2010年8月3日 星期二

OpenSSL Certificate Management

#
# 製作 RSA Private Key,並且將 Key 設定為只有 owner 才能存取的權限
#
openssl genrsa -out myhost.key.pem 2048
chmod og-rwx myhost.key.pem

*** genrsa 是 openssl 產生 rsa key 用的 command ***
*** -out 是表示 output 的 key name ***
*** 2048 是 key 的強度,一定要放在最後面 ***


#
# 填寫憑證申請書
#
openssl req -new -key myhost.key.pem -out myhost.req.pem

*** req 是 openssl 產生 CSR 用的 command ***
X.509 Certificate Signing Request (CSR) Management
*** -new 是產生新的 certificate request ***
*** -key 是指定要從哪邊讀 private key ***
*** -out 是表示 output 的 request name ***


#
# 顯示憑證申請書
#
openssl req -text -noout -in myhost.req.pem

*** -text 是印出 CSR 的 text form ***
*** -noout 是不要印出 CSR 的 encoded form ***
*** -in 表明要處理的 request file ***


#
# 簽憑證 (CA certificate)
#
openssl x509 -req -days 7305 -sha1 \
-extfile ~/etc/ssl/openssl.cnf -extensions v3_ca \
-signkey ~/etc/ssl/private/myrootca.key.pem \
-in ~/tmp/myrootca.req.pem -out ~/etc/ssl/certs/myrootca.crt.pem

*** x509 是證書資料管理的 command ***
*** -req 特別表示處理的是 request file,一般都是 certificate ***
*** -days 表明證書的有效天數 ***
*** -sha1 表示要使用的 digest 演算法 ***
*** -extfile 表示包含 certificate extensions 的檔案 ***
file containing certificate extensions to use
If not specified then no extensions are added to the certificate
*** -extensions v3_ca ***
the section to add certificate extensions from
*** -signkey 表示要用哪一把 private key 去 self-sign request ***
this option causes the input file to be self signed using the supplied private key


#
# 簽憑證 (Server certificate)
#
openssl x509 -req -days 3650 -sha1 \
-extfile ~/etc/ssl/openssl.cnf -extensions v3_req \
-CA ~/etc/ssl/certs/myrootca.crt.pem -CAkey ~/etc/ssl/private/myrootca.key.pem \
-CAserial ~/etc/ssl/myrootca.srl -CAcreateserial \
-in /tmp/myhost.req.pem -out ~/etc/ssl/certs/myhost.crt.pem

*** -CA ***
specifies the CA certificate to be used for signing
*** -CAkey ***
sets the CA private key to sign a certificate with.
If this option is not specified then it is assumed that the CA private key is present in the CA certificate file
*** -CAserial ***
sets the CA serial number file to use
*** -CAcreateserial ***
with this option the CA serial number file is created if it does not


#
# 顯示憑證
#
openssl x509 -text -noout -in myhost.crt.pem



[Reference]
如何製作 SSL X.509 憑證
http://www.imacat.idv.tw/tech/sslcerts.html

OpenSSL official Documents
http://www.openssl.org/docs/apps/openssl.html

沒有留言:

張貼留言