How to set up your own Certificate Authority
============================================
Note: this howto requires the openssl binary, as well as classic
UNIX tools (cat, touch, echo). If you use Windows, please consider
installing Cygwin -- see http://cygwin.com/
1. Configure OpenSSL
--------------------
First of all, create sslconf.txt in the current directory
(a basic example is provided at the end of this file).
cat > sslconf.txt <<"EOF"
[paste contents here]
EOF
Then you need to create the database and a starting serial number:
touch index
echo "01" > serial
mkdir newcerts
2. Generate the CA certificate
------------------------------
openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
-set_serial 0 -text -keyout test-ca.key -out test-ca.crt
3. Generate the private keys and certificate requests
-----------------------------------------------------
openssl genrsa -out server1.key 2048
openssl genrsa -out server2.key 2048
openssl genrsa -out client1.key 2048
openssl genrsa -out client2.key 2048
openssl req -config sslconf.txt -new -key server1.key -out server1.req
openssl req -config sslconf.txt -new -key server2.key -out server2.req
openssl req -config sslconf.txt -new -key client1.key -out client1.req
openssl req -config sslconf.txt -new -key client2.key -out client2.req
4. Issue and sign the certificates
----------------------------------
openssl ca -config sslconf.txt -in server1.req -out server1.crt
openssl ca -config sslconf.txt -in server2.req -out server2.crt
openssl ca -config sslconf.txt -in client1.req -out client1.crt
openssl ca -config sslconf.txt -in client2.req -out client2.crt
5. To revoke a certificate and update the CRL
---------------------------------------------
openssl ca -config sslconf.txt -revoke server1.crt
openssl ca -config sslconf.txt -revoke client1.crt
openssl ca -config sslconf.txt -gencrl -out crl.pem
6. To display a certificate and verify its validity
---------------------------------------------------
openssl x509 -in server2.crt -text -noout
cat test-ca.crt crl.pem > ca_crl.pem
openssl verify -CAfile ca_crl.pem -crl_check server2.crt
rm ca_crl.pem
7. To export a certificate into a .pfx file
-------------------------------------------
openssl pkcs12 -export -in client2.crt -inkey client2.key \
-out client2.pfx
##================================================================
##============== Example OpenSSL configuration file ==============
##================================================================
# References:
#
# /etc/ssl/openssl.conf
# http://www.openssl.org/docs/apps/config.html
# http://www.openssl.org/docs/apps/x509v3_config.html
[ ca ]
default_ca = my_ca
[ my_ca ]
certificate = test-ca.crt
private_key = test-ca.key
database = index
serial = serial
new_certs_dir = newcerts
default_crl_days = 60
default_days = 730
default_md = sha1
policy = my_policy
x509_extensions = v3_usr
[ my_policy ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = my_req_dn
x509_extensions = v3_ca
[ my_req_dn ]
countryName = Country Name..............
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name....
localityName = Locality Name.............
0.organizationName = Organization Name.........
organizationalUnitName = Org. Unit Name............
commonName = Common Name (required)....
commonName_max = 64
emailAddress = Email Address.............
emailAddress_max = 64
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_usr ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
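The seven sections above are one procedure, so here is the whole flow run end to end as a script. This is an added example, not part of the original howto or of the PolarSSL distribution it ships with: it writes a trimmed copy of the configuration, builds the CA, issues two certificates, revokes one, publishes the CRL, exports the other to a .pfx, and exposes each check as a function whose exit status can be tested. Everything named in it (the scratch directory from mktemp, "Example Org", server1/server2, the "demo" PKCS#12 password) is constructed for the demonstration. It deviates from the page in three ways, each marked in the comments: sha256 instead of sha1 as the CA's signature digest, -subj and -batch so nothing prompts, and no -set_serial 0 on the CA certificate, so openssl picks a random serial.

```shell
#!/bin/sh
# Added example, not part of the original howto: runs sections 1-7 end to end
# in a scratch directory and exposes the outcome through functions whose exit
# status can be checked. Only the openssl binary and POSIX tools are needed.
# All names below (Example Org, server1/server2, the "demo" .pfx password)
# are constructed for this demonstration.

# Sets up the CA, issues two certificates, revokes one, publishes a CRL and
# exports the other to PKCS#12. Prints the working directory on success.
# Runs in a subshell so the cd does not leak into the caller.
ca_demo() (
  work="$(mktemp -d)" || exit 1
  cd "$work" || exit 1
  mkdir newcerts || exit 1

  # Section 1: configuration plus the empty database and starting serial.
  # Deliberate deviations from the page's example config: sha256 instead of
  # sha1 as the signature digest, and a DN section trimmed to the two fields
  # the policy uses, since -subj supplies the DN without prompting.
  cat > sslconf.txt <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
certificate = test-ca.crt
private_key = test-ca.key
database = index
serial = serial
new_certs_dir = newcerts
default_crl_days = 60
default_days = 730
default_md = sha256
policy = my_policy
x509_extensions = v3_usr
[ my_policy ]
organizationName = match
commonName = supplied
[ req ]
distinguished_name = my_req_dn
x509_extensions = v3_ca
[ my_req_dn ]
organizationName = Organization Name
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_usr ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  touch index
  echo "01" > serial

  # Section 2: self-signed CA certificate (-nodes: unencrypted key, no prompt).
  openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 -nodes \
    -subj "/O=Example Org/CN=Example Test CA" \
    -keyout test-ca.key -out test-ca.crt >/dev/null 2>&1 || exit 1

  # Sections 3-4: key and CSR per name, then the CA signature. The policy's
  # "organizationName = match" means O must equal the CA's O or signing fails.
  for name in server1 server2; do
    openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1 || exit 1
    openssl req -config sslconf.txt -new -key "$name.key" \
      -subj "/O=Example Org/CN=$name.example.test" \
      -out "$name.req" >/dev/null 2>&1 || exit 1
    openssl ca -config sslconf.txt -batch -in "$name.req" \
      -out "$name.crt" >/dev/null 2>&1 || exit 1
  done

  # Section 5: revoke server1 (its index row is marked R) and regenerate the CRL.
  openssl ca -config sslconf.txt -revoke server1.crt >/dev/null 2>&1 || exit 1
  openssl ca -config sslconf.txt -gencrl -out crl.pem >/dev/null 2>&1 || exit 1

  # Section 7: bundle server2's certificate and key into a .pfx.
  openssl pkcs12 -export -in server2.crt -inkey server2.key \
    -passout pass:demo -out server2.pfx >/dev/null 2>&1 || exit 1

  echo "$work"
)

# Section 6: exit 0 only if $2.crt chains to the CA and is not on the CRL.
ca_verify() {
  cat "$1/test-ca.crt" "$1/crl.pem" > "$1/ca_crl.pem" || return 1
  openssl verify -CAfile "$1/ca_crl.pem" -crl_check "$1/$2.crt" >/dev/null 2>&1
}

# Exit 0 if the .pfx unpacks (with the demo password) to a certificate
# whose subject contains $3.
ca_pfx_has_subject() {
  openssl pkcs12 -in "$1/$2.pfx" -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | grep -q "$3"
}

# Run directly with "run" as the first argument to see both verify outcomes.
if [ "${1:-}" = "run" ]; then
  dir="$(ca_demo)" || exit 1
  ca_verify "$dir" server2 && echo "server2: valid"
  ca_verify "$dir" server1 || echo "server1: rejected (revoked)"
fi
```

The point the script makes that the individual commands do not: the CA's private key stays in the scratch directory alongside the issued certificates, the verification in section 6 only rejects server1 because the CRL is concatenated into the file passed to -CAfile, and without -crl_check (or with a stale crl.pem) the revoked certificate still verifies cleanly.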
Source: "RSA, SHA, DES, SSL and other encryption/decryption source code" (CSDN download), uploaded 2011-04-27 23:51:52; 328KB TGZ, 225 files (46 .c, 30 .pem, 28 .h).
Description: A very small and easy-to-use library; the programs directory contains usage examples. Simpler to use than other libraries found online.
Comment by Sallyhi (2014-04-01): Quite good, well suited for learning.
Uploaded by typ678.