How to generate SSL certificates

Date: 2017-12-11 00:39:17

Tags: ssl

On Linux, make sure the OpenSSL package is installed before running any of the steps below.

1. Create the root certificate key file root.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for root.key:    <-- enter a passphrase
Verifying - Enter pass phrase for root.key:    <-- enter the passphrase again

2. Create the certificate signing request for the root certificate, root.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key:    <-- enter the passphrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:haha@126.com    <-- enter the email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

3. Create a root certificate root.crt valid for ten years:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=haha@126.com
Getting Private key
Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier

4. Create the server certificate key server.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:    <-- enter a passphrase
Verifying - Enter pass phrase for server.key:    <-- enter the passphrase again

5. Create the certificate signing request for the server certificate, server.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key:    <-- enter the passphrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:haha@126.com    <-- enter the email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

6. Create a server certificate server.crt valid for one year:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=haha@126.com
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier

7. Create the client certificate key file client.key:

[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:    <-- enter a passphrase
Verifying - Enter pass phrase for client.key:    <-- enter the passphrase again

8. Create the certificate signing request for the client certificate, client.csr:

[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key:    <-- enter the passphrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    <-- enter the country code
State or Province Name (full name) []:BeiJing    <-- enter the province
Locality Name (eg, city) [Default City]:haidian    <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga    <-- enter the company name
Organizational Unit Name (eg, section) []:    <-- may be left blank
Common Name (eg, your name or your server's hostname) []:    <-- may be left blank
Email Address []:haha@126.com    <-- enter the email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    <-- may be left blank
An optional company name []:    <-- may be left blank

9. Create a client certificate client.crt valid for one year:

[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=haha@126.com
Getting CA Private Key
Enter pass phrase for private/root.key:    <-- enter the passphrase created earlier

10. Now the client certificate client.crt and the client key client.key can be combined into a client.pfx installation package for the client:

[root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
Enter pass phrase for private/client.key:    <-- enter the passphrase created earlier
Enter Export Password:    <-- create a new password
Verifying - Enter Export Password:    <-- confirm the password

client.pfx is the certificate file the client has to install when mutual (two-way) SSL is configured.
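Added example, not part of the original post: steps 1 to 9 run non-interactively, with an explicit `-extfile` so that the CA/server/client extensions really end up in the certificates (with `openssl x509 -req` in OpenSSL 1.x, `-extensions` is silently ignored unless `-extfile` is also given, and since the post's CSRs leave Common Name blank and add no subjectAltName, the resulting server.crt cannot be matched to any hostname). `verify_cert` then runs the checks a TLS peer performs against root.crt: chain, purpose and hostname. The hostname, the working directory, passphrase-less keys, 2048-bit RSA and SHA-256 in place of the post's DES3-protected 1024-bit keys and SHA-1 are assumptions of this example.

```shell
# Constructed example, not the post's commands: steps 1-9 run non-interactively with
# passphrase-less 2048-bit keys, SHA-256 and an explicit extension file (assumptions).
set -eu
build_pki() {    # $1 = working directory, $2 = server hostname for the SAN
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Steps 1-3: root key, CSR and a self-signed root that really carries v3_ca
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ext.cnf" -key "$dir/root.key" \
        -subj "/C=CN/ST=BeiJing/O=mrlapulga/CN=Example Root CA" -out "$dir/root.csr"
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/ext.cnf" -extensions v3_ca \
        -signkey "$dir/root.key" -in "$dir/root.csr" -out "$dir/root.crt" 2>/dev/null
    # Steps 4-6 and 7-9: server and client certificates signed by the root
    for n in server client; do
        openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null
        openssl req -new -config "$dir/ext.cnf" -key "$dir/$n.key" \
            -subj "/C=CN/O=mrlapulga/CN=$host" -out "$dir/$n.csr"
        openssl x509 -req -days 365 -sha256 -extfile "$dir/ext.cnf" -extensions "v3_$n" \
            -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
            -in "$dir/$n.csr" -out "$dir/$n.crt" 2>/dev/null
    done
}
# What a TLS peer checks: chain to root.crt, purpose (keyUsage/EKU) and, for servers,
# hostname against the SAN. Exit status 0 only when every check passes.
verify_cert() {  # $1 = dir, $2 = cert file, $3 = sslserver|sslclient, $4 = hostname
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$1/root.crt" -purpose "$3" -verify_hostname "$4" "$1/$2" >/dev/null
    else
        openssl verify -CAfile "$1/root.crt" -purpose "$3" "$1/$2" >/dev/null
    fi
}
```

Running `verify_cert "$dir" server.crt sslserver www.example.test` against the post's own server.crt would fail, because that certificate carries neither a Common Name nor a subjectAltName to match.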


Original source: http://blog.51cto.com/12205781/2049223
