This is an old revision of the document!
====== OpenSSL certificate issuance ======

  - OpenSSL version: openssl-0.9.8b-10.el5

===== Root certificate (Root CA) =====

==== Create the root certificate private key file RootCA.key ====
<code sh>
openssl genrsa -des3 -out RootCA.key 2048
chmod og-rwx RootCA.key
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl genrsa -des3 -out RootCA.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+
.+++
e is 65537 (0x10001)
Enter pass phrase for RootCA.key:             <-- set the passphrase for the RootCA key
Verifying - Enter pass phrase for RootCA.key: <-- enter the RootCA key passphrase again
[jonathan@pd920 ca]$ chmod og-rwx RootCA.key  <-- only the owner may read or write RootCA.key
</xtermrtf>

==== Generate the root certificate request file RootCA.req ====
<code sh>
openssl req -new -key RootCA.key -out RootCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl req -new -key RootCA.key -out RootCA.req
Enter pass phrase for RootCA.key:   <-- enter the RootCA key passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Trysoft Corp.
Organizational Unit Name (eg, section) []:                  <-- may be left blank
Common Name (eg, your name or your server's hostname) []:   <-- not needed, since this is not a server certificate
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:       <-- may be left blank
An optional company name []:   <-- may be left blank
[jonathan@pd920 ca]$
</xtermrtf>

==== Generate the root certificate file RootCA.crt, valid for ten years ====
<code sh>
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
rm -f RootCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
Signature ok
subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./[email protected]
Getting Private key
Enter pass phrase for RootCA.key:   <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f RootCA.req
</xtermrtf>
Note: ''openssl x509 -req'' only applies ''-extensions'' when an ''-extfile'' is also given. With no ''-extfile'' the ''v3_ca'' section is ignored and RootCA.crt is written as a version 1 certificate without a basicConstraints (CA:TRUE) extension. Current OpenSSL releases and browsers also reject SHA-1 signatures, so new deployments should use ''-sha256'' instead of ''-sha1''.

===== Server certificate (Server CA) =====

==== Create the server certificate private key file ServerCA.key ====
<code sh>
openssl genrsa -out ServerCA.key 2048
chmod og-rwx ServerCA.key
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl genrsa -out ServerCA.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+
.......................................................................+
e is 65537 (0x10001)
</xtermrtf>
No passphrase prompt appears here: the server key is deliberately left unencrypted, because a passphrase-protected key would have to be typed in every time the service starts before it could run.

==== Generate the server certificate request file ServerCA.req ====
<code sh>
openssl req -new -key ServerCA.key -out ServerCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl req -new -key ServerCA.key -out ServerCA.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Trysoft Corp.
Organizational Unit Name (eg, section) []:                                  <-- may be left blank
Common Name (eg, your name or your server's hostname) []:mail.ichiayi.com   <-- enter the server's domain name
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:       <-- may be left blank
An optional company name []:   <-- may be left blank
</xtermrtf>

==== Generate the server certificate file ServerCA.crt, valid for two years ====
<code sh>
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt
rm -f ServerCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt
Signature ok
subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com/[email protected]
Getting CA Private Key
Enter pass phrase for RootCA.key:   <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f ServerCA.req
</xtermrtf>
Note: as with the root certificate, ''-extensions v3_req'' has no effect without ''-extfile'', so ServerCA.crt carries no subjectAltName. Current browsers match the hostname against subjectAltName rather than the Common Name, so they would not accept this certificate for mail.ichiayi.com.

===== Client certificate (Client CA) =====

==== Create the client certificate private key file ClientCA.key ====
<code sh>
openssl genrsa -des3 -out ClientCA.key 2048
chmod og-rwx ClientCA.key
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl genrsa -des3 -out ClientCA.key 2048
Generating RSA private key, 2048 bit long modulus
...........+
..............................................+
e is 65537 (0x10001)
Enter pass phrase for ClientCA.key:             <-- set the client certificate passphrase
Verifying - Enter pass phrase for ClientCA.key: <-- enter the passphrase again to confirm
[jonathan@pd920 ca]$ chmod og-rwx ClientCA.key
</xtermrtf>

==== Generate the client certificate request file ClientCA.req ====
<code sh>
openssl req -new -key ClientCA.key -out ClientCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl req -new -key ClientCA.key -out ClientCA.req
Enter pass phrase for ClientCA.key:   <-- enter the client certificate passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Trysoft Corp.
Organizational Unit Name (eg, section) []:Tech.
Common Name (eg, your name or your server's hostname) []:Jonathan Tsai
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:       <-- may be left blank
An optional company name []:   <-- may be left blank
</xtermrtf>

==== Generate the client certificate file ClientCA.crt, valid for two years ====
<code sh>
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
rm -f ClientCA.req
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
Signature ok
subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech./CN=Jonathan Tsai/[email protected]
Getting CA Private Key
Enter pass phrase for RootCA.key:   <-- enter the RootCA key passphrase
[jonathan@pd920 ca]$ rm -f ClientCA.req
</xtermrtf>

==== Convert ClientCA.crt and ClientCA.key into ClientCA.pfx ====
<code sh>
openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx
</code>
Resulting output:
<xtermrtf>
[jonathan@pd920 ca]$ openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx
Enter pass phrase for ClientCA.key:   <-- enter the client certificate passphrase
Enter Export Password:                <-- set the export password for the client certificate; it may be the same as the client certificate passphrase
Verifying - Enter Export Password:    <-- enter the export password again to confirm
</xtermrtf>
The .pfx file contains the client's private key together with the certificate, so it needs the same protection as ClientCA.key.
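The root-to-server issuance above, rebuilt as an added example that is not part of the original page: it runs non-interactively with ''-subj'' and ''-passin''/''-passout'', passes the extension sections through ''-extfile'' (which the page's commands omit, so their ''-extensions'' flag is ignored), signs with SHA-256 and encrypts the root key with AES-256 instead of SHA-1 and 3DES, and finishes by checking the result with ''openssl verify''. The passphrase ''changeit'', the temporary directory and the ''ext.cnf'' section names are assumptions; the subject fields are the page's own.

```sh
#!/bin/sh
# Added example (not the page's own commands): builds the page's root -> server
# chain non-interactively in a temp directory, supplying the extension sections
# via -extfile so that they are really applied, then verifies the result.
# Subject fields come from the page; passphrase "changeit" is a placeholder.
build_and_verify_chain() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    # "openssl x509 -req -extensions v3_ca" without -extfile is silently ignored
    # and yields a v1 certificate; this file makes the sections exist.
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.ichiayi.com
EOF
    # Root CA: passphrase-protected key, ten-year self-signed certificate.
    openssl genrsa -aes256 -passout pass:changeit -out RootCA.key 2048 2>/dev/null \
    && chmod og-rwx RootCA.key \
    && openssl req -new -config ext.cnf -key RootCA.key -passin pass:changeit \
         -subj "/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp." -out RootCA.req \
    && openssl x509 -req -days 3650 -sha256 -extfile ext.cnf -extensions v3_ca \
         -signkey RootCA.key -passin pass:changeit -in RootCA.req -out RootCA.crt 2>/dev/null \
    || return 1
    # Server certificate: unencrypted key so the service starts unattended, two years.
    openssl genrsa -out ServerCA.key 2048 2>/dev/null \
    && chmod og-rwx ServerCA.key \
    && openssl req -new -config ext.cnf -key ServerCA.key \
         -subj "/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com" -out ServerCA.req \
    && openssl x509 -req -days 730 -sha256 -extfile ext.cnf -extensions v3_server \
         -CA RootCA.crt -CAkey RootCA.key -passin pass:changeit -CAcreateserial \
         -in ServerCA.req -out ServerCA.crt 2>/dev/null \
    || return 1
    # Checks: the root carries CA:TRUE, the leaf does not, and the chain verifies
    # for the sslserver purpose (keyUsage/extendedKeyUsage/basicConstraints all fit).
    openssl x509 -in RootCA.crt -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in ServerCA.crt -noout -text | grep -q 'CA:FALSE' || return 1
    openssl verify -CAfile RootCA.crt -purpose sslserver ServerCA.crt >/dev/null || return 1
    echo "$dir"
}
chain_dir=$(build_and_verify_chain) && echo "root + server chain built and verified in $chain_dir"
```

The client certificate follows the same pattern with a section carrying ''extendedKeyUsage = clientAuth'' in place of ''v3_server''.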
  - Apache's ssl_request_log shows IE7 using TLSv1 RC4-MD5, Firefox 3 using SSLv3 DHE-RSA-AES256-SHA, and cURL 7.15.5 using TLSv1 DHE-RSA-AES256-SHA:
<xtermrtf>
[root@pd920 httpd]# cat ssl_request_log
[20/Aug/2008:16:28:12 +0800] 192.168.11.248 TLSv1 RC4-MD5 "GET /t.txt HTTP/1.1" 25                 <-- IE7
[20/Aug/2008:16:46:14 +0800] 192.168.11.248 SSLv3 DHE-RSA-AES256-SHA "GET /t.txt HTTP/1.1" 25      <-- Firefox3
[21/Aug/2008:12:18:55 +0800] 127.0.0.1 TLSv1 DHE-RSA-AES256-SHA "GET /t.txt HTTP/1.1" 5            <-- cURL 7.15.5
[root@pd920 httpd]#
</xtermrtf>
Both RC4 (RFC 7465) and SSLv3 (RFC 7568) have since been prohibited; this log format is useful precisely for spotting such negotiations on a server today.
  - Last modified: 2008/09/16 17:11
  - by jonathan