windows下使用openssl生成证书
2020-11-20 00:28
Tags: des style blog code tar ext
Original article: http://www.cnblogs.com/javaleon/p/3708827.html

Part 1: Downloads

The version used is 0.9.8.
1. Download OpenSSL from http://www.openssl.org/source/
2. Install VS2010.
3. Download Perl from http://www.activestate.com/ActivePerl and install it.

Part 2: Building OpenSSL

1. Extract the source to the system drive, here C:\openssl-0.9.8v.
2. Configure for WIN32. Open a CMD prompt, change into C:\openssl-0.9.8v and run:
   perl Configure VC-WIN32
   Note that the command is case-sensitive.
3. Set up the VC environment variables. Change into the VC\Bin directory of the Visual Studio installation and run:
   VCVARS32.BAT
4. Return to the OpenSSL directory and create the makefiles:
   ms\do_ms
   This variant builds without the assembler. If the build later reports an error, try ms\do_masm (uses the assembler), ms\do_nasm, ms\do_nt and so on; these batch files are written for different system configurations.
5. In the OpenSSL directory, run the build:
   nmake -f ms\ntdll.mak
   When the dynamic-library build finishes, all output is in the out32dll directory: the executables, two DLLs and two import libraries: libeay32.dll, libeay32.lib, ssleay32.dll, ssleay32.lib. If you only program against OpenSSL from VS/VC, follow the steps below as they are. If you also want to use the openssl command line, add C:\openssl-0.9.8v\out32dll to the system PATH environment variable, because openssl.exe lives in that directory; once it is on the PATH, the openssl command can be used directly from the command line.

Part 3: Generating certificates

1. Set the OPENSSL_CONF environment variable to point at the configuration file (openssl.cnf). The file can be copied from the apps directory under the extracted OpenSSL root and then edited as needed. Alternatively, the location of the configuration file can be given to each openssl command with -config.

My configuration file:

# SSLeay example properties file.
# This is mostly being used for generation of certificate requests.
#
# RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = C:\\CA # Where everything is kept
certs = $dir\\certs # Where the issued certs are kept
crl_dir = $dir\\crl # Where the issued crl are kept
database = $dir\\index.txt # database index file.
new_certs_dir = $dir\\newcerts # default place for new certs.
certificate = $dir\\cacert.pem # The CA certificate
serial = $dir\\serial # The current serial number
crl = $dir\\crl.pem # The current CRL
private_key = $dir\\private\\cakey.pem # The private key
RANDFILE = $dir\\private\\private.rnd # private random number file
x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ x509v3_extensions ]

Under $dir, create the directories and files that the CA_default section refers to (certs, crl, newcerts, private, index.txt and serial).

Now the openssl commands can be used to generate the certificates:

1. First generate the server's private key (the key file):
openssl genrsa -des3 -out server.key 1024
You will be prompted for a password; it is used to encrypt the key file (the des3 parameter is the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, the passphrase has to be entered every time the file is read (through the openssl commands or the API). If that is inconvenient the passphrase can be removed, but then be sure to take other protective measures!
The command to remove the passphrase from the key file:
openssl rsa -in server.key -out server.key

2. Generate a Certificate Signing Request (CSR). The resulting csr file is handed to a CA for signing, which produces the server's own certificate. Prompts appear on screen; follow them and enter the requested information step by step.
openssl req -new -key server.key -out server.csr -config openssl.cnf

3. Run the same commands for the client to generate its key and csr file:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

4. A CSR only becomes a certificate once it carries a CA's signature. The file could be sent to VeriSign or a similar CA for verification, which costs a lot of money. Instead, act as your own CA:
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

5. Use the CA certificate just generated to sign the server.csr and client.csr files created above:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Files used by the server: ca.crt, server.crt, server.key
Files used by the client: ca.crt, client.crt, client.key
The .crt and .key files can be combined into one file; I merged the two into a single .pem file (simply copy one after the other).

Parameters of the openssl req command:

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg]
[-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus]
[-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key
filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]]
[-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial
n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts
section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose]
[-engine id]
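The CA_default section above anchors every path on $dir but leaves the list of things to create under it implicit, and two of its values (default_md = md5, default_bits = 1024) are rejected by current TLS clients. The following added example is my own code, not from the post: it parses this openssl.cnf syntax (sections, key = value, '#' comments, the doubled backslashes of the Windows path, and $name references), lists the expanded paths that openssl ca expects to exist, and flags the weak settings. SAMPLE_CNF is a constructed excerpt that reuses the post's values.

```python
import re
# Constructed excerpt of the post's openssl.cnf (same keys and values as the post).
SAMPLE_CNF = r"""
[ ca ]
default_ca = CA_default        # The default ca section
[ CA_default ]
dir = C:\\CA                   # Where everything is kept
certs = $dir\\certs
database = $dir\\index.txt
new_certs_dir = $dir\\newcerts
certificate = $dir\\cacert.pem
serial = $dir\\serial
private_key = $dir\\private\\cakey.pem
default_md = md5
[ req ]
default_bits = 1024
"""

def parse_cnf(text):
    """Parse OpenSSL's INI-style config: [section] headers, key = value lines,
    '#' comments, '\\\\' escapes and $name references (same section, then default)."""
    cfg, section = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and whitespace
        head = re.match(r"\[\s*(\S+)\s*\]$", line)
        if head:
            section = head.group(1)
            cfg.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            lookup = lambda m: cfg[section].get(m.group(1), cfg["default"].get(m.group(1), ""))
            value = re.sub(r"\$(\w+)", lookup, value.strip())
            cfg[section][key.strip()] = value.replace("\\\\", "\\")   # C:\\CA -> C:\CA
    return cfg

CA_PATH_KEYS = ("certs", "crl_dir", "new_certs_dir", "database", "serial", "certificate", "private_key")

def ca_layout(cfg):
    """Expanded paths 'openssl ca' expects under $dir: what the post says to create first."""
    ca = cfg[cfg["ca"]["default_ca"]]
    return {k: ca[k] for k in CA_PATH_KEYS if k in ca}

def weak_settings(cfg):
    """Settings in the posted file that current TLS clients reject outright."""
    ca, findings = cfg[cfg["ca"]["default_ca"]], []
    if ca.get("default_md", "").lower() in ("md5", "sha1"):
        findings.append("default_md = %s (use sha256 or stronger)" % ca["default_md"])
    if int(cfg.get("req", {}).get("default_bits", "0")) < 2048:
        findings.append("default_bits below 2048 (1024-bit RSA is no longer accepted)")
    return findings
```

Running parse_cnf over the real openssl.cnf and creating the paths from ca_layout before the first openssl ca call avoids the "cannot open index.txt / serial" style failures that hit this flow.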
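Step 1 shows how genrsa -des3 protects server.key with a passphrase and how openssl rsa strips it again, and the last paragraph merges that key with its certificate into one .pem file, which is exactly the file worth checking for an unprotected key. The following added example is my own code, not from the post: a small PEM block parser that understands the legacy Proc-Type/DEK-Info headers an encrypted PKCS#1 key carries, plus an audit of such a bundle. SAMPLE_PEM is a constructed bundle with placeholder base64, not real key material.

```python
import re
# Constructed sample of the merged cert+key .pem the post describes; bodies are placeholders.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIBATANBgkqhkiG9w0BAQQFADAAAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQC7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
BLOCK_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, headers, body) per PEM block. 'headers' are the legacy
    Proc-Type/DEK-Info lines that 'openssl genrsa -des3' writes before a blank line."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        label, payload = m.group(1), m.group(2)
        headers, body = {}, payload
        if "\n\n" in payload:                      # encapsulated headers end at a blank line
            head, body = payload.split("\n\n", 1)
            for line in head.splitlines():
                k, _, v = line.partition(":")
                headers[k.strip()] = v.strip()
        blocks.append((label, headers, body.replace("\n", "")))
    return blocks

def audit_bundle(text):
    """Count certificates and keys in a bundle and record how each key is protected
    (PKCS#1 keys mark encryption in headers, PKCS#8 keys in the BEGIN label)."""
    report = {"certs": 0, "keys": 0, "encrypted_keys": 0, "ciphers": []}
    for label, headers, _ in parse_pem(text):
        if label == "CERTIFICATE":
            report["certs"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["keys"] += 1
            if headers.get("Proc-Type") == "4,ENCRYPTED" or label.startswith("ENCRYPTED"):
                report["encrypted_keys"] += 1
                report["ciphers"].append(headers.get("DEK-Info", "pkcs8").split(",")[0])
    return report

def findings(text):
    """Issues a reviewer would raise about the bundle, as plain strings."""
    r, out = audit_bundle(text), []
    if r["keys"] > r["encrypted_keys"]:
        out.append("private key stored without a passphrase (post: protect it some other way)")
    if "DES-EDE3-CBC" in r["ciphers"]:
        out.append("key encrypted with legacy DES-EDE3-CBC PEM encryption")
    return out
```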