Openssl生成CA证书及服务器签名证书

环境:

CentOS linux2.6.18-164.el5

CentOS linux2.6.18-164.el5openssl version
OpenSSL 1.0.0d 8 Feb 2011

1. 给CA生成一个私匙

[root@localhost SSL]# openssl genrsa 2046 > ./cakey.pem
Generating RSA private key, 2046 bit long modulus
...............+++
..................................................................+++
e is 65537 (0x10001)
[root@localhost SSL]# ls
cakey.pem
2.用CA生成一个自签名证书

[root@localhost SSL]# openssl req -new -x509 -key ./cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HUBEI
Locality Name (eg, city) []:XIANGFAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, YOUR name) []:*.xxx.com
Email Address []:[email protected]
[root@localhost SSL]# ls
cacert.pem  cakey.pem
[root@localhost SSL]# 
3,将PEM格式的CA证书转换成DER格式的,导入到IE浏览器里面

[root@localhost SSL]# openssl x509 -in cacert.pem -inform PEM -outform DER -out cacert.der
[root@localhost SSL]# ls
cacert.der  cacert.pem  cakey.pem

4.可以看下 vim /etc/pki/tls/openssl.cnf  里面的配置,主要关注下 [ CA_default ]段里面的内容 

5.创建个server目录,生成一个服务器私钥

[root@localhost SSL]# mkdir server
[root@localhost SSL]# ls
cacert.der  cacert.pem  cakey.pem  server
[root@localhost SSL]# cd server/
[root@localhost server]# openssl genrsa 2048 > ./server.key
Generating RSA private key, 2048 bit long modulus
.......................................+++
.............+++
e is 65537 (0x10001)
[root@localhost server]# ls
server.key
6.创建一个服务器证书请求
[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HUBEI    
Locality Name (eg, city) []:XIANGFAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AD
Organizational Unit Name (eg, section) []:AD
Common Name (eg, YOUR name) []:www.xxx.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@localhost server]# ls
server.csr  server.key

7.利用证书请求生成一个crt证书

[root@localhost server]# openssl ca -in server.csr -out server.crt
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Dec 13 09:46:31 2013 GMT
            Not After : Dec 13 09:46:31 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HUBEI
            organizationName          = AD
            organizationalUnitName    = AD
            commonName                = www.xxx.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                8E:01:29:FF:D5:86:97:B4:CA:C3:B9:F9:BF:27:1C:C2:B6:7C:42:51
            X509v3 Authority Key Identifier: 
                keyid:2A:A8:D2:2C:3D:45:05:92:9B:93:0A:F9:AA:F7:9F:B6:E1:C9:5B:53

Certificate is to be certified until Dec 13 09:46:31 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost server]# ls
server.crt  server.csr  server.key  
[root@localhost server]# 

  
如果以前CA用过,报了类似下面错误:

[root@localhost server]# openssl ca -in server.csr -out server.crt
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (AAA) and the request (AD)
报错是因为在openssl.cfg中的policy_match里面的前三个都选了match,相应修改成
stateOrProvinceName = optional
organizationName = optional
就可以了。

7.服务器用上server.crt证书,在客户端IE浏览器导入上面生成cacert.der,

再在windows的C:\Windows\System32\drivers\etc\hosts文件里面加上

4.4.4.4  www.xxx.com

4.4.4.4是以前https://4.4.4.4/index.html访问的IP,在浏览器中访问https://www.xxx.com之后,就再也不会报出证书不受信任了。


/*生成一个crl*/
[root@localhost SSL]# mkdir crl
[root@localhost SSL]# cd crl
/*证书撤销*/
[root@localhost crl]# openssl ca -keyfile ../cakey.pem -cert ../cacert.pem -revoke ../server/server.crt 
Using configuration from /usr/local/openssl/ssl/openssl.cnf
Revoking Certificate 04.
Data Base Updated

/*数据库已更新,证书被标记上撤销的标志,需要生成新的证书撤销列表*/
[root@localhost crl]# openssl ca -gencrl -keyfile ../cakey.pem -cert ../cacert.pem -out ./crl.crl
Using configuration from /usr/local/openssl/ssl/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
6555276:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/crlnumber','r')
6555276:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
/*缺少个文件,随便生成一个*/
[root@localhost crl]# echo 12 > /etc/pki/CA/crlnumber
/*再来一次*/
[root@localhost crl]# openssl ca -gencrl -keyfile ../cakey.pem -cert ../cacert.pem -out ./crl.crl
Using configuration from /usr/local/openssl/ssl/openssl.cnf
[root@localhost crl]# ls
crl.crl

/*查看crl内容*/
[root@localhost crl]# openssl crl -noout -text -in crl.crl 
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=HUBEI/L=XIANGFAN/O=AD/OU=AD/CN=*.xxx.com/[email protected]
        Last Update: Dec 16 08:27:02 2013 GMT
        Next Update: Jan 15 08:27:02 2014 GMT
        CRL extensions:
            X509v3 CRL Number: 
                18
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Dec 16 08:22:12 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
	。。。
	。。。
	




你可能感兴趣的:(Openssl生成CA证书及服务器签名证书)