Chinaunix首页 | 论坛 | 博客
  • 博客访问: 528370
  • 博文数量: 81
  • 博客积分: 8020
  • 博客等级: 中将
  • 技术积分: 1085
  • 用 户 组: 普通用户
  • 注册时间: 2007-09-08 10:36
文章分类

全部博文(81)

文章存档

2010年(3)

2009年(25)

2008年(53)

我的朋友

分类: 系统运维

2009-04-19 17:53:04

Home

Start off in your home directory and create a temporary folder so we can work from one place and not have files scattered all over the shop:

mkdir /home/demo/temp
...
cd /home/demo/temp

Key

First we need to create a private key. Note that this process will require a passphrase for the key - don't worry, we'll remove it later to make things easier:

openssl genrsa -des3 -out myssl.key 1024

As said, this will require you to enter a passphrase.

CSR

Now we need to create a CSR (Certificate Signing Request):

openssl req -new -key myssl.key -out myssl.csr

The process will ask for various details for the certificate. I entered the following for each question:

Country Name: GB

State or Province Name: Nottinghamshire

Locality Name: Nottingham

Organization Name: PickledOnion Ltd

Organizational Unit Name: Web Development

Common Name: admin.domain.com

Email Address: webadmin@domain.com

For the 'extra' attributes I simply pressed 'return' (i.e. I left them blank).

Note: For the Common Name I entered the domain name I want to associate with the certificate. In this case I want it for my administration area so I entered 'admin.domain.com'.

You are not restricted to using the certificate with just that domain but it will produce extra warnings if the Common Name does not match the URI.

Remove Passphrase

When we generated the myssl.key file, we had to enter a passphrase. One disadvantage of this is the need to enter the passphrase if the Slice is rebooted.

This is especially problematic if an unexpected reboot occurs as the boot sequence will simply stop until you enter the console via the SliceManager and enter it.

So unless you see a particular need to keep the passphrase, let's remove it:

cp myssl.key myssl.key.org
openssl rsa -in myssl.key.org -out myssl.key

You will be asked for the passphrase one last time to confirm it is a genuine request.

Now we have three files in the temp folder:

ls
...
myssl.csr myssl.key myssl.key.org

CRT

The last file we need generate is the actual ssl certificate:

openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt

Good. Now we have the final piece in place as that generated our myssl.crt file.

阅读(1972) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~