1. Prepare the certificate files
[iyunv@localhost CA]# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
[iyunv@localhost CA]# tar -zxf ssl.ca-0.1.tar.gz
[iyunv@localhost CA]# cd ssl.ca-0.1
1.1) Generate the root certificate
[iyunv@localhost ssl.ca-0.1]# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
........++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: // enter a passphrase
Verifying - Enter pass phrase for ca.key: // confirm the passphrase
Self-sign the root CA... // self-sign the root certificate
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- // fill in the fields
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:zhejiang
Locality Name (eg, city) [Sitiawan]:hangzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:ccssl
Organizational Unit Name (eg, section) [Certification Services Division]:ccdw
Common Name (eg, MD Root CA) []:intranet
Email Address []:summersun_ym@126.com
[iyunv@localhost ssl.ca-0.1]#
1.2) Generate the server certificate
[iyunv@localhost ssl.ca-0.1]# ./new-server-cert.sh server // certificate name
No server.key round. Generating one
Generating RSA private key, 1024 bit long modulus
...................................................++++++
....++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- // fill in the fields
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:zhejiang
Locality Name (eg, city) [Sitiawan]:hangzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:ccssl
Organizational Unit Name (eg, section) [Secure Web Server]:ccdw
Common Name (eg, www.domain.com) []:localhost // the server's IP address or domain name
Email Address []:summersun_ym@126.com
You may now run ./sign-server-cert.sh to get it signed
[iyunv@localhost ssl.ca-0.1]#
1.3) Sign the server certificate
[iyunv@localhost ssl.ca-0.1]# ./sign-server-cert.sh server // sign the certificate for the server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: // enter the passphrase set earlier
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'zhejiang'
localityName:PRINTABLE:'hangzhou'
organizationName:PRINTABLE:'ccssl'
organizationalUnitName:PRINTABLE:'ccdw'
commonName:PRINTABLE:'localhost'
emailAddress:IA5STRING:'summersun_ym@126.com'
Certificate is to be certified until Aug 12 05:49:48 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[iyunv@localhost ssl.ca-0.1]#
3. Generate a client certificate for testing
[iyunv@localhost ssl.ca-0.1]# ./new-user-cert.sh client // create the client certificate
No client.key round. Generating one
Generating RSA private key, 1024 bit long modulus
................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg, John Doe) []:CN
Email Address []:summersun_ym@126.com
You may now run ./sign-user-cert.sh to get it signed
[iyunv@localhost ssl.ca-0.1]# ll
[iyunv@localhost ssl.ca-0.1]# ./sign-user-cert.sh client // sign the client certificate
CA signing: client.csr -> client.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: // enter the passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName:PRINTABLE:'CN'
emailAddress:IA5STRING:'summersun_ym@126.com'
Certificate is to be certified until Aug 12 07:13:06 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: client.crt <-> CA cert
client.crt: OK
[iyunv@localhost ssl.ca-0.1]#
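As an added example that is not part of the original post, the same root-CA / server-certificate workflow done non-interactively with plain openssl commands, followed by the two checks worth running before installing the result: that server.crt really chains to ca.crt (the "CA verifying" step above) and how large the RSA key is, since the 1024-bit keys the scripts generate are rejected by current TLS clients. The working directory, subject names and 2048-bit size are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the ssl.ca scripts' own code: rebuild the CA and a
# server certificate with standard openssl subcommands, then verify them.
set -eu

WORK="$(mktemp -d)"                       # assumed scratch directory
SUBJ_CA="/C=CN/ST=zhejiang/L=hangzhou/O=ccssl/OU=ccdw/CN=intranet"
SUBJ_SRV="/C=CN/ST=zhejiang/L=hangzhou/O=ccssl/OU=ccdw/CN=localhost"

# Root CA: private key plus self-signed certificate (what new-root-ca.sh does).
# $1 = RSA key size in bits.
make_root_ca() {
    openssl genrsa -out "$WORK/ca.key" "$1" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 -subj "$SUBJ_CA" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# Server key and CSR, then the CA-signed certificate
# (new-server-cert.sh followed by sign-server-cert.sh). $1 = key size in bits.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" "$1" 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ_SRV" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/server.crt" 2>/dev/null
}

# The "CA verifying: server.crt <-> CA cert" check: prints OK only when the
# certificate in $1 chains to the CA certificate in $2, FAIL otherwise.
verify_against_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}

# RSA modulus size (in bits) of the public key inside certificate $1.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Deployment gate: anything below 2048 bits is not acceptable today.
key_is_acceptable() {
    [ "$(key_bits "$1")" -ge 2048 ]
}
```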