Openssl的功能十分强大,在这里我只是给大家讲一些openssl的几个简单的命令使用:生成密钥,生成证书请求,生成证书,及作为CA来说,来生成一个自签证书。
1:生成ca的自签证书:
#cd /etc/pki/CA 进入该目录,CA证书必须建立在该目录中
#openssl genrsa 2048 > /privat/my.key
生成一个密钥
#vim /etc/pki/tls/openssl.cnf
将[ CA_default ]中的dir 选项改为:/etc/pki/CA
#mkdir ./newcerts
证书生成后会自动生成一些序列号文件和信息文件,而这些文件要放在newcerts目录中,所以要是先创建它,否则生成证书时会报错提示说没有改文件,以致无法完成
#touch ./{serial ,index.txt}
建立序列号文件和index文档
#echo “00” > ./serial
给定一个序列号初始值
#openssl –x509 –new –key private/cakey.pem –out ./cacert.pem –days 1000
生成ca证书
2:证书的签署
#mkdir /root/testcrt
#cd /root/testcrt
#openssl genrsa 1024 > my.key
生成密钥
Generating RSA private key, 1024 bit long modulus
..........................++++++
...++++++
e is 65537 (0x10001)
----------------------------------
#openssl rsa –in my.key –pubout –out test.pub
查看刚刚生成的密钥文件
#openssl req –new –key my.key –out my.csr
生成证书请求
--------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NA
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:CA
Organizational Unit Name (eg, section) []:station173.example.com
Common Name (eg, your name or your server's hostname) []:a.example.com
Email Address []:root@a.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---------------------------------------------------
#openssl ca –in my.csr –out my.crt –days 1000
由ca给其生成证书
----------------------------------------------------
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 25 15:28:21 2010 GMT
Not After : Nov 21 15:28:21 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = CA
organizationalUnitName = station173.example.com
commonName = a.example.com
emailAddress = root@a.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:66:7E:D6:4E:70:0F:60:3B:CE:D8:7F:56:B2:D7:7C:64:8A:4B:25
X509v3 Authority Key Identifier:
keyid:CB:79:BF:95:34:53:96:EE:79:8B:48:C2:6E:77:B4:E6:AB:23:C0:F3
Certificate is to be certified until Nov 21 15:28:21 2012 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------------------------------------------
#openssl x509 –in my.crt –noout –text