A few simple OpenSSL commands
Published: 2012/8/10 15:18:42
OpenSSL is extremely powerful. Here I only walk through a few simple OpenSSL commands: generating a private key, generating a certificate signing request, issuing a certificate, and, acting as a CA, generating a self-signed CA certificate.
1: Generate the CA's self-signed certificate

Change into the CA directory; the CA certificate must be created here:
# cd /etc/pki/CA

Generate the CA's private key (the original wrote the output path as /privat/my.key, but the certificate command below reads private/cakey.pem, so that path is used here):
# openssl genrsa 2048 > private/cakey.pem

Edit the OpenSSL configuration and set the dir option under [ CA_default ] to /etc/pki/CA:
# vim /etc/pki/tls/openssl.cnf

When a certificate is issued, OpenSSL automatically writes a copy of it, named by serial number, into the newcerts directory, so that directory must exist first; otherwise issuing the certificate fails with an error that the file does not exist:
# mkdir ./newcerts

Create the serial-number file and the index database (no space inside the braces, or the shell creates a file literally named "serial "):
# touch ./{serial,index.txt}

Set the initial serial number:
# echo "00" > ./serial

Generate the CA certificate (this is the req subcommand with -x509; a bare "openssl -x509" is not a valid invocation):
# openssl req -new -x509 -key private/cakey.pem -out ./cacert.pem -days 1000

2: Signing a certificate

# mkdir /root/testcrt
# cd /root/testcrt

Generate the private key:
# openssl genrsa 1024 > my.key
Generating RSA private key, 1024 bit long modulus
..........................++++++
...++++++
e is 65537 (0x10001)
----------------------------------

Extract the public key from the key just generated into test.pub (the original describes this step as viewing the key file):
# openssl rsa -in my.key -pubout -out test.pub

Generate the certificate signing request:
# openssl req -new -key my.key -out my.csr
--------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NA
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:CA
Organizational Unit Name (eg, section) []:station173.example.com
Common Name (eg, your name or your server's hostname) []:a.example.com
Email Address []:root@a.example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---------------------------------------------------

Have the CA issue a certificate for the request:
# openssl ca -in my.csr -out my.crt -days 1000
----------------------------------------------------
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Feb 25 15:28:21 2010 GMT
            Not After : Nov 21 15:28:21 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = CA
            organizationalUnitName    = station173.example.com
            commonName                = a.example.com
            emailAddress              = root@a.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:66:7E:D6:4E:70:0F:60:3B:CE:D8:7F:56:B2:D7:7C:64:8A:4B:25
            X509v3 Authority Key Identifier:
                keyid:CB:79:BF:95:34:53:96:EE:79:8B:48:C2:6E:77:B4:E6:AB:23:C0:F3

Certificate is to be certified until Nov 21 15:28:21 2012 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
------------------------------------------------------------

Inspect the issued certificate:
# openssl x509 -in my.crt -noout -text
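As an added example (not part of the original post), here are the same two steps as one non-interactive script: it builds the CA in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, signs a request for a.example.com, then verifies the issued certificate against the CA and checks that it carries CA:FALSE. The function name mini_ca, the CA name "Example CA" and the 2048-bit end-entity key are this example's own choices.

```shell
# Added example, not from the original post: the post's two steps run
# non-interactively in a scratch directory with a minimal openssl.cnf instead
# of /etc/pki/CA. mini_ca and "Example CA" are this example's own names.
set -eu
# mini_ca DIR: build the CA in DIR, issue a cert for a.example.com, verify it.
mini_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts" && touch "$dir/index.txt"
    echo 00 > "$dir/serial"          # initial serial number, as in the post
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Step 1: CA key and self-signed CA certificate (req -x509, not a bare -x509).
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 1000 -subj "/CN=Example CA" -config "$dir/openssl.cnf"
    # Step 2: end-entity key, CSR, and signing by the CA (-batch: no y/n prompts).
    openssl genrsa -out "$dir/my.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my.key" -out "$dir/my.csr" \
        -subj "/CN=a.example.com" -config "$dir/openssl.cnf"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -in "$dir/my.csr" \
        -out "$dir/my.crt" -days 1000 2>/dev/null
    # Checks: the issued cert chains to the CA and is itself marked CA:FALSE.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/my.crt" >/dev/null
    openssl x509 -in "$dir/my.crt" -noout -text | grep -q 'CA:FALSE'
    openssl x509 -in "$dir/my.crt" -noout -issuer -subject
}
```

Run it as `mini_ca "$(mktemp -d)"`; the only stdout is the issuer and subject of the issued certificate, and any failed step aborts the script because of set -e.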