====== How to issue certificates with OpenSSL ======
Page tech:openssl_caserver, revisions 2008/08/20 16:54 and 2021/01/17 16:46 (current version), both by jonathan.

  * OpenSSL version: openssl-0.9.8b-10.el5
===== - Root certificate (Root CA) =====
==== - Create the root CA private key file RootCA.key ====
<code sh>
openssl genrsa -des3 -out RootCA.key 2048
chmod og-rwx RootCA.key
</code>
-des3 encrypts the key file under a passphrase (3DES is what OpenSSL 0.9.8 offers; later releases also accept -aes256), and the chmod makes it readable by its owner only. Anyone holding this key can issue certificates that every client trusting RootCA.crt will accept, so keep it off the web server and back it up only in encrypted form.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl genrsa -des3 -out RootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for RootCA.key:
Verifying - Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase again
[jonathan@pd920 ca]$ chmod og-rwx RootCA.key
</cli>
++++

==== - Generate the root certificate request file RootCA.req ====
<code sh>
openssl req -new -key RootCA.key -out RootCA.req
</code>
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl req -new -key RootCA.key -out RootCA.req
Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: <-- can be left blank
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- can be left blank
An optional company name []: <-- can be left blank
[jonathan@pd920 ca]$
</cli>
++++
==== - Generate the root certificate file RootCA.crt, valid for ten years ====
<code sh>
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
rm -f RootCA.req
</code>
Two caveats on this command. First, openssl x509 -req only adds extensions when it is also given an -extfile; -extensions v3_ca on its own is silently ignored, so this writes an X.509 v1 certificate with no basicConstraints CA:TRUE and no keyUsage keyCertSign (openssl x509 -in RootCA.crt -noout -text shows "Version: 1 (0x0)" and no X509v3 extensions block). OpenSSL itself still accepts a self-signed v1 root from its trust store, but other validators may not, and an intermediate CA could never be built from it, so put those extensions in an extfile. Second, -sha1 signatures are rejected by current browsers and TLS libraries; use -sha256 wherever the OpenSSL build supports it.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
Signature ok
subject=/
Getting Private key
Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f RootCA.req
</cli>
++++

===== - Server certificate (Server CA) =====
Despite the "ServerCA" file names, what this section produces is an end-entity certificate for a TLS server, signed by the root; it is not a CA.
==== - Create the server private key file ServerCA.key ====
<code sh>
openssl genrsa -out ServerCA.key 2048
chmod og-rwx ServerCA.key
</code>
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl genrsa -out ServerCA.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
...........................................................................................................+++
e is 65537 (0x10001)
No passphrase prompt appears, because the server key is generated without one: otherwise the service would stop at startup to ask for the passphrase before it could run. File permissions (the chmod above) and the account the service runs under are therefore the only protection for this key.
</cli>
++++

==== - Generate the server certificate request file ServerCA.req ====
<code sh>
openssl req -new -key ServerCA.key -out ServerCA.req
</code>
For a server certificate the Common Name should be the host name clients will connect to; older clients match the host name against it.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl req -new -key ServerCA.key -out ServerCA.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: <-- can be left blank
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- can be left blank
An optional company name []: <-- can be left blank
</cli>
++++

==== - Generate the server certificate file ServerCA.crt, valid for two years ====
<code sh>
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in ServerCA.req -out ServerCA.crt
rm -f ServerCA.req
</code>
The page's copy of this command stops after -CAkey RootCA.key. The -in and -out arguments follow from the file names used in this step; -CAcreateserial is an assumption, added because openssl x509 -req refuses to sign with -CA unless a serial file exists or this flag tells it to create one (RootCA.srl, which must then be kept so later certificates from this root get distinct serial numbers). As with the root, -extensions v3_req does nothing without an -extfile, so ServerCA.crt is an X.509 v1 certificate with no subjectAltName; Chrome from version 58 (2017) and other current browsers match the host name only against subjectAltName and ignore the Common Name, so a certificate made exactly this way fails host-name validation in them even with RootCA.crt trusted. Signing with an extfile that contains subjectAltName = DNS:<server host name>, and -sha256 instead of -sha1, fixes both problems.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in ServerCA.req -out ServerCA.crt
Signature ok
subject=/
Getting CA Private Key
Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f ServerCA.req
</cli>
++++

===== - Client certificate (Client CA) =====
As with the server certificate, "ClientCA" is only the file name; this is an end-entity certificate for a user, not a CA.
==== - Create the client private key file ClientCA.key ====
<code sh>
openssl genrsa -des3 -out ClientCA.key 2048
chmod og-rwx ClientCA.key
</code>
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl genrsa -des3 -out ClientCA.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for ClientCA.key:
Verifying - Enter pass phrase for ClientCA.key:
[jonathan@pd920 ca]$ chmod og-rwx ClientCA.key
</cli>
++++

==== - Generate the client certificate request file ClientCA.req ====
<code sh>
openssl req -new -key ClientCA.key -out ClientCA.req
</code>
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl req -new -key ClientCA.key -out ClientCA.req
Enter pass phrase for ClientCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:Tech.
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- can be left blank
An optional company name []: <-- can be left blank
</cli>
++++

==== - Generate the client certificate file ClientCA.crt, valid for two years ====
<code sh>
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in ClientCA.req -out ClientCA.crt
rm -f ClientCA.req
</code>
The page's copy of this command also stops after -CAkey RootCA.key; -in and -out follow from the file names of this step and -CAcreateserial is assumed, as for the server certificate. Because -extensions v3_req is ignored without an -extfile, the result is a v1 certificate with no keyUsage or extendedKeyUsage, so nothing restricts it to client authentication; signing with an extfile that contains extendedKeyUsage = clientAuth and basicConstraints = CA:FALSE gives a v3 certificate scoped to that use.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in ClientCA.req -out ClientCA.crt
Signature ok
subject=/
Getting CA Private Key
Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f ClientCA.req
</cli>
++++
==== - Combine ClientCA.crt and ClientCA.key into ClientCA.pfx ====
<code sh>
openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx
</code>
The .pfx (PKCS#12) bundle contains the private key, so the export password set here is what protects it in transit; it is also the password the browser asks for when the user imports the certificate.
++++See the output|
<cli>
[jonathan@pd920 ca]$ openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx
Enter pass phrase for ClientCA.key: <-- enter the ClientCA key passphrase
Enter Export Password: <-- set the password for exporting the client certificate,
Verifying - Enter Export Password: <-- enter the export password again to confirm
</cli>
++++
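The three procedures above (root CA, server certificate, client certificate with its .pfx export) as one runnable script, added here as an example; it is not code from the original page. It differs from the page's commands in that every signing step passes an -extfile, so the certificates come out as X.509 v3 with basicConstraints, keyUsage and, for the server, a subjectAltName, signatures use SHA-256, and the result is checked with openssl verify for its intended purpose. The target directory, the subject DNs, the host name www.example.com and the two passwords are assumptions; a real CA would prompt for the passphrases instead of hard-coding them. Tested against the openssl command-line syntax of 1.1.1 and 3.x.

```sh
#!/bin/sh
# Added example, not code from the original page: the page's three procedures
# (root CA, server certificate, client certificate + PKCS#12 export) as one
# script, with an -extfile at every signing step so the certificates really
# carry the X509v3 extensions that a bare "-extensions v3_ca/v3_req" omits.
# Constructed/assumed values: the target directory, subject DNs, the host name
# www.example.com and the two passwords below (a real CA prompts for them).

ROOT_PASS="root-key-passphrase"      # assumed; protects RootCA.key on disk
PFX_PASS="client-export-password"    # assumed; protects ClientCA.pfx

# build_pki DIR: create RootCA.*, ServerCA.* and ClientCA.* under DIR.
# The body runs in a subshell, so "cd" and "exit 1" only affect this call.
build_pki() (
    mkdir -p "$1" && cd "$1" || exit 1

    # Root CA: passphrase-protected key (AES-256 instead of the page's 3DES),
    # self-signed v3 certificate flagged as a CA that may sign certs and CRLs.
    openssl genrsa -aes256 -passout pass:"$ROOT_PASS" -out RootCA.key 2048 2>/dev/null || exit 1
    chmod og-rwx RootCA.key
    openssl req -new -key RootCA.key -passin pass:"$ROOT_PASS" \
        -subj "/C=TW/O=Example Org/CN=Example Root CA" -out RootCA.req || exit 1
    cat > RootCA.ext <<'EOF' || exit 1
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -days 3650 -sha256 -in RootCA.req -signkey RootCA.key \
        -passin pass:"$ROOT_PASS" -extfile RootCA.ext -out RootCA.crt 2>/dev/null || exit 1
    rm -f RootCA.req

    # Server certificate: unencrypted key (the daemon must start unattended),
    # CA:FALSE, TLS-server key usage and the subjectAltName browsers match on.
    openssl genrsa -out ServerCA.key 2048 2>/dev/null || exit 1
    chmod og-rwx ServerCA.key
    openssl req -new -key ServerCA.key \
        -subj "/C=TW/O=Example Org/CN=www.example.com" -out ServerCA.req || exit 1
    cat > ServerCA.ext <<'EOF' || exit 1
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid
EOF
    # -CAcreateserial writes RootCA.srl on first use; keep that file so later
    # certificates from this root get distinct serial numbers.
    openssl x509 -req -days 730 -sha256 -in ServerCA.req -CA RootCA.crt \
        -CAkey RootCA.key -passin pass:"$ROOT_PASS" -CAcreateserial \
        -extfile ServerCA.ext -out ServerCA.crt 2>/dev/null || exit 1
    rm -f ServerCA.req

    # Client certificate: key left unencrypted here (the .pfx export password
    # protects it in the bundle), scoped to clientAuth, then bundled with the
    # root certificate into a PKCS#12 file.
    openssl genrsa -out ClientCA.key 2048 2>/dev/null || exit 1
    chmod og-rwx ClientCA.key
    openssl req -new -key ClientCA.key \
        -subj "/C=TW/O=Example Org/OU=Tech./CN=jonathan" -out ClientCA.req || exit 1
    cat > ClientCA.ext <<'EOF' || exit 1
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -days 730 -sha256 -in ClientCA.req -CA RootCA.crt \
        -CAkey RootCA.key -passin pass:"$ROOT_PASS" -CAcreateserial \
        -extfile ClientCA.ext -out ClientCA.crt 2>/dev/null || exit 1
    rm -f ClientCA.req
    openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -certfile RootCA.crt \
        -passout pass:"$PFX_PASS" -out ClientCA.pfx || exit 1
)

# is_ca CRT: succeeds only if CRT is marked basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# has_san CRT HOST: succeeds if HOST is listed as a DNS subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_chain DIR: each leaf must validate against the root for its intended
# purpose, and the PKCS#12 bundle must open (MAC check) with the export password.
verify_chain() {
    openssl verify -CAfile "$1/RootCA.crt" -purpose sslserver "$1/ServerCA.crt" >/dev/null &&
    openssl verify -CAfile "$1/RootCA.crt" -purpose sslclient "$1/ClientCA.crt" >/dev/null &&
    openssl pkcs12 -in "$1/ClientCA.pfx" -passin pass:"$PFX_PASS" -noout -nokeys
}

# Usage: sh make_pki.sh ./ca
if [ -n "${1:-}" ]; then
    build_pki "$1" && verify_chain "$1" && echo "PKI built and verified in $1"
fi
```

Run it as sh make_pki.sh ./ca. The is_ca and has_san checks are also the quickest way to see what the page's own commands produce: run against the RootCA.crt and ServerCA.crt made with the bare -extensions flags, both fail, because no extensions were written.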

  * Looking at apache's ssl_request_log, I found that IE7 uses **TLSv1 RC4-MD5** and Firefox3 uses **SSLv3 DHE-RSA-AES256-SHA**,
<cli>
[root@pd920 httpd]# cat ssl_request_log
[20/
[20/
[21/
[root@pd920 httpd]#
</cli>
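A small detection script for the log the author inspected above, added here as an example and not part of the original page. It reads an Apache ssl_request_log in the default mod_ssl layout shipped with RHEL (%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b, assumed to match the author's log) and reports every request negotiated with SSLv2, SSLv3, TLS 1.0 or TLS 1.1, or with a cipher suite using RC4, MD5, DES/3DES, export-grade keys, NULL encryption or anonymous key exchange. The lines in sample_log are constructed: they reuse the two protocol/cipher pairs recorded on this page, but the client addresses, timestamps and request lines are made up. Both of the author's browser sessions would be reported today.

```sh
#!/bin/sh
# Added example, not from the original page: flag weak TLS sessions in an
# Apache ssl_request_log. Assumed log layout (RHEL mod_ssl default):
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# so after splitting on whitespace: $1-$2 timestamp, $3 client address,
# $4 protocol, $5 cipher suite, the rest the request line and byte count.

# sample_log: constructed log lines (not real traffic). The first two reuse the
# protocol/cipher pairs the page records for IE7 and Firefox 3.
sample_log() {
    cat <<'EOF'
[20/Aug/2008:16:27:18 +0800] 192.168.1.10 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1456
[20/Aug/2008:16:28:02 +0800] 192.168.1.11 SSLv3 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 3021
[21/Aug/2008:09:12:44 +0800] 192.168.1.12 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 1456
[21/Aug/2008:09:13:01 +0800] 192.168.1.13 SSLv2 EXP-RC4-MD5 "GET / HTTP/1.0" 812
EOF
}

# weak_sessions: read log lines on stdin and print "<protocol> <cipher> <client>"
# for each request that used a deprecated protocol version (RFC 8996 retired
# TLS 1.0/1.1; SSLv2/SSLv3 are older still) or a cipher suite whose name shows
# RC4, MD5, single/triple DES, an export-grade suite, NULL encryption or an
# anonymous (ADH/AECDH) key exchange.
weak_sessions() {
    awk '
        $4 == "SSLv2" || $4 == "SSLv3" || $4 == "TLSv1" || $4 == "TLSv1.1" { print $4, $5, $3; next }
        $5 ~ /(^|-)(RC4|MD5|DES|3DES|EXP|NULL|ADH|AECDH)(-|$)/ { print $4, $5, $3 }
    '
}

# count_weak: number of weak sessions in the log on stdin.
count_weak() {
    weak_sessions | wc -l | tr -d ' '
}

# Usage: sample_log | weak_sessions
#        weak_sessions < /var/log/httpd/ssl_request_log
```

The protocol test runs first so a modern-looking suite over SSLv3 (the Firefox 3 line) is still reported; the cipher pattern anchors each token on a hyphen so "AES" is never mistaken for "DES".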