1. Configure the OpenSSL environment
vi /usr/lib/ssl/openssl.cnf
Edit the following entries:
dir = ssl
new_certs_dir = $dir
Assume the working directory is /apache/conf. First create an ssl directory under the working directory, then create an empty index.txt file inside ssl, and finally create a serial file inside ssl whose content is 01.
cd /apache/conf
mkdir ssl
cd ssl
touch index.txt
touch serial
vi serial ## enter 01 as the file content
2. Create the third-party CA certificate
The third-party CA certificate is the one to be installed in the browsers on the client side. Assume the working directory is /apache/conf.
cd /apache/conf
Create ca.key. The command prompts for a pass phrase; after entering it twice the key is written. Write the pass phrase down, as it is needed later.
#1024 is the RSA key length; it can be changed to 2048, but note that some services do not support RSA 2048.
openssl genrsa -des3 -out ssl/ca.key 1024
Create the ca.csr file. After running the command, it first asks for the ca.key pass phrase.
openssl req -new -key ssl/ca.key -out ssl/ca.csr
Once the pass phrase is accepted, you are asked for the certificate information.
Country Name (2 letter code) [AU]:TW #enter the two-letter country code, e.g. TW
State or Province Name (full name) [Some-State]:Taiwan #enter the state or province
Locality Name (eg, city) []:Taicheng #enter the city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany #enter the company name
Organizational Unit Name (eg, section) []:IT #department
Common Name (eg, YOUR name) []:MyCompany Industry Co., Ltd. #the name the certificate is issued under
Email Address []:admin@sample.com #the administrator's e-mail address
..
..
There are two more prompts at the end; just press Enter for each.
Create the ca.crt file. This is the file that is given to client browsers to install.
#3650 is the certificate's validity period in days.
#As far as is currently known, RSA 1024 can be given 36500 (100 years)
#and RSA 2048 can be given 6570 (18 years); a long validity period is recommended.
#Running the following command will prompt for the pass phrase.
openssl x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt
3. Create the server certificate
Assume the working directory is /apache/conf.
cd /apache/conf
Create server.key
#1024 is the RSA key length; it can be changed to 2048
openssl genrsa -out ssl/server.key 1024
Create the server.csr file and enter the server's information
openssl req -new -key ssl/server.key -out ssl/server.csr
When run, the command asks for the server's information. Apart from the Common Name, the fields are the same as when creating the ca.csr request file.
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taicheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.myweb.com ## enter the website's host name
Email Address []:admin@sample.com
Create the server-side server.crt file
#3650 is the certificate's validity period in days
openssl ca -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt
After running the command, you are asked for the ca.key pass phrase. Once it is accepted, the certificate details are displayed; answer y twice to confirm, and the server.crt file is created.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ssl/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 7 (0x7)
Validity
Not Before: Jun 29 02:11:53 2009 GMT
Not After : Jun 27 02:11:53 2019 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
organizationName = MyCompany
organizationalUnitName = IT
commonName = www.myweb.com
emailAddress = admin@sample.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:23:78:D1:6F:48:0C:3A:16:95:C0:55:7E:7F:14:7D:63:E3:5E:DD
X509v3 Authority Key Identifier:
DirName:/C=TW/ST=Taiwan/L=Taicheng/O=MyCompany/OU=IT/CN=MyCompany Industry Co., Ltd./emailAddress=admin@sample.com
serial:9E:62:79:CC:6E:FF:35:24
Certificate is to be certified until Aug 5 14:16:42 2031 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
If the error message "I am unable to access the ./demoCA/newcerts directory" appears, the directory and files have to be created by hand; run the following commands in the working directory.
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
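Added example, not part of the original tutorial: the whole procedure above (CA key and certificate, server key, CSR and signing with openssl ca) as a non-interactive POSIX shell script that carries its own openssl.cnf in a scratch directory and finishes with a chain check via openssl verify. The scratch directory, the pass phrase ca-test-pass, the 2048-bit keys and the subjectAltName extension are assumptions of this example, not values from the tutorial.

```shell
# Added example (not from the tutorial): the same CA -> server flow run without
# prompts in a scratch directory with its own openssl.cnf, then verified.
# Directory, names and the pass phrase ca-test-pass are constructed here.
set -eu

build_ca_and_sign() {
  work="$1"                                # scratch working directory (constructed)
  mkdir -p "$work/newcerts"; : > "$work/index.txt"; echo 01 > "$work/serial"
  # Self-contained config standing in for the edits to /usr/lib/ssl/openssl.cnf.
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.myweb.com
EOF
  # CA key (pass-phrase protected) and self-signed CA certificate marked CA:TRUE.
  openssl genrsa -aes256 -passout pass:ca-test-pass -out "$work/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$work/ca.key" -passin pass:ca-test-pass \
    -subj "/CN=MyCompany Industry Co., Ltd." -config "$work/openssl.cnf" -out "$work/ca.crt"
  # Server key and CSR, then sign with the CA; -batch answers the two y/n prompts.
  openssl genrsa -out "$work/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$work/server.key" -subj "/CN=www.myweb.com" \
    -config "$work/openssl.cnf" -out "$work/server.csr"
  openssl ca -batch -config "$work/openssl.cnf" -days 825 -cert "$work/ca.crt" \
    -keyfile "$work/ca.key" -passin pass:ca-test-pass -extensions server_ext \
    -in "$work/server.csr" -out "$work/server.crt" 2>/dev/null
  # Check the chain and the SAN that browsers require (a CN alone is not enough).
  openssl verify -CAfile "$work/ca.crt" "$work/server.crt" | grep -q ': OK$'
  openssl x509 -in "$work/server.crt" -noout -text | grep -q 'DNS:www.myweb.com'
}

WORK="$(mktemp -d)"
build_ca_and_sign "$WORK"
echo "CA and server certificate written to $WORK"
```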