Generating CSR, CRT and CA certificates with OpenSSL on Linux

This post mainly borrows from and quotes the two pages below. I then tested and ran the steps on my own machine and recorded the results here.

ref:
http://blog.chinaunix.net/uid-26760055-id-3128132.html
http://www.111cn.net/sys/linux/61591.htm

Create a test directory:

```bash
mkdir -p /tmp/create_key/ca
cd /tmp/create_key/
```

Generating the certificate files:

1. Server side

1.1 Generate the server private key (key file):

```bash
openssl genrsa -des3 -out server.key 1024
```

You will be prompted for a password; it is used to encrypt the key file (the des3 parameter is the encryption algorithm, and other secure algorithms can be chosen instead). From then on, every read of this file (through the openssl commands or the API) requires the passphrase. If you do not want a passphrase, strip it:

```bash
openssl rsa -in server.key -out server.key
```

1.2 Generate the server certificate signing request (csr file):

```bash
openssl req -new -key server.key -out server.csr
```

This produces a Certificate Signing Request (CSR). Once the CA has signed the csr file, it becomes the server's own certificate. Follow the prompts on screen and enter the requested information step by step (Country, province, city, company, and so on).

2. Client side

2.1 Generate the client private key (key file):

```bash
openssl genrsa -des3 -out client.key 1024
```

2.2 Generate the client certificate signing request (csr file):

```bash
openssl req -new -key client.key -out client.csr
cd /tmp/create_key/ca
```

3. Generate the CA certificate

server.csr and client.csr must carry the CA's signature before they become certificates.

3.1 First generate the CA key file:

```bash
openssl genrsa -des3 -out ca.key 1024
```

3.2 Generate the CA self-signed certificate:

```bash
openssl req -new -x509 -key ca.key -out ca.crt
```

A validity period can be added with the option -days 365.

4. Sign with the CA certificate

```bash
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
```

These two commands report errors when run, because no openssl.cnf was specified. That is fine: the default /etc/pki/tls/openssl.cnf works. With the default configuration, however, the following two lines must be run first:

```bash
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial
```

Below is an analysis of the errors I ran into.

#############################################################

Generate server.crt from server.csr using the CA's ca.crt and ca.key:

```text
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140423531685704:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
140423531685704:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
[root@monitor ca]# touch /etc/pki/CA/index.txt    # create the index file, since it does not exist
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139949960836936:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/serial','r')
139949960836936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
[root@monitor ca]# echo 00 > /etc/pki/CA/serial    # create the serial number file
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (homelink-ca) and the request (homelink)
```

This last error occurs because the CA's ca.crt and the server's server.csr were created with different values for

Organization Name (eg, company) [Default Company Ltd]:homelink-ca

and

Organization Name (eg, company) [Default Company Ltd]:homelink

The two are not in the same organization, so the signing is refused. Rebuild ca.crt as follows:

```text
[root@monitor ca]# openssl req -new -x509 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:homelink
Organizational Unit Name (eg, section) []:homelink-lft
Common Name (eg, your name or your server's hostname) []:lft
Email Address []:
[root@monitor ca]# ls -lrt
total 8
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt
```

After recreating ca.crt, run the signing command again; this time it succeeds:

```text
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: May 22 08:16:25 2015 GMT
            Not After : May 21 08:16:25 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = bj
            organizationName          = homelink
            organizationalUnitName    = homelink-lft
            commonName                = lft
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                00:2C:34:0A:73:5C:1A:E6:39:48:28:6F:8F:02:F6:BC:58:6F:25:55
            X509v3 Authority Key Identifier:
                keyid:83:70:9D:4E:3F:39:01:3E:7A:CE:B9:2B:0E:1A:FB:00:2A:C3:11:D9

Certificate is to be certified until May 21 08:16:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@monitor ca]# ls -lrt
total 8
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt
[root@monitor ca]# ls -lrt ..
total 28
-rw-r--r-- 1 root root  963 May 22 13:51 server.key
-rw-r--r-- 1 root root  672 May 22 13:52 server.csr
-rw-r--r-- 1 root root  963 May 22 14:36 client.key
-rw-r--r-- 1 root root  672 May 22 14:37 client.csr
drwxr-xr-x 2 root root 4096 May 22 14:40 ca
-rw-r--r-- 1 root root  238 May 22 15:07 readme.txt
-rw-r--r-- 1 root root 3036 May 22 16:16 server.crt
```

Then generate the client's client.crt file:

```bash
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
```
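The following script is an added, self-contained reproduction of the whole procedure above (CA key and self-signed certificate, end-entity key and CSR, signing with openssl ca, and the organizationName mismatch); it is not code from the original post. It assumes openssl is on PATH and works in a temporary directory with its own minimal openssl.cnf instead of /etc/pki, so it needs no root and does not touch the system CA database. Its policy_match and policy_anything sections are copied from the stock openssl.cnf, because that policy = policy_match line in [ CA_default ] is what produces "The organizationName field needed to be the same". To run unattended it generates keys without -des3 (no passphrase prompt), uses -batch to answer the y/n prompts, and uses 2048-bit RSA with SHA-256 rather than the 1024-bit keys above. All subject names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reproduces the openssl ca
# workflow in a scratch directory with a minimal openssl.cnf.

# setup_ca DIR: create the layout `openssl ca` expects (index.txt, serial,
# newcerts/), write the config, and make the CA key + self-signed cert.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/ca/newcerts"
    : > "$dir/ca/index.txt"           # empty certificate database
    echo 00 > "$dir/ca/serial"        # next serial number, as in the post
    # Unquoted heredoc: $dir expands to the absolute scratch path once;
    # the escaped \$dir references are left for OpenSSL to expand.
    cat > "$dir/ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $dir/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
serial          = \$dir/serial
default_days    = 365
default_md      = sha256
unique_subject  = no
policy          = policy_match
x509_extensions = usr_cert

# Stock default: C, ST and O of the request must equal the CA's values.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Stock alternative: only a CN is required.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
EOF
    openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$dir/ca/openssl.cnf" \
        -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt" \
        -subj "/C=CN/ST=bj/L=bj/O=homelink/OU=homelink-lft/CN=lft"
}

# make_csr DIR NAME SUBJECT: end-entity key and CSR (steps 1 and 2 above).
make_csr() {
    dir="$1"; name="$2"; subj="$3"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca/openssl.cnf" \
        -key "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj"
}

# sign_csr DIR NAME POLICY: step 4 above. Returns openssl's exit status;
# the CA's messages go to NAME.sign.log so the caller can inspect them.
sign_csr() {
    dir="$1"; name="$2"; policy="$3"
    openssl ca -batch -notext -config "$dir/ca/openssl.cnf" -policy "$policy" \
        -cert "$dir/ca/ca.crt" -keyfile "$dir/ca/ca.key" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >"$dir/$name.sign.log" 2>&1
}

# verify_cert DIR NAME: confirm the issued certificate chains to the CA.
verify_cert() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/ca/ca.crt" "$dir/$name.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    setup_ca "$work"
    make_csr "$work" server "/C=CN/ST=bj/O=homelink/CN=lft"
    sign_csr "$work" server policy_match && echo "server.crt issued (O matches the CA)"
    # The post's failure: the request's O differs from the CA's.
    make_csr "$work" client "/C=CN/ST=bj/O=homelink-ca/CN=client"
    if ! sign_csr "$work" client policy_match; then
        echo "client.csr rejected under policy_match:"
        grep -i organizationName "$work/client.sign.log" || true
    fi
    # Alternative to rebuilding ca.crt: relax the policy for this request.
    sign_csr "$work" client policy_anything && verify_cert "$work" client \
        && echo "client.crt issued under policy_anything and verifies"
    echo "artifacts left in $work"
}
main
```

Two things the script makes visible that the post's output only hints at: the mismatch error is a configuration policy, not a property of the keys, so passing -policy policy_anything (or editing the policy line) is the alternative to re-issuing ca.crt when the CA and its subscribers legitimately have different organization names; and openssl ca builds the issued subject from the fields named in the policy section, which is why a localityName entered at the CSR prompt does not appear in the certificate under policy_match. openssl verify -CAfile is the check worth running after every signing step.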