Generating CSR, CRT and CA certificates with openssl on Linux

This article mainly borrows from and quotes the content of the two addresses below; I then tested and ran it on my own machine and made the following notes.

ref:




Create a test directory
mkdir /tmp/create_key/ca
cd /tmp/create_key/

Generating the certificate files:
I. Server side
1. Generate the server private key (key file):
openssl genrsa -des3 -out server.key 1024
You will be prompted for a passphrase; it encrypts the key file (the des3 parameter is the cipher; any other secure cipher such as -aes256 can be chosen instead). Every later read of this file (through openssl commands or the API) then requires the passphrase. To strip the passphrase: openssl rsa -in server.key -out server.key. Note that 1024-bit RSA is below today's accepted minimum; for anything beyond a throwaway test, replace 1024 with 2048 or more in every genrsa command in this article.

2. Generate the server certificate signing request (csr file):
openssl req -new -key server.key -out server.csr
This produces a Certificate Signing Request (CSR); once the CA signs it, the result is the server's own certificate. Follow the on-screen prompts and enter the requested information (Country, province, city, company, etc.). For a server certificate the Common Name must be the hostname clients connect to, and because the default openssl.cnf used in section IV applies policy_match, the Country, State/Province and Organization must be identical to those of the CA certificate (see the error analysis below). Modern browsers additionally require a subjectAltName extension, which this plain req invocation does not add.

II. Client side
1. Generate the client private key (key file):
openssl genrsa -des3 -out client.key 1024
2. Generate the client certificate signing request (csr file):
openssl req -new -key client.key -out client.csr


cd /tmp/create_key/ca
III. Generate the CA certificate file
#server.csr and client.csr must be signed by the CA before they become certificates.
1. First generate the CA key (keep it root-only, mode 600; it is the trust anchor for everything signed below):
openssl genrsa -des3 -out ca.key 1024
2. Generate the CA self-signed certificate:
openssl req -new -x509 -key ca.key -out ca.crt
Add "-days 365" to set the validity period; without it, openssl req -x509 defaults to 30 days. Enter the same Country, State/Province and Organization here as in the CSRs, otherwise the default policy_match policy rejects the signing requests.

IV. Sign the requests with the CA certificate
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
No -config is given, so both commands read the default /etc/pki/tls/openssl.cnf, which is fine. The errors they raise on a fresh machine are not caused by the missing -config: the [CA_default] section of that file expects a CA database under /etc/pki/CA (index.txt, the serial file and the newcerts directory), and the first two do not exist until you create them. Before the first signing, run:
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial
(The serial file holds the next serial number in even-length hex; 00 makes the first certificate serial 0 as in the transcript below, and 01 is the usual starting value. /etc/pki/CA/newcerts, where openssl ca keeps a copy of every certificate it issues, is created by the openssl package on CentOS/RHEL.)

Error case analysis follows
#############################################################
Generate server.crt from server.csr using the CA's ca.crt and ca.key
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
/etc/pki/CA/index.txt: No such file or directory 
unable to open '/etc/pki/CA/index.txt' 
140423531685704:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r') 
140423531685704:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357: 
[root@monitor ca]# touch /etc/pki/CA/index.txt             #create the index file, since it does not exist
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
/etc/pki/CA/serial: No such file or directory 
error while loading serial number 
139949960836936:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/serial','r') 
139949960836936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357: 
[root@monitor ca]# echo 00 > /etc/pki/CA/serial                 #create the serial number file
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
Check that the request matches the signature 
Signature ok 
The organizationName field needed to be the same in the 
CA certificate (homelink-ca) and the request (homelink)                
#This error occurs because the Organization Name entered when creating the CA's ca.crt and when creating server.csr differ:
#Organization Name (eg, company) [Default Company Ltd]:homelink-ca  versus
#Organization Name (eg, company) [Default Company Ltd]:homelink
#The default policy in openssl.cnf (policy = policy_match) requires countryName, stateOrProvinceName and organizationName in the request to match the CA certificate, so the signing is refused. Below, ca.crt is rebuilt with O=homelink. (Passing -policy policy_anything to openssl ca would also accept the request without rebuilding the CA certificate.)

[root@monitor ca]# openssl req -new -x509 -key ca.key -out ca.crt 
Enter pass phrase for ca.key: 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [XX]:CN 
State or Province Name (full name) []:bj 
Locality Name (eg, city) [Default City]:bj 
Organization Name (eg, company) [Default Company Ltd]:homelink 
Organizational Unit Name (eg, section) []:homelink-lft 
Common Name (eg, your name or your server's hostname) []:lft 
Email Address []: 
[root@monitor ca]# ls -lrt 
total 8 
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key 
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt 
#After recreating ca.crt, re-run the signing; generation succeeds. (Note that ca.key above is mode 644; a CA private key should be 600.)
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
Serial Number: 0 (0x0) 
Validity 
Not Before: May 22 08:16:25 2015 GMT 
Not After : May 21 08:16:25 2016 GMT 
Subject: 
countryName = CN 
stateOrProvinceName = bj 
organizationName = homelink 
organizationalUnitName = homelink-lft 
commonName = lft 
X509v3 extensions: 
X509v3 Basic Constraints: 
CA:FALSE 
Netscape Comment: 
OpenSSL Generated Certificate 
X509v3 Subject Key Identifier: 
00:2C:34:0A:73:5C:1A:E6:39:48:28:6F:8F:02:F6:BC:58:6F:25:55 
X509v3 Authority Key Identifier: 
keyid:83:70:9D:4E:3F:39:01:3E:7A:CE:B9:2B:0E:1A:FB:00:2A:C3:11:D9 

Certificate is to be certified until May 21 08:16:25 2016 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
[root@monitor ca]# ls -lrt 
total 8 
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key 
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt 
[root@monitor ca]# ls -lrt .. 
total 28 
-rw-r--r-- 1 root root 963 May 22 13:51 server.key 
-rw-r--r-- 1 root root 672 May 22 13:52 server.csr 
-rw-r--r-- 1 root root 963 May 22 14:36 client.key 
-rw-r--r-- 1 root root 672 May 22 14:37 client.csr 
drwxr-xr-x 2 root root 4096 May 22 14:40 ca 
-rw-r--r-- 1 root root 238 May 22 15:07 readme.txt 
-rw-r--r-- 1 root root 3036 May 22 16:16 server.crt
#Then generate the client's client.crt file
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key 