
Managing your CA

OSWikiHK, the free Chinese open-source knowledge base


Standard article
Author: Roy Chan
Contributors: -
Proofreading: -
Level: Beginner
Creating your CA

$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................++++++
....................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:              (choose a pass phrase; you will need it every time you sign a certificate)
Verifying - Enter PEM pass phrase:  (enter the same pass phrase again to confirm)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN   (country code)
State or Province Name (full name) [Some-State]:HKSAR (state or province)
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []: Example CA       (name of the CA)
Email Address []:ca@example.com        (contact e-mail)

You will now see the following files:

| File                       | Description                                                                 |
|----------------------------|-----------------------------------------------------------------------------|
| ./demoCA/certs             | Where issued certificates are kept (per the default openssl.cnf)            |
| ./demoCA/crl               | Certificate Revocation List (CRL)                                           |
| ./demoCA/newcerts          | A copy of every certificate this CA has signed                              |
| ./demoCA/private           | The CA's private area, holding data that must never leak, such as the private key |
| ./demoCA/private/cakey.pem | The CA's private key                                                        |
| ./demoCA/index.txt         | The CA's database of issued certificates (updated on every signing)         |
| ./demoCA/cacert.pem        | The CA's certificate                                                        |
| ./demoCA/serial            | The next serial number to be issued                                         |

Signing certificates with your CA

Put the CSR to be signed in the CA working directory (alongside demoCA, at the same level), name it newreq.pem, then run /usr/lib/ssl/misc/CA.pl -signreq:

$ /usr/lib/ssl/misc/CA.pl -signreq
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:     (enter the CA's pass phrase)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b2:7f:68:4d:80:d1:7b:a9
        Validity
            Not Before: Nov 20 18:15:25 2004 GMT
            Not After : Nov 20 18:15:25 2005 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HKSAR
            localityName              = Hong Kong
            organizationName          = Example Ltd.
            organizationalUnitName    = Web Team
            commonName                = www.example.com
            emailAddress              = webmaster@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                76:6F:7F:4C:9C:2A:87:40:5A:D4:0E:40:EE:B6:AD:3D:6E:12:0C:2D
            X509v3 Authority Key Identifier:
                keyid:51:D8:8E:8B:63:1D:F3:AF:CC:24:48:73:52:C9:F1:53:F6:B2:65:45
                DirName:/C=CN/ST=HKSAR/L=Hong Kong/O=Example Ltd./OU=Certificate Authority/CN=Example CA/emailAddress=ca@example.com
                serial:B2:7F:68:4D:80:D1:7B:A8

Certificate is to be certified until Nov 20 18:15:25 2005 GMT (365 days)
Sign the certificate? [y/n]:y  (once you have confirmed the details above are correct, type y to sign)

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

The newly created file newcert.pem is the signed certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b2:7f:68:4d:80:d1:7b:a9
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=HKSAR, L=Hong Kong, O=Example Ltd., OU=Certificate Authority, CN=Example CA/emailAddress=ca@example.com
        Validity
            Not Before: Nov 20 18:15:25 2004 GMT
            Not After : Nov 20 18:15:25 2005 GMT
        Subject: C=CN, ST=HKSAR, L=Hong Kong, O=Example Ltd., OU=Web Team, CN=www.example.com/emailAddress=webmaster@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b9:c0:bf:1b:17:5d:d6:ff:f9:90:63:0b:af:a3:
                    a8:40:dd:c1:1c:5b:05:b8:06:8d:45:46:6c:e3:f2:
                    48:4c:66:b0:ed:f8:4a:c0:ec:99:bb:1d:38:01:44:
                    13:8d:ec:95:4d:f1:fa:4d:35:f5:03:41:96:21:2c:
                    1f:2a:4a:b1:36:0e:23:c7:d2:ce:aa:27:9c:32:78:
                    ca:1f:f7:f3:06:f0:99:13:58:8d:87:3d:66:b6:43:
                    e1:a7:15:95:f4:ae:a4:7a:e7:fa:9e:e2:d7:7d:4f:
                    cd:49:67:7d:11:8f:d5:59:44:17:d0:f5:03:9a:3c:
                    a7:ad:56:08:db:d6:65:d6:c3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                76:6F:7F:4C:9C:2A:87:40:5A:D4:0E:40:EE:B6:AD:3D:6E:12:0C:2D
            X509v3 Authority Key Identifier:
                keyid:51:D8:8E:8B:63:1D:F3:AF:CC:24:48:73:52:C9:F1:53:F6:B2:65:45
                DirName:/C=CN/ST=HKSAR/L=Hong Kong/O=Example Ltd./OU=Certificate Authority/CN=Example CA/emailAddress=ca@example.com
                serial:B2:7F:68:4D:80:D1:7B:A8

    Signature Algorithm: md5WithRSAEncryption
        2e:63:b0:8c:59:54:2c:ff:ea:3d:cb:d9:60:08:cf:53:c6:b2:
        dc:e2:74:4e:a3:33:05:15:13:89:e5:f2:27:b4:6b:a8:fb:7a:
        87:18:63:d6:4d:25:4a:c5:58:f6:cd:af:7f:12:a9:d3:ce:2e:
        dd:6d:d0:1f:70:88:c2:9c:06:f0:bd:97:f9:a7:40:a2:8e:1d:
        eb:ef:59:5d:6c:e2:fa:fc:b2:e2:20:f9:e5:d7:e4:c9:30:b5:
        1b:c5:d6:0f:33:0c:40:05:7a:17:e5:8e:bb:4d:6d:a1:dd:8d:
        56:4a:34:58:d7:8f:c5:ba:f4:bd:84:79:a2:5a:44:a2:b1:3c:
        4f:7c
