On Linux, confirm that the OpenSSL package is installed before performing the steps below.
1. Create the root certificate key file root.key:
[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out root.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for root.key: <-- enter a password
Verifying - Enter pass phrase for root.key: <-- enter the password again
2. Create the certificate signing request (CSR) for the root certificate, root.csr:
[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/root.key -out root.csr
Enter pass phrase for private/root.key: <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <-- enter the two-letter country code
State or Province Name (full name) []:BeiJing <-- enter the province
Locality Name (eg, city) [Default City]:haidian <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga <-- enter the organization name
Organizational Unit Name (eg, section) []: <-- may be left blank
Common Name (eg, your name or your server's hostname) []: <-- may be left blank
Email Address []:[email protected] <-- enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- may be left blank
An optional company name []: <-- may be left blank
3. Create a root certificate root.crt valid for ten years:
[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting Private key
Enter pass phrase for private/root.key: <-- enter the password created earlier
4. Create the server certificate key server.key:
[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............+++
................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: <-- enter a password
Verifying - Enter pass phrase for server.key: <-- enter the password again
5. Create the certificate signing request for the server certificate, server.csr:
[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key: <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <-- enter the two-letter country code
State or Province Name (full name) []:BeiJing <-- enter the province
Locality Name (eg, city) [Default City]:haidian <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga <-- enter the organization name
Organizational Unit Name (eg, section) []: <-- may be left blank
Common Name (eg, your name or your server's hostname) []: <-- may be left blank
Email Address []:[email protected] <-- enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- may be left blank
An optional company name []: <-- may be left blank
6. Create a server certificate server.crt valid for one year, signed by the root CA:
[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting CA Private Key
Enter pass phrase for private/root.key: <-- enter the password created earlier
7. Create the client certificate key file client.key:
[root@mrlapulga:/etc/pki/CA/private]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for client.key: <-- enter a password
Verifying - Enter pass phrase for client.key: <-- enter the password again
8. Create the certificate signing request for the client certificate, client.csr:
[root@mrlapulga:/etc/pki/CA]#openssl req -new -key private/client.key -out client.csr
Enter pass phrase for private/client.key: <-- enter the password created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <-- enter the two-letter country code
State or Province Name (full name) []:BeiJing <-- enter the province
Locality Name (eg, city) [Default City]:haidian <-- enter the city
Organization Name (eg, company) [Default Company Ltd]:mrlapulga <-- enter the organization name
Organizational Unit Name (eg, section) []: <-- may be left blank
Common Name (eg, your name or your server's hostname) []: <-- may be left blank
Email Address []:[email protected] <-- enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- may be left blank
An optional company name []: <-- may be left blank
9. Create a client certificate client.crt valid for one year, signed by the root CA:
[root@mrlapulga:/etc/pki/CA]#openssl x509 -req -days 365 -sha1 -extensions v3_req -CA root.crt -CAkey private/root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=haidian/O=mrlapulga/[email protected]
Getting CA Private Key
Enter pass phrase for private/root.key: <-- enter the password created earlier
10. Now combine the client certificate file client.crt and the client key file client.key into the installable client package client.pfx:
[root@mrlapulga:/etc/pki/CA]#openssl pkcs12 -export -in client.crt -inkey private/client.key -out client.pfx
Enter pass phrase for private/client.key: <-- enter the password created earlier
Enter Export Password: <-- create a new password
Verifying - Enter Export Password: <-- confirm the password
client.pfx is the certificate file the client must install when configuring two-way (mutual) SSL.
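As an added example (not code from the original tutorial), the same ten steps as a non-interactive POSIX shell script, followed by the checks a practitioner would run on the resulting files. It assumes the openssl command is on PATH; the passwords rootpw/serverpw/clientpw/exportpw, the hostname server.example.test and the extension file ext.cnf are constructed placeholders. It deliberately departs from the session above in two places: it uses 2048-bit RSA with SHA-256 instead of 1024-bit RSA with SHA-1, which modern TLS clients treat as too weak, and it passes -extfile, because openssl x509 -req silently ignores -extensions when no -extfile is given. Without it, the root.crt above is issued with no CA:TRUE basic constraint and server.crt carries no hostname at all (the Common Name was left blank), so strict verifiers and hostname-checking TLS clients reject them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Builds the same chain
# (root CA -> server cert, client cert -> client.pfx) non-interactively and
# then checks what the files actually contain. Passwords, the hostname
# server.example.test and ext.cnf are constructed placeholders.

# Build the whole chain inside DIR. Runs in a subshell so cd and set -e
# do not leak into the caller.
build_chain() (
    set -e
    dir=$1
    mkdir -p "$dir/private"
    cd "$dir"

    # Extension profiles. "openssl x509 -req -extensions X" adds nothing
    # unless -extfile names a file containing section X.
    cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    subj="/C=CN/ST=BeiJing/L=haidian/O=mrlapulga"

    # Steps 1-3: root key, CSR, self-signed root certificate (10 years).
    openssl genrsa -aes256 -passout pass:rootpw -out private/root.key 2048 2>/dev/null
    openssl req -new -key private/root.key -passin pass:rootpw \
        -subj "$subj/CN=mrlapulga-root-ca" -out root.csr
    openssl x509 -req -days 3650 -sha256 -extfile ext.cnf -extensions v3_ca \
        -signkey private/root.key -passin pass:rootpw -in root.csr -out root.crt 2>/dev/null

    # Steps 4-6: server key, CSR, CA-signed server certificate (1 year).
    # CN and SAN carry the hostname the tutorial left blank.
    openssl genrsa -aes256 -passout pass:serverpw -out private/server.key 2048 2>/dev/null
    openssl req -new -key private/server.key -passin pass:serverpw \
        -subj "$subj/CN=server.example.test" -out server.csr
    openssl x509 -req -days 365 -sha256 -extfile ext.cnf -extensions v3_server \
        -CA root.crt -CAkey private/root.key -passin pass:rootpw -CAcreateserial \
        -in server.csr -out server.crt 2>/dev/null

    # Steps 7-9: client key, CSR, CA-signed client certificate (1 year).
    openssl genrsa -aes256 -passout pass:clientpw -out private/client.key 2048 2>/dev/null
    openssl req -new -key private/client.key -passin pass:clientpw \
        -subj "$subj/CN=client1" -out client.csr
    openssl x509 -req -days 365 -sha256 -extfile ext.cnf -extensions v3_client \
        -CA root.crt -CAkey private/root.key -passin pass:rootpw -CAcreateserial \
        -in client.csr -out client.crt 2>/dev/null

    # Step 10: bundle client cert + key into a PKCS#12 file for the client.
    openssl pkcs12 -export -in client.crt -inkey private/client.key \
        -passin pass:clientpw -passout pass:exportpw -out client.pfx
)

# Checks; each returns 0 (true) or non-zero (false).

# Does CERT carry basicConstraints CA:TRUE? A root issued without -extfile
# does not, and strict verifiers refuse to treat it as a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Does CERT chain to ROOT?   usage: chains_to_root ROOT CERT
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does CERT chain to ROOT and match HOSTNAME, as a TLS client checks?
# usage: matches_host ROOT CERT HOSTNAME
matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Does the PKCS#12 file open with PASSWORD and contain a private key?
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
build_chain "$demo_dir"
for c in root server client; do
    if is_ca_cert "$demo_dir/$c.crt"; then echo "$c.crt: CA"; else echo "$c.crt: end-entity"; fi
done
chains_to_root "$demo_dir/root.crt" "$demo_dir/server.crt" && echo "server.crt chains to root.crt"
matches_host "$demo_dir/root.crt" "$demo_dir/server.crt" server.example.test && echo "server.crt matches its hostname"
pfx_has_key "$demo_dir/client.pfx" exportpw && echo "client.pfx opens with the export password"
rm -rf "$demo_dir"
```

The same four checks can be run against the files produced by the interactive session above: is_ca_cert on its root.crt and matches_host on its server.crt are the ones that fail there, which is exactly what a client configured for mutual SSL would report when the handshake is rejected.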