linux-ca自签发-021

账号认证

Linux openca 只能为本单位发布证书

Linux下做rootca 自签发证书 实现client访问时有身份验证.

[root@localhost ~]# yum list all |grep openssl

This system is not registered with RHN.

RHN support will be disabled.

openssl.i686 0.9.8e-7.el5 installed

openssl-devel.i386 0.9.8e-7.el5 installed

openssl.i386 0.9.8e-7.el5 rehl-server

openssl-perl.i386 0.9.8e-7.el5 rehl-server

openssl097a.i386 0.9.7a-9.el5_2.1 rehl-server

xmlsec1-openssl.i386 1.2.9-8.1 rehl-server

xmlsec1-openssl-devel.i386 1.2.9-8.1 rehl-server

[root@localhost ~]# yum install openssl*

1.编辑openssl.cnf产生存放私钥的文件

[root@apache-server pki]# pwd

/etc/pki

[root@apache-server pki]# vim tls/openssl.cnf

--存放机构自己的私钥

dir = /etc/pki/CA # Where everything is kept

[root@apache-server pki]# cd /etc/pki/CA

[root@apache-server CA]# ll

total 8

drwx------ 2 root root 4096 Dec 17 2008 private

2.产生机构的私钥

[root@apache-server CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.................

.......

e is 65537 (0x10001)

--改变权限

[root@apache-server CA]# chmod 600 private/*

[root@apache-server CA]# ll private/

total 4

-rw------- 1 root root 887 Aug 23 23:05 cakey.pem

[root@apache-server CA]#

3.自签发的证书ROOTCA

[root@apache-server CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ''.'', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server''s hostname) []:ROOTCA.ZZU.COM

Email Address []:

[root@apache-server CA]#

Client申请证书

"Times New Roman";mso-hansi-font-family:"Times New Roman"">产生私钥

[root@apache-server httpd]# mkdir certs

[root@apache-server httpd]# cd certs

[root@apache-server certs]# ll

total 0

[root@apache-server certs]# pwd

/etc/httpd/certs

[root@apache-server certs]# openssl genrsa 1024 >httpd.key

Generating RSA private key, 1024 bit long modulus

...............

.......

e is 65537 (0x10001)

[root@apache-server certs]# chmod 600 httpd.key

[root@apache-server certs]# ll

total 4

-rw-----

凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务，公司网站：http://www.lingzhong.cn 为了给广大客户了解更多的技术信息，本技术文章收集来源于网络,凌众科技尊重文章作者的版权，如果有涉及你的版权有必要删除你的文章，请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!