Date: 2015-06-28 00:00:00  Source: IT貓撲網  Author: 網管聯盟
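OpenSSL is a very powerful tool. Here I only cover a few simple openssl commands: generating a key, generating a certificate request, generating a certificate, and, when acting as a CA, generating a self-signed certificate.
1: Generate the CA's self-signed certificate: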
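#cd /etc/pki/CA
Change into this directory; the CA certificate must be created here.
#openssl genrsa 2048 > private/cakey.pem
Generate the CA's private key. It is written to private/cakey.pem, the key file used when the CA certificate is created.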
#vim /etc/pki/tls/openssl.cnf
In the [ CA_default ] section, change the dir option to /etc/pki/CA
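#mkdir ./newcerts
When a certificate is issued, serial-numbered certificate files and information files are generated automatically and stored in the newcerts directory, so create it first. Otherwise issuing a certificate fails with an error saying the file does not exist.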
#touch ./{serial,index.txt}
Create the serial number file and the index file
#echo "00" > ./serial
Give the serial number an initial value
#openssl req -x509 -new -key private/cakey.pem -out ./cacert.pem -days 1000
Generate the CA certificate
2: Signing a certificate
#mkdir /root/testcrt
#cd /root/testcrt
#openssl genrsa 1024 > my.key
Generate a key
Generating RSA private key, 1024 bit long modulus
..........................++++++
...++++++
e is 65537 (0x10001)
----------------------------------
#openssl rsa -in my.key -pubout -out test.pub
Check the key file just generated; this writes its public key to test.pub
#openssl req -new -key my.key -out my.csr
Generate the certificate request
--------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NA
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:CA
Organizational Unit Name (eg, section) []:station173.example.com
Common Name (eg, your name or your server's hostname) []:a.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---------------------------------------------------
#openssl ca -in my.csr -out my.crt -days 1000
Have the CA issue the certificate for the request
----------------------------------------------------
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Feb 25 15:28:21 2010 GMT
Not After : Nov 21 15:28:21 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = CA
organizationalUnitName = station173.example.com
commonName = a.example.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:66:7E:D6:4E:70:0F:60:3B:CE:D8:7F:56:B2:D7:7C:64:8A:4B:25
X509v3 Authority Key Identifier:
keyid:CB:79:BF:95:34:53:96:EE:79:8B:48:C2:6E:77:B4:E6:AB:23:C0:F3
Certificate is to be certified until Nov 21 15:28:21 2012 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------------------------------------------
#openssl x509 -in my.crt -noout -text
View the generated certificate
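The whole procedure above, run non-interactively in a scratch directory and followed by two checks the steps do not perform: that the issued certificate chains to the CA, and that it matches the private key. This is an added example, not part of the original article. The ca.cnf file, its section names and the subject names are constructed for the demo, and it uses 2048-bit keys throughout instead of the 1024-bit key in the transcript above.

```shell
#!/bin/sh
# Added example: a throwaway CA in a scratch directory; /etc/pki is not touched.
# ca.cnf, the [ demo_ca ] section and all subject names are constructed here.
build_demo_ca() {   # $1 = empty working directory
    ( cd "$1" && umask 077 && mkdir -p private newcerts &&
      : > index.txt && echo 01 > serial &&
      cat > ca.cnf <<'EOF' &&
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_cn
x509_extensions = usr_cert
[ policy_cn ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
      openssl genrsa -out private/cakey.pem 2048 2>/dev/null &&
      openssl req -x509 -new -config ca.cnf -key private/cakey.pem \
          -subj "/CN=demo-ca" -days 1000 -out cacert.pem )
}
issue_cert() {      # $1 = CA directory, $2 = common name for the new certificate
    ( cd "$1" && umask 077 &&
      openssl genrsa -out my.key 2048 2>/dev/null &&
      openssl req -new -config ca.cnf -key my.key -subj "/CN=$2" -out my.csr &&
      openssl ca -batch -config ca.cnf -in my.csr -out my.crt -days 1000 2>/dev/null )
}
check_cert() {      # $1 = CA directory; true only if my.crt chains to the CA and matches my.key
    ( cd "$1" && openssl verify -CAfile cacert.pem my.crt >/dev/null 2>&1 &&
      [ "$(openssl x509 -in my.crt -noout -pubkey | openssl sha256)" = \
        "$(openssl pkey -in my.key -pubout | openssl sha256)" ] )
}
```

Call build_demo_ca on a fresh directory from mktemp -d, then issue_cert and check_cert on the same directory; umask 077 keeps the private keys readable only by their owner.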