Creating Signed Digital Certificates with OpenSSL: Preparing the Environment

Preface
Preparing the environment
Creating the CA
Creating a certificate and installing it in Apache
Creating a certificate and installing it in Tomcat
Creating a certificate and importing it into Thunderbird
Creating a certificate and signing .NET files
Creating a certificate and signing jar files

OS and OpenSSL

In short, any Linux box will do, since openssl is normally installed by default. On my CentOS machine, for example,

yum -y install openssl openssl-devel

installs the OpenSSL toolkit and its development headers.

Directory

I keep the working directory at /etc/openssl/. The CA private key will live under it, so the directory should be readable by root only.

mkdir -p /etc/openssl/

Signing script

To keep the work simple I also use a script, sign.sh, which I keep in /sbin/. It is Ralf S. Engelschall's sign.sh (see the copyright header) with the CA paths pointed at /etc/openssl/. Mind the default_md setting when you use it: certificates signed with MD5 are rejected by current browsers and Java runtimes, so sign with sha256. Its contents are

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
    * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists (all paths are absolute so the script
#   behaves the same from any current directory)
if [ ! -d /etc/openssl/ca.db.certs ]; then
    mkdir /etc/openssl/ca.db.certs
fi
if [ ! -f /etc/openssl/ca.db.serial ]; then
    echo '01' >/etc/openssl/ca.db.serial
fi
if [ ! -f /etc/openssl/ca.db.index ]; then
    cp /dev/null /etc/openssl/ca.db.index
fi

#   create an own SSLeay config (written next to the CA database so the
#   cleanup below finds it)
cat >/etc/openssl/ca.config <<EOT
[ ca ]
default_ca      = CA_own
[ CA_own ]
dir     = /etc/openssl
certs   = /etc/openssl/certs
new_certs_dir   = /etc/openssl/ca.db.certs
database        = /etc/openssl/ca.db.index
serial  = /etc/openssl/ca.db.serial
RANDFILE        = /etc/openssl/ca.db.rand
certificate     = /etc/openssl/root/ca.crt
private_key     = /etc/openssl/root/ca.key
default_days    = 365
default_crl_days        = 30
default_md      = sha256
preserve        = no
policy  = policy_anything
[ policy_anything ]
countryName     = optional
stateOrProvinceName     = optional
localityName    = optional
organizationName        = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress    = optional
EOT

#  sign the certificate (openssl ca prompts for confirmation; add -batch
#  when running unattended)
echo "CA signing: $CSR -> $CERT:"
openssl ca -config /etc/openssl/ca.config -out "$CERT" -infiles "$CSR"
STATUS=$?
if [ $STATUS -eq 0 ]; then
    echo "CA verifying: $CERT <-> CA cert"
    openssl verify -CAfile /etc/openssl/root/ca.crt "$CERT"
    STATUS=$?
fi

#  cleanup after SSLeay
rm -f /etc/openssl/ca.config
rm -f /etc/openssl/ca.db.serial.old
rm -f /etc/openssl/ca.db.index.old

#  report the signing/verification result instead of an unconditional 0
exit $STATUS
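The script above leaves implicit what openssl ca needs to find on disk and what it writes back. The following is an added example, not part of the original post nor of Engelschall's script: it builds a throwaway CA in a temporary directory, issues one server certificate from a CSR with sha256 and X.509v3 extensions, verifies the chain, and checks that the CA database recorded the issuance. It assumes openssl(1) 1.1.1 or later on PATH; the directory names, subjects and the hostname www.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the sign.sh flow end to end
# against a throwaway CA. Assumes openssl(1) >= 1.1.1; all names are made up.
set -eu

# demo_sign_csr: prints OK when the freshly signed certificate verifies
# against the throwaway CA; any failing step aborts with a non-zero status.
demo_sign_csr() {
    work=$(mktemp -d)                       # stands in for /etc/openssl
    mkdir -p "$work/root" "$work/ca.db.certs"
    : > "$work/ca.db.index"                 # empty database, as sign.sh creates it
    echo 01 > "$work/ca.db.serial"          # first serial number to issue

    # req config shared by the CA cert and the CSR; -subj supplies the DN,
    # the empty [ dn ] section just keeps req from prompting
    cat > "$work/req.cnf" <<EOT
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOT

    # self-signed root (root/ca.key and root/ca.crt in the post's layout)
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$work/req.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$work/root/ca.key" -out "$work/root/ca.crt" 2>/dev/null

    # the CSR a server operator hands to the CA
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$work/req.cnf" -subj "/CN=www.example.test" \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null

    # the equivalent of sign.sh's generated ca.config, with sha256 and
    # explicit server extensions (sign.sh issues extension-less certs)
    cat > "$work/ca.config" <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = $work
new_certs_dir = $work/ca.db.certs
database = $work/ca.db.index
serial = $work/ca.db.serial
certificate = $work/root/ca.crt
private_key = $work/root/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
x509_extensions = server_ext
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOT

    # sign unattended: -batch replaces the y/y prompts sign.sh relies on
    openssl ca -batch -notext -config "$work/ca.config" \
        -out "$work/server.crt" -infiles "$work/server.csr" 2>/dev/null

    # chain check, then confirm the digest actually used and the DB entry
    openssl verify -CAfile "$work/root/ca.crt" "$work/server.crt" >/dev/null
    openssl x509 -in "$work/server.crt" -noout -text | grep -q 'sha256WithRSAEncryption'
    grep -q '^V' "$work/ca.db.index"        # V = valid, as openssl ca records it

    rm -rf "$work"
    echo OK
}

# run the demo when openssl is available
if command -v openssl >/dev/null 2>&1; then
    demo_sign_csr
else
    echo "openssl not found on PATH" >&2
fi
```

Run it as sh demo_sign.sh; it prints OK when the chain verifies. The index and serial files are what openssl ca uses to refuse duplicate subjects and serial numbers, so in a real CA they belong next to the CA key under /etc/openssl, not in a scratch directory, and -batch is the switch you want in any automated issuance pipeline.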
