Editor: 会说话的鱼 | 2014-10-12 | [email protected]

Obtaining OpenSSL

OpenSSL is an open-source toolkit; it can be obtained from http://www.openssl.org/. At the time of writing, the current OpenSSL version is 0.9.7e.

Installing OpenSSL

First download the OpenSSL source code:

    wget http://www.openssl.org/source/openssl-0.9.7e.tar.gz

Unpack it:

    tar zxvf openssl-0.9.7e.tar.gz

Configure the OpenSSL build. The "--prefix" parameter is the directory to install into, i.e. the installed files will appear under that directory. Replace "/home/blave/openssl" with a directory of your own:

    cd openssl-0.9.7e
    ./config --prefix=/home/blave/openssl

Compile OpenSSL:

    make

Install OpenSSL:

    make install

Edit ~/openssl/ssl/openssl.cnf ("dir" and "default_days" live in the [ CA_default ] section, "default_bits" in the [ req ] section):

    dir          = /home/blave/openssl/ssl/misc/demoCA   # path where the CA certificate is stored;
                                                          # change "blave" to your own user name
    default_days = 3650                                   # number of days an issued certificate is valid
    default_bits = 2048                                   # key length (bits)

Generating the CA certificate

The CA certificate we generate will be placed under ~/openssl/ssl/misc/demoCA. The following shows how to generate the top-level CA certificate.

Run the CA certificate generation script:

    cd ~/openssl/ssl/misc
    ./CA.sh -newca
    CA certificate filename (or enter to create)
    [enter]
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ..++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:[set a pass phrase]
    Verifying - Enter PEM pass phrase:[confirm the pass phrase]
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:TW
    State or Province Name (full name) [Berkshire]:Taiwan
    Locality Name (eg, city) [Newbury]:Taichung
    Organization Name (eg, company) [My Company Ltd]:Tung-hai University
    Organizational Unit Name (eg, section) []:ISLAB
    Common Name (eg, your name or your server's hostname) []:ISLAB_CA
    Email Address []:[email protected]

Confirm that the CA certificate and key were generated:

    cd ~/openssl/ssl/misc/demoCA
    ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial

"cacert.pem" is the CA's certificate, and the "private" directory is where the CA's private key is kept.

Set the access permissions on the CA directory so that only the owner can access it; everyone else must be denied. Note that a numeric mode such as 660 applied recursively would strip the execute bit from the directories, which makes them untraversable even for the owner, and would still leave the group with read and write access; the symbolic form below keeps directories traversable and removes all group and other access:

    chmod -R u=rwX,go= ~/openssl/ssl/misc/demoCA

Issuing a subordinate certificate with the CA

Once the CA certificate has been generated, we can produce the certificates that users or companies need. After such a subordinate certificate has been issued, the user can apply it to e-mail signing and encryption, or to SSL transport encryption such as https.

Generate the user's key file and CSR (Certificate Signing Request):

    cd ~/openssl/ssl/misc/demoCA
    ~/openssl/bin/openssl req -nodes -new -keyout islab_key.pem \
        -out islab_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf

Here "-keyout" is the file name of the private key to be generated; we use "islab_key.pem" as the example, and you can choose your own. "-out" is the CSR file to be generated; we use "islab_req.pem" as the example. "-nodes" writes the private key without a pass phrase, so it is protected only by its file permissions.

    Generating a 2048 bit RSA private key
    writing new private key to 'islab_key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:TW
    State or Province Name (full name) [TAIWAN]:Taiwan
    Locality Name (eg, city) []:Taichung
    Organization Name (eg, company) [THU]:THU
    Organizational Unit Name (eg, section) []:ISLAB
    Common Name (eg, YOUR name) []:[email protected]

For Common Name, enter the name you intend to use: if the certificate will be used for e-mail signing, the e-mail address must be entered;
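The CA-creation and CSR steps above, condensed into a self-checking script. This is an added example, not the post's own code: it uses "openssl req -x509" in place of CA.sh and "openssl x509 -req" in place of "openssl ca", works in a temporary directory, and assumes only that the openssl binary is on PATH; file names and subject DNs are constructed for the example.

```shell
# Added example, not part of the original post. Builds a throwaway CA in a
# temporary directory, issues one certificate from a CSR and runs the checks
# worth doing after the steps above. Names and subjects are constructed here.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA certificate (the equivalent of "CA.sh -newca"), 2048-bit key.
# umask 077 makes private/ mode 700 and every key written afterwards mode 600.
make_ca() {
  umask 077
  mkdir -p "$WORK/private"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/C=TW/ST=Taiwan/L=Taichung/O=Example Org/CN=Example Root CA" \
    -keyout "$WORK/private/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# End-entity key and CSR, as in the "openssl req -nodes -new" step above.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/C=TW/O=Example Org/OU=ISLAB/CN=user@example.com" \
    -keyout "$WORK/user_key.pem" -out "$WORK/user_req.pem" 2>/dev/null
}

# Sign the CSR with the CA key (what "CA.sh -sign" does through "openssl ca").
sign_csr() {
  openssl x509 -req -in "$WORK/user_req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/private/cakey.pem" -CAcreateserial -days 365 \
    -out "$WORK/user_cert.pem" 2>/dev/null
}

# Check 1: the CSR's self-signature is valid and the issued cert chains to the CA.
verify_issued() {
  openssl req -in "$WORK/user_req.pem" -verify -noout >/dev/null 2>&1 &&
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/user_cert.pem" >/dev/null 2>&1
}

# Check 2: the issuer DN of the new certificate equals the CA's subject DN.
issuer_is_ca() {
  ca_subj=$(openssl x509 -noout -subject -in "$WORK/cacert.pem" | sed 's/^[^=]*=//')
  issuer=$(openssl x509 -noout -issuer -in "$WORK/user_cert.pem" | sed 's/^[^=]*=//')
  [ -n "$ca_subj" ] && [ "$ca_subj" = "$issuer" ]
}

# Check 3: nothing under private/ is accessible to group or others; a recursive
# "chmod 660" fails this and also strips the x bit a directory needs to be entered.
key_dir_private() {
  for f in "$WORK/private" "$WORK/private"/*; do
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
  done
}
```

Run make_ca, make_csr and sign_csr in that order, then the three check functions; each check returns 0 only when the property holds.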