tech:openssl_cacrl, revisions 2008/08/21 21:23 and 2008/08/22 14:37 (current version) by jonathan
====== Revoking certificates with OpenSSL ======
===== - Edit the openssl.cnf configuration file =====
  * openssl.cnf configuration file: /etc/pki/tls/openssl.cnf
  * Add a CA section of your own, e.g. CA_trysoft, and select it with openssl ca -name CA_trysoft. Without -name, openssl ca uses the section named by default_ca in [ca]; the extra trysoft_ca line in [ca] below is only a reminder for the reader and is not read by openssl ca.
  * default_md = sha1 is what this 2008 setup used. SHA-1 is deprecated for certificate and CRL signatures, so use sha256 in a new CA; the CRL produced in section 4 is signed with whatever default_md says.
++++ Show the modified openssl.cnf |
<file>
:
[ca]
default_ca      = CA_default            # The default ca section
trysoft_ca      = CA_trysoft            # Trysoft Corp. ca section
:
[ CA_trysoft ]

dir             = /home/jonathan/ca/trysoft
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/RootCA.crt       # The CA certificate
serial          = $dir/RootCA.srl       # The current serial number
crlnumber       = $dir/CRL.srl          # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl/trysoft.crl  # The current CRL
private_key     = $dir/private/RootCA.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
:
:
[ req ]
default_bits            = 2048
:
[ req_distinguished_name ]
:
countryName_default             = TW
:
stateOrProvinceName_default     = Taiwan
:
localityName_default            = Taipei
:
</file>
++++
  * Copy the certificates and keys produced in **[[tech:openssl_caserver]]** into the matching directories: the CA certificate to $dir/RootCA.crt, its private key to $dir/private/RootCA.key and the issued client certificate to $dir/certs, as the configuration above expects.
<code>
/home/jonathan/ca/trysoft/
|-- RootCA.crt
|-- RootCA.srl
|-- certs
|   |-- ClientCA.crt
|-- crl
|-- jonathan
|   |-- ClientCA.crt
|   |-- ClientCA.key
|   |-- ClientCA.pem
|   `-- ClientCA.pfx
|-- mail.ichiayi.com
|   |-- ServerCA.crt
|   `-- ServerCA.key
|-- newcerts
`-- private
    `-- RootCA.key
</code>

===== - Create the files the configuration refers to =====
  * index.txt is the CA database and must exist (empty is fine) before openssl ca will run. CRL.srl holds the next CRL number and is required because crlnumber is set; it must contain an even-length hex number, so seeding it with a copy of the certificate serial file works (so would writing 01 into it).
<code sh>
cd /home/jonathan/ca/trysoft/
touch index.txt
cp RootCA.srl CRL.srl
</code>

===== - Test: revoke ClientCA =====
  * Revoke the following certificate:
<code>
/home/jonathan/ca/trysoft/
|-- certs
    |-- ClientCA.crt
</code>

<code sh>
cd /home/jonathan/ca/trysoft/certs
openssl ca -name CA_trysoft -revoke ClientCA.crt
</code>
++++ Show the output |
<file>
[jonathan@pd920 certs]$ openssl ca -name CA_trysoft -revoke ClientCA.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key: <-- enter the RootCA key passphrase
Adding Entry with serial number E0B893FC9733381E to DB for /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./[email protected]
Revoking Certificate E0B893FC9733381E.
Data Base Updated
</file>
++++
  * The "Adding Entry ... to DB" line appears because ClientCA.crt was signed with openssl x509 rather than with openssl ca, so index.txt had no row for it yet: openssl ca -revoke inserts the row and then sets its status to R. At this point the revocation exists only in index.txt; from a client's point of view nothing is revoked until a new CRL is generated and distributed.

===== - Generate the CRL file trysoft.crl =====
<code sh>
cd /home/jonathan/ca/trysoft/crl
openssl ca -name CA_trysoft -gencrl -out trysoft.crl
</code>
++++ Show the output |
<file>
[jonathan@pd920 certs]$ cd /home/jonathan/ca/trysoft/crl
[jonathan@pd920 crl]$ openssl ca -name CA_trysoft -gencrl -out trysoft.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key: <-- enter the RootCA key passphrase
</file>
++++
  * The CRL is written in PEM format and its nextUpdate lies default_crl_days (30 days) ahead. It has to be regenerated and republished before then, and again after every further revocation: clients that check CRL freshness reject every certificate from this CA once the CRL has expired, and clients that never fetch a fresh CRL keep accepting the revoked certificate.
  * To convert it to DER format (what Windows and browsers expect when importing a .crl file) run the command below. It overwrites the PEM copy in place, so give -out a different name if the PEM version is still needed, for example for Apache's SSLCARevocationFile, which takes PEM:<code sh>
openssl crl -in trysoft.crl -outform DER -out trysoft.crl
</code>

===== - Directory contents after the steps above =====
<code>
/home/jonathan/ca/trysoft/
|-- CRL.srl
|-- CRL.srl.old
|-- RootCA.crt
|-- RootCA.srl
|-- certs
|   |-- ClientCA.crt
|-- crl
|   `-- trysoft.crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- jonathan
|   |-- ClientCA.crt
|   |-- ClientCA.key
|   |-- ClientCA.pem
|   `-- ClientCA.pfx
|-- mail.ichiayi.com
|   |-- ServerCA.crt
|   `-- ServerCA.key
|-- newcerts
`-- private
    `-- RootCA.key
</code>
  * openssl ca keeps the previous database and CRL number as index.txt.old and CRL.srl.old, and index.txt.attr records the unique_subject setting of the database. Back these up together with RootCA.srl: index.txt is the only record of which serial numbers this CA has issued and revoked.

|  {{:tech:ca_ssl_01.png?300}}  |  {{:tech:ca_ssl_02.png?300}}  |
 +
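===== - Added example: the whole procedure as a script =====
The script below is an added example and is not part of the original page. It replays sections 2 to 5 (database and CRL number files, revoke, gencrl, DER copy) against a throwaway CA built in a temporary directory, so the procedure can be checked end to end without the /home/jonathan/ca/trysoft files or the RootCA passphrase. The section name CA_demo, the file name demo.crl, the subject client.example and the unencrypted RootCA.key are assumptions made for the demo. The client certificate is deliberately signed with openssl x509 instead of openssl ca, so the "Adding Entry ... to DB" case from section 3 is reproduced. It goes one step beyond the page by running openssl verify -crl_check before and after the revocation, and once more without the CRL, to show that a revocation only takes effect where the CRL is actually distributed.

```shell
#!/bin/sh
# Added example (not from the original page): replay revoke -> gencrl -> DER
# copy against a throwaway CA, then check the result with openssl verify.
# CA_demo, demo.crl, client.example and the unencrypted key are made up.
set -eu

# Minimal openssl.cnf with one CA section ($1 = CA directory). Only what
# "openssl ca -revoke/-gencrl" reads is set, plus [req] for the demo certs.
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_demo

[ CA_demo ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
certificate      = \$dir/RootCA.crt
serial           = \$dir/RootCA.srl
crlnumber        = \$dir/CRL.srl
crl              = \$dir/crl/demo.crl
private_key      = \$dir/private/RootCA.key
default_days     = 365
default_crl_days = 30
default_md       = sha256

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# The page's directory layout, a self-signed root and one client cert. The
# client cert is signed with "openssl x509" (as the caserver page does), so
# it is not in index.txt yet. $1 = CA directory.
build_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"          # empty CA database ("touch index.txt")
    echo 01 > "$1/CRL.srl"      # first CRL number, even-length hex
    write_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -subj "/CN=Demo Root CA" \
        -keyout "$1/private/RootCA.key" -out "$1/RootCA.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=client.example" -keyout "$1/client.key" \
        -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -sha256 -days 365 \
        -CA "$1/RootCA.crt" -CAkey "$1/private/RootCA.key" \
        -CAcreateserial -CAserial "$1/RootCA.srl" \
        -out "$1/certs/client.crt" 2>/dev/null
}

# Sections 3 and 4 of the page: revoke certificate $2, regenerate the CRL.
revoke_and_gencrl() {
    openssl ca -config "$1/openssl.cnf" -name CA_demo -revoke "$2"
    openssl ca -config "$1/openssl.cnf" -name CA_demo -gencrl \
        -out "$1/crl/demo.crl"
    # DER copy under its own name, so the PEM CRL stays usable below
    openssl crl -in "$1/crl/demo.crl" -outform DER -out "$1/crl/demo.der"
}

# Echo "valid" or "revoked" for cert $1 against CA cert $2. A CRL given as
# $3 is concatenated with the CA cert into one PEM bundle for -CAfile, the
# classic way to make "openssl verify -crl_check" see it.
cert_status() {
    bundle=$(mktemp)
    cat "$2" ${3:+"$3"} > "$bundle"
    out=$(openssl verify ${3:+-crl_check} -CAfile "$bundle" "$1" 2>&1 || true)
    rm -f "$bundle"
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo "error: $out" ;;
    esac
}

# Number of revoked (R) rows in the CA database.
revoked_count() { grep -c '^R' "$1/index.txt" || :; }

DEMO_DIR=$(mktemp -d)
build_ca "$DEMO_DIR"
STATUS_BEFORE=$(cert_status "$DEMO_DIR/certs/client.crt" "$DEMO_DIR/RootCA.crt")
revoke_and_gencrl "$DEMO_DIR" "$DEMO_DIR/certs/client.crt"
STATUS_AFTER=$(cert_status "$DEMO_DIR/certs/client.crt" "$DEMO_DIR/RootCA.crt" \
    "$DEMO_DIR/crl/demo.crl")
STATUS_NO_CRL=$(cert_status "$DEMO_DIR/certs/client.crt" "$DEMO_DIR/RootCA.crt")
echo "before revocation: $STATUS_BEFORE; after, CRL checked: $STATUS_AFTER;" \
     "after, CRL not distributed: $STATUS_NO_CRL;" \
     "R rows in index.txt: $(revoked_count "$DEMO_DIR")"
openssl crl -in "$DEMO_DIR/crl/demo.crl" -noout -crlnumber -nextupdate
```

Run it with sh; openssl ca prints the same "Adding Entry ... to DB", "Revoking Certificate" and "Data Base Updated" lines as in section 3. The third status is the one to remember: the certificate is revoked in index.txt and in demo.crl, yet a verifier that was never given the CRL still reports valid, so publishing the CRL (and refreshing it within default_crl_days) is part of the revocation, not an afterthought.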
===== References =====
  * http://www.javaworld.com.tw/roller/snpshu/entry/2006_11_2_dis_cert_by_openssl

{{tag>ca openssl crl pki}}