Generating certificates with OpenSSL

Published/updated: 2024/5/7 2:00:00 (Monday)

Generating a CA certificate and issuing user certificates with OpenSSL

李志平

Here we use the CA.pl script that ships with OpenSSL to create a CA certificate and then use that CA to sign user certificates. The script is located at /usr/ssl/misc/CA.pl (assuming OpenSSL is installed under /usr).

1. Create a directory named ca to hold the CA certificate and the user certificates that will be generated

[root@localhost ~]# mkdir ca
[root@localhost ~]# cd ca
[root@localhost ca]#

2. Copy /usr/ssl/misc/CA.pl and /usr/ssl/openssl.cnf into the current directory ca

[root@localhost ca]# cp /usr/ssl/misc/CA.pl ./
[root@localhost ca]# cp /usr/ssl/openssl.cnf ./

3. Create the CA certificate.

Run ./CA.pl -newca and fill in the prompts as follows (the parts you need to type, shown in red in the original, are given here in parentheses: "press Enter" means just press Enter; otherwise type the value shown and then press Enter):

[root@localhost ca]# ./CA.pl -newca
CA certificate filename (or enter to create)
(press Enter)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........++++++
.............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:(type a passphrase, e.g. 1234)
Verifying - Enter PEM pass phrase:(confirm the passphrase: 1234)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:IBM
Common Name (eg, YOUR name) []:ben
Email Address []:ben@ibm.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(press Enter)
An optional company name []:(press Enter)
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:(type the passphrase from before: 1234)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f9:53:35:b7:23:ff:c0:04
        Validity
            Not Before: Jun 23 13:50:44 2010 GMT
            Not After : Jun 22 13:50:44 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = IBM
            organizationalUnitName    = IBM
            commonName                = ben
            emailAddress              = ben@ibm.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DD:F6:B8:17:6F:91:F6:33:BB:FB:8B:85:71:A4:70:47:E7:03:A5:0F
            X509v3 Authority Key Identifier:
                keyid:DD:F6:B8:17:6F:91:F6:33:BB:FB:8B:85:71:A4:70:47:E7:03:A5:0F
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jun 22 13:50:44 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost ca]#

At this point the CA certificate has been created.

4. Create the server user's certificate request and private key file

./CA.pl -newreq

Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
..........++++++
..............++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:(type a passphrase, e.g. abcd)
Verifying password - Enter PEM pass phrase:(confirm the passphrase: abcd)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IBM
Organizational Unit Name (eg, section) []:IBM
Common Name (eg, YOUR name) []:ben (the certificate ID)
Email Address []:ben@ibm.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(press Enter)
An optional company name []:(press Enter)
Request (and private key) is in newreq.pem
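The same procedure as an added example that is not part of the original article: steps 1 to 4 run non-interactively with plain openssl commands instead of CA.pl, followed by the step the article leads up to (signing the request with the CA) and a check that the result chains to the CA. The work directory, passphrases and the CA's own name are constructed values; it assumes openssl is in PATH and deliberately uses 2048-bit RSA where the original session used 1024-bit keys.

```shell
#!/bin/sh
# Added example (not code from the original article): the CA.pl steps above done
# non-interactively with openssl(1), then signing the request and verifying it.
# Assumes openssl in PATH; passphrases and the CA name are constructed demo values.
set -eu
CA_PASS="demo-ca-pass"; USER_PASS="demo-user-pass"      # CA.pl prompted: 1234 / abcd
CA_DN="/C=CN/O=IBM/CN=Demo Root CA"
USER_DN="/C=CN/ST=BJ/L=BJ/O=IBM/OU=IBM/CN=ben/emailAddress=ben@ibm.com"

# Steps 1-2: work dir plus a minimal config standing in for the copied openssl.cnf.
# v3_ca marks the CA as a CA; v3_user marks issued certs CA:FALSE, so a user
# certificate can never be used to sign further certificates.
prepare() {                 # $1 = work dir
  mkdir -p "$1/demoCA/private"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    'CN = unused' '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' '[v3_user]' \
    'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' > "$1/openssl.cnf"
}
# Step 3: self-signed CA certificate with a passphrase-protected key. The 1024-bit
# RSA key in the original session is too short today; 2048-bit RSA/SHA-256 here.
make_ca() {                 # $1 = work dir
  openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -subj "$CA_DN" \
    -newkey rsa:2048 -sha256 -days 1095 -passout "pass:$CA_PASS" \
    -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem"
}
# Step 4: user key and request (CA.pl puts both in newreq.pem; here they are two
# files), then confirm the request's self-signature is valid.
make_request() {            # $1 = work dir
  openssl req -new -config "$1/openssl.cnf" -subj "$USER_DN" -newkey rsa:2048 \
    -sha256 -passout "pass:$USER_PASS" -keyout "$1/newkey.pem" -out "$1/newreq.pem"
  openssl req -in "$1/newreq.pem" -noout -verify >/dev/null 2>&1
}
# The step the article leads up to: sign the request with the CA key.
sign_request() {            # $1 = work dir
  openssl x509 -req -in "$1/newreq.pem" -days 365 -sha256 -CAcreateserial \
    -CA "$1/demoCA/cacert.pem" -CAkey "$1/demoCA/private/cakey.pem" \
    -passin "pass:$CA_PASS" -extfile "$1/openssl.cnf" -extensions v3_user \
    -out "$1/newcert.pem"
}
# Relying-party checks: CA cert carries CA:TRUE and the issued cert chains to it.
verify_chain() {            # $1 = work dir
  openssl x509 -in "$1/demoCA/cacert.pem" -noout -text | grep -q 'CA:TRUE' &&
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}
demo_pipeline() {           # $1 = work dir; exit status 0 = everything verified
  prepare "$1" && make_ca "$1" && make_request "$1" && sign_request "$1" && verify_chain "$1"
}
# Run directly: sh ca-demo.sh [workdir]   (default ./ca-demo)
demo_pipeline "${1:-./ca-demo}" && echo "CA, request and signed user certificate verified"
```

Unlike CA.pl, the script never leaves the CA key in an unencrypted file, and the v3_user section is what stops an issued user certificate from being accepted as a CA by verifiers.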