
7.5. Outlook S/MIME X.509 certificates

7.5.1. Quickly creating a self-signed certificate

The following is suitable for personal use.

openssl genrsa -out ca.pem 1024
openssl req -new -out neo.csr -key ca.pem
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365
openssl pkcs12 -export -clcerts -in neo.cer -inkey ca.pem -out neo.p12
			

Install both the .cer and the .p12 certificate, then open Outlook to test.

Example 7.3. Quickly creating a self-signed certificate

				
[root@localhost smime]# openssl genrsa -out ca/ca.pem 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
...................++++++
e is 65537 (0x10001)

[root@localhost smime]# openssl req -new -out ca/ca.csr -key ca/ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:XXX Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:neo
Email Address []:neo.chan@live.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@localhost smime]# openssl x509 -req -in ca/ca.csr -out ca/ca-cert.cer -signkey ca/ca.pem -days 365
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=XXX Ltd/CN=neo/emailAddress=neo.chan@live.com
Getting Private key

[root@localhost smime]# openssl pkcs12 -export -clcerts -in ca/ca-cert.cer -inkey ca/ca.pem -out ca/ca.p12
Enter Export Password:
Verifying - Enter Export Password:
				
				

A more convenient method

openssl genrsa -out ca.pem 1024
openssl req -new -out neo.csr -key ca.pem -subj  "/C=CN/ST=GD/L=SZ/O=Internet Widgits Pty Ltd/OU=IT/CN=neo/emailAddress=neo@668x.net"
openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365
openssl pkcs12 -export -in neo.cer -inkey ca.pem -out neo.p12 -name "neo"
				

7.5.2. Enterprise or group solution

7.5.2.1. Certificate environment

% mkdir keys
% cd keys/
				

Create an empty file index.txt to hold information about the certificates issued later; this is OpenSSL's certificate database:

touch  index.txt
				

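Create a file named serial and write a number into it. This is the serial number for issued certificates; serial numbers increment starting from the number you enter: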

echo 01 > serial
				

7.5.2.2. Issuing the CA certificate

First create the private key file for the CA root certificate, in RSA format, 1024 bits:

% openssl genrsa -des3 -out ca.key 1024
				

Example 7.4. Creating the CA root certificate

% openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
...........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
					

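When the private key is created you must enter a passphrase to protect the private key file, which is encrypted with 3DES. You can also leave it unencrypted, but that is insecure, because if the unprotected CA key file is lost, anyone who obtains it can issue user certificates at will: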

openssl genrsa -out ca.key 1024
				

Using the RSA private key just created, create a self-signed certificate file for the CA itself:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt
				

While the certificate is being generated you are prompted for the certificate's information:

Example 7.5. Creating a self-signed certificate

% openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:Neo Chan
Email Address []:neo.chan@live.com
					

7.5.2.3. Issuing client certificates

Generate the private key file for the client certificate, in the same way as for the CA root certificate:

openssl genrsa -des3 -out client.key 1024
				

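OpenSSL cannot generate a client certificate directly; the certificate must be generated from a certificate request file. So we now create the client's certificate request file. As before, you enter the client's information during generation: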

openssl req -new -key client.key -out client.csr
				

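With the certificate request file in hand, you can use the CA's root certificate and root private key to sign the request and generate the client certificate client.crt: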

# Sign the request with the CA certificate and key; -signkey is for self-signing and is not combined with -CA
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -days 365 -CAserial serial
				
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
				
Note
At this point, the process of the root CA issuing a certificate to the client is complete.
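
The issuance steps above as one non-interactive script, added here as an example and not part of the original page: it builds a throwaway CA and client certificate, then checks the chain, the e-mail address embedded in the certificate, and an S/MIME sign/verify round trip including a tampered message. Assumptions: 2048-bit unencrypted keys so it runs without prompts, constructed subjects and the address neo@example.com, and the function name smime_roundtrip.

```shell
#!/bin/sh
# Added example: constructed names, subjects and message; not the page's own code.
smime_roundtrip() (
    set -e
    dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
    cd "$dir"
    echo 01 > serial                       # serial counter, as in 7.5.2.1

    # CA key and self-signed CA certificate (2048-bit, unencrypted: assumptions)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/C=CN/ST=GD/O=Example CA/CN=Example Root"

    # Client key, certificate request, and CA-signed certificate
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr \
        -subj "/C=CN/ST=GD/O=Example/CN=neo/emailAddress=neo@example.com"
    openssl x509 -req -in client.csr -out client.crt \
        -CA ca.crt -CAkey ca.key -CAserial serial -days 365 2>/dev/null

    # 1. The client certificate must chain to the CA
    openssl verify -CAfile ca.crt client.crt >/dev/null
    # 2. The sender address must be present in the certificate
    openssl x509 -in client.crt -noout -email | grep -qx 'neo@example.com'

    # 3. Sign a message, then verify the signature against the CA
    printf 'Please pay invoice 42\n' > msg.txt
    openssl smime -sign -in msg.txt -signer client.crt -inkey client.key \
        -out signed.eml
    openssl smime -verify -in signed.eml -CAfile ca.crt -out /dev/null 2>/dev/null

    # 4. A modified body must fail verification
    sed 's/invoice 42/invoice 43/' signed.eml > tampered.eml
    if openssl smime -verify -in tampered.eml -CAfile ca.crt \
        -out /dev/null 2>/dev/null; then
        echo "tampered message verified" >&2
        exit 1
    fi
    echo ok
)

smime_roundtrip
```
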

7.5.2.4. Revoking an issued certificate

Use the -revoke option of the ca command:

openssl ca -revoke client.crt -keyfile ca.key -cert ca.crt
				

After a certificate has been revoked, a new CRL file must also be published:

openssl ca -gencrl  -out ca.crl -keyfile ca.key -cert ca.crt