如何在linux下使用openssl生成證書

 

這兩天在配置一個SSL環境，也發了些時間。下面是我自己在配置中的一個流水過程，有需要朋友可以參考，如有不對的地方還望指出。

安裝openssl

sudo apt-get install openssl

按照 OpenSSL 的默認配置建立 一個目錄ssl（eg. mkdir /home/jecks/ssl） ，需要在ssl下建立相應的目錄結構。相關的配置內容一般位於/etc/ssl/openssl.cnf 內。在終端中使用如下命令建立目錄結構：

$ mkdir -p ./demoCA/{private,newcerts}
$ touch ./demoCA/index.txt
$ touch ./demoCA/serial

注：在文件serial中寫入01，index.txt為空文件。

進入/hone/jecks/ssl/下面，執行命令

[[email protected]~/ssl]# pwd

/home/jecks/ssl

[[email protected]~/ssl]# ls

demoCA

 

1.首先要生成服務器端的私鑰(key文件):

[[email protected]~/ssl]#openssl genrsa -des3 -out server.key 1024

運行時會提示輸入密碼,此密碼用於加密key文件(參數des3便是指加密算法,當然也可以選用其他你認為安全的算法.),以後每當需讀取此文件(通過openssl提供的命令或API)都需輸入口令.如果覺得不方便,也可以去除這個口令,但一定要采取其他的保護措施!

去除key文件口令的命令:

[[email protected]~/ssl]#openssl rsa -in server.key -out server.key

 

2.用server.key生成一個證書：

[[email protected]~/ssl]#openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:[email protected]

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:[email protected]

生成Certificate Signing Request（CSR）,生成的csr文件交給CA簽名後形成服務端自己的證書.屏幕上將有提示,依照其指示一步一步輸入要求的個人信息即可.

 

3.對客戶端也作同樣的命令生成key及csr文件(在這兩步寫在一起):

A： [[email protected]~/ssl]#openssl genrsa -des3 -out client.key 1024

Generating RSA private key, 1024 bit long modulus

...........++++++

..++++++

e is 65537 (0x10001)

Enter pass phrase for client.key:12345

Verifying - Enter pass phrase for client.key:12345

 

B： [[email protected]~/ssl]# openssl req -new -key client.key -out client.csr

Enter pass phrase for client.key:12345

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:[email protected]

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:[email protected]

 

4.生成的CSR證書文件必須有CA的簽名才可形成證書.這時生成一個KEY文件ca.key 和根證書ca.crt

[[email protected]~/ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt

Generating a 1024 bit RSA private key

...++++++

...................++++++

writing new private key to 'ca.key'

Enter PEM pass phrase:12345

Verifying - Enter PEM pass phrase:

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:china

Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....

Organizational Unit Name (eg, section) []:jecks

Common Name (eg, YOUR name) []:www.qiuicai.com

Email Address []:[email protected]

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:12345

An optional company name []:[email protected]

5.用生成的CA的證書為剛才生成的server.csr,client.csr文件簽名（這也是兩寫在一起）:

A： [[email protected]~/ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 26 04:15:02 2010 GMT

Not After : Feb 26 04:15:02 2011 GMT

Subject:

countryName = CN

stateOrProvinceName = china

organizationName = xxx.Ltd.C

organizationalUnitName = jecks

commonName = www.qiujicai.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38

X509v3 Authority Key Identifier:

keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19

 

Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

B： [[email protected]~/ssl]#openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

 

[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

The countryName field needed to be the same in the

CA certificate (CN) and the request (cn)

..................

另外，這個certificate是BASE64形式的,要轉成PKCS12才能裝到IE,/NETSCAPE上.所以還要:

[[email protected]~/ssl]# openssl pkcs12 -export -in client.pem -inkey client.key -out client.pfx

Enter pass phrase for client.key:

Enter Export Password: # 設置client.pfx密碼

Verifying - Enter Export Password:

現在我們所需的全部文件便生成了.

另：

client使用的文件有：ca.crt,client.crt,client.key,client.pfx

server使用的文件有：ca.crt,server.crt,server.key

6.最後

編輯/etc/apache2/sites-enabled/000-default

NameVirtualHost *:443


<VirtualHost *:443>


ServerSignature


OnSSLEngine On


SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt #指定服務器證書位置


SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key #指定服務器證書key位置


SSLCACertificatePath /usr/local/apache/conf/ssl.crt #證書目錄


SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.csr #根證書位置


#開啟客戶端SSL請求


SSLVerifyClient require


SSLVerifyDepth 1


ServerAdmin webmaster@localhost

ServerName www.qiujicai.com

DocumentRoot /var/www/test

ErrorDocument 404 http://www.qiujicai.com/err.php

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory /var/www/test/>

Options Indexes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

</VirtualHOst>

證書安裝及使用
把剛才生成的證書：根證書ca.crt和客戶證書client.crt(client.pfx)安裝到客戶端， ca.crt安裝到信任的機構，client.crt直接在windows安裝或安裝到個人證書位置，然後用IP訪問HTTP和https服務器。在IE中我們一般導入client.pfx證書，導入時會提示上面設置的密碼。