| 知乎专栏 | 多维度架构 |
以下适合个人使用
openssl genrsa -out ca.pem 1024 openssl req -new -out neo.csr -key ca.pem openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365 openssl pkcs12 -export -clcerts -in neo.cer -inkey ca.pem -out neo.p12
安装cer与p12两个证书,然后打开outlook测试
例 7.3. 快速创建自签名证书
<![CDATA[ [root@localhost smime]# openssl genrsa -out ca/ca.pem 1024 Generating RSA private key, 1024 bit long modulus ...............++++++ ...................++++++ e is 65537 (0x10001) [root@localhost smime]# openssl req -new -out ca/ca.csr -key ca/ca.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:GD Locality Name (eg, city) [Default City]:SZ Organization Name (eg, company) [Default Company Ltd]:XXX Ltd Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:neo Email Address []:neo.chan@live.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost smime]# openssl x509 -req -in ca/ca.csr -out ca/ca-cert.cer -signkey ca/ca.pem -days 365 Signature ok subject=/C=CN/ST=GD/L=SZ/O=XXX Ltd/CN=neo/emailAddress=neo.chan@live.com Getting Private key [root@localhost smime]# openssl pkcs12 -export -clcerts -in ca/ca-cert.cer -inkey ca/ca.pem -out ca/ca.p12 Enter Export Password: Verifying - Enter Export Password:
更便捷的方法
openssl genrsa -out ca.pem 1024 openssl req -new -out neo.csr -key ca.pem -subj "/C=CN/ST=GD/L=SZ/O=Internet Widgits Pty Ltd/OU=IT/CN=neo/emailAddress=neo@668x.net" openssl x509 -req -in neo.csr -out neo.cer -signkey ca.pem -days 365 openssl pkcs12 -export -in neo.cer -inkey ca.pem -out neo.p12 -name "neo"
% mkdir keys % cd keys/
建立空文件 index.txt 用来保存以后的证书信息,这是OpenSSL的证书数据库:
touch index.txt
建立一个文件 serial 在文件中输入一个数字,做为以后颁发证书的序列号,颁发证书序列号就从你输入的数字开始递增:
echo 01 > serial
首先创建CA根证书私钥文件,使用RSA格式,1024位:
% openssl genrsa -des3 -out ca.key 1024
例 7.4. 创建CA根证书
% openssl genrsa -des3 -out ca.key 1024 Generating RSA private key, 1024 bit long modulus ...........................++++++ ...........................................++++++ e is 65537 (0x10001) Enter pass phrase for ca.key: Verifying - Enter pass phrase for ca.key:
私钥在建立时需要输入一个密码用来保护私钥文件,私钥文件使用3DES加密; 也可以不进行加密,这样不安全,因为一旦ca证书遗失,别人就可以随意颁发用户证书:
openssl genrsa -out ca.key 1024
利用建立RSA私钥,为CA自己建立一个自签名的证书文件:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
生成证书的过程中需要输入证书的信息,
例 7.5. 创建自签名的证书
% openssl req -new -x509 -days 365 -key ca.key -out ca.crt Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:GD Locality Name (eg, city) []:Shenzhen Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Ltd Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:Neo Chan Email Address []:neo.chan@live.com
生成客户证书的私钥文件,与生成CA根证书文件的方法一样,
openssl genrsa -des3 -out client.key 1024
OpenSSL生成客户端证书的时候,不能直接生成证书,而是必须通过证书请求文件来生成,因此现在我们来建立客户端的证书请求文件,生成的过程中一样要输入客户端的信息:
openssl req -new -key client.key -out client.csr
有了证书请求文件之后,就可以使用CA的根证书、根私钥来对请求文件进行签名,生成客户端证书 client.pem 了:
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -days 365 -CAserial serial
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
![[注意]](/graphics/note.png) | 注意 |
|---|---|
| 到这里为止,根CA为客户端签发证书的过程就结束了。 |