在linux下使用openssl生成证书

• 在linux下使用openssl生成证书

[Linux]

post by 后山一根葱 / 2010-6-12 16:36 Saturday

内容：使用openssl自己生成证书

环境：ubuntu 9.10

来源：后山一根葱

 

这两天在配置一个SSL环境，也发了些时间。下面是我自己在配置中的一个流水过程，有需要朋友可以参考，如有不对的地方还望指出。

安装openssl

sudo apt-get install openssl

按照 OpenSSL 的默认配置建立 一个目录ssl（eg. mkdir /home/jecks/ssl） ，需要在ssl下建立相应的目录结构。相关的配置内容一般位于/etc/ssl/openssl.cnf  内。在终端中使用如下命令建立目录结构：

$ mkdir -p ./demoCA/{private,newcerts}
$ touch ./demoCA/index.txt
$ touch ./demoCA/serial

注：在文件serial中写入01，index.txt为空文件。

进入/hone/jecks/ssl/下面，执行命令

[root@~/ssl]# pwd

/home/jecks/ssl

[root@~/ssl]# ls

demoCA

 

1.首先要生成服务器端的私钥(key文件):

[root@~/ssl]#openssl genrsa -des3 -out server.key 1024

运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!

去除key文件口令的命令:

[root@~/ssl]#openssl rsa -in server.key -out server.key

2.用server.key生成一个证书：

[root@~/ssl]#openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:xxx@

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:xxx@ 

生成Certificate Signing Request（CSR）,生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.

3.对客户端也作同样的命令生成key及csr文件(在这两步写在一起):

    A： [root@~/ssl]#openssl genrsa -des3 -out client.key 1024
 

Generating RSA private key, 1024 bit long modulus

...........++++++

..++++++

e is 65537 (0x10001)

Enter pass phrase for client.key:12345

Verifying - Enter pass phrase for client.key:12345

    B： [root@~/ssl]# openssl req -new -key client.key -out client.csr

Enter pass phrase for client.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:xxx@

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:xxx@

 

4.生成的CSR证书文件必须有CA的签名才可形成证书.这时生成一个KEY文件ca.key 和根证书ca.crt

[root@~/ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt

Generating a 1024 bit RSA private key

...++++++

...................++++++

writing new private key to 'ca.key'

Enter PEM pass phrase:12345

Verifying - Enter PEM pass phrase:

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:xxx@

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:xxx@


5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名（这也是两写在一起）:

   A： [root@~/ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key 

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Feb 26 04:15:02 2010 GMT

            Not After : Feb 26 04:15:02 2011 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = china

            organizationName          = xxx.Ltd.C

            organizationalUnitName    = jecks

            commonName                = www.

        X509v3 extensions:

            X509v3 Basic Constraints:

            CA:FALSE

            Netscape Comment:

            OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

            30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38

            X509v3 Authority Key Identifier:

            keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19

 

Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

   B：    [root@~/ssl]#openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

 

[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

The countryName field needed to be the same in the

CA certificate (CN) and the request (cn)

..................

另外，这个certificate是BASE64形式的,要转成PKCS12才能装到IE,/NETSCAPE上.所以还要: 

[root@~/ssl]# openssl pkcs12 -export -in client.pem -inkey client.key -out  client.pfx

Enter pass phrase for client.key:

Enter Export Password: # 设置client.pfx密码

Verifying - Enter Export Password:

现在我们所需的全部文件便生成了.

另：

client使用的文件有：ca.crt,client.crt,client.key,client.pfx

server使用的文件有：ca.crt,server.crt,server.key

6.最后

编辑/etc/apache2/sites-enabled/000-default

NameVirtualHost *:443

 

 
<VirtualHost *:443>

 

 
        ServerSignature 

 

 
        OnSSLEngine On 

 

 
        SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt  #指定服务器证书位置

 

 
        SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key #指定服务器证书key位置

 

 
        SSLCACertificatePath /usr/local/apache/conf/ssl.crt #证书目录

 

 
        SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.csr #根证书位置

 

 
        #开启客户端SSL请求

 

 
        SSLVerifyClient require

 

 
        SSLVerifyDepth  1

 

 
        ServerAdmin webmaster@localhost

 
        ServerName www.

 
        DocumentRoot /var/www/test

 
        ErrorDocument 404 http://www./err.php

 
        <Directory />

 
                Options FollowSymLinks

 
                AllowOverride None

 
        </Directory>

 
        <Directory /var/www/test/>

 
                Options Indexes FollowSymLinks MultiViews

 
                AllowOverride None

 
                Order allow,deny

 
                allow from all

 
        </Directory>

 

</VirtualHOst>

 

证书安装及使用

把刚才生成的证书：根证书ca.crt和客户证书client.crt(client.pfx)安装到客户端， ca.crt安装到信任的机构，client.crt直接在windows安装或安装到个人证书位置，然后用IP访问HTTP和https服务器。在IE中我们一般导入client.pfx证书，导入时会提示上面设置的密码。