On Linux, make sure the OpenSSL package is installed before running any of the steps below. The transcripts use 1024-bit RSA keys and SHA-1 signatures; both are obsolete (browsers have rejected SHA-1-signed certificates since 2017, and 1024-bit RSA is below every current minimum), so outside a throwaway lab use at least 2048-bit keys and pass -sha256 instead of -sha1.
1. Create the root certificate key file root.key:
    [root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out root.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...............................................................++++++
    ..........++++++
    e is 65537 (0x10001)
    Enter pass phrase for root.key:              <-- enter a passphrase
    Verifying - Enter pass phrase for root.key:  <-- enter the same passphrase again
2. Create the certificate signing request for the root certificate, root.csr (the key was written to the private/ subdirectory in step 1, so it is referenced as private/root.key from /etc/pki/CA):
    [root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/root.key -out root.csr
    Enter pass phrase for private/root.key:  <-- enter the passphrase created in step 1
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                              <-- country code
    State or Province Name (full name) []:BeiJing                     <-- province
    Locality Name (eg, city) [Default City]:haidian                   <-- city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga   <-- organization
    Organizational Unit Name (eg, section) []:                        <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:         <-- a name for the CA (e.g. "mrlapulga Root CA"); left blank in this transcript
    Email Address []:mrlapulga@126.com                                <-- e-mail address

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:      <-- may be left blank
    An optional company name []:  <-- may be left blank
3. Create a root certificate root.crt valid for ten years:
    [root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting Private key
    Enter pass phrase for private/root.key:  <-- enter the passphrase created in step 1

Note that "-extensions v3_ca" only takes effect when an extensions config file is also supplied with -extfile. Without it, openssl x509 -req ignores the flag, and the root.crt produced here contains no X.509v3 extensions at all, in particular no "basicConstraints = CA:TRUE" and no "keyUsage = keyCertSign". Modern TLS clients (browsers, Go, Java, OpenSSL 1.1+ in strict mode) refuse to build a chain through a certificate that does not assert it is a CA, so for anything but a quick test the extensions must be written to a file and passed with -extfile.
4. Create the server certificate key server.key:
    [root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ............+++
    ................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:              <-- enter a passphrase
    Verifying - Enter pass phrase for server.key:  <-- enter the same passphrase again

A key encrypted with -des3 must have its passphrase typed (or supplied by a helper) every time the server starts; many deployments therefore store server keys unencrypted and rely on file permissions (owner root, mode 0600) instead.
5. Create the certificate signing request for the server certificate, server.csr:
    [root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/server.key -out server.csr
    Enter pass phrase for private/server.key:  <-- enter the passphrase created in step 4
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                              <-- country code
    State or Province Name (full name) []:BeiJing                     <-- province
    Locality Name (eg, city) [Default City]:haidian                   <-- city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga   <-- organization
    Organizational Unit Name (eg, section) []:                        <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:         <-- MUST be the hostname clients connect to (e.g. www.example.com); it was left blank in this transcript, so clients will fail hostname verification
    Email Address []:mrlapulga@126.com                                <-- e-mail address

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:      <-- may be left blank
    An optional company name []:  <-- may be left blank

The Common Name is the only field here that identifies the server. Current clients go further and require the hostname in a subjectAltName extension (they ignore the CN when a SAN is present), which openssl req cannot add interactively; it has to come from an extensions file when the certificate is signed in step 6.
6. Create a server certificate server.crt valid for one year:
    [root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting CA Private Key
    Enter pass phrase for private/root.key:  <-- enter the passphrase created in step 1

-CAcreateserial creates the serial-number file root.srl on first use and increments it on each later signing; keep it, because two certificates from the same CA must never share a serial number. As in step 3, "-extensions v3_req" does nothing without -extfile, so this server.crt carries neither a subjectAltName nor an extendedKeyUsage of serverAuth.
7. Create the client certificate key file client.key:
    [root@mrlapulga:/etc/pki/CA/private]# openssl genrsa -des3 -out client.key 1024
    Generating RSA private key, 1024 bit long modulus
    ..............................++++++
    ..................................................++++++
    e is 65537 (0x10001)
    Enter pass phrase for client.key:              <-- enter a passphrase
    Verifying - Enter pass phrase for client.key:  <-- enter the same passphrase again
8. Create the certificate signing request for the client certificate, client.csr:
    [root@mrlapulga:/etc/pki/CA]# openssl req -new -key private/client.key -out client.csr
    Enter pass phrase for private/client.key:  <-- enter the passphrase created in step 7
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                              <-- country code
    State or Province Name (full name) []:BeiJing                     <-- province
    Locality Name (eg, city) [Default City]:haidian                   <-- city
    Organization Name (eg, company) [Default Company Ltd]:mrlapulga   <-- organization
    Organizational Unit Name (eg, section) []:                        <-- may be left blank
    Common Name (eg, your name or your server's hostname) []:         <-- should identify the client (a user or device name) so the server can tell clients apart; left blank in this transcript
    Email Address []:mrlapulga@126.com                                <-- e-mail address

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:      <-- may be left blank
    An optional company name []:  <-- may be left blank
9. Create a client certificate client.crt valid for one year:
    [root@mrlapulga:/etc/pki/CA]# openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/emailAddress=mrlapulga@126.com
    Getting CA Private Key
    Enter pass phrase for private/root.key:  <-- enter the passphrase created in step 1

Because steps 6 and 9 apply no extensions, server.crt and client.crt are interchangeable: nothing in either certificate says which one is a server and which one is a client. Signing them with extendedKeyUsage = serverAuth and clientAuth respectively (via -extfile) is what prevents a leaked server certificate from being presented as a client identity.
10. The client certificate client.crt and its key client.key can now be combined into a single PKCS#12 bundle, client.pfx, for installation on the client:
    [root@mrlapulga:/etc/pki/CA]# openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
    Enter pass phrase for private/client.key:  <-- enter the passphrase created in step 7
    Enter Export Password:                     <-- choose a new password for the bundle
    Verifying - Enter Export Password:         <-- confirm it

client.pfx is the file the client (browser or OS certificate store) has to import when mutual TLS ("two-way SSL") is configured. The .pfx contains the private key, so treat it like the key itself: transfer it over a trusted channel and delete the copies you do not need. Two more pieces are required for the handshake to succeed: the server must be configured to trust root.crt as the issuer of client certificates (for example SSLCACertificateFile plus SSLVerifyClient require in Apache), and the client must trust root.crt as the issuer of the server certificate, either by importing root.crt separately or by adding it to the bundle with -certfile root.crt at export time.
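As an added example (not commands from the original page), here are steps 1 to 10 as one unattended POSIX shell script with the weaknesses of the transcripts corrected: 2048-bit RSA and SHA-256 instead of 1024-bit RSA and SHA-1; X.509v3 extensions actually applied through -extfile, so the root asserts CA:TRUE, the server certificate carries serverAuth plus a subjectAltName, and the client certificate carries clientAuth; root.crt bundled into client.pfx with -certfile; and passphrases supplied with -passin/-passout so nothing prompts. The hostname www.example.com, the subject names, the default passphrases and the output directory are placeholders chosen for the example. The check functions at the end confirm the result with openssl verify instead of taking "Signature ok" as proof.

```shell
#!/bin/sh
# Added example, not the page's own commands. Assumptions not taken from the
# page: RSA 2048 / SHA-256, extensions fed via -extfile (a bare -extensions
# flag is silently ignored), a SAN on the server cert, passphrases via
# -passin/-passout, and the placeholder hostname www.example.com.
set -eu

CA_PASS="${CA_PASS:-change-me-ca}"     # passphrase protecting private/root.key
PFX_PASS="${PFX_PASS:-change-me-pfx}"  # export password for client.pfx

# build_pki DIR HOSTNAME : create root.crt, server.crt, client.crt, client.pfx in DIR.
# The body runs in a subshell so the cd does not leak into the caller.
build_pki() (
    mkdir -p "$1/private" && chmod 700 "$1/private" && cd "$1"
    host="$2"

    # Extension profiles. Without CA:TRUE + keyCertSign on the root, modern
    # clients refuse to chain through it; without a SAN they refuse to match
    # the server certificate against the hostname. Unquoted heredoc so $host
    # is interpolated into the SAN.
    cat > ext.cnf <<EOF
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # Steps 1-3: encrypted root key, CSR, self-signed ten-year root certificate
    openssl genrsa -aes256 -passout pass:"$CA_PASS" -out private/root.key 2048
    openssl req -new -key private/root.key -passin pass:"$CA_PASS" \
        -subj "/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/CN=mrlapulga Root CA" -out root.csr
    openssl x509 -req -days 3650 -sha256 -extfile ext.cnf -extensions v3_ca \
        -signkey private/root.key -passin pass:"$CA_PASS" -in root.csr -out root.crt

    # Steps 4-6: server key (left unencrypted so the daemon can start unattended;
    # the 0700 directory protects it), CSR with CN = hostname, one-year certificate
    openssl genrsa -out private/server.key 2048
    openssl req -new -key private/server.key -subj "/C=CN/O=mrlapulga/CN=$host" -out server.csr
    openssl x509 -req -days 365 -sha256 -extfile ext.cnf -extensions v3_server \
        -CA root.crt -CAkey private/root.key -passin pass:"$CA_PASS" -CAcreateserial \
        -in server.csr -out server.crt

    # Steps 7-9: client key, CSR, one-year client certificate (clientAuth only)
    openssl genrsa -out private/client.key 2048
    openssl req -new -key private/client.key -subj "/C=CN/O=mrlapulga/CN=client1" -out client.csr
    openssl x509 -req -days 365 -sha256 -extfile ext.cnf -extensions v3_client \
        -CA root.crt -CAkey private/root.key -passin pass:"$CA_PASS" -CAcreateserial \
        -in client.csr -out client.crt

    # Step 10: PKCS#12 bundle; -certfile ships root.crt with the client key so the
    # importing browser also learns which CA to trust for the server side
    openssl pkcs12 -export -in client.crt -inkey private/client.key -certfile root.crt \
        -passout pass:"$PFX_PASS" -out client.pfx
)

# is_ca DIR : root.crt actually asserts CA:TRUE
is_ca() {
    openssl x509 -in "$1/root.crt" -noout -text | grep -q 'CA:TRUE'
}

# verify_cert DIR CERT PURPOSE : CERT chains to root.crt and is valid for PURPOSE
# (sslserver or sslclient); the differing extendedKeyUsage keeps the roles apart
verify_cert() {
    openssl verify -CAfile "$1/root.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# has_san DIR HOSTNAME : server.crt carries DNS:HOSTNAME, which is what clients match
has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# pfx_cert_count DIR : number of certificates inside client.pfx (2 = client + root)
pfx_cert_count() {
    openssl pkcs12 -in "$1/client.pfx" -nokeys -passin pass:"$PFX_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh mkpki.sh /path/to/pki www.example.com
if [ "$#" -ge 2 ]; then
    build_pki "$1" "$2"
    if is_ca "$1" && verify_cert "$1" server.crt sslserver \
        && verify_cert "$1" client.crt sslclient && has_san "$1" "$2"; then
        echo "PKI in $1 verified; client.pfx holds $(pfx_cert_count "$1") certificate(s)"
    else
        echo "verification failed" >&2; exit 1
    fi
fi
```

Run it as sh mkpki.sh ./pki www.example.com. The -purpose checks are the point of the exercise: with the extensions applied, server.crt is rejected when verified as an sslclient and client.crt when verified as an sslserver, so a verifier that enforces extendedKeyUsage will not accept one certificate in the other role. Run the same openssl verify against the certificates produced by the transcripts above and both checks pass for both files, which is the concrete symptom of the missing -extfile.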