Category: WINDOWS

2007-05-23 11:19:26

1. echo '01' > serial
2. touch index.txt
3. Create openssl.cnf with the following contents:
---Begin---

[ req ]
default_bits		= 1024			# Size of keys
default_keyfile		= key.pem		# name of generated keys
default_md		= md5			# message digest algorithm (md5 is obsolete; use sha256 today)
string_mask		= nombstr		# permitted characters
distinguished_name	= req_distinguished_name

[ req_distinguished_name ]
# Variable name		  Prompt string
#----------------------	  ----------------------------------
0.organizationName	= Organization Name (company)
organizationalUnitName	= Organizational Unit Name (department, division)
emailAddress		= Email Address
emailAddress_max	= 40
localityName		= Locality Name (city, district)
stateOrProvinceName	= State or Province Name (full name)
countryName		= Country Name (2 letter code)
countryName_min		= 2
countryName_max		= 2
commonName		= Common Name (hostname, IP, or your name)
commonName_max		= 64

# Default values for the above, for consistency and less typing.
# Variable name			  Value
#------------------------------	  ------------------------------
0.organizationName_default	= The Sample Company
localityName_default		= Metropolis
stateOrProvinceName_default	= New York
countryName_default		= US

[ v3_ca ]
basicConstraints	= CA:TRUE
subjectKeyIdentifier	= hash
authorityKeyIdentifier	= keyid:always,issuer:always

----End----
 
4. Create the self-signed CA certificate.
Our overrides to the "openssl req" command are:
 
  • Create a new self-signed certificate: -new -x509
  • Create a CA certificate: -extensions v3_ca
  • Make it valid for more than 30 days: -days 3650
  • Write output to specific locations: -keyout, -out
  • Use our configuration file: -config ./openssl.cnf
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
(the private/ directory must already exist; openssl does not create it)

Inspect the result:
openssl x509 -in cacert.pem -noout -text
openssl x509 -in cacert.pem -noout -dates
openssl x509 -in cacert.pem -noout -purpose
 
openssl rsa -in ... -noout -text    # shows the private key's parameters
 
Issuing a (non-CA) certificate
5. Add a v3_req extension section to openssl.cnf for ordinary certificate requests, and point the [ req ] section at it (distinguished_name is already there from step 3):

[ req ]
distinguished_name	= req_distinguished_name
req_extensions		= v3_req

[ v3_req ]
basicConstraints	= CA:FALSE
subjectKeyIdentifier	= hash
 
6. Create the certificate request (the key is written to key.pem, the default_keyfile from step 3; -nodes leaves it unencrypted), then check it:
openssl req -new -nodes -out req.pem -config ./openssl.cnf
 
openssl req -in req.pem -text -verify -noout
 
7. Add the CA sections to openssl.cnf ($dir must be defined, otherwise every path below is empty):

[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= .			# top of the CA tree; all paths below are relative to it
serial			= $dir/serial
database		= $dir/index.txt
new_certs_dir		= $dir/newcerts		# must exist; one copy of every issued certificate lands here
certificate		= $dir/cacert.pem
private_key		= $dir/private/cakey.pem
default_days		= 365
default_md		= md5			# obsolete; use sha256 today
preserve		= no
email_in_dn		= no
nameopt			= ca_default		# display options; ca_default is the documented value
certopt			= ca_default
policy			= policy_match

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

8. Sign the request with the CA (-infiles must be the last option):
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
 
9. Inspect the issued certificate:
openssl x509 -in cert.pem -noout -text -purpose | more
 
10. The certificate has both the encoded version and a human-readable version in the same file. You can strip off the human-readable portion as follows:

mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
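Steps 1 through 10 above, as an added example that is not part of the original post: a POSIX shell script that builds the CA in a scratch directory, issues one certificate and verifies it against the CA. It assumes openssl is on PATH; the directory, subjects and hostname are constructed for the example, and sha256 replaces the post's md5.

```shell
# Added example (not from the original post): steps 1-10 run end to end, then the
# issued certificate is checked against the CA. Assumes `openssl` on PATH; subjects
# and hostname are constructed for this example.
set -eu
setup_ca() {  # $1 = working directory: layout (steps 1-2), config (steps 3, 5, 7), CA (step 4)
    mkdir -p "$1/private" "$1/newcerts"; echo '01' > "$1/serial"; : > "$1/index.txt"
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits           = 2048
default_md             = sha256   # the post's md5 is rejected by modern verifiers
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints       = CA:FALSE
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = .
serial                 = $dir/serial
database               = $dir/index.txt
new_certs_dir          = $dir/newcerts
certificate            = $dir/cacert.pem
private_key            = $dir/private/cakey.pem
default_days           = 365
default_md             = sha256
x509_extensions        = v3_req   # the CA, not the requester, decides the extensions
policy                 = policy_match
[ policy_match ]
countryName            = match
organizationName       = match
commonName             = supplied
EOF
    (cd "$1" && openssl req -new -x509 -nodes -extensions v3_ca -days 3650 -config ./openssl.cnf \
        -subj '/C=US/O=The Sample Company/CN=Sample CA' -keyout private/cakey.pem -out cacert.pem 2>/dev/null)
}
issue_cert() (  # $1 = working directory, $2 = hostname; prints "ok" only if every step succeeds
    cd "$1" &&
    openssl req -new -nodes -config ./openssl.cnf -subj "/C=US/O=The Sample Company/CN=$2" \
        -keyout key.pem -out req.pem 2>/dev/null &&
    openssl req -in req.pem -verify -noout >/dev/null 2>&1 &&              # step 6: check the request
    openssl ca -batch -notext -config ./openssl.cnf -out cert.pem -infiles req.pem 2>/dev/null &&
    openssl verify -CAfile cacert.pem cert.pem >/dev/null &&                # does it chain to our CA?
    openssl x509 -in cert.pem -noout -subject | grep -q "CN *= *$2" && echo ok
)
```

-notext on `openssl ca` skips the human-readable dump that step 10 otherwise has to strip off.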

 
I. Building a self-signed CA
 
1. Generate the CA private key.
   openssl genrsa -out private/cakey.pem 1024
 
2. Generate a certificate request for the CA key.
   openssl req -new -out cacert.csr -key private/cakey.pem -config ./openssl.cnf
 
3. Self-sign it.
  openssl x509 -req -in cacert.csr -out cacert.pem -signkey private/cakey.pem -days 365
  (this form puts no extensions into the certificate; add -extfile ./openssl.cnf -extensions v3_ca to mark it as a CA)
 
II. Issuing certificates to others
 
1. Generate a private key. The client generates this itself.
 
2. The CA receives the public key the client sends (as a certificate request).
   openssl req -new -out client.csr -key client.pem -config /etc/ssl/openssl.cnf
  