OpenSSL命令行常用功能(1) - 中国信息安全组织

来源:百度文库 编辑:神马文学网 时间:2024/04/26 21:03:36
OpenSSL命令行常用功能(1)
作者:rainbow 文章出处:中国信息安全组织 发布时间:2005-11-04 点击: 2793 字体: 【小中大】
1、为CA创建一个RSA私钥
D:\openssl\bin>openssl genrsa -des3 -out -ca.key 1024
Loading ‘screen‘ into random state - done
Generating RSA private key, 1024 bit long modulus
............................................................................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for -ca.key:123456
Verifying - Enter pass phrase for -ca.key:123456
2、利用CA的RSA私钥创建一个自签名的CA证书
D:\openssl\bin>openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl.cnf
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sh
Locality Name (eg, city) []:sh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso
Organizational Unit Name (eg, section) []:ciso
Common Name (eg, YOUR name) []:infosecurity.org.cn
Email Address []:webmaster@infosecurity.org.cn
3、生成证书请求
D:\openssl\bin>openssl req -config openssl.cnf -new -keyout webmaster.key -out wm_req.pem -days 365
Loading ‘screen‘ into random state - done
Generating a 1024 bit RSA private key
.....++++++
......................++++++
writing new private key to ‘newreq.pem‘
Enter PEM pass phrase:123456(自己输)
Verifying - Enter PEM pass phrase:123456(自己输)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sh
Locality Name (eg, city) []:sh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ciso
Organizational Unit Name (eg, section) []:ciso
Common Name (eg, YOUR name) []:webmaster
Email Address []:webmaster@infosecurity.org.cn
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:(不输)
An optional company name []:(不输)
4、签发证书
D:\openssl\bin>openssl ca -config openssl.cnf -out webmaster.pem -infiles wm_req.pem
Using configuration from openssl.cnf
Loading ‘screen‘ into random state - done
1896:error:0E06D06C:configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:329:group=CA_defa
ult name=unique_subject
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject‘s Distinguished Name is as follows
countryName     :PRINTABLE:‘cn‘
stateOrProvinceName   :PRINTABLE:‘sh‘
localityName     :PRINTABLE:‘sh‘
organizationName   :PRINTABLE:‘ciso‘
organizationalUnitName:PRINTABLE:‘ciso‘
commonName       :PRINTABLE:‘webmaster‘
emailAddress     :IA5STRING:'webmaster@infosecurity.org.cn‘
Certificate is to be certified until Aug 23 10:01:35 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5、重复步骤3与4可以创建个人证书。
6、包成pfx文件格式。
输入:z1.key与z1.crt
输出:z1.pfx
D:\openssl\bin>openssl pkcs12 -export -inkey z1.key -in z1.crt -out z1.pfx
Loading ‘screen‘ into random state - done
Enter pass phrase for z1.key:(输入密码)
Enter Export Password: :(输入密码)
Verifying - Enter Export Password::(输入密码)
7、去除私钥的密码。
D:\openssl\bin>openssl rsa -in z1.key -out z1_nopwd.key
Enter pass phrase for z1.key:(输入密码)
writing RSA key