X.509与OpenSSL

jjhjim

X.509与OpenSSL

OpenSSL命令行常用功能


1、为CA创建一个RSA私钥

D:\openssl\bin>openssl genrsa -des3 -out -ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
............................................................................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for -ca.key:123456
Verifying - Enter pass phrase for -ca.key:123456

2、利用CA的RSA私钥创建一个自签名的CA证书

D:\openssl\bin>openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl.cnf
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sh
Locality Name (eg, city) []:sh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso
Organizational Unit Name (eg, section) []:ciso
Common Name (eg, YOUR name) []:infosecurity.org.cn
Email Address []:webmaster@infosecurity.org.cn

3、生成证书请求

D:\openssl\bin>openssl req -config openssl.cnf -new -keyout webmaster.key -out wm_req.pem -days 365

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
......................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:123456(自己输)
Verifying - Enter PEM pass phrase:123456(自己输)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sh
Locality Name (eg, city) []:sh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso
Organizational Unit Name (eg, section) []:ciso
Common Name (eg, YOUR name) []:webmaster
Email Address []:webmaster@infosecurity.org.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(不输)
An optional company name []:(不输)

4、签发证书

D:\openssl\bin>openssl ca -config openssl.cnf -out webmaster.pem -infiles wm_req.pem
Using configuration from openssl.cnf
Loading 'screen' into random state - done
1896:error:0E06D06C:configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:329:group=CA_defa
ult name=unique_subject
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName     :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'sh'
localityName     :PRINTABLE:'sh'
organizationName   :PRINTABLE:'ciso'
organizationalUnitName:PRINTABLE:'ciso'
commonName       :PRINTABLE:'webmaster'
emailAddress     :IA5STRING:&#39webmaster@infosecurity.org.cn'
Certificate is to be certified until Aug 23 10:01:35 2005 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5、重复步骤3与4可以创建个人证书。

6、包成pfx文件格式。
输入：z1.key与z1.crt
输出：z1.pfx

D:\openssl\bin>openssl pkcs12 -export -inkey z1.key -in z1.crt -out z1.pfx
Loading 'screen' into random state - done
Enter pass phrase for z1.key:(输入密码)
Enter Export Password: :(输入密码)

Verifying - Enter Export Password::(输入密码)

7、去除私钥的密码。
D:\openssl\bin>openssl rsa -in z1.key -out z1_nopwd.key
Enter pass phrase for z1.key:(输入密码)
writing RSA key


本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u3/104128/showart_2054125.html