Currently operations manager and senior architect at an Internet company in Beijing, with more than 10 years in Internet operations. Previously worked at JD.com, Hudong Baike and other Internet companies; an early rising star of the ops community. Long-term focus on C development, operating system kernels and large-scale Internet architecture. http://www.bdkyr.com
Category: System operations
2014-08-14 13:44:49
1. Install openssl
tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install
2. Install apache
tar zxvf httpd-2.2.16.tar.gz
cd httpd-2.2.16
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
make && make install
If you install with a package manager such as yum install, apt-get or pacman, the two steps above can be skipped.
3. Create the CA (root) certificate
Create a directory named ssl under /usr/local/apache/conf/
3.1 mkdir ssl
3.2 cp /<openssl install directory>/ssl/misc/CA.sh /usr/local/apache/conf/ssl/
3.3 Use CA.sh to create the certificate
[root@BlackGhost ssl]# ./CA.sh -newca //create the CA certificate
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: //enter the PEM pass phrase set above
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ab
Validity
Not Before: Aug 7 12:35:28 2010 GMT
Not After : Aug 6 12:35:28 2013 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
serial:89:11:9F:A6:CA:03:63:AB
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 6 12:35:28 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
If this succeeds, a demoCA folder is created under the ssl directory.
4. Generate the server private key and server certificate
[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024 //generate the server private key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //generate the server certificate request
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost //enter the full domain name here
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:
4.1 Sign the server certificate request
cp server.csr newreq.pem
[root@BlackGhost ssl]# ./CA.sh -sign //sign the server certificate request
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ac
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
localityName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Certificate is to be certified until Aug 7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
89:11:9f:a6:ca:03:63:ac
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Signature Algorithm: sha1WithRSAEncryption
Signed certificate is in newcert.pem
cp newcert.pem server.crt
5. Generate the client certificate
Generate the client private key:
openssl genrsa -des3 -out client.key 1024
Generate the client certificate request:
openssl req -new -key client.key -out client.csr
Sign it:
openssl ca -in client.csr -out client.crt
Convert it to PKCS#12 format for installation on the client:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
This step is almost the same as the server certificate setup; the difference is the signing step. Remember the password given to client.pfx at the end, because it is needed when the certificate is installed on the client.
[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
Client and server can both use the server certificate, so this step can also be skipped.
6. Gather all certificates and private keys in one place
#cp demoCA/cacert.pem cacert.pem
Also make a copy of the CA certificate named ca.crt:
#cp cacert.pem ca.crt
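The CA, server and client certificate steps of sections 3 to 6, scripted non-interactively as an added example (not the author's CA.sh session). It signs with openssl x509 -req instead of the openssl ca database, so the "TXT_DB error number 2" and countryName policy problems listed later do not arise, and it uses 2048-bit keys, SHA-256 and a subjectAltName, which current browsers check instead of the CN. The host name www.example.test, the subject fields, the export password changeit and the scratch directory are constructed for this example.

```shell
#!/bin/sh
# Added example: non-interactive CA -> server cert -> client cert, the chain the
# page builds with CA.sh -newca / CA.sh -sign. Host name, subject fields and the
# PKCS#12 password are constructed values.
set -eu

# Build the whole PKI in directory $1 for host name $2 (default www.example.test).
make_pki() {
    dir=$1
    host=${2:-www.example.test}
    mkdir -p "$dir"
    (
        cd "$dir"
        umask 077            # every key file is created mode 0600

        # 1. Root CA: self-signed, CA:TRUE, 2048-bit RSA, SHA-256 (CA.sh used 1024/SHA-1).
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/C=CN/O=Example/CN=Example Test CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null

        # 2. Server key + CSR with CN = full host name (the author's issue 4), then
        #    sign it with the CA and add subjectAltName, which browsers check instead of CN.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=CN/O=Example/CN=$host" \
            -keyout server.key -out server.csr 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
            "$host" > server.ext
        openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null

        # 3. Client cert from the same CA, bundled as PKCS#12 for import on the client
        #    (the page's client.pfx); -passout replaces the interactive "Export Password".
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=CN/O=Example/CN=client1" \
            -keyout client.key -out client.csr 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -in client.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -days 365 -sha256 -extfile client.ext -out client.crt 2>/dev/null
        openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
            -out client.pfx -passout pass:changeit

        cp cacert.pem ca.crt      # the copy the page hands to the client (section 6)
    )
}

# Check that both leaf certificates chain to cacert.pem, which is what Apache does
# with SSLCACertificateFile + SSLVerifyClient require. Prints "<file>: OK" per cert.
verify_pki() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" "$1/client.crt"
}

# Return the DNS name stored in the server certificate's subjectAltName.
server_san() {
    openssl x509 -in "$1/server.crt" -noout -ext subjectAltName |
        sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}
```

Run it as `make_pki /tmp/pki www.example.test && verify_pki /tmp/pki`; the resulting server.crt, server.key and cacert.pem drop straight into the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile directives of section 7.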
7. Apache configuration
vi /usr/local/apache/conf/extra/ssl.conf
# enable SSL
SSLEngine on
# server certificate location
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
# server certificate key location
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
# certificate directory
SSLCACertificatePath /usr/local/apache/conf/ssl
# root certificate location
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
# require clients to present a certificate
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# logging
CustomLog "/usr/local/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
vi /usr/local/apache/conf/extra/httpd_vhosts.conf
Listen 443 https
NameVirtualHost *:443
# VirtualHost container for port 443 (its tags did not survive the page's HTML and are restored here)
<VirtualHost *:443>
DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
ServerName *:443
ErrorLog "/home/zhangy/apache/"
CustomLog "/home/zhangy/apache/" common
Include conf/extra/ssl.conf
</VirtualHost>
vi /usr/local/apache/conf/httpd.conf and remove the comment in front of Include conf/extra/httpd-vhosts.conf
Start it: /usr/local/apache/bin/apachectl -D SSL -k start
Server *:10000 (RSA)
Enter pass phrase: enter the server key pass phrase
OK: Pass Phrase Dialog successful.
8. Install the client certificate
Copy ca.crt and client.pfx to the client machine; double-clicking client.pfx starts the certificate import wizard, and clicking Next through it is enough. It asks for the password along the way.
IV. Problems encountered during installation
1. Many passwords get created and you are prompted for them again and again, so they are easy to forget; also, the CA certificate's password and the passwords of the certificates under it must not be the same, or an error is reported. Write them down in a text file.
2. Problems caused by upgrading openssl
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
Creating symbolic links with ln -s fixes this. This method is not a cure-all, though: when I upgraded libpng from 1.2 to 1.4 and libjpeg from 7.0 to 8.0 the system nearly collapsed, symlinks did not help, and I removed them and reinstalled the older versions downloaded from the net.
3. The certificate's country name and province name must be the same, otherwise an empty certificate is generated:
The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)
4. When prompted for CommonName, enter the full domain name, otherwise this warning appears:
RSA server certificate CommonName (CN) `cn' does NOT match server name!?
5. The same certificate cannot be generated twice, not even under a different name; that is, the information in server.csr and client.csr cannot be completely identical, otherwise it reports:
failed to update database
TXT_DB error number 2
6. When browsing the page, a warning says your certificate is not trusted. Is that because my configuration is wrong, or is a self-made certificate simply not trusted?
7. After adding the two directives SSLVerifyClient require and SSLVerifyDepth 1, on Windows the page is shown once you have been asked for a certificate, but with Firefox it just does not work. See the ssl_request_log below; 192.168.18.3 is the Windows IE browser.
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
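Problem 7 has the author reading ssl_request_log by eye. The following script is an added example (not from the post) that parses the exact CustomLog format of section 7 and flags sessions that used an old protocol or a weak cipher suite, such as the RC4-MD5 seen from 192.168.18.3; the log lines inside it are constructed from the entries above plus one modern TLS 1.2 session.

```shell
#!/bin/sh
# Added example, not from the original post: a weak-cipher audit of the
# ssl_request_log written by the CustomLog line in section 7, whose format is
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# After whitespace splitting: $1 $2 = timestamp, $3 = client, $4 = protocol, $5 = cipher.
set -eu

# Print one "client protocol cipher reason" line for every request that used a
# protocol older than TLSv1.2 or a cipher suite containing RC4, MD5, DES, NULL or EXP.
weak_tls_report() {
    awk '
    {
        client = $3; proto = $4; cipher = $5; reason = ""
        if (proto == "SSLv2" || proto == "SSLv3" || proto == "TLSv1" || proto == "TLSv1.1")
            reason = "protocol:" proto
        if (cipher ~ /RC4|MD5|DES|NULL|EXP/)
            reason = reason (reason == "" ? "" : ",") "cipher:" cipher
        if (reason != "")
            print client, proto, cipher, reason
    }' "$1"
}

# Count the flagged requests per client address, most frequent first ("count client").
weak_tls_by_client() {
    weak_tls_report "$1" | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Constructed sample log: the author's two clients plus a modern TLS 1.2 session.
make_sample_log() {
    cat > "$1" <<'EOF'
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET /index.html HTTP/1.1" 1505
[09/Aug/2010:22:03:10 +0800] 192.168.18.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 1505
EOF
}
```

To see why a client-certificate handshake was refused, adding %{SSL_CLIENT_VERIFY}x and %{SSL_CLIENT_S_DN}x to the same CustomLog format records the verification result and the presented subject for each request.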
Encryption and decryption
Conventional (symmetric) encryption
openssl enc -ciphername(cipher algorithm) -k password(passphrase) -in file(file to encrypt) -out file(output file)
Decryption
openssl enc -ciphername -k password -d -in file -out file
Available algorithms include: base64, des, des3, rc2, rc5, aes256
For example:
/bin/openssl enc -des3 -k boobooke -in pt.txt -out ct.bin //encrypt
/bin/openssl enc -des3 -d -k boobooke -in ct.bin -out pt1.txt //decrypt
Asymmetric encryption
Generate the private/public key
openssl genrsa -out file 1024
For example:
openssl genrsa -out priv.key 1024 //generate an RSA private key (priv.key)
openssl rsa -in file -pubout
For example:
openssl rsa -in priv.key -pubout > pub.key //derive the public key from the private key priv.key and redirect it into the file pub.key
Encrypt the file with the public key
openssl rsautl -in file -out file -inkey file -pubin -encrypt
For example:
openssl rsautl -in test.txt -out test.bin -inkey pub.key -pubin -encrypt //encrypt test.txt with the public key file (pub.key), producing the encrypted file test.bin
Decrypt the file with the private key
openssl rsautl -in file -out file -inkey file -decrypt
For example:
openssl rsautl -in test.bin -out test1.txt -inkey priv.key -decrypt //decrypt test.bin, which was encrypted with the public key, using the private key priv.key; the decrypted file is test1.txt
Use openssl sign/verify functions (digital signatures)
Generate the private/public key
Generate the key pair
openssl genrsa -out file 1024
openssl rsa -in file -pubout
Sign the file with the private key
openssl rsautl -in file -out file -inkey file -sign
For example:
openssl rsautl -in test.txt -out test.sig -inkey priv.key -sign //encrypt test.txt with the private key, which is what signing it means
openssl rsautl -in file -out file -inkey file -pubin -verify
For example:
openssl rsautl -in test.sig -out test2.txt -inkey pub.key -pubin -verify //decrypt, i.e. verify, the private-key-encrypted file (test.sig) with the public key
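An added example (not from the post) of the asymmetric encrypt/decrypt and sign/verify sequence above, with two changes a practitioner should know about: openssl pkeyutl is the current name for rsautl, and the signature is made over a SHA-256 digest with openssl dgst so that files larger than the key can be signed (raw RSA, as rsautl -sign and -encrypt use it, is limited to about 11 bytes less than the modulus). The key names priv.key and pub.key follow the page; the messages and the scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: RSA encrypt/decrypt with pkeyutl and
# digest-based sign/verify with openssl dgst, plus the two failure modes that
# matter in practice (a tampered file and a plaintext too long for raw RSA).
set -eu

# Generate a 2048-bit key pair: priv.key is created 0600, pub.key is the shareable half.
make_keypair() {
    ( umask 077; openssl genrsa -out "$1/priv.key" 2048 2>/dev/null )
    openssl rsa -in "$1/priv.key" -pubout -out "$1/pub.key" 2>/dev/null
}

# Raw RSA (PKCS#1 v1.5) encryption of a short file with the public key and
# decryption with the private key. Encryption fails for inputs longer than the key allows.
rsa_encrypt() { openssl pkeyutl -encrypt -pubin -inkey "$1/pub.key" -in "$2" -out "$3" 2>/dev/null; }
rsa_decrypt() { openssl pkeyutl -decrypt -inkey "$1/priv.key" -in "$2" -out "$3" 2>/dev/null; }

# Sign: hash the file with SHA-256 and sign the digest with the private key ($2 file, $3 signature).
sign_file() { openssl dgst -sha256 -sign "$1/priv.key" -out "$3" "$2"; }

# Verify the signature with the public key; exit status 0 means the file is untouched.
verify_file() { openssl dgst -sha256 -verify "$1/pub.key" -signature "$3" "$2" >/dev/null 2>&1; }

# Run the whole flow in scratch directory $1 and return a result string; the expected
# value is "decrypt:ok sign:ok tamper:rejected big:too-long".
demo() {
    d=$1
    make_keypair "$d"
    printf 'transfer 100 to account 42\n' > "$d/test.txt"      # constructed message
    r=""
    rsa_encrypt "$d" "$d/test.txt" "$d/test.bin"
    rsa_decrypt "$d" "$d/test.bin" "$d/test1.txt"
    cmp -s "$d/test.txt" "$d/test1.txt" && r="decrypt:ok" || r="decrypt:FAIL"
    sign_file "$d" "$d/test.txt" "$d/test.sig"
    verify_file "$d" "$d/test.txt" "$d/test.sig" && r="$r sign:ok" || r="$r sign:FAIL"
    printf 'transfer 900 to account 42\n' > "$d/test.txt"      # the file is altered after signing
    verify_file "$d" "$d/test.txt" "$d/test.sig" && r="$r tamper:ACCEPTED" || r="$r tamper:rejected"
    # a 1000-byte file cannot be raw-RSA-encrypted with a 2048-bit (256-byte) key
    head -c 1000 /dev/zero | tr '\0' 'A' > "$d/big.txt"
    rsa_encrypt "$d" "$d/big.txt" "$d/big.bin" && r="$r big:encrypted" || r="$r big:too-long"
    echo "$r"
}
```

Large files are protected by encrypting them with a symmetric cipher (openssl enc) and encrypting only that key with RSA; raw RSA is for short secrets only.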
Hash functions ... MD5 SHA1
Purpose: mainly to verify a file's integrity, i.e. that nobody has tampered with it.
Generate the md5 hash result
openssl dgst -md5 file or
md5sum file
For example:
openssl dgst -md5 openssl.tar.gz //compute the MD5 value
md5sum openssl.tar.gz
Generate the sha1 hash result
openssl dgst -sha1 file or
sha1sum file
For example:
openssl dgst -sha1 openssl.tar.gz //compute the sha1 value
Install apache
Configure the environment
tar -zxvf httpd-2.0.63.tar.gz
cd httpd-2.0.63
./configure --prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/openssl
make
make install
Configure ssl in apache
openssl req -new -x509 -days 30 -keyout server.key -out server.crt -subj '/CN=Test Only Certificate'
or
openssl req -new -x509 -days 365 -sha1 -nodes -newkey rsa:1024 -keyout server.key -out server.crt -subj '/O=Seccure/OU=Seccure Labs/CN='
Copy the .key and .crt files to the proper directory //usually under apache's conf directory; the exact path is defined in apache's configuration file
vi httpd.conf
Include conf/ssl.conf //the ssl configuration file is included as conf/ssl.conf
vi conf/ssl.conf
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key //path of server.key
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt //path of server.crt
With Apache 2.2, simply starting the apache service starts SSL
Starting ssl with Apache 2.0: apachectl startssl //port 443
vi conf/ssl.conf
SSLRequireSSL //this directory may only be accessed over https
//The ssldemo directory must be accessed over https. Because SSL access involves encrypting, decrypting and transferring keys, it is slow, so the programs that need https are usually put into one directory while the rest of the site is still served over http.
I. Install Openssl
Download the openssl source code:
wget openssl-0.9.8k.tar.gz
Extract it:
tar zxvf openssl-0.9.8k.tar.gz
Configure the Openssl installation; the (--prefix) parameter is the target directory, i.e. the installed files will appear under it:
cd openssl-0.9.8k
./config --prefix=/root/openssl
Compile Openssl:
make
Install Openssl:
make install
Edit the configuration file:
cat ~/openssl/ssl/openssl.cnf
Change the following settings in it:
1) dir = /home/blave/openssl/ssl/misc/demoCA # the path where certificates are kept; change blave to your own user name
2) default_days = 3650 # number of days a certificate is valid
3) default_bits = 2048 # key length (bits)
II. Generate the CA certificate
The CA certificate we generate will be placed under ~/openssl/ssl/misc/demoCA; the following shows how to produce the top-level CA certificate.
Run the CA certificate generation script:
cd ~/openssl/ssl/misc
./CA.sh -newca
Confirm that the CA certificate and key were produced:
cd ~/openssl/ssl/misc/demoCA
ls
cacert.pem certs crl index.txt newcerts private serial
As shown, "cacert.pem" is the CA's certificate and the "private" directory holds the CA's private key.
Sign the CA certificate request:
openssl ca -selfsign -in careq.pem -out cacert.pem
Set the access permissions of the CA certificate so that only the owner can access it; everyone else must be restricted:
chmod -R 660 ~/openssl/ssl/misc/demoCA
III. Issue subordinate certificates with the CA
Once the CA certificate exists, we can issue the certificates that users or companies need; such a subordinate certificate can then be used for Email signing and encryption, https and other ssl transport encryption.
Generate the user's key file and CSR file (Certificate Signing Request):
cd ~/openssl/ssl/misc/demoCA
openssl req -nodes -new -keyout test_key.pem -out test_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf
Here "-keyout" is the file name of the generated Private key, "test_key.pem" in this example, which you may choose yourself, and "-out" produces the CSR file, "test_req.pem" in this example.
Generate the user's certificate:
openssl ca -config ~/openssl/ssl/openssl.cnf -policy policy_anything -out test_cert.pem -infiles test_req.pem
Check that the certificate was produced:
cd ~/openssl/ssl/misc/demoCA
ls
Contents of the current directory: cacert.pem crl index.txt.attr test_cert.pem test_req.pem private serial.old certs index.txt index.txt.old test_key.pem newcerts serial
As shown above, test_cert.pem, test_req.pem and test_key.pem are the certificate, CSR and Private Key just produced.
IV. Openssl applications
Verify the generated user cert against cacert:
openssl verify -CApath . -CAfile cacert.pem test_cert.pem
Check the generated serial number:
openssl x509 -noout -serial -in test_cert.pem
Check the issuer information:
openssl x509 -noout -issuer -in test_cert.pem
Check the certificate's start and end dates:
openssl x509 -noout -in test_cert.pem -dates
Check the personal certificate's subject information:
openssl x509 -noout -in test_cert.pem -subject
Check the MD5 fingerprint or SHA-1 fingerprint:
openssl x509 -noout -in test_cert.pem -fingerprint -md5/-sha1
Convert from PEM to PKCS12. Microsoft Outlook Express uses the PKCS12 format, so to send signed mail with Microsoft Outlook Express, just install the generated "*.p12" file on Windows:
openssl pkcs12 -export -in test_cert.pem -out test_cert.p12 -name "My Certificate" -inkey test_key.pem
Convert from PKCS12 to PEM:
openssl pkcs12 -in test_cert.p12 -out test_key2.pem
Produce the certificate again from the Private Key file:
openssl x509 -in test_key2.pem -text -out test_cert2.pem
File encryption: "test_cert.pem" is the personal certificate and can be given to everyone, so anyone who wants to send me an encrypted file can encrypt it as follows. Create a plain text file, here named "document.txt"; the encrypted file is named "document.enc":
echo "This is a text file." > document.txt
cat document.txt
openssl smime -encrypt -in document.txt -out document.enc test_cert.pem
cat document.enc
File decryption: when we receive "document.enc" from someone, we can decrypt it with the Private Key:
openssl smime -decrypt -in document.enc -recip test_cert.pem -inkey test_key.pem
File signing: signing a file proves that it really comes from me and lets the recipient check that it has not been tampered with. Following the example above, we sign the text file "document.txt"; the signed file is named "document.sig":
openssl smime -sign -inkey test_key.pem -signer test_cert.pem -in document.txt -out document.sig
Signature verification: when someone receives the file, they can verify it with our certificate (test_cert.pem) together with the CA certificate (cacert.pem):
openssl smime -verify -in document.sig -signer test_cert.pem -out document.txt -CAfile cacert.pem
So we know that the verifying party must first obtain the CA certificate (cacert.pem) before it can verify a file.
Encrypt and sign a file: we now know how to encrypt/decrypt and sign/verify, so encrypting and signing a file together is not hard. We must sign the file first and then encrypt it; the recipient performs the reverse steps, decrypting first and then verifying.
Complete OpenSSL installation procedure on Linux
1. Download: get a new version of OpenSSL; the version I downloaded is openssl-1.0.0e.tar.gz
2. In the download directory, run: tar -xzf openssl-1.0.0e.tar.gz
3. Enter the extracted directory openssl-1.0.0e: [.......]#cd openssl-1.0.0e
4. [.....openssl-1.0.0e]# ./config --prefix=/usr/local/openssl
5. [...../openssl-1.0.0e]# ./config -t
6. [...../openssl-1.0.0e]# make depend
7. [...../openssl-1.0.0e]# cd /usr/local
8. [/usr/local]# ln -s openssl ssl
9. Append the following line to the end of /etc/ld.so.conf:
/usr/local/openssl/lib
10. [...]# ldconfig
11. Add the OPENSSL environment variables: append to the last line of /etc/profile:
export OPENSSL=/usr/local/openssl/bin
export PATH=$OPENSSL:$PATH:$HOME/bin
12. Exit the shell and log in again.
13. OPENSSL is now installed; some checks follow.
14. Run the following in order:
[root@localhost /]# cd /usr/local
[root@localhost local]# ldd /usr/local/openssl/bin/openssl
Output similar to the following appears:
linux-vdso.so.1 => (0x00007fff3bc73000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc5385d7000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc538279000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc5387db000)
15. Check the path
...]# which openssl
/usr/local/openssl/bin/openssl
16. Check the version
...]# openssl version
OpenSSL 1.0.0e 6 Sep 2011