第一步. 生成rsa私钥文件
:\> openssl genrsa -out bexio.pem 1024
: 若要加密生成的rsa私钥文件(des3加密)
:\> openssl genrsa -des3 -out bexio.pem 1024
第二步. 生成Certificate Signing Request(CSR - 证书请求文件)
:\> openssl req -new -key bexio.pem -out bexio.csr -config openssl.cnf
: 根据交互提示一步一步输入必要信息, 敲击回车可以跳过, 以下是一个简单的例子
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:xiamen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:289633152@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
第三步. 把证书请求文件认证为可用证书
(1) 生产CA根证书(用于签名)
: 把openssl.cnf复制到openssl.exe所在目录
:\> openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
执行成功以后, 在oepnssl所在目录便生成了ca.key和ca.crt两个文件. 其中ca.key存的是CA根证书的私钥, ca.crt存的便是CA根证书.
(2) 准备CA环境
: 把openssl.cnf复制到openssl.exe所在目录, 修改其中的ca section, 添加新的ca策略. 如下:
####################################################################
[ ca ]
default_ca = CA_BEXIO #CA_default # The default ca section
####################################################################
[ CA_BEXIO ]
dir = .# Where everything is kept
certs = $dir# Where the issued certs are kept
crl_dir = $dir# Where the issued crl are kept
database = $dir/index.txt# database index file.
new_certs_dir = $dir# default place for new certs.
certificate = $dir/ca.crt# The CA certificate
serial = $dir/serial# The current serial number
crlnumber = $dir/crlnumber# the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem# The current CRL
private_key = $dir/ca.key# The private key
RANDFILE = $dir/.rand# private random number file
x509_extensions = usr_cert# The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default# Subject Name options
cert_opt = ca_default# Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650# how long to certify for
default_crl_days= 30# how long before next CRL
default_md = default# use public key default MD
preserve = no# keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
: 生成证书索引文件和数据库文件
\Linux:
$ touch index.txt
$ echo 01> serial
\Windows:
:\> copy con index.txt
:\> <Ctrl-z>
:\> echo 01> serial
: 修改openssl.cnf中的配置项如下:
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
(3) CA签名
:\> openssl ca -in bexio.csr -out bexio.crt -config openssl.cnf
至此, 生成的证书相关文件有: ca.crt (ca根证书) bexio.pem(私钥) bexio.crt(证书)
在使用时, 私钥和证书可以合并为一个文件.
\Linux:
$ cat bexio.pem >> bexio.crt
\Windows:
用文本编辑器把内容拷贝过去即可