  • Generating a self-signed certificate with openssl

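    1. Create a ca directory, with the private and newcerts subdirectories that openssl.cnf refers to, and change into it
        mkdir -p ca/private ca/newcerts
        cd ca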
       
    2. Create an openssl.cnf file with the following contents:

    dir = .

    [ req ]
    default_bits = 2048 # Size of keys (1024-bit RSA is below current minimums)
    default_keyfile = key.pem # name of generated keys
    default_md = sha256 # message digest algorithm (MD5 is collision-broken)
    string_mask = nombstr # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [ req_distinguished_name ]
    # Variable name   Prompt string
    #----------------------   ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress = Email Address
    emailAddress_max = 40
    localityName = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    commonName = Common Name (hostname, IP, or your name)
    commonName_max = 64

    # Default values for the above, for consistency and less typing.
    # Variable name   Value
    #------------------------------   ------------------------------
    0.organizationName_default = EB Company
    localityName_default = Shen Zhen
    stateOrProvinceName_default = Guan Dong
    countryName_default = CN

    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash


    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    serial = $dir/serial
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/cacert.pem
    private_key = $dir/private/cakey.pem
    default_days = 365
    default_md = sha256 # digest used when the CA signs (MD5 is collision-broken)
    preserve = no
    email_in_dn = no
    nameopt = default_ca
    certopt = default_ca
    policy = policy_match

    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

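    3. Create an empty index.txt file
        touch index.txt

    4. Create a file named serial and put a number in it to serve as the serial number for issued certificates;
       certificates issued from now on are numbered starting from the number you enter.
        echo 01 > serial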

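    5. Generate the CA's public/private key pair
        openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
      This produces
        1. private/cakey.pem    CA private key
        2. cacert.pem            CA public key, i.e. the CA certificate. Shared by the server and the client.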

    6. Generate a Certificate Signing Request (CSR).
        openssl req -new -nodes -out req.pem -config ./openssl.cnf
      This produces
          1. key.pem                private key
          2. req.pem                public key (the certificate request), used to produce the certificate

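    7. Generate the certificate, i.e. sign req.pem with the "CA private key"
        openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
      Strip the human-readable text portion
        mv cert.pem tmp.pem
        openssl x509 -in tmp.pem -out cert.pem
      This produces
          1. cert.pem                the final user certificate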

    8. Collect the certificate files
        1. Server-side key files:
            server.pem (cat key.pem cert.pem > server.pem)
            cacert.pem
        2. Client-side certificate file:
            cacert.pem
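
Older copies of an openssl.cnf like the one in step 2 often set `default_md = md5` and a 1024-bit `default_bits`. The following is an added example, not part of the original post: a shell function that flags such values before the file is used to sign anything. The function names, the constructed sample file and the thresholds (RSA of at least 2048 bits, no MD5/SHA-1 family digest) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag weak crypto settings in an openssl.cnf before issuing from it.
# Assumed thresholds: default_bits >= 2048, default_md not in the MD*/SHA-1 family.

# audit_cnf FILE: prints one "WEAK [section] key = value" line per finding,
# returns 1 if anything was flagged and 0 otherwise.
audit_cnf() {
    awk '
        # Drop comments and surrounding whitespace so "md5 # note" parses as "md5".
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        # Section header such as "[ CA_default ]": remember its name.
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            lval = tolower(val)
            if (key == "default_md" && lval ~ /^(md2|md4|md5|mdc2|sha|sha1)$/)
                { printf "WEAK [%s] %s = %s\n", sec, key, val; bad = 1 }
            if (key == "default_bits" && val + 0 < 2048)
                { printf "WEAK [%s] %s = %s\n", sec, key, val; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample with weak [req] settings (not a real deployment file).
sample_cnf() {
    cat <<'EOF'
[ req ]
default_bits = 1024 # Size of keys
default_md = md5 # message digest algorithm
[ CA_default ]
default_md = sha256
EOF
}

# Demonstration run on the constructed sample.
tmp=$(mktemp) && sample_cnf > "$tmp"
audit_cnf "$tmp" || echo "fix the settings above before running openssl req/ca"
rm -f "$tmp"
```

Run `audit_cnf ./openssl.cnf` in the ca directory before steps 5 to 7; a non-zero exit status means at least one setting was flagged.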

  • Original article: https://www.cnblogs.com/linxr/p/2215303.html