OpenSSL


  1. OpenSSL basic configuration
  2. Generate a self-signed CA certificate and key
  3. Generate a CSR and key for a domain – dev.ymeng.net
  4. Sign dev.ymeng.net with the CA's private key to produce the end-entity certificate
  5. Convert the certificate to PKCS#12 format
  6. Inspect a PKCS#12 file
  7. Test mutual (two-way) TLS authentication with openssl
  8. Generate a CSR from an existing certificate and private key

1. OpenSSL basic configuration

dir = /etc/apache2/ssl-cert/ca
 
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm; md5 (and sha1) signatures are broken and rejected by modern clients
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req 
 
[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64 
 
# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = Company Technologies Co., Ltd.
organizationalUnitName_default = Development Dept.
emailAddress_default = ca@company.com
localityName_default = Helsinki
# stateOrProvinceName_default =
countryName_default = FI
 
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always 
 
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash 
 
[ ca ]
default_ca = CA_default 
 
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # signature digest for issued certificates; never md5 or sha1
x509_extensions = v3_req # extensions added to issued certificates; without this setting "openssl ca" issues V1 certificates with no extensions at all
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match 
 
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

2. Generate a self-signed CA certificate and key

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.conf

Run this in the directory named by dir in the config (the private/ subdirectory must already exist). Without -nodes, req prompts for a passphrase for cakey.pem; keep it that way for a real CA key.

View the certificate:

openssl x509 -in cacert.pem -noout -text

3. Generate a CSR and key for a domain – dev.ymeng.net

openssl req -new -nodes -out dev.ymeng.net-csr.pem -keyout private/dev.ymeng.net-key.pem -config ./openssl.conf

-nodes leaves the server key unencrypted so the web server can load it without a passphrase. Answer the Common Name prompt with the hostname (dev.ymeng.net); the policy_match section requires the Country and Organization to match the CA certificate.

View the CSR (-verify also checks the CSR's self-signature):

openssl req -in dev.ymeng.net-csr.pem -text -verify -noout

4. Sign dev.ymeng.net with the CA's private key to produce the end-entity certificate

openssl ca -out dev.ymeng.net-cert.pem -config ./openssl.conf -infiles dev.ymeng.net-csr.pem

The CA key used for signing is the one set under [ CA_default ] in the config file. That section also expects $dir/serial (a hex counter, e.g. 01), $dir/index.txt (may be empty) and the $dir/newcerts directory to exist before the first signature; openssl ca prompts to confirm and commit the certificate unless -batch is given.

5. Convert the certificate to PKCS#12 format

openssl pkcs12 -export -in dev.ymeng.net-cert.pem -out dev.ymeng.net-cert.p12 -inkey private/dev.ymeng.net-key.pem

The export prompts for a passphrase that protects the bundled private key; add -certfile cacert.pem if the importing application also needs the issuing CA.

6. Inspect a PKCS#12 file

openssl pkcs12 -info -in dev.ymeng.net-cert.p12

-info prints the MAC and encryption parameters in addition to the contents; add -nokeys -clcerts to see only the end-entity certificate.
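
Steps 1 to 6 above as one script that runs non-interactively in a scratch directory and then checks its own output. This is an added example, not code from the original post: the scratch directory, the CA subject "Demo Root CA", the starting serial 1000 and the PKCS#12 passphrase "changeit" are assumptions made for the demo. It also gives the leaf certificate a subjectAltName plus serverAuth and clientAuth, so the same certificate can serve as the client certificate in step 7.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: runs steps 1-6 end to end in a
# scratch directory. Subject names, the scratch path, the serial start and the
# PKCS#12 passphrase ("changeit") are assumptions made for the demo.
set -eu

build_test_pki() {
  local work="$1" fqdn="${2:-dev.ymeng.net}"
  local ca="$work/ca"
  mkdir -p "$ca/private" "$ca/newcerts"
  chmod 700 "$ca/private"
  : > "$ca/index.txt"        # "openssl ca" database: must exist, may be empty
  echo 1000 > "$ca/serial"   # next serial number, hex

  # Same shape as the post's openssl.conf, with sha256 instead of md5, prompt=no
  # so the DN comes from -subj, and x509_extensions set so "openssl ca" issues
  # V3 certificates that carry a subjectAltName (required by modern TLS clients).
  cat > "$ca/openssl.conf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C  = FI
O  = Company Technologies Co., Ltd.
CN = $fqdn

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
subjectAltName       = DNS:$fqdn

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca
serial          = \$dir/serial
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
x509_extensions = v3_req
policy          = policy_match

[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied
EOF
  local dn="/C=FI/O=Company Technologies Co., Ltd."

  # Step 2: self-signed CA. -nodes only because this is a throwaway demo CA;
  # a real CA key should be passphrase-protected (omit -nodes) and kept offline.
  openssl req -new -x509 -nodes -extensions v3_ca -days 3650 -subj "$dn/CN=Demo Root CA" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" -config "$ca/openssl.conf" 2>/dev/null

  # Step 3: leaf key and CSR. policy_match requires C and O to equal the CA's.
  openssl req -new -nodes -subj "$dn/CN=$fqdn" -keyout "$ca/private/$fqdn-key.pem" \
    -out "$ca/$fqdn-csr.pem" -config "$ca/openssl.conf" 2>/dev/null

  # Step 4: sign. -batch skips the interactive confirmation; -notext keeps the
  # human-readable dump out of the PEM file.
  openssl ca -batch -notext -config "$ca/openssl.conf" -out "$ca/$fqdn-cert.pem" \
    -infiles "$ca/$fqdn-csr.pem" 2>/dev/null

  # Step 5: PKCS#12 bundle (leaf cert + key + issuing CA) for browsers / keystores.
  openssl pkcs12 -export -in "$ca/$fqdn-cert.pem" -inkey "$ca/private/$fqdn-key.pem" \
    -certfile "$ca/cacert.pem" -out "$ca/$fqdn.p12" -passout pass:changeit
}

# Prints "OK" when the issued certificate chains to the demo CA.
verify_leaf() {
  local ca="$1/ca" fqdn="${2:-dev.ymeng.net}"
  openssl verify -CAfile "$ca/cacert.pem" "$ca/$fqdn-cert.pem" 2>/dev/null | sed 's/.*: //'
}

# Prints the number of DNS: entries in the issued certificate (expect 1).
leaf_san_count() {
  local ca="$1/ca" fqdn="${2:-dev.ymeng.net}"
  openssl x509 -in "$ca/$fqdn-cert.pem" -noout -text | grep -c 'DNS:'
}

# Step 6 check: prints the number of certificates inside the PKCS#12 file (expect 2).
p12_cert_count() {
  local ca="$1/ca" fqdn="${2:-dev.ymeng.net}"
  openssl pkcs12 -in "$ca/$fqdn.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "run" ]; then   # usage: ./pki-demo.sh run
  WORK="$(mktemp -d)"
  build_test_pki "$WORK"
  echo "verify: $(verify_leaf "$WORK")  SAN entries: $(leaf_san_count "$WORK")  p12 certs: $(p12_cert_count "$WORK")"
fi
```

The config is written with prompt = no and -subj so the script never waits for input; the interactive prompts in the post's openssl.conf are the same DN fields answered at the terminal. After the run, $WORK/ca/index.txt holds one "V" (valid) line for the issued certificate and serial has advanced to 1001.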

7. Test mutual (two-way) TLS authentication with openssl

openssl s_client -connect testgw.girogate.de:443 -cert customer.crt -key customer.key -CAfile ca.crt

-CAfile ca.crt is the trust anchor s_client uses to verify the server's certificate; -cert and -key supply the client certificate and key that are sent when the server requests one. A successful handshake ends with "Verify return code: 0 (ok)"; if the server does not accept the client certificate it aborts the handshake with a TLS alert instead.

8. Generate a CSR from an existing certificate and private key

openssl x509 -x509toreq -in certificate.crt -out certificate-request.csr -signkey private-key.key

The new CSR carries the certificate's subject and public key and is signed with the matching private key (the command fails if the key does not match). Extensions such as subjectAltName are not copied from the certificate by default, so check the result with openssl req -text before submitting it. In OpenSSL 3.x, -signkey is accepted as an alias of -key.
