Installing OpenSSL on Windows 7 and generating a digital certificate

Environment: Windows 7 64-bit, VS2013

Preparation: first download the latest openssl-1.0.2.tar.gz from http://www.openssl.org/source/ and extract it to C:\openssl-1.0.2.
Next, download ActivePerl from http://www.activestate.com/ActivePerl and install it on the C: drive, then run example.pl from the directory C:\Perl64\eg at the command line.
If it prints "Hello from ActivePerl!", Perl is installed correctly and the Perl-based steps of the OpenSSL build can be carried out. That completes the preparation.
 
Open the VS2013 command prompt with administrator privileges, change into the OpenSSL directory, and build it with the following steps:

 

Run 「perl Configure VC-WIN32 no-asm -DOPENSSL_USE_IPV6=0」. no-asm means the build does not use NASM; -DOPENSSL_USE_IPV6=0 disables IPv6 and avoids the error NMAKE : fatal error U1077: 'cl' : return code '0x2';

Run 「nmake -f ms\ntdll.mak」;

 

To check that the build succeeded, run 「nmake -f ms\ntdll.mak test」. Or: 「> cd out32dll」

 

After compilation, the \out32dll directory contains the static libraries, the dynamic link libraries, the OpenSSL executable and the test programs: openssl.exe, libeay32.dll and ssleay32.dll.

 

Create the folder c:/usr/local/ssl and copy openssl.cnf from openssl\apps into the out32dll directory; OpenSSL is then ready to use.

 

Generating a key pair (public-private key pair)

First you need to generate an RSA key pair (public-private key pair), using the command 「openssl genrsa -out <private key file> [-des|-des3|-idea] <size>」:

$ openssl genrsa -out www.example.com.key -des3 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for www.example.com.key: Don't show my passphrase
Verifying - Enter pass phrase for www.example.com.key: Don't show my passphrase

The last argument of the command is the size of the key pair in bits; given the performance of today's computers, 2048 bits is the recommended, safer choice. Because the option -des3 was given, the generated key is encrypted with Triple DES to protect the private key. You can also replace -des3 with -des or -idea to encrypt the private key with DES or IDEA instead (DES, of course, is far too weak and should never be used). An encrypted private key must be decrypted with its passphrase every time it is used, which is the safer arrangement. However, if the certificate is used by a server such as Apache HTTPd, the passphrase has to be entered every time the server starts. Many people therefore omit the -des3 option and produce an unencrypted private key (no passphrase is asked for and the key is not encrypted):

$ openssl genrsa -out www.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)

This command is almost identical to the one above, except that this time you are not asked for a passphrase. It certainly spares you from typing the passphrase every time, but anyone who simply copies the private key file can then misuse the certificate directly, which is very dangerous.

When finished, the new key is stored in PKCS#1 PEM format in the key file www.example.com.key (although the header reads RSA PRIVATE KEY, the content also contains the material from which the corresponding public key is derived):

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

The key above is not encrypted. An encrypted key carries a 「Proc-Type: 4,ENCRYPTED」 header:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B
 
-----END RSA PRIVATE KEY-----

Generating a Certificate Signing Request (CSR)

Once you have a key pair, you need a trusted party to certify that the public key belongs to you. To that end you generate a Certificate Signing Request (CSR) for the public key and have it signed by a Certificate Authority (CA) before it can be used. To generate the CSR, use the command 「openssl req -new -key <key file> > <CSR file>」:

$ openssl req -new -key www.example.com.key > www.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:HKSAR
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:Example Ltd.

The command above prompts for the information to be placed in the certificate, extracts the public key from the key file, and produces the CSR. Remember that the Common Name must be the full name of the website that will use the certificate (its FQDN, Fully Qualified Domain Name); if you get it wrong and have already sent the request to the CA, the money is wasted.

The resulting CSR is written to www.example.com.csr:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

You then submit this CSR file to the CA; once the CA has verified your details, it signs the request and issues your certificate.
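The key and CSR steps above, as an added shell example that is not part of the original post: it runs them without prompts and then checks the things that matter before the CSR goes to a CA, namely that a key meant to be protected really is encrypted, that the modulus is 2048 bits, that the Common Name is the server's FQDN, and that the CSR carries the public key belonging to the key file. It assumes an `openssl` binary on PATH; the file names and passphrase are constructed for the demonstration.

```shell
# Added example, not from the original post. Assumes `openssl` is on PATH;
# file names and passphrases passed in are constructed by the caller.
set -eu

# Unencrypted key (the `openssl genrsa -out ... 2048` form from the text).
gen_plain_key() {            # gen_plain_key KEYFILE BITS
  openssl genrsa -out "$1" "$2" 2>/dev/null
}

# Encrypted key (the `-des3` form); the passphrase comes from an argument
# instead of a prompt so the script can run unattended.
gen_des3_key() {             # gen_des3_key KEYFILE BITS PASSPHRASE
  openssl genrsa -des3 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
}

# True (exit 0) when the file cannot be read without its passphrase, i.e.
# the private key really is encrypted. Works for both the legacy
# "Proc-Type: 4,ENCRYPTED" PEM and the PKCS#8 form newer OpenSSL writes.
key_is_encrypted() {         # key_is_encrypted KEYFILE
  ! openssl pkey -in "$1" -noout -passin pass:__wrong__ >/dev/null 2>&1
}

# Print the modulus size in bits ("2048" for the tutorial's key).
key_bits() {                 # key_bits KEYFILE [PASSPHRASE]
  openssl pkey -in "$1" -noout -text -passin "pass:${2:-}" |
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Build the CSR with the same DN as the interactive session in the text,
# supplying it via -subj so nothing has to be typed at the prompts.
make_csr() {                 # make_csr KEYFILE CSRFILE FQDN
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=HK/ST=HKSAR/L=Hong Kong/O=Example Ltd./OU=Web Team/CN=$3/emailAddress=webmaster@example.com"
}

# Print the Common Name the CSR actually carries; compare it with the
# server's FQDN before paying a CA to sign the request.
csr_cn() {                   # csr_cn CSRFILE
  openssl req -in "$1" -noout -subject | sed -n 's#.*CN *= *\([^,/]*\).*#\1#p'
}

# True when the public key embedded in the CSR is the one derived from
# KEYFILE (compared via SHA-256 of the DER-encoded SubjectPublicKeyInfo).
csr_matches_key() {          # csr_matches_key CSRFILE KEYFILE
  _a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  _b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}
```

A typical run is `gen_plain_key www.example.com.key 2048`, then `make_csr www.example.com.key www.example.com.csr www.example.com`, and finally `csr_cn` and `csr_matches_key` on the result before submitting it.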
