Generating certificates with OpenSSL
Command overview:
openssl genrsa -des3 -out server.key 1024 // server private key
openssl req -new -key server.key -out server.csr -config openssl.cnf // certificate signing request (CSR)
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf // CA key and self-signed CA certificate
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf // sign the CSR with the CA
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx // bundle key and certificate into a PFX file
Preparation
1. Prepare the configuration file openssl.cnf (this assumes OpenSSL is already installed).
By default openssl.cnf is installed in the /etc/pki/tls directory; copy it into the current directory:
[root@localhost openssl]# cp /etc/pki/tls/openssl.cnf openssl.cnf
2. Create the directories and files needed in the current working directory:
[root@localhost openssl]# mkdir ./demoCA
[root@localhost openssl]# cd ./demoCA
[root@localhost demoCA]# mkdir newcerts private
[root@localhost demoCA]# chmod g-rwx,o-rwx private
[root@localhost demoCA]# echo "01" > serial
[root@localhost demoCA]# touch index.txt
3. Edit the openssl.cnf configuration file:
[root@localhost demoCA]# cd ..
[root@localhost openssl]# vim openssl.cnf
......
dir = /home/test/workspace/openssl/demoCA // point dir at the demoCA directory created above
......
3. Once the preparation is done, the certificates can be generated. The detailed steps:
1. Generate the private key file, server.key or prvtkey.pem (the two are the same thing; Linux does not interpret the file extension):
[root@localhost openssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................+++
...........+++
e is 65537 (0x10001)
You can also protect the key with a passphrase first and remove the passphrase afterwards:
[root@localhost openssl]# openssl genrsa -des3 -out server.key 1024 // 1024-bit key, encrypted with 3DES
Generating RSA private key, 1024 bit long modulus
.........................................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: // enter a passphrase
Verifying - Enter pass phrase for server.key: // enter it again
[root@localhost openssl]# openssl rsa -in server.key -out server.key
// remove the passphrase: the key is rewritten without encryption
Enter pass phrase for server.key:
writing RSA key
2. Generate the certificate signing request (CSR) file, server.csr:
[root@localhost openssl]# openssl req -new -key server.key -out server.csr -config openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // left blank
An optional company name []: // left blank
3. The CSR has to be signed by a CA, so first create the CA: its private key and self-signed certificate.
[root@localhost openssl]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase: // passphrase for ca.key
Verifying - Enter PEM pass phrase: // enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hd
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
4. With the CA in place, sign the server.csr generated above:
[root@localhost openssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key: // passphrase of the CA key
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 28 13:25:03 2015 GMT
            Not After : Jun 27 13:25:03 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = test
            commonName                = www.test.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:67:D2:3B:4A:55:58:7C:D2:55:BD:DB:77:06:5B:0F:4B:57:02:8A
            X509v3 Authority Key Identifier:
                keyid:CF:49:6B:CB:7A:A3:0F:30:A0:87:CD:04:CE:03:D7:90:6F:5E:3D:EF
Certificate is to be certified until Jun 27 13:25:03 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. On Windows a PFX file (certificate plus key) is normally used; the certificate server.crt and the key server.key can be combined into one PFX file with the following command:
[root@localhost openssl]# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
Enter Export Password: // choose an export password
Verifying - Enter Export Password:
6. Now all the files we need have been generated:
[root@localhost openssl]# ls
ca.crt ca.key demoCA openssl.cnf server.crt server.csr server.key server.pfx
4. Supplement
1. Converting a Microsoft PFX certificate to X.509 format
openssl pkcs12 -in server.pfx -nodes -out server.pem # export key and certificates as PEM; -nodes leaves the key unencrypted
openssl rsa -in server.pem -out server.key # extract the key
openssl x509 -in server.pem -out server.crt # extract the certificate
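Sections 3 and 4.1 as a single non-interactive script, added here as an example; it is not code from the original post. It assumes OpenSSL 1.1 or newer on the PATH, uses illustrative names and passphrases (www.test.com, ca-secret, pfx-secret), and writes a minimal openssl.cnf of its own instead of copying the system one, creating the demoCA layout from the preparation section itself. Every answer the post typed at a prompt is passed on the command line (-subj, -passin/-passout, -batch), which is how the procedure runs inside a provisioning job, and afterwards it checks what the post never checks: that server.crt verifies against ca.crt, that it is an end-entity certificate (CA:FALSE), and that the key pulled back out of the PFX is the one belonging to server.crt.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 3 and 4.1 as one
# non-interactive script. Everything the post typed at a prompt is supplied
# with -subj, -passin/-passout and -batch; the subset of openssl.cnf that
# `openssl ca` needs is written inline. The CN, passphrases and directory
# layout are assumptions of the example.
set -eu

# Minimal openssl.cnf: the [ca] section with the demoCA layout from the post,
# the [req] section `openssl req` insists on, and two extension sections.
write_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# issue_server_cert WORKDIR CN CA_PASS PFX_PASS
# Steps 1-5 of the post: CA key and certificate, server key, CSR, CA-signed
# certificate, PKCS#12 bundle. Runs in a subshell so the cd does not leak.
issue_server_cert() (
  cd "$1"; cn=$2; ca_pass=$3; pfx_pass=$4
  write_config openssl.cnf
  mkdir -p demoCA/newcerts demoCA/private     # preparation step 2
  chmod 700 demoCA/private
  echo 01 > demoCA/serial
  : > demoCA/index.txt
  # CA key (AES-256 encrypted, passphrase passed instead of typed) and CA cert.
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out demoCA/private/ca.key 2048 2>/dev/null
  openssl req -new -x509 -key demoCA/private/ca.key -passin "pass:$ca_pass" \
    -subj "/C=cn/ST=beijing/O=test/CN=Test CA" -days 3650 \
    -extensions v3_ca -config openssl.cnf -out ca.crt
  # Server key (unencrypted, as the post's is after `openssl rsa`) and CSR.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/C=cn/ST=beijing/O=test/CN=$cn" \
    -config openssl.cnf -out server.csr
  # Sign with the CA: -batch answers both y/n questions, -notext keeps the
  # output file down to the PEM block.
  openssl ca -batch -notext -in server.csr -out server.crt -cert ca.crt \
    -keyfile demoCA/private/ca.key -passin "pass:$ca_pass" -config openssl.cnf 2>/dev/null
  # PFX for Windows, with the CA certificate included so the chain travels along.
  openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt \
    -passout "pass:$pfx_pass" -out server.pfx
)

# verify_issued WORKDIR: server.crt chains to ca.crt and is an end-entity
# certificate (CA:FALSE), i.e. it cannot itself issue certificates.
verify_issued() (
  cd "$1"
  openssl verify -CAfile ca.crt server.crt >/dev/null &&
    openssl x509 -in server.crt -noout -text | grep -q 'CA:FALSE'
)

# pfx_roundtrip WORKDIR PFX_PASS: supplement 4.1, plus a check that the key
# pulled out of the PFX is the one belonging to server.crt (same public key).
pfx_roundtrip() (
  cd "$1"
  openssl pkcs12 -in server.pfx -nodes -passin "pass:$2" -out server.pem
  openssl rsa -in server.pem -out extracted.key 2>/dev/null
  openssl x509 -in server.pem -out extracted.crt
  key_pub=$(openssl rsa -in extracted.key -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in server.crt -noout -pubkey)
  [ "$key_pub" = "$cert_pub" ]
)

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
issue_server_cert "$work" www.test.com ca-secret pfx-secret
verify_issued "$work"
pfx_roundtrip "$work" pfx-secret
echo "server.crt issued, verified and round-tripped through PFX in $work"
```

The serial file advances by one with every signature, so after the first certificate it reads 02, and index.txt gains one line per issued certificate; both belong to the CA and should stay under demoCA/private-style permissions together with ca.key, never in the same place as the exported PFX.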
2. openssl.cnf setting for multi-level certificate chains: basicConstraints=critical, CA:TRUE, pathlen:20
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=critical,CA:TRUE,pathlen:20
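pathlen only has meaning in a CA certificate, and putting CA:TRUE into the usr_cert section makes every certificate signed from it a CA that can itself issue certificates which verify against the root. The following script, added here as an example and not part of the original post, shows what pathlen enforces: a root issued with pathlen:1, an intermediate below it, and two server certificates, one signed by the intermediate and one by a second-level CA beneath it. The names, the unencrypted keys and the use of openssl x509 -req in place of openssl ca (so no demoCA database is needed) are assumptions of the example. OpenSSL accepts the first chain and rejects the second with "path length constraint exceeded".

```shell
#!/bin/sh
# Added example, not code from the original post: what pathlen in
# basicConstraints enforces. A root issued with pathlen:1 may have at most one
# non-self-issued CA certificate beneath it in a valid path, so
# root -> intermediate -> server verifies, while
# root -> intermediate -> sub-intermediate -> server is rejected.
# Names, unencrypted keys and signing via `openssl x509 -req` (no demoCA
# database) are assumptions of the example.
set -eu

# Extension sections for the three kinds of certificate; [req]/[req_dn] only
# exist because `openssl req -config` requires them.
write_ext_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ca ]
basicConstraints     = critical,CA:TRUE,pathlen:1
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ server ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
EOF
}

# csr NAME CN: new 2048-bit key and a CSR for it (run inside the work directory)
csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/O=test/CN=$2" -config ext.cnf -out "$1.csr"
}

# sign NAME ISSUER SECTION: ISSUER signs NAME.csr with the extensions of SECTION
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# build_hierarchy WORKDIR:
#   root (pathlen:1) -> inter -> server1
#                             -> subinter -> server2
build_hierarchy() (
  cd "$1"
  write_ext_config ext.cnf
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -x509 -key root.key -subj "/O=test/CN=Test Root CA" -days 3650 \
    -extensions root_ca -config ext.cnf -out root.crt
  csr inter "Test Intermediate CA";     sign inter root sub_ca
  csr subinter "Test Sub-Intermediate"; sign subinter inter sub_ca
  csr server1 www.test.com;             sign server1 inter server
  csr server2 www.test.com;             sign server2 subinter server
)

# verify_short WORKDIR: one CA between root and server1, within pathlen:1
verify_short() (
  cd "$1"
  openssl verify -CAfile root.crt -untrusted inter.crt server1.crt >/dev/null
)

# verify_long WORKDIR: two CAs between root and server2, one more than allowed.
# Returns non-zero; openssl reports "path length constraint exceeded".
verify_long() (
  cd "$1"
  cat inter.crt subinter.crt > untrusted.pem
  openssl verify -CAfile root.crt -untrusted untrusted.pem server2.crt >/dev/null 2>&1
)

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
build_hierarchy "$work"
verify_short "$work"
echo "root -> inter -> server1: OK"
if verify_long "$work"; then
  echo "unexpected: chain with two intermediates accepted"; exit 1
fi
echo "root -> inter -> subinter -> server2: rejected (pathlen:1 on the root)"
```

A pathlen on the root therefore limits how deep a hierarchy any key signed by it can build; a value such as 20 on an end-entity section effectively removes that limit, so it should live only in the sections used for real CA certificates.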