分类: LINUX
2010-12-21 11:37:31
自签发证书实现过程:
1. 首先要生成服务器端的私钥(key文件):
Shell#openssl genrsa -des3 -out server.key 2048
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
#openssl rsa -in server.key -out server.key
2. 用server.key生成一个证书:
[root@mail ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:sfn
Organizational Unit Name (eg, section) []:sfn
Common Name (eg, your name or your server's hostname) []:mail.sfn.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sfn
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.按照提示提供服务器证书基本信息
3. 对客户端也作同样的命令生成key及csr文件
[root@mail ssl]# openssl genrsa -des3 -out client.key 2048
[root@mail ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:sfn
Organizational Unit Name (eg, section) []:sfn
Common Name (eg, your name or your server's hostname) []:client1.sfn.cn
Email Address []:test4@sfn.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sfn
4. 生成的CSR证书文件必须有CA的签名才可形成证书.这里制作自己的CA 这时生成一个KEY文件ca.key 和根证书ca.crt
[root@mail ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:admin@ca.cn
签署证书准备工作:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA //修改如下
dir = /etc/pki/CA
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial} //根据openssl.cnf生成配置文件
[root@mail ssl]#echo 01 > /etc/pki/CA/serial
5. 用生成的CA的证书(ca.crt)为刚才生成的server.csr,client.csr文件签名
[root@mail ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 29 03:48:44 2010 GMT
Not After : Nov 29 03:48:44 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = sfn
organizationalUnitName = sfn
commonName = mail.sfn.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
X509v3 Authority Key Identifier:
keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7
Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key //签署步骤同上
另外,这个certificate是BASE64形式的,要转成PKCS12才能装到IE,/NETSCAPE上.转换如下:
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key: //客户端私钥密码
Enter Export Password: //pfx文件导入要求的密码
Verifying - Enter Export Password:
client使用的文件有:ca.crt,client.crt,client.key,client.pfx
server使用的文件有:ca.crt, server.crt,server.key
配置nginx如下:
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
#ssl_client_certificate ssl/client/client.crt ;
ssl_client_certificate ssl/ca.crt ; //CA证书
ssl_verify_client on; //开启客户端双向认证
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers on;
证书安装及使用把刚才生成的证书:根证书ca.crt和客户证书client.crt(client.pfx)安装到客户端,