位置:海鸟网 > IT > linux/Unix >

openssl几个简单使用方法介绍

  Openssl的功能十分强大,在这里我只是给大家讲一些openssl的几个简单的命令使用:生成密钥,生成证书请求,生成证书,及作为CA来说,来生成一个自签证书。

  1:生成ca的自签证书:

  #cd /etc/pki/CA 进入该目录,CA证书必须建立在该目录中

  #openssl genrsa 2048 > /privat/my.key

  生成一个密钥

  #vim /etc/pki/tls/openssl.cnf

  将[ CA_default ]中的dir 选项改为:/etc/pki/CA

  #mkdir ./newcerts

  证书生成后会自动生成一些序列号文件和信息文件,而这些文件要放在newcerts目录中,所以要是先创建它,否则生成证书时会报错提示说没有改文件,以致无法完成

  #touch ./{serial ,index.txt}

  建立序列号文件和index文档

  #echo “00” > ./serial

  给定一个序列号初始值

  #openssl –x509 –new –key private/cakey.pem –out ./cacert.pem –days 1000

  生成ca证书

  2:证书的签署

  #mkdir /root/testcrt

  #cd /root/testcrt

  #openssl genrsa 1024 > my.key

  生成密钥

  Generating RSA private key, 1024 bit long modulus

  ..........................++++++

  ...++++++

  e is 65537 (0x10001)

  ----------------------------------

  #openssl rsa –in my.key –pubout –out test.pub

  查看刚刚生成的密钥文件

  #openssl req –new –key my.key –out my.csr

  生成证书请求

  --------------------------------------

  You are about to be asked to enter information that will be incorporated

  into your certificate request.

  What you are about to enter is what is called a Distinguished Name or a DN.

  There are quite a few fields but you can leave some blank

  For some fields there will be a default value,

  If you enter '.', the field will be left blank.

  -----

  Country Name (2 letter code) [GB]:NA

  State or Province Name (full name) [Berkshire]:HA

  Locality Name (eg, city) [Newbury]:ZZ

  Organization Name (eg, company) [My Company Ltd]:CA

  Organizational Unit Name (eg, section) []:station173.example.com

  Common Name (eg, your name or your server's hostname) []:a.example.com

  Email Address []:root@a.example.com

  Please enter the following 'extra' attributes

  to be sent with your certificate request

  A challenge password []:

  An optional company name []:

  ---------------------------------------------------

  #openssl ca –in my.csr –out my.crt –days 1000

  由ca给其生成证书

  ----------------------------------------------------

  Using configuration from /etc/pki/tls/openssl.cnf

  Check that the request matches the signature

  Signature ok

  Certificate Details:

  Serial Number: 2 (0x2)

  Validity

  Not Before: Feb 25 15:28:21 2010 GMT

  Not After : Nov 21 15:28:21 2012 GMT

  Subject:

  countryName = CN

  stateOrProvinceName = HA

  organizationName = CA

  organizationalUnitName = station173.example.com

  commonName = a.example.com

  emailAddress = root@a.example.com

  X509v3 extensions:

  X509v3 Basic Constraints:

  CA:FALSE

  Netscape Comment:

  OpenSSL Generated Certificate

  X509v3 Subject Key Identifier:

  A6:66:7E:D6:4E:70:0F:60:3B:CE:D8:7F:56:B2:D7:7C:64:8A:4B:25

  X509v3 Authority Key Identifier:

  keyid:CB:79:BF:95:34:53:96:EE:79:8B:48:C2:6E:77:B4:E6:AB:23:C0:F3

  Certificate is to be certified until Nov 21 15:28:21 2012 GMT (1000 days)

  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y

  Write out database with 1 new entries

  Data Base Updated

  ------------------------------------------------------------

  #openssl x509 –in my.crt –noout –text