Home | Mirror | Search

15. Outlook smime x509 證書

15.1. 快速創建自簽名證書

以下適合個人使用

openssl genrsa -out ca.pem 1024
openssl req -new -out neo.csr -key ca.pem
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365
openssl pkcs12 -export -clcerts -in neo.cer -inkey ca.pem -out neo.p12
			

安裝cer與p12兩個證書,然後打開outlook測試

Example 12.1. 快速創建自簽名證書

				
[root@localhost smime]# openssl genrsa -out ca/ca.pem 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
...................++++++
e is 65537 (0x10001)

[root@localhost smime]# openssl req -new -out ca/ca.csr -key ca/ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:XXX Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:neo
Email Address []:neo.chan@live.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@localhost smime]# openssl x509 -req -in ca/ca.csr -out ca/ca-cert.cer -signkey ca/ca.pem -days 365
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=XXX Ltd/CN=neo/emailAddress=neo.chan@live.com
Getting Private key

[root@localhost smime]# openssl pkcs12 -export -clcerts -in ca/ca-cert.cer -inkey ca/ca.pem -out ca/ca.p12
Enter Export Password:
Verifying - Enter Export Password:
				
				

更便捷的方法

openssl genrsa -out ca.pem 1024
openssl req -new -out neo.csr -key ca.pem -subj  "/C=CN/ST=GD/L=SZ/O=Internet Widgits Pty Ltd/OU=IT/CN=neo/emailAddress=neo@668x.net"
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365
openssl pkcs12 -export -in neo.cer -inkey ca.pem -out neo.p12 -name "neo"
				

15.2. 企業或集團方案

15.2.1. 證書環境

% mkdir keys
% cd keys/
				

建立空檔案 index.txt 用來保存以後的證書信息,這是OpenSSL的證書資料庫:

touch  index.txt
				

建立一個檔案 serial 在檔案中輸入一個數字,做為以後頒發證書的序列號,頒發證書序列號就從你輸入的數字開始遞增:

echo 01 > serial
				

15.2.2. 頒發CA證書

首先創建CA根證書私鑰檔案,使用RSA格式,1024位:

% openssl genrsa -des3 -out ca.key 1024
				

Example 12.2. 創建CA根證書

% openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
...........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
					

私鑰在建立時需要輸入一個密碼用來保護私鑰檔案,私鑰檔案使用3DES加密; 也可以不進行加密,這樣不安全,因為一旦ca證書遺失,別人就可以隨意頒發用戶證書:

openssl genrsa -out ca.key 1024
				

利用建立RSA私鑰,為CA自己建立一個自簽名的證書檔案:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt
				

生成證書的過程中需要輸入證書的信息,

Example 12.3. 創建自簽名的證書

% openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:Neo Chan
Email Address []:neo.chan@live.com
					

15.2.3. 頒發客戶證書

生成客戶證書的私鑰檔案,與生成CA根證書檔案的方法一樣,

openssl genrsa -des3 -out client.key 1024
				

OpenSSL生成客戶端證書的時候,不能直接生成證書,而是必須通過證書請求檔案來生成,因此現在我們來建立客戶端的證書請求檔案,生成的過程中一樣要輸入客戶端的信息:

openssl req -new -key client.key -out client.csr
				

有了證書請求檔案之後,就可以使用CA的根證書、根私鑰來對請求檔案進行簽名,生成客戶端證書 client.pem 了:

openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -days 365 -CAserial serial
				
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
				

Note

到這裡為止,根CA為客戶端簽發證書的過程就結束了。

15.2.4. 吊銷已簽發的證書

使用ca中的 -revoke 命令:

openssl ca -revoke client.pem -keyfile ca.key -cert ca.crt
				

證書被吊銷之後,還需要發佈新的CRL檔案:

openssl ca -gencrl  -out ca.crl -keyfile ca.key -cert ca.crt
				
comments powered by Disqus