CentOS 下的 Apache CA 证书申请与导入日志

柏293

Get request
[iyunv@tsghweb openssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[iyunv@tsghweb openssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[iyunv@tsghweb openssl]#
… …
Verify CA file
[iyunv@tsghweb openssl]# openssl verify -CAfile rootca.crt -purpose sslserver rootcaserver.crt
rootcaserver.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
error 20 at 0 depth lookup:unable to get local issuer certificate
[iyunv@tsghweb openssl]#
[iyunv@tsghweb openssl]# openssl rsa -noout -modulus -in server.key | openssl sha1
Enter pass phrase for server.key:hp0521
fa955c5e12ba90274553d879ba144afb6f7a3946
[iyunv@tsghweb openssl]#
[iyunv@tsghweb openssl]# openssl verify -CAfile rootcaserver.crt -purpose sslserver rootca.crt
rootca.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
error 2 at 1 depth lookup:unable to get issuer certificate
[iyunv@tsghweb openssl]#
… …

Impot certification

[iyunv@tsghweb openssl]# openssl pkcs7 -in server.p7b -inform DER -print_certs -out server-chain.pem
[iyunv@tsghweb openssl]# cp server-chain.pem /etc/pki/tls/certs/server-chain.crt
[iyunv@tsghweb openssl]#
[iyunv@tsghweb openssl]# openssl x509 -in server.cer -inform DER -out server.pem
[iyunv@tsghweb openssl]# cp server.pem /etc/pki/tls/certs/server.crt
[iyunv@tsghweb openssl]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.hpmtaiwan.tw:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
[iyunv@tsghweb openssl]#