brm-debian:~# more /etc/ssl/openssl.cnf

 
#
# Step 1: create the server certificate
#
 
brm-debian:~# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
brm-debian:~# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Xicheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:baomi
Organizational Unit Name (eg, section) []:dev
Common Name (eg, YOUR name) []:JLB
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:
 
 
#
# Step 2: create the client certificate
#
 
brm-debian:~# openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
brm-debian:~# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Xicheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:baomi
Organizational Unit Name (eg, section) []:dev
Common Name (eg, YOUR name) []:JLB
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:
 
 
#
# Step 3: generate the CA certificate
#
 
brm-debian:~# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
...........++++++
.............................................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Xicheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:baomi
Organizational Unit Name (eg, section) []:dev
Common Name (eg, YOUR name) []:JLB
Email Address []:
 
 
#
# Step 4: sign the certificates
#
 
brm-debian:~# mkdir demoCA
brm-debian:~# mkdir demoCA/newcerts
brm-debian:~# touch demoCA/index.txt
brm-debian:~# touch demoCA/serial
brm-debian:~# echo 5566 >> demoCA/serial
brm-debian:~# chmod -R 777 demoCA/
brm-debian:~# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 21862 (0x5566)
        Validity
            Not Before: Jul  8 05:16:57 2010 GMT
            Not After : Jul  8 05:16:57 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = baomi
            organizationalUnitName    = dev
            commonName                = JLB
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:CD:2F:1B:38:68:2D:28:B8:4F:E2:54:1D:71:3A:7F:AF:EC:97:F6
            X509v3 Authority Key Identifier:
                keyid:A8:D8:4D:BD:29:4D:41:14:64:AA:3A:1F:4D:4B:33:3C:93:0D:9A:8F
Certificate is to be certified until Jul  8 05:16:57 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
brm-debian:~# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 21863 (0x5567)
        Validity
            Not Before: Jul  8 05:22:19 2010 GMT
            Not After : Jul  8 05:22:19 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = baomi
            organizationalUnitName    = dev
            commonName                = JLB
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D9:AE:AC:00:C0:BE:38:9F:44:B8:53:F4:7C:B7:86:92:56:DC:6D:4A
            X509v3 Authority Key Identifier:
                keyid:A8:D8:4D:BD:29:4D:41:14:64:AA:3A:1F:4D:4B:33:3C:93:0D:9A:8F
Certificate is to be certified until Jul  8 05:22:19 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
 
 
#
# Contents of demoCA
#
 
brm-debian:~# tree demoCA/
demoCA/
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- newcerts
|   |-- 5566.pem
|   `-- 5567.pem
|-- serial
`-- serial.old
1 directory, 8 files
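The four steps above as one non-interactive script. This is an added example, not the page's own session: it writes its own minimal openssl.cnf so the demoCA paths that the session silently takes from /usr/lib/ssl/openssl.cnf are explicit, uses -subj instead of the prompts, 2048-bit unencrypted keys, umask 077 in place of chmod -R 777, distinct server and client CNs, and finishes with the openssl verify check the transcript does not show. The helper names (write_config, build_pki, verify_chain) and the CN values are assumptions.

```shell
#!/bin/sh
# Added example (helper names and CN values are constructed, not from the page).
set -eu
write_config() {   # the [CA_default] paths are what make "openssl ca" use ./demoCA
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
EOF
}
build_pki() (      # $1: work dir; subshell, so cd and umask do not leak to the caller
  cd "$1" && umask 077 && write_config ca.cnf
  mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 5566 > demoCA/serial
  openssl req -config ca.cnf -new -x509 -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/C=CN/O=baomi/CN=baomi CA"
  for n in server client; do   # distinct CNs; ST is dropped: policy_match does not list it
    openssl genrsa -out "$n.key" 2048
    openssl req -config ca.cnf -new -key "$n.key" -out "$n.csr" \
      -subj "/C=CN/ST=Beijing/O=baomi/CN=$n"
    openssl ca -config ca.cnf -batch -notext -in "$n.csr" -out "$n.crt" \
      -cert ca.crt -keyfile ca.key
  done
)
verify_chain() {   # $1: work dir; true only when both leaf certs chain to ca.crt
  (cd "$1" && openssl verify -CAfile ca.crt server.crt client.crt | grep -c ': OK$') | grep -qx 2
}
work=$(mktemp -d) && build_pki "$work" && verify_chain "$work" && echo "chain verified in $work"
```

The policy section also explains why the signed certificates in the transcript carry no localityName although Xicheng was entered at the prompt: openssl ca silently drops every subject field the policy does not list.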