準備設定檔
pi@raspberrypi:~/OpenSSL/openssl $ cp /etc/ssl/openssl.cnf .
pi@raspberrypi:~/OpenSSL/openssl $ mkdir ca server client
pi@raspberrypi:~/OpenSSL/openssl $
產生根私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
......+++
e is 65537 (0x10001)
產生根證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -x509 -key ca/ca.key -out ca
/ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiCA
Email Address []:
pi@raspberrypi:~/OpenSSL/openssl $ ls ca
ca.crt ca.key
pi@raspberrypi:~/OpenSSL/openssl $
產生伺服端私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out server/server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..............+++
e is 65537 (0x10001)
產生伺服端需求證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -key server/server.key -out server/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiServer
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
pi@raspberrypi:~/OpenSSL/openssl $ ls server/
server.csr server.key
pi@raspberrypi:~/OpenSSL/openssl $
產生客戶端私鑰
pi@raspberrypi:~/OpenSSL/openssl $ openssl genrsa -out client/client.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
....................................+++
e is 65537 (0x10001)
產生客戶端需求證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl req -new -key client/client.key -out
client/client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SDL
Organizational Unit Name (eg, section) []:R&D
Common Name (e.g. server FQDN or YOUR name) []:PiClient
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
pi@raspberrypi:~/OpenSSL/openssl $ ls client/
client.csr client.key
pi@raspberrypi:~/OpenSSL/openssl $
修改 dir 目錄
pi@raspberrypi:~/OpenSSL/openssl $ vi openssl.cnf
[ CA_default ]
#dir = ./demoCA # Where everything is kept
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
pi@raspberrypi:~/OpenSSL/openssl $
簽署證書環境準備
pi@raspberrypi:~/OpenSSL/openssl $ touch index.txt
pi@raspberrypi:~/OpenSSL/openssl $ echo "01">serial
pi@raspberrypi:~/OpenSSL/openssl $ mkdir newcerts
簽署伺服端證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in server/server.csr -out server/server.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 29 02:08:38 2017 GMT
Not After : Aug 27 02:08:38 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = PiServer
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4D:26:A0:55:4D:37:58:EE:10:D3:A0:8E:B8:93:35:E9:E5:84:1F:BC
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4
Certificate is to be certified until Aug 27 02:08:38 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $ ls server/
server.crt server.csr server.key
pi@raspberrypi:~/OpenSSL/openssl $
簽署客戶端證書
pi@raspberrypi:~/OpenSSL/openssl $ openssl ca -in client/client.csr -out client/
client.crt -days 3650 -cert ca/ca.crt -keyfile ca/ca.key -config openssl.cnf
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 29 02:12:26 2017 GMT
Not After : Aug 27 02:12:26 2027 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = SDL
organizationalUnitName = R&D
commonName = PiClient
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
45:1F:CC:47:19:FF:37:04:7A:8D:40:B8:1E:CA:08:11:36:E0:E7:EF
X509v3 Authority Key Identifier:
keyid:F4:6D:3E:3D:93:2A:4A:81:85:62:C3:D7:4B:70:F9:28:F6:E6:A4:F4
Certificate is to be certified until Aug 27 02:12:26 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
pi@raspberrypi:~/OpenSSL/openssl $ ls client/
client.crt client.csr client.key
pi@raspberrypi:~/OpenSSL/openssl $
pi@raspberrypi:~/OpenSSL/openssl $ ls
ca index.txt index.txt.attr.old newcerts serial server
client index.txt.attr index.txt.old openssl.cnf serial.old
pi@raspberrypi:~/OpenSSL/openssl $
沒有留言:
張貼留言