  • Installing OpenSSL on Windows 7 and generating digital certificates

    Build environment: Windows 7 64-bit, Visual Studio 2013

    Preparation: first download the latest release, openssl-1.0.2.tar.gz, from http://www.openssl.org/source/ and extract it to C:\openssl-1.0.2 (1.0.2 has been out of support since the end of 2019; the build steps below are specific to the 1.0.x source tree).
    Next, download ActivePerl from http://www.activestate.com/ActivePerl, install it to the C: drive, and from a command prompt run example.pl in C:\Perl64\eg.
    If it prints "Hello from ActivePerl!", Perl is installed correctly and its commands can be used to build OpenSSL; the preparation is complete.
     
    Open the VS2013 developer command prompt with administrator rights, change into the OpenSSL source directory, and build it with the following steps:

     

    Run "perl Configure VC-WIN32 no-asm -DOPENSSL_USE_IPV6=0". "no-asm" builds without the NASM assembler routines, and "-DOPENSSL_USE_IPV6=0" disables IPv6, which avoids the error "NMAKE : fatal error U1077: 'cl' : return code '0x2'". OpenSSL's own INSTALL.W32 instructions then have you run "ms\do_ms.bat" to generate the makefiles before invoking nmake;

    Run "nmake -f ms\ntdll.mak";

    To check whether the build succeeded, run "nmake -f ms\ntdll.mak test", or, alternatively, "> cd out32dll" (the remainder of this alternative is missing from the original).

    When the build finishes, the out32dll directory contains the import libraries, the DLLs, the openssl command-line tool and the test programs, notably openssl.exe, libeay32.dll and ssleay32.dll.

    Create the directory c:\usr\local\ssl and copy openssl.cnf from the apps subdirectory of the OpenSSL source tree into out32dll; OpenSSL can then be used. c:\usr\local\ssl is the OPENSSLDIR a default VC-WIN32 build of 1.0.2 is configured with, which is where commands look for openssl.cnf: "openssl genrsa" works without the config file, but "openssl req" refuses to run without one, so if the file cannot be found, either set the OPENSSL_CONF environment variable to its path or pass "-config <path>" explicitly.

    Generating the key pair (public-private key pair)

    First you need an RSA key pair (public-private key pair). The command is "openssl genrsa -out <key file> [-des|-des3|-idea] <size>":

    $ openssl genrsa -out www.example.com.key -des3 2048
    Generating RSA private key, 2048 bit long modulus
    ........................+++
    ..............................................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for www.example.com.key: Don't show my passphrase
    Verifying - Enter pass phrase for www.example.com.key: Don't show my passphrase

    The last argument is the size of the key pair in bits; with today's computing power, 2048 bits is the recommended minimum. Because the "-des3" option was given, the generated private key is encrypted with Triple DES (3DES) to protect it. You can use "-des" or "-idea" instead of "-des3" to encrypt the private key with DES or IDEA (DES is far too weak and should never be used; genrsa also accepts "-aes128", "-aes192" and "-aes256", which are the better choice today, and note that this legacy PEM encryption derives the key from the passphrase with a single MD5 iteration, so the passphrase itself has to be strong). An encrypted private key must be decrypted with the passphrase every time it is used, which is safer. If the certificate is used by a server such as Apache httpd, the passphrase has to be entered each time the server starts, so many people omit "-des3" and generate an unencrypted private key (no passphrase is asked for and the key is stored in clear):

    $ openssl genrsa -out www.example.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    ........................+++
    ..............................................................................+++
    e is 65537 (0x10001)

    This command is almost the same as the one above, except that no passphrase is requested. It avoids the nuisance of typing the passphrase each time, but anyone who copies the key file can use the certificate directly, which is very dangerous; at minimum, restrict the file's permissions so that only the account running the server can read it.

    When it finishes, the new key is written to the key file www.example.com.key in PKCS#1 PEM format (the header says RSA PRIVATE KEY, meaning an RSA private key, but the file also contains the material needed to derive the corresponding public key; "openssl rsa -in www.example.com.key -pubout" extracts it). OpenSSL 3.x writes keys in PKCS#8 form ("BEGIN PRIVATE KEY") by default; pass "-traditional" to genrsa to get the format shown here:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEA5xcy3JVptzucvBQI2tzK9HkQ7pVhdqf4x8dID9K2z6A5W4Uc
    /NByWOq80EGSetm/hZxj/JIPwOoOSlV2DZx423wtM8xfV9/7nkdiE1FwBVOZTprN
    l1KgHY9rvcakNFclUU1xyTcLRWATrAKq4YU8TiR7yuvsNy0CxsZNX7zJszuX8aoQ
    SbKTr3ckhJveDXPGGu96TebE146MRuFo1LNZ42AjVVXF0U5RqNtzdRJjxwjgMnQ5
    1xEVb4InkW2Zgy/bJDYwCuQcgvswH+43EEou/eOLPeZDp8j2VZjLk/MDcDatEDFQ
    Ayd8T3Cg+YSdYj/jLSEc17ZD0r5KSzRwYRa26QIDAQABAoIBAQDfTERib6ICY4D1
    ICraSWV3zBB3ajMOdArqCH9ygrsRb5JdBAhZppYHo3OljOcc/JGbat4W7ZB5afE7
    FM+JIXyLIbeQCNjMUeuSKwny/stO6lQGZ4Fnynhbd/21GGAND3RI1puvwheLBuab
    XMyANL1sCMbx8vyC6GR5bJ7Rdtwz6fiyPOvOBmZV920R3ZnuScI4kWwxz6dzwLP3
    wzFVqozD8RiPdP5mWEmEXTDEProNEPqUA0D0ydQg+OwanrUUhavnDu1fvJ5VdWqV
    K9HgHJ1PSWJEsiRe9PkDmcFrjyLdgf36pl61CTOGMyhWj7lq9zT3SQxOdtXe4Hsp
    wfhKkbY9AoGBAPbPKUAIkDecHwTE5ZkVyQg7W9U6H4iPYowlOMfnntP5+arhq5cl
    /CJnzIEd55tgIWgJCjtptG1qodJU52kFL0rR4Z1ce9dRPSMY2Z7hEPl1PkMeRooo
    Wr8+FrXhakONQ3Kro0cH5qMkBekwXxFJ+ZQ29O+3EMLaR69iHPNi4lwjAoGBAO+y
    MRIeh43qB985ps23yNDfL6FL69besKcNiuMyDc6GfBNg9j4hZVrPPiJjVDvHsqnc
    RHiuO6MvXOT9atXAyyX6/h00CVoU5mxbEe4mEbpvivqaosW64eAkqdSj2HInkG9u
    lTeZGPZwleK9EDgTmVZ7lFEoBgRxNSUEkXJPfLuDAoGAArkIWHd/t81WHkRZ0BWI
    cTnOaozImkYSrT8f4Dyy6N3CHlt8/B7kKDEC9Y2x52npFG+9GCizX92kSWC8aNEw
    0197YLQLfbWcug1lITaUbFwZwr3Lw2xsi92QfJMvC+28B8DS/U6eAcC8+/SXp+Ys
    BbGRhC991Nh5n/qyHRFDNAcCgYBmH1NM1vkF+5nS/2sT5qOGajCO1hvq9gHpipmL
    5r1/KkkesIb5PZ1DLVzZpdwzhAeY2yHJEOKTyhAX9+hWncdvrRorMwpw+Mqbi8l9
    33ZaKj/aOZv0BoVJzBUXZZ9IM5cUAtdMUswR4zHY4phQa/k+oXQ1h4nYxqrP1Lxr
    KXaJJQKBgQDVLfOLgH6sN+I1f4B3/n6pOgjiosQd1c1K6NyjD3E8lnL5W/wI0CfP
    SK80ZkUwAlrGFMpL9K/qyswc0ejaswvQGTcra0V0DVzfZ4DhCOYC3shAGV3lsWzD
    VQAG4iwwf61wNBVuXBKl6xBIIzu1JoqB+in+IJ3MP4u0y9IF3VV+/w==
    -----END RSA PRIVATE KEY-----

    The key above is not encrypted. An encrypted key carries the headers "Proc-Type: 4,ENCRYPTED" and "DEK-Info: ..." before the base64 data:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B
     
    Gkxpb1n8M3cQBH3J/l5ZzLE9GyYE+nv9+2Fk7jSJZM0W+ek/aeQYnE37OaGrabRD
    1hCk0j5BoH8xa5hlwxpHM48cJbLsFmuMlVag1FTdtPozXNRBLHCNWUFWq9qQoa6K
    IY/efrkzTx5WFXmidroKUPAA1kTXNjpSAjO0kLO/sqwS57bTMKb4cwxu21p3Crcy
    Z1BBUPHaRdunK2Q/Gj05NO0ARX0VScKbr/sY9tt/D/viH89zwBAKmGVr3+RQlUP0
    Lx9vhKK2S+Ut+GvWYPzitgrlE1txHywe9pLJ/LzJEZsBVm7M4HmNq1yoeoy95jo+
    p974utG9MerlS84Wy5T4neNn2LamWCOFgOTIOfNfpvkan4KTEw5okvHCWQ+/pHcT
    wDionMztMaExj4XHbtutUMVZVjsNhR3zzuZ62KQNkwLUYNHTGCKwZYc+5JJ5dWMU
    dZyxHqJ+qcO4UTFoMKT1HxoYZUWhH6V2keS0NaULLXuJq5D4GZkIAl3Zb/4u83kK
    0siqoIdd/97s5PnSKfsrztF8zZHxrFl8CGQp6iht+tI68m9t1WONSQ38nxzDZlWu
    TA6vX78229dOs+HiQzwRYayPvC541re9ZQuj49aVWcU1oi8JcdvxlbV7cXl/Z6JB
    j6PL481fiRiCSBW4WxmfNldrlNRXa7nULmwaM9dyFENE0zmWJaMfmnTAQAtZ3Bhq
    p4rtRG9sDIbNvF3HPmPy/cRfwFWFE/KiW4yhodrmj6IgrB+VwK7Es7UraFWhclZk
    wsVVQNAEn/22RlyHvkpN9bMuXQuiBPMPsP51TnXsy0SBBgE1bUpOxkIG3EbQ4W5Z
    aPVki2Aa8gJQ5UeRv1ob4M3nkYeJjEUwo4qV5PyQnAlaEiqTCKKuFa4IdHxOeAlB
    PIs5bsKMZwsBFrWGyy15W7LnHbhodvHhAyw3bGOZ0hwODAKOAaXgvN1K1fO/TqNa
    DCTCm1OfDuZQVU1cS2n/HTxAOptD0XLBWQKUuQ7HX2BVbifsjAhnYIkzxq2yLafv
    MRxPfrYTh1frZkUYYkQ6C9m0vkhl0vqBygeBuQLK6mMaP09uOggJklLg86roAVn9
    5ZGlc5tWqnlmDqusFDvUOGJVfPTGDI7aFYn9AGS2nDGT16pGDnUgQwpMZX2Tp0Pm
    iafdI8jKQjWLyDsVInfl19QytOwM2sAWegsgt2FG+KhvTQyuUbOBX+fmKaxCkL4R
    3Op6nFYFGHJGiTrkNThRWDpzXYnoyl38S6rV6cmA1Oq6oD1O0W9qF1l4oHP1aKty
    iMTml39UepVtvG88b/MN8sK3LsCFZ5B7flNLjnRgiyeI8rBi9Bj+TUeE/wFYUFqP
    Jm6u0fWuN/RPyXaMBtfzGpBUk7If9lSpVj/36iVYxn5OCcgtncUk8JE8+hXEoV7J
    InD+CAlA/RQhxgHRXUQmBJpKHhBmMFph8OwTTExLrEzO+VlxHqaXPUYfM9XaMYQl
    KBzZUPMvI9TkEzVD00OH6J1J7tr8fDCvK/OoIFQQVZ1sbK+jJpEIwPlsu/gPNyWQ
    EdRUrYSRJhocOwtym4+Bvq6Bed4QXeIQJbYv4t3nOQywXNzkotJ46ODAcPoa5aAA
    -----END RSA PRIVATE KEY-----
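The following script is an added example covering the key-generation choices discussed above; it is not part of the original post. It generates one encrypted and one unencrypted key, keeps the passphrase out of the command line (a "pass:" argument would be visible to every user in the process list), uses AES-256 in place of 3DES, and shows the checks worth running on a key file: whether it is actually encrypted, its modulus size, whether it decrypts and passes "openssl rsa -check", and extraction of the public key that the post says is contained in the private key file. It assumes an "openssl" binary (1.0.2 or later) on PATH; the passphrase, file names and temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes "openssl" is on PATH.
# File names, the passphrase and the temp directory are constructed for the demo.

# gen_rsa_key OUTFILE BITS [PASSFILE]
# Generate an RSA private key. With PASSFILE the key is encrypted with AES-256
# and the passphrase is read from the first line of that file (never pass it as
# "pass:..." on the command line: it shows up in the process list). Without
# PASSFILE the key is written in clear, like the post's second genrsa example.
gen_rsa_key() {
    if [ -n "${3:-}" ]; then
        openssl genrsa -aes256 -passout "file:$3" -out "$1" "$2" 2>/dev/null
    else
        openssl genrsa -out "$1" "$2" 2>/dev/null
    fi || return 1
    chmod 600 "$1"   # a readable key file is exactly the risk the post warns about
}

# key_is_encrypted FILE: succeeds if the PEM carries an encryption header.
# OpenSSL 1.x marks it with "Proc-Type: 4,ENCRYPTED" (PKCS#1 PEM);
# OpenSSL 3.x writes PKCS#8 with a "BEGIN ENCRYPTED PRIVATE KEY" header.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_bits FILE [PASSFILE]: print the modulus size in bits
# (-passin is ignored by openssl when the key is not encrypted).
key_bits() {
    if [ -n "${2:-}" ]; then
        openssl rsa -in "$1" -passin "file:$2" -noout -text 2>/dev/null
    else
        openssl rsa -in "$1" -noout -text 2>/dev/null
    fi | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_check FILE [PASSFILE]: succeeds only if the key decrypts with the given
# passphrase (if any) and its RSA components are consistent (openssl rsa -check).
key_check() {
    if [ -n "${2:-}" ]; then
        openssl rsa -in "$1" -passin "file:$2" -check -noout >/dev/null 2>&1
    else
        openssl rsa -in "$1" -check -noout >/dev/null 2>&1
    fi
}

# extract_pubkey FILE [PASSFILE]: print the public key (SubjectPublicKeyInfo PEM)
# derived from the private key file; this is what a CSR will carry.
extract_pubkey() {
    if [ -n "${2:-}" ]; then
        openssl rsa -in "$1" -passin "file:$2" -pubout 2>/dev/null
    else
        openssl rsa -in "$1" -pubout 2>/dev/null
    fi
}

# Demo run with temporary files.
workdir=$(mktemp -d)
printf 'correct horse battery staple\n' > "$workdir/pass.txt"   # constructed passphrase
chmod 600 "$workdir/pass.txt"
gen_rsa_key "$workdir/www.example.com.key" 2048 "$workdir/pass.txt"
gen_rsa_key "$workdir/plain.key" 2048
for k in www.example.com.key plain.key; do
    if key_is_encrypted "$workdir/$k"; then state=encrypted; else state=PLAINTEXT; fi
    echo "$k: $state, $(key_bits "$workdir/$k" "$workdir/pass.txt") bits"
done
key_check "$workdir/www.example.com.key" "$workdir/pass.txt" && echo "encrypted key decrypts and is consistent"
extract_pubkey "$workdir/www.example.com.key" "$workdir/pass.txt" > "$workdir/www.example.com.pub"
rm -rf "$workdir"
```

With OpenSSL 1.x the encrypted key comes out with the "Proc-Type: 4,ENCRYPTED" header shown above; OpenSSL 3.x writes PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and derives the key with PBKDF2 rather than a single MD5 pass, and key_is_encrypted accepts both forms.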

    Generating a Certificate Signing Request (CSR)

    Once you have the key pair, you need a trusted third party to attest that the public key belongs to you. For that you generate a Certificate Signing Request (CSR) for the public key and have a Certificate Authority (CA) sign it. The command is "openssl req -new -key <key file> > <CSR file>" (or equivalently with "-out <CSR file>"):

    $ openssl req -new -key www.example.com.key > www.example.com.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HK
    State or Province Name (full name) [Some-State]:HKSAR
    Locality Name (eg, city) []:Hong Kong
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
    Organizational Unit Name (eg, section) []:Web Team
    Common Name (e.g. server FQDN or YOUR name) []:www.example.com
    Email Address []:webmaster@example.com
     
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:abc123
    An optional company name []:Example Ltd.

    The command asks for the information that goes into the certificate, extracts the public key from the key file, and produces the CSR. Remember that Common Name must be the full name (FQDN, Fully Qualified Domain Name) of the website that will use the certificate; getting it wrong once the CSR has been sent to the CA wastes money. Public CAs and browsers now also require the hostname in a subjectAltName extension, which these interactive prompts do not add, and the "challenge password" attribute is rarely used by CAs and can be left blank.

    The generated CSR is written to www.example.com.csr:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICEDCCAXkCAQAwgZsxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIEwVIS1NBUjESMBAG
    A1UEBxMJSG9uZyBLb25nMRUwEwYDVQQKEwxFeGFtcGxlIEx0ZC4xETAPBgNVBAsT
    CFdlYiBUZWFtMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20xJDAiBgkqhkiG9w0B
    CQEWFXdlYm1hc3RlckBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEAucC/Gxdd1v/5kGMLr6OoQN3BHFsFuAaNRUZs4/JITGaw7fhKwOyZux04
    AUQTjeyVTfH6TTX1A0GWISwfKkqxNg4jx9LOqiecMnjKH/fzBvCZE1iNhz1mtkPh
    pxWV9K6keuf6nuLXfU/NSWd9EY/VWUQX0PUDmjynrVYI29Zl1sMCAwEAAaA0MBUG
    CSqGSIb3DQEJBzEIEwZhYmMxMjMwGwYJKoZIhvcNAQkCMQ4TDEV4YW1wbGUgTHRk
    LjANBgkqhkiG9w0BAQQFAAOBgQAxdevQ9KuHhUf+XYHrDS04+yhesSmg2muC65mq
    WHn9iIMQZIcWlcm5WtZZlamDnSxui8Utyh15U0cJDeIo8jebht+DDfC3BXc5LUaV
    1TjbieB5gaM+oCNJFI3STC77ldwowCqgrbAQTpO3mx84M1gunJgGPKy/SHR3DwfN
    Drzq2A==
    -----END CERTIFICATE REQUEST-----

    Submit this CSR file to the CA; after verifying your details, the CA signs it and issues your certificate. Before submitting, check the CSR with "openssl req -in www.example.com.csr -noout -text -verify" to confirm the subject, the key size, and that its signature verifies.
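The script below is an added example for the CSR step, not code from the original post. It produces the same kind of request as the interactive session above but non-interactively, from a minimal config file written on the fly: passing that file with "-config" removes the dependence on the OPENSSLDIR/openssl.cnf placement described in the build notes, fills in the Distinguished Name without prompting, and declares the subjectAltName that the interactive prompt cannot add. It then runs the checks to do before paying a CA: the self-signature verifies, the Common Name and SAN list are what was intended, and the public key inside the CSR really belongs to the private key file you are going to deploy. It assumes "openssl" on PATH; the hostnames, organisation fields, config and temporary paths are constructed for the example (the emailAddress field from the session above is deliberately omitted).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes "openssl" is on PATH.
# Hostnames, organisation fields and the config file are constructed here.

# write_req_config OUTFILE FQDN [EXTRA_HOSTNAME...]
# Write a minimal openssl.cnf for "openssl req": DN taken from [req_dn] without
# prompting, and the subjectAltName CAs and browsers require declared in [v3_req].
write_req_config() {
    cfg=$1; fqdn=$2; shift 2
    sans="DNS:$fqdn"
    for h in "$@"; do sans="$sans,DNS:$h"; done
    cat > "$cfg" <<EOF
[req]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[req_dn]
C  = HK
ST = HKSAR
L  = Hong Kong
O  = Example Ltd.
OU = Web Team
CN = $fqdn

[v3_req]
subjectAltName = $sans
EOF
}

# make_csr KEYFILE CONFIG OUTCSR: the post's "openssl req -new -key ..." with the
# DN and extensions read from CONFIG instead of the interactive prompts.
make_csr() {
    openssl req -new -key "$1" -config "$2" -out "$3" 2>/dev/null
}

# csr_verify CSR: succeeds if the CSR's self-signature verifies.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSR: print the Common Name (handles both "/CN=x" and "CN = x" subject output).
csr_cn() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_sans CSR: print the requested subjectAltName line, e.g. "DNS:a, DNS:b".
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# csr_matches_key CSR KEYFILE: succeeds if the public key inside the CSR is the one
# derived from KEYFILE (catches a "wrong key file" mistake before the CA signs it).
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Demo run with temporary files.
workdir=$(mktemp -d)
openssl genrsa -out "$workdir/www.example.com.key" 2048 2>/dev/null
write_req_config "$workdir/req.cnf" www.example.com example.com
make_csr "$workdir/www.example.com.key" "$workdir/req.cnf" "$workdir/www.example.com.csr"
csr_verify "$workdir/www.example.com.csr" && echo "CSR signature: OK"
echo "CN:  $(csr_cn "$workdir/www.example.com.csr")"
echo "SAN: $(csr_sans "$workdir/www.example.com.csr")"
csr_matches_key "$workdir/www.example.com.csr" "$workdir/www.example.com.key" && echo "CSR public key matches the private key"
rm -rf "$workdir"
```

For an encrypted key file, add "-passin file:<passphrase file>" to the "openssl req" and "openssl rsa" invocations; the remaining checks are unchanged.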

     

  • Original article: https://www.cnblogs.com/yufan27209/p/4323205.html