1. 下载和安装OpenSSL
请访问参考文献3,我这里使用的是:Win64 OpenSSL v1.0.1c Light。
安装前需要先安装Visual C++ 2008 Redistributables (x64),其它步骤比较简单,从略。
2. 生成证书前的准备工作
(1)设置环境变量
OPENSSL_HOME=C:\OpenSSL-Win64
PATH=%PATH%;%OPENSSL_HOME%\bin
(2)修改%OPENSSL_HOME%\bin\openssl.cfg,修改dir,指向D盘ca目录。
dir = D:/ca # Where everything is kept
(3)创建目录
在D盘创建ca目录,所有的证书都将存放在这里。
在ca目录下创建certs目录,存放已发行证书。
在ca目录下创建newcerts 目录,存放 新证书 。
在ca目录下创建private 目录,存放私钥 。
在ca目录下创建crl 目录,存放证书吊销列表 。
(4)构建索引文件index.txt
echo 0>index.txt
(5)构建序列号文件serial
echo 01>serial
(6)构建随机数private/.rand
openssl rand -out private/.rand 1000
(1)构建根证书私钥:ca.key.pem
openssl genrsa -aes256 -out private/ca.key.pem 2048
(2)生成根证书签发申请:ca.csr
openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=BJ/L=BJ/O=JavaNeverDie/OU=JavaNeverDie/CN=ca"
(3)签发根证书:ca.cer
openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certs/ca.cer
(4)把根证书转换为P12格式,方便分发和导入:ca.p12
openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certs/ca.cer -out certs/ca.p12
(5)查看CA密钥库信息:ca.p12
keytool -list -keystore certs/ca.p12 -storetype pkcs12 -v -storepass 123456
会发现默认的alias是1,这不符合一般要求。
(6)修改alias为ca
keytool -changealias -alias 1 -destalias ca -keystore certs/ca.p12 -storetype pkcs12 -v -storepass 123456
(7)再次查看CA密钥库信息ca.p12,输出如下:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: ca
Creation date: Oct 9, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Issuer: CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Serial number: f83f9ce81e66bc8c
Valid from: Tue Oct 09 14:27:26 CST 2012 until: Sat Feb 25 14:27:26 CST 2040
Certificate fingerprints:
MD5: 2C:97:99:72:EA:B3:CF:BC:15:77:BB:82:E9:65:CC:D0
SHA1: F6:45:5A:D7:A4:8F:CA:B0:5E:20:8E:31:EF:33:F7:07:CF:15:BF:62
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
说明:Entry type是PrivateKeyEntry,表明这是一个包括公钥、私钥、以及数字证书的密钥库。
3. 生成CA签名的Server证书
(1)构建Server私钥:server.key.pem
openssl genrsa -aes256 -out private/server.key.pem 2048
(2)生成服务器证书签发申请:server.csr
openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=BJ/L=BJ/O=JavaNeverDie/OU=JavaNeverDie/CN=localhost"
注意,这里CN=localhost,主要是用于本机测试,实际使用时,应该设置成机器的IP地址或网址。
(3)使用CA私钥签发Server证书:server.cer
openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
(4)把Server证书转换为P12格式,方便分发和导入:server.p12
openssl pkcs12 -export -clcerts -inkey private/server.key.pem -in certs/server.cer -out certs/server.p12
(5)查看 Server密钥库信息:server.p12
keytool -list -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
会发现默认的alias是1,这不符合一般要求。
(6)修改Alias为server
keytool -changealias -alias 1 -destalias server -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
(7)再次查看Server密钥库信息server.p12,输出如下:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: server
Creation date: Oct 9, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Issuer: CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Serial number: ed5781b2f34d4e74
Valid from: Tue Oct 09 14:29:12 CST 2012 until: Fri Oct 07 14:29:12 CST 202
Certificate fingerprints:
MD5: 78:BC:BE:70:F9:AD:E0:55:91:80:78:77:6D:FE:68:32
SHA1: 4A:7E:39:4B:4C:4F:2D:C3:48:F8:6B:5D:B1:75:5E:D4:B9:52:51:F2
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
(1)构建Server私钥:server.key.pem
openssl genrsa -aes256 -out private/server.key.pem 2048
(2)生成服务器证书签发申请:server.csr
openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=BJ/L=BJ/O=JavaNeverDie/OU=JavaNeverDie/CN=localhost"
注意,这里CN=localhost,主要是用于本机测试,实际使用时,应该设置成机器的IP地址或网址。
(3)使用CA私钥签发Server证书:server.cer
openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
(4)把Server证书转换为P12格式,方便分发和导入:server.p12
openssl pkcs12 -export -clcerts -inkey private/server.key.pem -in certs/server.cer -out certs/server.p12
(5)查看 Server密钥库信息:server.p12
keytool -list -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
会发现默认的alias是1,这不符合一般要求。
(6)修改Alias为server
keytool -changealias -alias 1 -destalias server -keystore certs/server.p12 -storetype pkcs12 -v -storepass 123456
(7)再次查看Server密钥库信息server.p12,输出如下:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: server
Creation date: Oct 9, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Issuer: CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Serial number: ed5781b2f34d4e74
Valid from: Tue Oct 09 14:29:12 CST 2012 until: Fri Oct 07 14:29:12 CST 202
Certificate fingerprints:
MD5: 78:BC:BE:70:F9:AD:E0:55:91:80:78:77:6D:FE:68:32
SHA1: 4A:7E:39:4B:4C:4F:2D:C3:48:F8:6B:5D:B1:75:5E:D4:B9:52:51:F2
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************
*******************************************
说明:Entry type是PrivateKeyEntry,表明这是一个包括公钥、私钥、以及数字证书的密钥库。
4. 生成CA签名的Client证书
(1)构建Client私钥:client.key.pem
openssl genrsa -aes256 -out private/client.key.pem 2048
(2)生成服务器证书签发申请:client.csr
openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=BJ/L=BJ/O=JavaNeverDie/OU=JavaNeverDie/CN=MaPing"
注意,这里CN=MaPing,主要是用于本机测试,实际使用时,应该设置成客户的名字。
(3)使用CA私钥签发Client证书:client.cer
openssl ca -days 3650 -in private/client.csr -out certs/client.cer -cert certs/ca.cer -keyfile private/ca.key.pem
(4)把Client证书转换为P12格式,方便分发和导入:client.p12
openssl pkcs12 -export -inkey private/client.key.pem -in certs/client.cer -out certs/client.p12
(5)查看Client密钥库信息:client.p12
keytool -list -keystore certs/client.p12 -storetype pkcs12 -v -storepass 123456
会发现默认的alias是1,这不符合一般要求。
(6)修改Alias为client
keytool -changealias -alias 1 -destalias client -keystore certs/client.p12 -storetype pkcs12 -v -storepass 123456
(7)再次查看Client密钥库信息server.p12,输出如下:
4. 生成CA签名的Client证书
(1)构建Client私钥:client.key.pem
openssl genrsa -aes256 -out private/client.key.pem 2048
(2)生成服务器证书签发申请:client.csr
openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=BJ/L=BJ/O=JavaNeverDie/OU=JavaNeverDie/CN=MaPing"
注意,这里CN=MaPing,主要是用于本机测试,实际使用时,应该设置成客户的名字。
(3)使用CA私钥签发Client证书:client.cer
openssl ca -days 3650 -in private/client.csr -out certs/client.cer -cert certs/ca.cer -keyfile private/ca.key.pem
(4)把Client证书转换为P12格式,方便分发和导入:client.p12
openssl pkcs12 -export -inkey private/client.key.pem -in certs/client.cer -out certs/client.p12
(5)查看Client密钥库信息:client.p12
keytool -list -keystore certs/client.p12 -storetype pkcs12 -v -storepass 123456
会发现默认的alias是1,这不符合一般要求。
(6)修改Alias为client
keytool -changealias -alias 1 -destalias client -keystore certs/client.p12 -storetype pkcs12 -v -storepass 123456
(7)再次查看Client密钥库信息server.p12,输出如下:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: client
Creation date: Oct 9, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MaPing, OU=JavaNeverDie, O=JavaNeverDie, ST=BJ, C=CN
Issuer: CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN
Serial number: 1
Valid from: Tue Oct 09 14:31:14 CST 2012 until: Fri Oct 07 14:31:14 CST 2022
Certificate fingerprints:
MD5: 9E:85:CF:E6:F3:2A:19:C1:A0:8E:BC:3D:F8:E0:17:D7
SHA1: 51:CC:3C:E6:E7:02:F0:28:7D:87:14:B1:19:EB:AA:92:51:C8:92:BD
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 A3 76 23 D3 B8 F1 90 92 E4 39 AA 19 54 75 40 ..v#......9..Tu@
0010: D9 04 B9 F9 ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[CN=ca, OU=JavaNeverDie, O=JavaNeverDie, L=BJ, ST=BJ, C=CN]
SerialNumber: [ f83f9ce8 1e66bc8c]
]
*******************************************
*******************************************
至此,我们生成了CA、Server、Client三方的公钥、私钥、以及数字证书。
接下来,我们可以配置双向SSL认证了。
参考文献:
1. http://book.51cto.com/art/201004/192440.htm
2. http://www.openssl.org/source/
3. http://www.slproweb.com/products/Win32OpenSSL.html
没有评论:
发表评论