Differences

This shows the differences between two versions of the page.

tech:openssl_caserver [2021/01/17 16:46] – [- Generate the two-year server certificate file ServerCA.crt] jonathan
tech:openssl_caserver [2025/04/13 00:50] (current version) – Removed the -des3 parameter and replaced -sha1 with -sha256 jonathan
行 5: 行 5:
 ==== - 建立根憑證 Private Key 檔 RootCA.key ==== ==== - 建立根憑證 Private Key 檔 RootCA.key ====
 <code sh> <code sh>
-openssl genrsa -des3 -out RootCA.key 2048+openssl genrsa -out RootCA.key 2048
 chmod og-rwx RootCA.key chmod og-rwx RootCA.key
 </code> </code>
-++++看產生結果| 
-<cli> 
-[jonathan@pd920 ca]$ openssl genrsa -des3 -out RootCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-..............................................+++ 
-.+++ 
-e is 65537 (0x10001) 
-Enter pass phrase for RootCA.key:  <-- 設定 RootCA 密鑰的密碼 
-Verifying - Enter pass phrase for RootCA.key: <-- 再次輸入 RootCA 密鑰的密碼 
-[jonathan@pd920 ca]$ chmod og-rwx RootCA.key  <-- 讓 RootCA 只有自己可以讀寫 
-</cli> 
-++++ 
  
 ==== - 產生根憑證的申請檔 RootCA.req ==== ==== - 產生根憑證的申請檔 RootCA.req ====
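Review bot: dropping `-des3` from `openssl genrsa -out RootCA.key 2048` leaves the root CA private key unencrypted on disk, protected only by the `chmod og-rwx RootCA.key` that follows it. The root key is needed only at signing time, so the reason the page gives for an unencrypted server key (a service must start without a passphrase prompt) does not apply to it. If the intent was to retire 3DES rather than the passphrase, use `openssl genrsa -aes256 -out RootCA.key 2048` instead, which keeps the key encrypted with a current cipher.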
行 27: 行 15:
 ++++看產生結果| ++++看產生結果|
 <cli> <cli>
-[jonathan@pd920 ca]$ openssl req -new -key RootCA.key -out RootCA.req +$ openssl req -new -key RootCA.key -out RootCA.req
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼+
 You are about to be asked to enter information that will be incorporated You are about to be asked to enter information that will be incorporated
 into your certificate request. into your certificate request.
行 36: 行 23:
 If you enter '.', the field will be left blank. If you enter '.', the field will be left blank.
 ----- -----
-Country Name (2 letter code) [GB]:TW +Country Name (2 letter code) [AU]:TW 
-State or Province Name (full name) [Berkshire]:Taiwan +State or Province Name (full name) [Some-State]:Taiwan 
-Locality Name (eg, city) [Newbury]:Taipei +Locality Name (eg, city) []:Taipei 
-Organization Name (eg, company) [My Company Ltd]:Trysoft Corp. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trysoft Corp. 
-Organizational Unit Name (eg, section) []: <-- 可以不輸入 +Organizational Unit Name (eg, section) []: 
-Common Name (eg, your name or your server's hostname) []:  <-- 不是當 Server 憑證不需要輸入+Common Name (e.g. server FQDN or YOUR name) []:
 Email Address []:[email protected] Email Address []:[email protected]
  
 Please enter the following 'extra' attributes Please enter the following 'extra' attributes
 to be sent with your certificate request to be sent with your certificate request
-A challenge password []: <-- 可以不輸入 +A challenge password []: 
-An optional company name []: <-- 可以不輸入 +An optional company name []: 
-[jonathan@pd920 ca]$+$
 </cli> </cli>
 ++++ ++++
 ==== - 產生效期十年的根憑證檔 RootCA.crt ==== ==== - 產生效期十年的根憑證檔 RootCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt +openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
-rm -f RootCA.req+
 </code> </code>
 ++++看產生結果| ++++看產生結果|
 <cli> <cli>
-[jonathan@pd920 ca]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt +$ openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt 
-Signature ok +Warning: ignoring -extensions option without -extfile 
-subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./[email protected] +Certificate request self-signature ok 
-Getting Private key +subject=C = TWST = TaiwanL = TaipeiO = Trysoft Corp.emailAddress = [email protected] 
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼 +$
-[jonathan@pd920 ca]rm -f RootCA.req+
 </cli> </cli>
 ++++ ++++
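Review bot: the recaptured output in this hunk shows `Warning: ignoring -extensions option without -extfile`, so `-extensions v3_ca` has no effect and RootCA.crt is issued without the `basicConstraints = CA:TRUE` and `keyUsage` extensions that the v3_ca section would provide. OpenSSL's own chain verification treats a v3 certificate without basicConstraints or keyUsage as not being a CA, so `openssl verify -CAfile RootCA.crt ServerCA.crt` can fail with `invalid CA certificate`. Point the command at a configuration file that contains the section, e.g. `-extfile /etc/ssl/openssl.cnf -extensions v3_ca` (path varies by distribution), and confirm with `openssl x509 -in RootCA.crt -noout -text` that `CA:TRUE` is present. The hunk also drops `rm -f RootCA.req` while the ServerCA and ClientCA sections keep their `rm -f`; either keep it here too or say why the request file is retained.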
行 74: 行 59:
 chmod og-rwx ServerCA.key chmod og-rwx ServerCA.key
 </code> </code>
-++++看產生結果| 
-<cli> 
-[jonathan@pd920 ca]$ openssl genrsa -out ServerCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-.............................................+++ 
-...........................................................................................................+++ 
-e is 65537 (0x10001) 
-不會出現輸入密碼的訊息,因為 Server CA 不需要輸入密碼,否則啟動 Service 時會需要輸入密碼後,才可繼續執行服務 
-</cli> 
-++++ 
  
 ==== - 產生伺服器憑證的申請檔 ServerCA.req ==== ==== - 產生伺服器憑證的申請檔 ServerCA.req ====
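Review bot: this hunk removes the only place on the page that explains why ServerCA.key is generated without a passphrase (a service has to load it at start-up without prompting). Now that the root and client keys are also created without `-des3`, that sentence was what distinguished the cases; keep a one-line note here and state plainly that the unencrypted server key is protected only by the `chmod og-rwx ServerCA.key` that remains.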
行 91: 行 66:
 ++++看產生結果| ++++看產生結果|
 <cli> <cli>
-[jonathan@pd920 ca]$ openssl req -new -key ServerCA.key -out ServerCA.req+$ openssl req -new -key ServerCA.key -out ServerCA.req
 You are about to be asked to enter information that will be incorporated You are about to be asked to enter information that will be incorporated
 into your certificate request. into your certificate request.
行 99: 行 74:
 If you enter '.', the field will be left blank. If you enter '.', the field will be left blank.
 ----- -----
-Country Name (2 letter code) [GB]:TW +Country Name (2 letter code) [AU]:TW 
-State or Province Name (full name) [Berkshire]:Taiwan +State or Province Name (full name) [Some-State]:Taiwan 
-Locality Name (eg, city) [Newbury]:Taipei +Locality Name (eg, city) []:Taipei 
-Organization Name (eg, company) [My Company Ltd]:Trysoft Corp. +Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trysoft Corp. 
-Organizational Unit Name (eg, section) []: <-- 可以不輸入 +Organizational Unit Name (eg, section) []: 
-Common Name (eg, your name or your server's hostname) []:mail.ichiayi.com <-- 輸入 Server 的 Domain Name+Common Name (e.g. server FQDN or YOUR name) []:mail.ichiayi.com
 Email Address []:[email protected] Email Address []:[email protected]
  
 Please enter the following 'extra' attributes Please enter the following 'extra' attributes
 to be sent with your certificate request to be sent with your certificate request
-A challenge password []: <-- 可以不輸入 +A challenge password []: 
-An optional company name []: <-- 可以不輸入+An optional company name []: 
 +$
 </cli> </cli>
 ++++ ++++
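Review bot: the `<-- 輸入 Server 的 Domain Name` annotation on the Common Name line is dropped, so the page no longer tells the reader that CN must be the server's host name; keep it. Note also that current browsers and most TLS libraries ignore CN and match only subjectAltName, which this request does not carry; add `-addext "subjectAltName=DNS:mail.ichiayi.com"` to the `openssl req -new` command (supported since OpenSSL 1.1.1) and make sure the signing step carries it into the certificate, since `openssl x509 -req` does not copy CSR extensions unless told to.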
行 116: 行 92:
 ==== - 產生效期兩年的伺服器憑證檔 ServerCA.crt ==== ==== - 產生效期兩年的伺服器憑證檔 ServerCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt+openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt
 rm -f ServerCA.req rm -f ServerCA.req
 </code> </code>
 ++++看產生結果| ++++看產生結果|
 <cli> <cli>
-[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt +$ openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key -CAserial RootCA.srl -CAcreateserial -in ServerCA.req -out ServerCA.crt 
-Signature ok +Warning: ignoring -extensions option without -extfile 
-subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./CN=mail.ichiayi.com/[email protected] +Certificate request self-signature ok 
-Getting CA Private Key +subject=C = TWST = TaiwanL = TaipeiO = Trysoft Corp.CN = mail.ichiayi.comemailAddress = [email protected] 
-Enter pass phrase for RootCA.key: <-- 輸入 RootCA 密鑰的密碼 +$
-[jonathan@pd920 ca]rm -f ServerCA.req+
 </cli> </cli>
 ++++ ++++
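Review bot: as the captured output shows (`Warning: ignoring -extensions option without -extfile`), `-extensions v3_req` is ignored here, and `openssl x509 -req` does not copy extensions from the request by default, so ServerCA.crt ends up with no subjectAltName, keyUsage or extendedKeyUsage regardless of what ServerCA.req contains. Either supply `-extfile` with a section that defines `subjectAltName = DNS:mail.ichiayi.com` and `extendedKeyUsage = serverAuth`, or, on OpenSSL 3.x (which the `Certificate request self-signature ok` wording indicates), add `-copy_extensions copy` so that a SAN present in the request is carried over. Check the result with `openssl x509 -in ServerCA.crt -noout -text` before deploying it.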
行 135: 行 110:
 ==== - 建立用戶憑證 Private Key 檔 ClientCA.key ==== ==== - 建立用戶憑證 Private Key 檔 ClientCA.key ====
 <code sh> <code sh>
-openssl genrsa -des3 -out ClientCA.key 2048+openssl genrsa -out ClientCA.key 2048
 chmod og-rwx ClientCA.key chmod og-rwx ClientCA.key
 </code> </code>
-++++看產生結果| 
-<cli> 
-[jonathan@pd920 ca]$ openssl genrsa -des3 -out ClientCA.key 2048 
-Generating RSA private key, 2048 bit long modulus 
-...........+++ 
-................................................+++ 
-e is 65537 (0x10001) 
-Enter pass phrase for ClientCA.key: <- 設定用戶憑證密碼 
-Verifying - Enter pass phrase for ClientCA.key: <- 再次輸入確認密碼 
-[jonathan@pd920 ca]$ chmod og-rwx ClientCA.key 
-</cli> 
-++++ 
  
 ==== - 產生用戶憑證的申請檔 ClientCA.req ==== ==== - 產生用戶憑證的申請檔 ClientCA.req ====
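Review bot: removing `-des3` here writes ClientCA.key, a key that will be handed to a user, to disk in plaintext. The service-startup argument for an unencrypted key does not apply to a client key, so generate it with `openssl genrsa -aes256 -out ClientCA.key 2048` to keep it passphrase-protected (with AES in place of 3DES) while it is stored and distributed.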
行 183: 行 146:
 ==== - 產生效期兩年的用戶憑證檔 ClientCA.crt ==== ==== - 產生效期兩年的用戶憑證檔 ClientCA.crt ====
 <code sh> <code sh>
-openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt+openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
 rm -f ClientCA.req rm -f ClientCA.req
 </code> </code>
 ++++看產生結果| ++++看產生結果|
 <cli> <cli>
-[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt+[jonathan@pd920 ca]$ openssl x509 -req -days 730 -sha256 -extensions v3_req -CA RootCA.crt -CAkey RootCA.key  -CAserial RootCA.srl -CAcreateserial -in ClientCA.req -out ClientCA.crt
 Signature ok Signature ok
 subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech./CN=Jonathan Tsai/[email protected] subject=/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech./CN=Jonathan Tsai/[email protected]
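Review bot: the right-hand output in this hunk was edited by hand rather than recaptured: the command now says `-sha256`, but the prompt is still `[jonathan@pd920 ca]$`, the `subject=/C=TW/...` line is in the pre-3.0 format, and there is no `Warning: ignoring -extensions option without -extfile` line, unlike the RootCA and ServerCA hunks that were rerun. Rerun the command and paste the real output; the double space in `-CAkey RootCA.key  -CAserial` in both the command and the output should go as well. The same `-extfile` problem applies to this step: without it `-extensions v3_req` is ignored and ClientCA.crt is issued without `extendedKeyUsage = clientAuth`.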
  • tech/openssl_caserver.1610873175.txt.gz
  • Last modified: 2021/01/17 16:46
  • jonathan