				

Revoking only changes index.txt. A new CRL must then be generated and published wherever relying parties fetch it; until clients see the updated list, the revoked certificate is still trusted:

openssl ca -gencrl  -out ca.crl -keyfile ca.key -cert ca.crt
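
The complete enterprise flow of sections 208.5.2.1 through 208.5.2.4 as one script, added here as an example and not code from the original page. It differs from the commands above in one important way: the client certificate is issued with openssl ca rather than openssl x509 -req, so the issuance is recorded in index.txt, the serial file is consumed, and the revocation and CRL can be checked end to end. A minimal configuration file points openssl ca at the keys/ directory, so the system openssl.cnf is never consulted. The organisation Example Ltd, the user neo, the key sizes, the AES-256 key encryption (the page uses 3DES) and all passphrases are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not code from the original page): the enterprise flow of
# 208.5.2.1-208.5.2.4 with `openssl ca`, so index.txt/serial are really used
# and revocation can be verified. Assumes the openssl CLI; "Example Ltd", the
# user "neo" and all passphrases are placeholders.
set -eu

# ca_init CAPASS: directory layout, database, serial, CRL number, config,
# encrypted root key, self-signed root cert, and an initial (empty) CRL.
ca_init() {
    mkdir -p keys/newcerts; touch keys/index.txt
    echo 01 > keys/serial; echo 01 > keys/crlnumber
    cat > keys/ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = ./keys
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = smime_client
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ smime_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -aes256 -passout "pass:$1" -out keys/ca.key 3072 2>/dev/null
    openssl req -new -x509 -days 3650 -config keys/ca.cnf -extensions v3_ca \
        -key keys/ca.key -passin "pass:$1" -out keys/ca.crt \
        -subj "/C=CN/ST=GD/L=Shenzhen/O=Example Ltd/CN=Example Ltd S-MIME CA"
    ca_publish_crl "$1"
}
# ca_publish_crl CAPASS: regenerate the CRL and the cert+CRL bundle that
# `openssl verify -crl_check` reads (publish the .crl wherever clients fetch it).
ca_publish_crl() {
    openssl ca -config keys/ca.cnf -passin "pass:$1" -gencrl -out keys/ca.crl
    cat keys/ca.crt keys/ca.crl > keys/ca-bundle.pem
}
# ca_issue NAME EMAIL KEYPASS CAPASS: client key, CSR, CA-signed certificate
# recorded in index.txt, and a PKCS#12 that also carries ca.crt for the chain.
ca_issue() {
    openssl genrsa -aes256 -passout "pass:$3" -out "keys/$1.key" 2048 2>/dev/null
    openssl req -new -config keys/ca.cnf -key "keys/$1.key" -passin "pass:$3" \
        -subj "/C=CN/O=Example Ltd/CN=$1/emailAddress=$2" -out "keys/$1.csr"
    openssl ca -batch -notext -config keys/ca.cnf -passin "pass:$4" \
        -in "keys/$1.csr" -out "keys/$1.crt"
    openssl pkcs12 -export -in "keys/$1.crt" -inkey "keys/$1.key" -passin "pass:$3" \
        -certfile keys/ca.crt -name "$1" -passout "pass:$3" -out "keys/$1.p12"
}
# ca_revoke NAME CAPASS: mark NAME revoked in index.txt and publish a new CRL.
ca_revoke() {
    openssl ca -config keys/ca.cnf -passin "pass:$2" \
        -revoke "keys/$1.crt" -crl_reason keyCompromise
    ca_publish_crl "$2"
}
# cert_status NAME: prints "valid" or "revoked" as a relying party sees it,
# checking the chain to ca.crt, the S/MIME key usage and the current CRL.
cert_status() {
    if out=$(openssl verify -crl_check -purpose smimesign -CAfile keys/ca-bundle.pem "keys/$1.crt" 2>&1); then
        echo valid
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        printf '%s\n' "$out" >&2
        return 1
    fi
}
main() {
    work=$(mktemp -d); cd "$work"
    ca_init capass
    ca_issue neo neo@example.com neopass capass
    echo "after issue:  $(cert_status neo)"
    ca_revoke neo capass
    echo "after revoke: $(cert_status neo)"
    echo "CA state in $work/keys; index.txt now carries an R entry for neo"
}
main
```

cert_status reproduces what a mail client that checks revocation would see: valid right after issuance, revoked once the new CRL is published. The -revoke step alone only rewrites the entry in index.txt; without -gencrl, and without distributing the resulting ca.crl, relying parties keep trusting the certificate until it expires.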