Generating a CA, CSR and CRT by editing the configuration files
Fedora Core release 6 (Zod) + OpenSSL 0.9.8b 04 May 2006
[1.] Create the CA
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate …
Generating a 1024 bit RSA private key
............................++++++
........................................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (enter passphrase)
Verifying - Enter PEM pass phrase: (enter passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]: ssorc
Organizational Unit Name (eg, section) []: (may be left blank)
Common Name (eg, your name or your server's hostname) []:ssorc.tw
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter)
An optional company name []: (enter)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: (enter passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 6 15:30:35 2007 GMT
Not After : Sep 5 15:30:35 2010 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = ssorc
commonName = ssorc.tw
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A0:75:F0:23:0B:54:37:9E:AB:A0:DC:68:AD:B2:33:06:23:16:E9:27
X509v3 Authority Key Identifier:
keyid:A0:75:F0:23:0B:54:37:9E:AB:A0:DC:68:AD:B2:33:06:23:16:E9:27
Certificate is to be certified until Sep 5 15:30:35 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
This creates the CA directory two levels above the current directory (../../CA).
[2.] Certificate request
/etc/pki/tls/misc/CA -newreq
Generating a 1024 bit RSA private key
....++++++
....................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: (enter passphrase)
Verifying - Enter PEM pass phrase: (enter passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ssorc2
Organizational Unit Name (eg, section) []: (may be left blank)
Common Name (eg, your name or your server's hostname) []:ssorc2.idv.tw
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (enter)
An optional company name []: (enter)
Request is in newreq.pem, private key is in newkey.pem
This creates newkey.pem and newreq.pem in the current directory.
[3.] Sign the certificate
/etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: (enter passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 6 15:48:34 2007 GMT
Not After : Sep 5 15:48:34 2008 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taipei
organizationName = ssorc2
commonName = ssorc2.idv.tw
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
27:6B:C2:B6:9A:B0:68:8D:1A:37:29:1C:13:9D:57:C9:22:BE:C5:52
X509v3 Authority Key Identifier:
keyid:D4:E7:F0:48:CB:CE:D2:C1:D4:EA:70:7B:DF:F7:DE:85:2A:A3:81:9C
Certificate is to be certified until Sep 5 15:48:34 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=Taiwan, O=ssorc, CN=ssorc.tw/[email protected]
Validity
Not Before: Sep 6 15:48:34 2007 GMT
Not After : Sep 5 15:48:34 2008 GMT
Subject: C=TW, ST=Taiwan, L=Taipei, O=ssorc2, CN=ssorc2.tw/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c7:1f:75:53:fe:21:16:78:48:22:db:a0:bb:fe:
70:5e:18:fc:f9:9a:46:e7:0d:5a:03:59:e2:be:ac:
0a:c6:c8:cc:05:48:1e:d6:3b:f1:53:61:6a:8f:41:
34:36:e2:2b:f3:bf:91:89:32:5b:65:cd:1d:32:b1:
4b:c5:54:42:55:55:69:b9:3b:43:3a:c3:82:d8:4e:
15:bf:54:34:d8:ca:3a:6a:9c:78:a6:03:49:b7:25:
78:4f:c7:24:2f:e0:6c:42:8e:95:9a:da:74:5c:6d:
35:3d:a1:5d:e6:e4:b2:2f:ac:70:39:ca:4f:62:e6:
52:ee:9e:4f:dd:d9:d3:eb:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
27:6B:C2:B6:9A:B0:68:8D:1A:37:29:1C:13:9D:57:C9:22:BE:C5:52
X509v3 Authority Key Identifier:
keyid:D4:E7:F0:48:CB:CE:D2:C1:D4:EA:70:7B:DF:F7:DE:85:2A:A3:81:9C
Signature Algorithm: sha1WithRSAEncryption
66:76:62:31:74:a7:9a:a4:de:4c:9c:37:a4:fc:a8:26:31:13:
00:d6:c0:9f:47:ab:d8:95:b2:6d:fe:61:05:97:88:13:3f:9b:
30:83:8e:f9:d7:82:ef:ab:06:0c:24:a6:87:a9:03:79:09:50:
8f:cc:25:ee:eb:91:86:5f:79:24:4f:fc:b7:99:a6:ca:e9:35:
99:09:9e:bf:2c:b4:37:46:31:63:d2:69:ea:81:1f:61:da:58:
b6:9f:ef:69:f0:7e:c0:a7:ed:15:38:e4:40:90:d6:ce:a9:2e:
e3:e7:ea:e0:17:c3:72:5e:51:b6:db:3a:eb:6f:0e:0e:fe:c4:
69:5e
-----BEGIN CERTIFICATE-----
(PEM-encoded certificate body omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
This creates newcert.pem in the current directory.
The flow above is: first create the CA, then generate the CSR, then sign the CSR with the CA to produce the CRT.
If you want to generate a private key and certificate directly in one step, run: /etc/pki/tls/misc/CA -newcert
The -verify option checks that a CRT and the CA are a matching pair, i.e. that the certificate really was issued by this CA.
If you have a CSR from elsewhere that you want this CA to sign, just rename that CSR to newreq.pem and run /etc/pki/tls/misc/CA -sign.
For a deeper understanding, read /etc/pki/tls/misc/CA and /etc/pki/tls/openssl.cnf directly.
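As an added example (not from the original post), a small POSIX shell script that checks the files the CA script leaves behind after step [3.]: that newcert.pem chains to the CA certificate (what CA -verify does underneath), that its public key matches newkey.pem, that it is not close to expiry, and that it is not itself a CA certificate. Paths follow the page's layout (../../CA/cacert.pem, newcert.pem, newkey.pem); the function names are my own, and the openssl command line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files left
# behind by "/etc/pki/tls/misc/CA -sign". Assumes the page's layout: the CA lives in
# ../../CA (cacert.pem), the signed cert is newcert.pem and its key is newkey.pem.
# Function names are hypothetical; the openssl CLI must be installed.

# Does the certificate chain to our CA? This is what "CA -verify" runs underneath.
verify_chain() {                        # verify_chain CERT CAFILE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the public key in the certificate match the private key? Comparing the RSA
# moduli catches a certificate that was signed from the wrong newreq.pem.
key_matches_cert() {                    # key_matches_cert CERT KEY [PASSPHRASE]
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  k=$(openssl rsa -in "$2" -noout -modulus -passin "pass:${3:-}" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the certificate still valid for at least DAYS more days? The leaf on the page
# was issued for 365 days, so a renewal reminder should watch this value.
valid_for_days() {                      # valid_for_days CERT DAYS
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Does the certificate carry CA:TRUE in Basic Constraints? The leaf certificates on
# the page show CA:FALSE; only cacert.pem should answer yes here.
is_ca_cert() {                          # is_ca_cert CERT
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Run every check on a freshly signed leaf certificate; non-zero status if any fail.
post_sign_checks() {                    # post_sign_checks CERT KEY CAFILE [PASSPHRASE]
  rc=0
  verify_chain "$1" "$3"              && echo "PASS chain"  || { echo "FAIL chain";  rc=1; }
  key_matches_cert "$1" "$2" "${4:-}" && echo "PASS key"    || { echo "FAIL key";    rc=1; }
  valid_for_days "$1" 30              && echo "PASS expiry" || { echo "FAIL expiry"; rc=1; }
  is_ca_cert "$1" && { echo "FAIL leaf has CA:TRUE"; rc=1; } || echo "PASS leaf"
  return $rc
}

# Usage from the directory where "CA -sign" was run:
#   sh post_sign_checks.sh newcert.pem newkey.pem ../../CA/cacert.pem
if [ "$#" -ge 3 ]; then
  post_sign_checks "$@"
fi
```

The passphrase argument is only needed when newkey.pem is still encrypted with the PEM pass phrase entered at step [2.].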
vi /etc/pki/tls/openssl.cnf
[ CA_default ]
# directory where the CA is created
dir = /CA
# certificate validity in days
default_days = 3650
[ req ]
# key size in bits
default_bits = 2048
[ req_distinguished_name ]
countryName_default = TW
stateOrProvinceName_default = Taiwan
localityName_default = Taipei
vi /etc/pki/tls/misc/CA
# certificate validity in days; this only applies to -newcert, while -newreq and -sign take the value from openssl.cnf
DAYS="-days 3650"
# directory where the CA is created
CATOP=/CA
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem