linux下使用openssl生成 csr crt CA證書，opensslcsr

本文主要借鑒和引用了下面2個地址的內容，然后在自己的機器上進行了測試和執行，并做了如下記錄。

ref:

http://blog.chinaunix.net/uid-26760055-id-3128132.html

http://www.111cn.net/sys/linux/61591.htm

創建測試目錄

mkdir /tmp/create_key/ca

cd?/tmp/create_key/

證書文件生成:

一.服務器端

1.生成服務器端 ? ?私鑰(key文件);

openssl genrsa -des3 -out server.key 1024

運行時會提示輸入密碼,此密碼用于加密key文件(參數des3是加密算法,也可以選用其他安全的算法),以后每當需讀取此文件(通過openssl提供的命令或API)都需輸入口令.如果不要口令,則去除口令:openssl rsa -in server.key -out

server.key

2.生成服務器端 ? ?證書簽名請求文件(csr文件);

openssl req -new -key server.key -out server.csr

生成Certificate Signing Request(CSR),生成的csr文件交給CA簽名后形成服務端自己的證書.屏幕上將有提示,依照其 提示一步一步輸入要求的個人信息即可(如:Country,province,city,company等).

二.客戶端

1.生成客戶端 ? ??私鑰(key文件);

openssl genrsa -des3 -out client.key 1024

2.生成客戶端

證書簽名請求文件(csr文件);

openssl req -new -key client.key -out client.csr

cd??/tmp/create_key/ca

三.生成CA證書文件

#server.csr與client.csr文件必須有CA的簽名才可形成證書.

1.首先生成CA的key文件:

openssl genrsa -des3 -out ca.key 1024

2.生成CA自簽名證書:

openssl req -new -x509 -key ca.key -out ca.crt

可以加證書過期時間選項 "-days 365".

四.利用CA證書進行簽名

openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key

openssl

ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key

這兩條執行的時候因為沒有指定openssl.cnf

會報錯，不過沒關系，我們用默認的?/etc/pki/tls/openssl.cnf?就可以。

不過用默認的時候需要先執行下面兩行：

touch

/etc/pki/CA/index.txt

echo

00 > /etc/pki/CA/serial

下面有錯誤案例分析

#############################################################

根據server.csr 通過CA的ca.crt

ca.key? 生成server.crt文件

openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:

/etc/pki/CA/index.txt: No such file or directory

unable to open '/etc/pki/CA/index.txt'

140423531685704:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')

140423531685704:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

[root@monitor?ca]#?touch /etc/pki/CA/index.txt ? ? ? ? ? ? #創建index文件，因為不存在

[root@monitor?ca]#?openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:

/etc/pki/CA/serial: No such file or directory

error while loading serial number

139949960836936:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/serial','r')

139949960836936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

[root@monitor?ca]#?echo 00 > /etc/pki/CA/serial ? ? ? ? ? ? ? ? #創建serial號文件

[root@monitor?ca]#?openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

The organizationName field needed to be the same in the

CA certificate (homelink-ca) and the request (homelink)

#此處報錯是因為創建CA的ca.crt?時候 和創建server的server.csr時候

#Organization Name (eg, company) [Default Company Ltd]:homelink-ca? 和

#Organization Name (eg, company) [Default Company Ltd]:homelink

#配置的不再一個域，所以不行，下面重建ca.crt

[root@monitor?ca]#?openssl req -new -x509 -key ca.key -out ca.crt

Enter pass phrase for ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:bj

Locality Name (eg, city) [Default City]:bj

Organization Name (eg, company) [Default Company Ltd]:homelink

Organizational Unit Name (eg, section) []:homelink-lft

Common Name (eg, your name or your server's hostname) []:lft

Email Address []:

[root@monitor?ca]#?ls -lrt

total 8

-rw-r--r-- 1 root root 963 May 22 14:39 ca.key

-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt

#重新創建ca.crt后，重新執行，生成成功

[root@monitor?ca]#?openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: May 22 08:16:25 2015 GMT

Not After : May 21 08:16:25 2016 GMT

Subject:

countryName = CN

stateOrProvinceName = bj

organizationName = homelink

organizationalUnitName = homelink-lft

commonName = lft

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

00:2C:34:0A:73:5C:1A:E6:39:48:28:6F:8F:02:F6:BC:58:6F:25:55

X509v3 Authority Key Identifier:

keyid:83:70:9D:4E:3F:39:01:3E:7A:CE:B9:2B:0E:1A:FB:00:2A:C3:11:D9

Certificate is to be certified until May 21 08:16:25 2016 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@monitor?ca]# ls -lrt

total 8

-rw-r--r-- 1 root root 963 May 22 14:39 ca.key

-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt

[root@monitor?ca]# ls -lrt ..

total 28

-rw-r--r-- 1 root root 963 May 22 13:51 server.key

-rw-r--r-- 1 root root 672 May 22 13:52 server.csr

-rw-r--r-- 1 root root 963 May 22 14:36 client.key

-rw-r--r-- 1 root root 672 May 22 14:37 client.csr

drwxr-xr-x 2 root root 4096 May 22 14:40 ca

-rw-r--r-- 1 root root 238 May 22 15:07 readme.txt

-rw-r--r-- 1 root root 3036 May 22 16:16 server.crt

#然后生成客戶端的client.crt?文件

openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key