OpenSSL is extremely powerful; here I will only walk through a few simple openssl commands: generating a key, generating a certificate request, generating a certificate, and, acting as a CA, generating a self-signed certificate.
1: Generate the CA's self-signed certificate:
#cd /etc/pki/CA Enter this directory; the CA certificate must be created here
#openssl genrsa 2048 > private/cakey.pem
Generate the CA's private key (this is the path the -key option below expects)
#vim /etc/pki/tls/openssl.cnf
Change the dir option in the [ CA_default ] section to /etc/pki/CA
#mkdir ./newcerts
When a certificate is issued, openssl automatically writes serial-number and record files into the newcerts directory, so create it first; otherwise issuing the certificate fails with an error that the file is missing
#touch ./{serial,index.txt}
Create the serial-number file and the index file
#echo "00" > ./serial
Set an initial serial number
#openssl req -new -x509 -key private/cakey.pem -out ./cacert.pem -days 1000
Generate the CA certificate (self-signed with the CA key; `req -new -x509` is the form that creates a self-signed certificate)
2: Signing a certificate
#mkdir /root/testcrt
#cd /root/testcrt
#openssl genrsa 1024 > my.key
Generate a key
Generating RSA private key, 1024 bit long modulus
..........................++++++
...++++++
e is 65537 (0x10001)
----------------------------------
#openssl rsa -in my.key -pubout -out test.pub
Extract the public key from the key just generated into test.pub (a quick way to check the key file)
#openssl req -new -key my.key -out my.csr
Generate a certificate request
--------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NA
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:CA
Organizational Unit Name (eg, section) []:station173.example.com
Common Name (eg, your name or your server's hostname) []:a.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---------------------------------------------------
#openssl ca -in my.csr -out my.crt -days 1000
Have the CA issue a certificate for the request
----------------------------------------------------
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 25 15:28:21 2010 GMT
Not After : Nov 21 15:28:21 2012 GMT
Subject:
countryName = CN
stateOrProvinceName
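The same two steps (set up the CA directory, then sign a request with `openssl ca`) as an added example that is not part of the original tutorial. It builds a throwaway CA in a temporary directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, signs non-interactively with -batch and -subj, and finishes with `openssl verify`; the CA name and the hostname a.example.com are constructed values.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): build a throwaway CA in a
# temporary directory with its own minimal openssl.cnf so nothing under
# /etc/pki is touched, then issue a certificate with `openssl ca` and verify it.
set -e

setup_ca() {
  CA_DIR=$(mktemp -d)
  # Same layout the tutorial sets up by hand: private/, newcerts/, index.txt, serial.
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
  chmod 700 "$CA_DIR/private"
  touch "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  # Minimal config: only the keys `openssl ca` and `openssl req` need; dir points at CA_DIR.
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
  # Self-signed CA certificate (the `req -new -x509` form of the tutorial's step 1).
  openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -days 1000 -subj "/CN=Example Test CA" -config "$CA_DIR/openssl.cnf"
  echo "$CA_DIR"
}

# $1 = CA directory from setup_ca, $2 = hostname for the subject (constructed value)
issue_cert() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" -config "$1/openssl.cnf"
  # -batch answers the "Sign the certificate?" prompts; index.txt and serial are updated.
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" \
    -days 365 -notext 2>/dev/null
  # Chain check: the issued certificate must validate against the CA certificate.
  openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null
}
```

Run `CA=$(setup_ca); issue_cert "$CA" a.example.com` and inspect "$CA/index.txt", "$CA/serial" and "$CA/newcerts/01.pem" to see the bookkeeping the tutorial's newcerts and serial files hold.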