Building SSL Certificates - OpenSSL

Posted in Security on 14 November 2006

Using the configuration-file approach: adjust the settings, then generate the CA, the CSR and the CRT.

Fedora Core release 6 (Zod) + OpenSSL 0.9.8b 04 May 2006

[1.] Create the CA
         /etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)
 (enter)
Making CA certificate ...
Generating a 1024 bit RSA private key
....................++++++
..........................................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (enter a password)
Verifying - Enter PEM pass phrase: (enter the password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]: ssorc
Organizational Unit Name (eg, section) []: (may be left blank)
Common Name (eg, your name or your server's hostname) []:ssorc.tw
Email Address []:cross@ssorc.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter)
An optional company name []: (enter)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: (enter the CA key password)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Sep  6 15:30:35 2007 GMT
            Not After : Sep  5 15:30:35 2010 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            organizationName          = ssorc
            commonName                = ssorc.tw
            emailAddress              = cross@ssorc.tw
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A0:75:F0:23:0B:54:37:9E:AB:A0:DC:68:AD:B2:33:06:23:16:E9:27
            X509v3 Authority Key Identifier:
                keyid:A0:75:F0:23:0B:54:37:9E:AB:A0:DC:68:AD:B2:33:06:23:16:E9:27
Certificate is to be certified until Sep  5 15:30:35 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

      The CA directory is created two levels above the current directory (../../CA).

      Check the CA certificate before using it: the Basic Constraints in the transcript above read CA:FALSE, and the extension set shown (CA:FALSE plus the "OpenSSL Generated Certificate" Netscape Comment) is the end-entity usr_cert section of the stock openssl.cnf, not v3_ca. A certificate meant to act as a CA should show CA:TRUE (inspect it with openssl x509 -in ../../CA/cacert.pem -noout -text); path validators that enforce Basic Constraints reject chains that end in a CA:FALSE root, even though the CA script itself will happily sign with it.


[2.] Certificate request
         /etc/pki/tls/misc/CA -newreq

Generating a 1024 bit RSA private key
....++++++
....................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: (enter a password)
Verifying - Enter PEM pass phrase: (enter the password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ssorc2
Organizational Unit Name (eg, section) []: (may be left blank)
Common Name (eg, your name or your server's hostname) []:ssorc2.idv.tw
Email Address []:cross@ssorc2.idv.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter)
An optional company name []: (enter)
Request is in newreq.pem, private key is in newkey.pem

       newkey.pem and newreq.pem are created in the current directory.

[3.] Sign the certificate

         /etc/pki/tls/misc/CA -sign

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: (enter the CA key password)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 15:48:34 2007 GMT
            Not After : Sep  5 15:48:34 2008 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            localityName              = Taipei
            organizationName          = ssorc2
            commonName                = ssorc2.idv.tw
            emailAddress              = cross@ssorc2.idv.tw
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                27:6B:C2:B6:9A:B0:68:8D:1A:37:29:1C:13:9D:57:C9:22:BE:C5:52
            X509v3 Authority Key Identifier:
                keyid:D4:E7:F0:48:CB:CE:D2:C1:D4:EA:70:7B:DF:F7:DE:85:2A:A3:81:9C
Certificate is to be certified until Sep  5 15:48:34 2008 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=TW, ST=Taiwan, O=ssorc, CN=ssorc.tw/emailAddress=cross@ssorc.tw
        Validity
            Not Before: Sep  6 15:48:34 2007 GMT
            Not After : Sep  5 15:48:34 2008 GMT
        Subject: C=TW, ST=Taiwan, L=Taipei, O=ssorc2, CN=ssorc2.tw/emailAddress=cross@ssorc2.tw
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c7:1f:75:53:fe:21:16:78:48:22:db:a0:bb:fe:
                    70:5e:18:fc:f9:9a:46:e7:0d:5a:03:59:e2:be:ac:
                    0a:c6:c8:cc:05:48:1e:d6:3b:f1:53:61:6a:8f:41:
                    34:36:e2:2b:f3:bf:91:89:32:5b:65:cd:1d:32:b1:
                    4b:c5:54:42:55:55:69:b9:3b:43:3a:c3:82:d8:4e:
                    15:bf:54:34:d8:ca:3a:6a:9c:78:a6:03:49:b7:25:
                    78:4f:c7:24:2f:e0:6c:42:8e:95:9a:da:74:5c:6d:
                    35:3d:a1:5d:e6:e4:b2:2f:ac:70:39:ca:4f:62:e6:
                    52:ee:9e:4f:dd:d9:d3:eb:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                27:6B:C2:B6:9A:B0:68:8D:1A:37:29:1C:13:9D:57:C9:22:BE:C5:52
            X509v3 Authority Key Identifier:
                keyid:D4:E7:F0:48:CB:CE:D2:C1:D4:EA:70:7B:DF:F7:DE:85:2A:A3:81:9C
    Signature Algorithm: sha1WithRSAEncryption
        66:76:62:31:74:a7:9a:a4:de:4c:9c:37:a4:fc:a8:26:31:13:
        00:d6:c0:9f:47:ab:d8:95:b2:6d:fe:61:05:97:88:13:3f:9b:
        30:83:8e:f9:d7:82:ef:ab:06:0c:24:a6:87:a9:03:79:09:50:
        8f:cc:25:ee:eb:91:86:5f:79:24:4f:fc:b7:99:a6:ca:e9:35:
        99:09:9e:bf:2c:b4:37:46:31:63:d2:69:ea:81:1f:61:da:58:
        b6:9f:ef:69:f0:7e:c0:a7:ed:15:38:e4:40:90:d6:ce:a9:2e:
        e3:e7:ea:e0:17:c3:72:5e:51:b6:db:3a:eb:6f:0e:0e:fe:c4:
        69:5e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

      newcert.pem is created in the current directory.

The flow above: create the CA first, generate a CSR, then have the CA sign it to produce the CRT. Note that the transcript uses 1024-bit RSA keys and sha1WithRSAEncryption signatures; both are too weak today, so raise default_bits (see the openssl.cnf settings below) and use a SHA-2 digest.

To generate a private key and a self-signed certificate in one step, run: /etc/pki/tls/misc/CA -newcert

The -verify option checks that a CRT chains to the CA, i.e. that this CA signed it.

If you have a CSR from elsewhere that this CA should sign, rename it to newreq.pem and run /etc/pki/tls/misc/CA -sign.

For more detail, read /etc/pki/tls/misc/CA and /etc/pki/tls/openssl.cnf themselves.

vi /etc/pki/tls/openssl.cnf

[ CA_default ]
# directory in which the CA is created
dir = /CA

# certificate validity in days
default_days = 3650

[ req ]
# RSA key size in bits (the transcript above used the old 1024-bit default)
default_bits = 2048

[ req_distinguished_name ]
countryName_default = TW
stateOrProvinceName_default = Taiwan
localityName_default = Taipei

vi /etc/pki/tls/misc/CA

# validity in days; only used by -newcert. -newreq and -sign take their value from openssl.cnf
DAYS="-days 3650"

# directory in which the CA is created
CATOP=/CA
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
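The three steps above (-newca, -newreq, -sign), the -verify check and the openssl.cnf settings, as one self-contained script. This is an added example, not code from the original post or from the Fedora CA wrapper: it drives openssl directly with an inline openssl.cnf so it runs anywhere openssl (1.1.1 or 3.x assumed) is installed, and it self-signs the CA certificate with openssl req -x509 rather than the wrapper's openssl ca -selfsign. The directory layout, section names (v3_ca, usr_cert, policy_anything), DN values, validity periods and the unencrypted (-nodes) keys are choices made for the demo. It builds the CA twice, once with CA:TRUE and once with the CA:FALSE extensions the transcript above shows, to make the consequence visible: openssl ca signs with either, but openssl verify only accepts the chain that ends in a CA:TRUE root.

```shell
#!/bin/sh
# Added example (not code from the post or the Fedora CA wrapper): the post's
# -newca / -newreq / -sign / -verify flow as plain openssl commands with an
# inline openssl.cnf. Assumed: openssl 1.1.1 or 3.x on PATH. Directory layout,
# section names, DNs and validity periods are demo choices; keys are left
# unencrypted (-nodes) so nothing prompts. Protect a real CA key with a passphrase.
set -eu

# CA directory, config and self-signed CA certificate under $1 ("CA -newca").
# $2 picks the extension section for the CA cert: v3_ca gives CA:TRUE,
# usr_cert gives the CA:FALSE seen in the post's transcript.
make_ca() {
    dir=$1; ca_ext=$2
    mkdir -p "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"   # ca database and next serial
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
organizationName = optional
commonName       = supplied

[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no

[ req_dn ]
O  = ssorc
CN = ssorc.tw

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -x509 -nodes -config "$dir/openssl.cnf" \
        -extensions "$ca_ext" -days 1095 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Server key and CSR ("CA -newreq": newkey.pem, newreq.pem).
make_req() {
    openssl req -new -nodes -config "$1/openssl.cnf" \
        -subj "/O=ssorc2/CN=ssorc2.idv.tw" \
        -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null
}

# Sign newreq.pem through the CA database ("CA -sign": newcert.pem).
sign_req() {
    openssl ca -batch -config "$1/openssl.cnf" \
        -in "$1/newreq.pem" -out "$1/newcert.pem" 2>/dev/null
}

# Does newcert.pem chain to cacert.pem? ("CA -verify")
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}

# The CA certificate's own Basic Constraints value, e.g. CA:TRUE.
ca_basic_constraints() {
    openssl x509 -in "$1/cacert.pem" -noout -text \
        | sed -n '/Basic Constraints/{n;p;}' | tr -d ' '
}

demo() {
    for ext in v3_ca usr_cert; do
        d=$(mktemp -d)
        make_ca "$d" "$ext"; make_req "$d"
        if sign_req "$d"; then s=signed; else s="not signed"; fi
        if verify_cert "$d"; then v="verify OK"; else v="verify FAILED"; fi
        echo "$ext: CA cert $(ca_basic_constraints "$d"), CSR $s, $v"
        rm -rf "$d"
    done
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it as sh ca-demo.sh. The v3_ca line reports verify OK; the usr_cert line reports verify FAILED, and removing the redirection in verify_cert shows openssl's reason. For a real CA, keep the passphrase on cakey.pem as the post does (drop -nodes) and take default_days and the key size from the openssl.cnf settings above.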
