Use OpenSSL to generate a certificate
Download and install OpenSSL, then change into its bin/ directory and run the commands below from there (first copy openssl.cnf from the ssl directory into the bin directory).
1. First, you want to generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
[root@airwaySSL openssl]# cd ssl/
[root@airwaySSL ssl]# pwd
/home/openssl/ssl
[root@airwaySSL ssl]# ls
certs man misc openssl.cnf private server.csr server.key
When this runs you will be prompted for a password; it is used to encrypt the key file (the des3 parameter selects the encryption algorithm, and you can of course choose another secure algorithm). From then on, whenever the file is read (by the openssl command or through the API), the password must be entered. If that is inconvenient, the password can be removed, but be sure to take other measures to protect the key file!
Command to remove the password from the key file:
openssl rsa -in server.key -out server.key
2. Generate a certificate signing request (CSR) from the server key:
openssl req -new -key server.key -out server.csr -config openssl.cnf
[root@airwaySSL bin]# openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key: 12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After generating the Certificate Signing Request (CSR), the csr file is normally submitted to a CA to be turned into a signed certificate; the CA's service front end will prompt for the required personal information, which you enter step by step according to its instructions.
3. The client can generate its key and csr file with the same commands:
openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for client.key: 12345
Verifying - Enter pass phrase for client.key: 12345
openssl req -new -key client.key -out client.csr -config openssl.cnf
[root@airwaySSL bin]# openssl req -new -key client.key -out client.csr -config openssl.cnf
Enter pass phrase for client.key: 12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: cn
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Before the CSR can become a certificate it has to be signed by a CA. The file could be sent to Verisign or another CA to be verified and signed, but that costs a lot of money, so why not act as your own CA? First create the CA's own key and self-signed certificate:
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
[root@airwaySSL bin]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
...++++++
...................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:
Before continuing, open the openssl.cnf file and check its dir setting; change it to dir = /home/openssl/bin/demoCA/, otherwise the following steps will complain that the path cannot be found.
Create the CA directory structure by hand:
[weigw@TEST bin]$ mkdir ./demoCA
[weigw@TEST bin]$ mkdir demoCA/newcerts
Create an empty index file:
[weigw@TEST bin]$ vi demoCA/index.txt
Write 01 into the serial file:
[weigw@TEST bin]$ vi demoCA/serial
5. Use the CA certificate to sign the server.csr and client.csr files generated earlier:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
[root@airwaySSL bin]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 26 04:15:02 2009 GMT
Not After: Feb 26 04:15:02 2010 GMT
Subject:
countryName = CN
stateOrProvinceName = china
organizationName = airway
organizationalUnitName = airway
commonName = airway
X509v3 extensions:
X509v3 Basic Constraints:
CA: FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38
X509v3 Authority Key Identifier:
keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19
Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (CN) and the request (cn)
Now all the files we need have been generated. (Note that in the session above the client request was rejected: countryName in client.csr was entered as "cn" while the CA certificate uses "CN", and the signing policy in openssl.cnf requires the two to match; regenerate client.csr with matching values and run the signing command again.)
Note:
Files used by the client: ca.crt, client.crt, client.key
Files used by the server: ca.crt, server.crt, server.key
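As an added, non-interactive version of steps 1 to 5 (example code written for this page, not part of the original): it builds the demoCA layout and a minimal openssl.cnf in a scratch directory, uses 2048-bit keys with AES-256 instead of 1024-bit/-des3, passes the passphrase with -passout/-passin instead of typing it, and finishes with the openssl verify check the page never runs; the countryName mismatch from the client session above is reproduced on the last line. It assumes openssl is on PATH; the passphrase and subject names are constructed sample values.

```shell
WORK=${WORK:-$(mktemp -d)}            # scratch dir; everything lands here
PASS="pass:ChangeMe-example-only"     # constructed sample passphrase, not a real one
CA_DIR="$WORK/demoCA"

setup_ca() {
    mkdir -p "$CA_DIR/newcerts"       # the layout the page builds by hand:
    : > "$CA_DIR/index.txt"           # empty certificate database
    echo 01 > "$CA_DIR/serial"        # next serial number
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName = match
commonName  = supplied
EOF
    # Step 4: self-signed CA certificate; basicConstraints marks it as a CA
    openssl req -new -x509 -newkey rsa:2048 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -passout "$PASS" -subj "/C=CN/ST=china/O=airway/CN=airway-ca" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign" \
        -config "$WORK/openssl.cnf" >/dev/null 2>&1
}

# Steps 1-3 and 5 for one party: encrypted key, CSR, then CA signature.
# $1 = name (server or client), $2 = countryName written into the CSR.
make_signed_cert() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/$1.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$WORK/$1.key" -passin "$PASS" -out "$WORK/$1.csr" \
        -subj "/C=$2/ST=china/O=airway/CN=$1" -config "$WORK/openssl.cnf" >/dev/null 2>&1 &&
    openssl ca -batch -in "$WORK/$1.csr" -out "$WORK/$1.crt" -cert "$WORK/ca.crt" \
        -keyfile "$WORK/ca.key" -passin "$PASS" -config "$WORK/openssl.cnf" >/dev/null 2>&1
}

# The check the page never runs: does the issued certificate chain to ca.crt?
verify_cert() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }

setup_ca
make_signed_cert server CN && verify_cert server && echo "server.crt verifies against ca.crt"
make_signed_cert client cn || echo "client.csr rejected: countryName cn does not match the CA's CN"
```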