Building a CA with OpenSSL

The lab uses three machines:
CA server: 192.168.10.254
mail server: 192.168.10.20
mail client: 192.168.10.19
It was done on Red Hat Enterprise Linux Server 5 update 4.

1. Setting up the CA (192.168.10.254)

[root@server1 tls]# pwd
/etc/pki/tls
[root@server1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@server1 tls]# rpm -qa | grep openssl
openssl-0.9.8e-12.el5
# SSL on Linux is provided by OpenSSL.

- Configure openssl.cnf
[root@server1 tls]# vim openssl.cnf
[ CA_default ]
dir = /etc/pki/CA                    # where the CA lives
certs = $dir/certs                   # certificates the CA has signed
crl_dir = $dir/crl                   # certificate revocation lists (revoked certificates)
database = $dir/index.txt            # record of every certificate issued or revoked
new_certs_dir = $dir/newcerts        # a copy of each newly issued certificate
certificate = $dir/my-ca.crt         # the CA certificate (public; anyone may have it)
serial = $dir/serial                 # serial number, incremented after every signature
crlnumber = $dir/crlnumber           # CRL number
crl = $dir/my-ca.crl                 # the current CRL
private_key = $dir/private/my-ca.key # The private key
RANDFILE = $dir/private/.rand        # private random number file
x509_extensions = usr_cert           # The extentions to add to the cert
default_days = 365                   # certificate validity
default_crl_days= 30                 # how often the CRL is refreshed
default_md = sha1                    # which md to use.
preserve = no                        # keep passed DN ordering

[ policy_match ]
countryName = match                  # country code must match the CA's exactly
stateOrProvinceName = match          # same for state/province
organizationName = match             # and for the organization
organizationalUnitName = optional    # optional: may differ from the CA's or be left out
commonName = supplied                # identifies the subject; must be present in the request, but is not compared with the CA's
emailAddress = optional

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN             # country code
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hubei  # state or province
localityName = Locality Name (eg, city)
localityName_default = Wuhan         # city
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example, Inc.   # organization
# openssl.cnf is done
(default_md = sha1 is the stock RHEL 5 value; current browsers and mail clients reject SHA-1 signatures, so set it to sha256 on any CA built today.)

[root@server1 tls]# cd ./CA/
[root@server1 CA]# ls
private
[root@server1 CA]# mkdir {certs,newcerts,crl}        # create the directories defined above
[root@server1 CA]# ls
certs  crl  newcerts  private
[root@server1 CA]# echo 00 > serial; touch index.txt # set the starting serial number and create an empty index.txt
[root@server1 CA]# echo 00 > crlnumber               # likewise for the CRL number

- Generate the CA's own private key
[root@server1 CA]# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
....+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key: redhat               # passphrase for the private key
Verifying - Enter pass phrase for private/my-ca.key: redhat   # confirm it
(umask 077 makes the key readable by root only, and -des3 encrypts it under the passphrase; both matter because anyone holding this file can issue certificates as the CA.)

- Generate the self-signed CA certificate from the private key (my-ca.crt is the CA's public certificate, the file that gets distributed to clients):
[root@server1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 -out my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [Example, Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# The CA is now complete. Next, verify it with a service.

2. Mail server (192.168.10.20)

[root@station20 ~]# yum install -y dovecot postfix system-switch-mail
[root@station20 ~]# vim /etc/postfix/main.cf
inet_interfaces = all
[root@station20 ~]# vim /etc/dovecot.conf
protocols = imaps pop3s
[root@station20 ~]# service postfix restart
[root@station20 ~]# service dovecot restart

- Generate the private key
[root@station20 ~]# openssl genrsa 1024 > station20.key
Generating RSA private key, 1024 bit long modulus
....+++
e is 65537 (0x10001)
[root@station20 ~]# ls
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  station20.key
(Two things to correct in practice: 1024-bit RSA is below the 2048-bit minimum accepted today, and unlike the CA step this key is written with the default umask, so it is created world-readable in root's home directory until chmod 600.)

- Generate a certificate request from the private key
[root@station20 ~]# openssl req -new -key station20.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Hubei
Locality Name (eg, city) [Newbury]:Wuhan
Organization Name (eg, company) [My Company Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []:        # all of the above must be the same as on the CA (policy_match)
Common Name (eg, your name or your server's hostname) []:   # clients compare this with the server's hostname, so it should be the mail server's FQDN
Email Address []:
Please enter the following 'extra' attributes
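Carrying the two sections above through to the end, as an added example that is not part of the original tutorial: the script below builds the CA layout the page configures, but in a scratch directory rather than /etc/pki, generates the mail server's key and CSR, and then signs the CSR with the CA and verifies the result, which is the step the page does not reach. It replaces the interactive prompts with -subj and -passin/-passout, and the 2009 defaults with current ones (sha256 instead of sha1, AES-256 instead of des3, a 2048-bit server key, a random starting serial). The hostname mail.example.com, the CA's common name and the usr_cert/v3_ca extension sections are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): rebuild the page's CA layout in
# a scratch directory, then finish the procedure the page stops short of: sign
# the mail server's CSR, verify the chain, and let policy_match reject a request
# whose O differs from the CA's.  mail.example.com, sha256, AES-256 and the
# random serial are assumptions replacing the page's sha1/des3/00.
set -eu

CA_PASS=redhat   # the page's passphrase, passed with -passin/-passout instead of a prompt

# Minimal openssl.cnf mirroring the page's [CA_default] and [policy_match];
# $1 = absolute CA directory, written into the file as "dir".
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/my-ca.crt
serial           = \$dir/serial
private_key      = \$dir/private/my-ca.key
x509_extensions  = usr_cert
default_days     = 365
default_md       = sha256
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# Section 1 of the page: directories, serial, index, CA key, self-signed CA cert.
build_ca() {   # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    openssl rand -hex 8 > "$1/serial"   # unpredictable serial rather than 00
    : > "$1/index.txt"
    write_ca_config "$1"
    (umask 077; openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$1/private/my-ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/my-ca.key" \
        -passin "pass:$CA_PASS" -days 3650 \
        -subj "/C=CN/ST=Hubei/L=Wuhan/O=Example, Inc./CN=Example Root CA" \
        -out "$1/my-ca.crt"
}

# Section 2 of the page, mail-server side: private key and CSR.  $1 = work dir,
# $2 = CA dir (only for its openssl.cnf; the real server uses the stock file),
# $3 = organizationName, $4 = commonName (the server's hostname).
make_server_csr() {
    mkdir -p "$1"
    (umask 077; openssl genrsa -out "$1/station20.key" 2048 2>/dev/null)
    openssl req -new -config "$2/openssl.cnf" -key "$1/station20.key" \
        -subj "/C=CN/ST=Hubei/L=Wuhan/O=$3/CN=$4" -out "$1/dovecot.csr"
}

# The CA signs the request; returns non-zero when policy_match is violated.
sign_csr() {   # $1 = CA dir, $2 = CSR, $3 = output certificate
    openssl ca -batch -notext -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$2" -out "$3" >/dev/null 2>&1
}

# The check a mail client performs: 0 when the leaf chains to the given CA.
verify_cert() {   # $1 = CA cert, $2 = leaf cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate carries basicConstraints CA:FALSE (usr_cert applied).
is_leaf_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

run_demo() {
    work=$(mktemp -d)
    build_ca "$work/CA"
    make_server_csr "$work/srv" "$work/CA" "Example, Inc." mail.example.com
    sign_csr "$work/CA" "$work/srv/dovecot.csr" "$work/srv/dovecot.crt"
    verify_cert "$work/CA/my-ca.crt" "$work/srv/dovecot.crt" &&
        echo "dovecot.crt chains to my-ca.crt"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then run_demo; fi
```

Two behaviours of openssl ca are worth knowing when reading the transcript's "must match the CA" comments: a request whose C, ST or O differs from the CA certificate's is refused outright, and the issued subject is assembled only from the fields listed in policy_match, so with the stock section (which has no localityName entry) the L=Wuhan typed at the prompt does not appear in the signed certificate.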