Differences

This shows you the differences between two versions of the page.

tech:openssl_caserver [2008/09/16 17:11] jonathan
tech:openssl_caserver [2025/04/13 00:50] (current version) – Removed the -des3 parameter, replaced -sha1 with -sha256 jonathan
行 5: 行 5:
 ==== - 建立根憑證 Private Key 檔 RootCA.key ==== ==== - 建立根憑證 Private Key 檔 RootCA.key ====
 <code sh> <code sh>
-openssl genrsa -des3 -out RootCA.key 2048+openssl genrsa -out RootCA.key 2048
 chmod og-rwx RootCA.key chmod og-rwx RootCA.key
 </code> </code>
-++++看產生結果| 
-<xtermrtf> 
-[jonathan@pd920 ca]$ openssl genrsa -des3 -out RootCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-..............................................+++ 
-.+++ 
-e is 65537 (0x10001) 
-Enter pass phrase for RootCA.key:  <-- 設定 RootCA 密鑰的密碼 
-Verifying - Enter pass phrase for RootCA.key: <-- 再次輸入 RootCA 密鑰的密碼 
-[jonathan@pd920 ca]$ chmod og-rwx RootCA.key  <-- 讓 RootCA 只有自己可以讀寫 
-</xtermrtf> 
-++++ 
  
 ==== - 產生根憑證的申請檔 RootCA.req ==== ==== - 產生根憑證的申請檔 RootCA.req ====
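Review bot: dropping -des3 from "openssl genrsa -out RootCA.key 2048" leaves the root CA private key unencrypted on disk, which is a security regression for the most sensitive key on the page; "chmod og-rwx RootCA.key" only keeps other local users out and does nothing against backups, disk snapshots or a root-level compromise. If the intent was to move off Triple-DES rather than to remove the passphrase, use "openssl genrsa -aes256 -out RootCA.key 2048" and keep a transcript that shows the passphrase prompts so readers know one is expected. An unencrypted key is defensible for ServerCA.key, which a service must read unattended at start-up, but not for a root key that is only used occasionally to sign.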
行 26: 行 14:
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf+<cli
-[jonathan@pd920 ca]$ openssl req -new -key RootCA.key -out RootCA.req +$ openssl req -new -key RootCA.key -out RootCA.req
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼+
 You are about to be asked to enter information that will be incorporated You are about to be asked to enter information that will be incorporated
 into your certificate request. into your certificate request.
行 36: 行 23:
 If you enter '.', the field will be left blank. If you enter '.', the field will be left blank.
 ----- -----
-Country Name (2 letter code) [GB]:TW +Country Name (2 letter code) [AU]:TW 
-State or Province Name (full name) [Berkshire]:Taiwan +State or Province Name (full name) [Some-State]:Taiwan 
-Locality Name (eg, city) [Newbury]:Taipei +Locality Name (eg, city) []:Taipei 
-Organization Name (eg, company) [My Company Ltd]:Trysoft Corp. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trysoft Corp. 
-Organizational Unit Name (eg, section) []: <-- 可以不輸入 +Organizational Unit Name (eg, section) []: 
-Common Name (eg, your name or your server's hostname) []:  <-- 不是當 Server 憑證不需要輸入+Common Name (e.g. server FQDN or YOUR name) []:
 Email Address []:[email protected] Email Address []:[email protected]
  
 Please enter the following 'extra' attributes Please enter the following 'extra' attributes
 to be sent with your certificate request to be sent with your certificate request
-A challenge password []: <-- 可以不輸入 +A challenge password []: 
-An optional company name []: <-- 可以不輸入 +An optional company name []: 
-[jonathan@pd920 ca]+
-</xtermrtf>+</cli>
 ++++ ++++
 ==== - 產生效期十年的根憑證檔 RootCA.crt ==== ==== - 產生效期十年的根憑證檔 RootCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt +openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
-rm -f RootCA.req+
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf+<cli
-[jonathan@pd920 ca]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt +$ openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt 
-Signature ok +Warning: ignoring -extensions option without -extfile 
-subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./[email protected] +Certificate request self-signature ok 
-Getting Private key +subject=C = TWST = TaiwanL = TaipeiO = Trysoft Corp.emailAddress = [email protected] 
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼 +
-[jonathan@pd920 ca]rm -f RootCA.req +</cli>
-</xtermrtf>+
 ++++ ++++
-<style> 
 |  {{:tech:rca_01.png?250&direct}}  |  {{:tech:rca_02.png?250&direct}}  |  {{:tech:rca_03.png?250&direct}}  | |  {{:tech:rca_01.png?250&direct}}  |  {{:tech:rca_02.png?250&direct}}  |  {{:tech:rca_03.png?250&direct}}  |
-</style> 
  
 ===== - 伺服器憑證 (Server CA) 作法:===== ===== - 伺服器憑證 (Server CA) 作法:=====
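Review bot: the new transcript line "Warning: ignoring -extensions option without -extfile" means -extensions v3_ca had no effect, so RootCA.crt is issued without basicConstraints=CA:TRUE, keyUsage=keyCertSign or a subject key identifier. OpenSSL's verifier only tolerates a missing basicConstraints on a v1 self-signed root; a v3 certificate without it (current OpenSSL emits v3 here because it adds key identifiers by default) is rejected as an issuer by OpenSSL and by browsers, so the server and client certificates signed with it further down the page will fail chain validation. Either generate the root directly with "openssl req -x509 -new -key RootCA.key -sha256 -days 3650 -extensions v3_ca -out RootCA.crt", which reads the v3_ca section from openssl.cnf and needs no CSR, or keep x509 -req and add "-extfile /etc/ssl/openssl.cnf -extensions v3_ca"; then confirm with "openssl x509 -in RootCA.crt -noout -text" that CA:TRUE appears. Minor points: "rm -f RootCA.req" was removed here while the matching rm lines for ServerCA.req and ClientCA.req remain, and the subject line in the pasted output lost its separators ("C = TWST = TaiwanL = Taipei"), so it should be re-pasted.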
行 76: 行 59:
 chmod og-rwx ServerCA.key chmod og-rwx ServerCA.key
 </code> </code>
-++++看產生結果| 
-<xtermrtf> 
-[jonathan@pd920 ca]$ openssl genrsa -out ServerCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-.............................................+++ 
-...........................................................................................................+++ 
-e is 65537 (0x10001) 
-不會出現輸入密碼的訊息,因為 Server CA 不需要輸入密碼,否則啟動 Service 時會需要輸入密碼後,才可繼續執行服務 
-</xtermrtf> 
-++++ 
  
 ==== - 產生伺服器憑證的申請檔 ServerCA.req ==== ==== - 產生伺服器憑證的申請檔 ServerCA.req ====
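Review bot: deleting the ServerCA.key transcript also deletes the only sentence on the page that explained why the server key has no passphrase (the service must start without a prompt), and now that the root key is generated the same way the distinction is invisible to the reader. Keep the explanation as a comment in the code block above "chmod og-rwx ServerCA.key", for example "# no passphrase: the service must read this key unattended at start-up", and say that this is exactly why it is a separate, short-lived key. Calling a leaf certificate "ServerCA" is also misleading since it is not a CA, but renaming the files is a larger change than this revision attempts.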
行 92: 行 65:
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf+<cli
-[jonathan@pd920 ca]$ openssl req -new -key ServerCA.key -out ServerCA.req+$ openssl req -new -key ServerCA.key -out ServerCA.req
 You are about to be asked to enter information that will be incorporated You are about to be asked to enter information that will be incorporated
 into your certificate request. into your certificate request.
行 101: 行 74:
 If you enter '.', the field will be left blank. If you enter '.', the field will be left blank.
 ----- -----
-Country Name (2 letter code) [GB]:TW +Country Name (2 letter code) [AU]:TW 
-State or Province Name (full name) [Berkshire]:Taiwan +State or Province Name (full name) [Some-State]:Taiwan 
-Locality Name (eg, city) [Newbury]:Taipei +Locality Name (eg, city) []:Taipei 
-Organization Name (eg, company) [My Company Ltd]:Trysoft Corp. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trysoft Corp. 
-Organizational Unit Name (eg, section) []: <-- 可以不輸入 +Organizational Unit Name (eg, section) []: 
-Common Name (eg, your name or your server's hostname) []:mail.ichiayi.com <-- 輸入 Server 的 Domain Name+Common Name (e.g. server FQDN or YOUR name) []:mail.ichiayi.com
 Email Address []:[email protected] Email Address []:[email protected]
  
 Please enter the following 'extra' attributes Please enter the following 'extra' attributes
 to be sent with your certificate request to be sent with your certificate request
-A challenge password []: <-- 可以不輸入 +A challenge password []: 
-An optional company name []: <-- 可以不輸入 +An optional company name []: 
-</xtermrtf>+$ 
 +</cli>
 ++++ ++++
  
 ==== - 產生效期兩年的伺服器憑證檔 ServerCA.crt ==== ==== - 產生效期兩年的伺服器憑證檔 ServerCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt+openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt
 rm -f ServerCA.req rm -f ServerCA.req
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf+<cli
-[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt +$ openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt 
-Signature ok +Warning: ignoring -extensions option without -extfile 
-subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com/[email protected] +Certificate request self-signature ok 
-Getting CA Private Key +subject=C = TWST = TaiwanL = TaipeiO = Trysoft Corp.CN = mail.ichiayi.comemailAddress = [email protected] 
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼 +
-[jonathan@pd920 ca]rm -f ServerCA.req +</cli>
-</xtermrtf>+
 ++++ ++++
  
-<style> 
 |  {{:tech:ca_00.png?250}}  |  {{:tech:ca_02.png?250}}  |  {{:tech:ca_01.png?250}}  | |  {{:tech:ca_00.png?250}}  |  {{:tech:ca_02.png?250}}  |  {{:tech:ca_01.png?250}}  |
-</style> 
  
 ===== - 用戶憑證 (Client CA) 作法:===== ===== - 用戶憑證 (Client CA) 作法:=====
 ==== - 建立用戶憑證 Private Key 檔 ClientCA.key ==== ==== - 建立用戶憑證 Private Key 檔 ClientCA.key ====
 <code sh> <code sh>
-openssl genrsa -des3 -out ClientCA.key 2048+openssl genrsa -out ClientCA.key 2048
 chmod og-rwx ClientCA.key chmod og-rwx ClientCA.key
 </code> </code>
-++++看產生結果| 
-<xtermrtf> 
-[jonathan@pd920 ca]$ openssl genrsa -des3 -out ClientCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-...........+++ 
-................................................+++ 
-e is 65537 (0x10001) 
-Enter pass phrase for ClientCA.key: <- 設定用戶憑證密碼 
-Verifying - Enter pass phrase for ClientCA.key: <- 再次輸入確認密碼 
-[jonathan@pd920 ca]$ chmod og-rwx ClientCA.key 
-</xtermrtf> 
-++++ 
  
 ==== - 產生用戶憑證的申請檔 ClientCA.req ==== ==== - 產生用戶憑證的申請檔 ClientCA.req ====
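Review bot: the server certificate is still issued with no subjectAltName: the transcript shows "Warning: ignoring -extensions option without -extfile", so -extensions v3_req did nothing and the only name in the certificate is "CN = mail.ichiayi.com", which browsers no longer match (Chrome dropped the CN fallback in 2017, and RFC 6125 deprecates it). Pass the extensions through an ext file, for example one containing "subjectAltName=DNS:mail.ichiayi.com", "basicConstraints=CA:FALSE" and "extendedKeyUsage=serverAuth", given as "-extfile server.ext" to the x509 -req command, then verify with "openssl x509 -in ServerCA.crt -noout -text" that the Subject Alternative Name is present. The same hunk changes "openssl genrsa -des3 -out ClientCA.key 2048" to an unencrypted key; that is tolerable only because the key is later wrapped into a password-protected .pfx, so the page should say to delete (or re-encrypt with -aes256) ClientCA.key after the export rather than leave a plaintext client key on the CA host.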
行 160: 行 119:
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf>+<cli>
 [jonathan@pd920 ca]$ openssl req -new -key ClientCA.key -out ClientCA.req [jonathan@pd920 ca]$ openssl req -new -key ClientCA.key -out ClientCA.req
 Enter pass phrase for ClientCA.key: <- 輸入用戶憑證密碼 Enter pass phrase for ClientCA.key: <- 輸入用戶憑證密碼
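Review bot: the retained transcript line "Enter pass phrase for ClientCA.key: <- 輸入用戶憑證密碼" is now stale, because this revision generates ClientCA.key without -des3 and openssl req will not prompt for a passphrase; either regenerate the capture or remove the prompt line here and in the pkcs12 export transcript, which has the same problem.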
行 182: 行 141:
 A challenge password []: <-- 可以不輸入 A challenge password []: <-- 可以不輸入
 An optional company name []: <-- 可以不輸入 An optional company name []: <-- 可以不輸入
-</xtermrtf>+</cli>
 ++++ ++++
  
 ==== - 產生效期兩年的用戶憑證檔 ClientCA.crt ==== ==== - 產生效期兩年的用戶憑證檔 ClientCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt+openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
 rm -f ClientCA.req rm -f ClientCA.req
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf+<cli
-[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt+[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
 Signature ok Signature ok
 subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech./CN=Jonathan Tsai/[email protected] subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech./CN=Jonathan Tsai/[email protected]
行 198: 行 157:
 Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼 Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼
 [jonathan@pd920 ca]$ rm -f ClientCA.req [jonathan@pd920 ca]$ rm -f ClientCA.req
-</xtermrtf>+</cli>
 ++++ ++++
 ==== - 將 ClientCA.crt 與 ClientCA.key 轉成 ClientCA.pfx ==== ==== - 將 ClientCA.crt 與 ClientCA.key 轉成 ClientCA.pfx ====
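Review bot: the command line was edited to -sha256 but the output under it was not regenerated: it still shows the old "Signature ok" and "subject=/C=TW/..." format, it shows "Enter pass phrase for RootCA.key:", which cannot happen now that RootCA.key has no passphrase, and unlike the server hunk it does not show the "ignoring -extensions option without -extfile" warning that the same command produces. Re-run and re-paste the output, and while doing so give the client certificate its extensions as well: with -extensions v3_req ignored it carries neither extendedKeyUsage=clientAuth nor basicConstraints=CA:FALSE, which servers performing client authentication commonly require, so supply them with -extfile.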
行 205: 行 164:
 </code> </code>
 ++++看產生結果| ++++看產生結果|
-<xtermrtf>+<cli>
 [jonathan@pd920 ca]$ openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx [jonathan@pd920 ca]$ openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx
 Enter pass phrase for ClientCA.key: <-- 輸入用戶憑證密碼 Enter pass phrase for ClientCA.key: <-- 輸入用戶憑證密碼
 Enter Export Password: <-- 設定匯出用戶憑證時的密碼, 可以和用戶憑證密碼相同 Enter Export Password: <-- 設定匯出用戶憑證時的密碼, 可以和用戶憑證密碼相同
 Verifying - Enter Export Password: <-- 輸入確認匯出用戶憑證時的密碼 Verifying - Enter Export Password: <-- 輸入確認匯出用戶憑證時的密碼
-</xtermrtf>+</cli>
 ++++ ++++
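Review bot: "openssl pkcs12 -export -in ClientCA.crt -inkey ClientCA.key -out ClientCA.pfx" bundles only the leaf certificate; add "-certfile RootCA.crt" so the .pfx also carries the issuing root and the importing client can build the chain. The "Enter pass phrase for ClientCA.key:" prompt in this transcript is stale after the -des3 removal above, and since the export password is now the only protection on the client key, the text should say it must not be left empty.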
  
行 216: 行 175:
  
   * 看到 apache 的 ssl_request_log 發現 IE7 使用 **TLSv1 RC4-MD5**, Firefox3 使用 **SSLv3 DHE-RSA-AES256-SHA**, cURL 7.15.5 使用 **TLSv1 DHE-RSA-AES256-SHA**   * 看到 apache 的 ssl_request_log 發現 IE7 使用 **TLSv1 RC4-MD5**, Firefox3 使用 **SSLv3 DHE-RSA-AES256-SHA**, cURL 7.15.5 使用 **TLSv1 DHE-RSA-AES256-SHA**
-<xtermrtf>+<cli>
 [root@pd920 httpd]# cat ssl_request_log [root@pd920 httpd]# cat ssl_request_log
 [20/Aug/2008:16:28:12 +0800] 192.168.11.248 TLSv1 RC4-MD5 "GET /t.txt HTTP/1.1" 25   <-- IE7 [20/Aug/2008:16:28:12 +0800] 192.168.11.248 TLSv1 RC4-MD5 "GET /t.txt HTTP/1.1" 25   <-- IE7
行 222: 行 181:
 [21/Aug/2008:12:18:55 +0800] 127.0.0.1 TLSv1 DHE-RSA-AES256-SHA "GET /t.txt HTTP/1.1" 5 <-- cURL 7.15.5 [21/Aug/2008:12:18:55 +0800] 127.0.0.1 TLSv1 DHE-RSA-AES256-SHA "GET /t.txt HTTP/1.1" 5 <-- cURL 7.15.5
 [root@pd920 httpd]# [root@pd920 httpd]#
-</xtermrtf>+</cli>
  
 ===== 參考網址 ===== ===== 參考網址 =====
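Review bot: the ssl_request_log lines kept here show IE7 negotiating "TLSv1 RC4-MD5" and Firefox3 "SSLv3 DHE-RSA-AES256-SHA"; since this revision updates the page for current OpenSSL, the bullet should mark these as 2008 observations and note that RC4 cipher suites (RFC 7465) and SSLv3 (RFC 7568) are now prohibited and must be disabled in the Apache SSL configuration, otherwise a reader may take the listed suites as the expected result.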
  • tech/openssl_caserver.1221556284.txt.gz
  • Last modified: 2008/09/16 17:11
  • jonathan