Configuring CA certificate issuance and requests between server and client
I. Create the server-side CA certificate
1.) `cd /etc/pki/tls/` to enter this directory and `vim openssl.cnf` to edit the file: change line 45 to dir = /etc/pki/CA; line 132 holds the default values used when creating a certificate or a certificate request and can be adjusted.
2.) `cd ../CA` to move to this directory, `mkdir -pv certs crl newcerts` to create the three directories certs, crl and newcerts, `touch index.txt` and `touch serial` to create the two files index.txt and serial, and `echo 100731 > serial` to write a starting serial number into serial.
3.) `cd private/` to enter this directory and `openssl genrsa 1024 > cakey.pem` to create a private key for the server's CA.
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)
4.) `cd ..` to return to the previous directory and `openssl req -new -x509 -key private/cakey.pem -out cacert.pem` to create a certificate for the server with the .pem suffix (-x509 makes it self-signed, so it serves as the CA certificate).
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [Zhengzhou]:
Organization Name (eg, company) [RHCE]:
Organizational Unit Name (eg, section) [TERM]:
Common Name (eg, your name or your server's hostname) []:zzuwhx.example.com
Email Address []:root@example.com
II. Create the client's certificate signing request
1.) `openssl genrsa 1024 > client.key` creates a private key for the client.
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)
2.) `openssl req -new -key client.key -out client.csr` generates a certificate signing request for the client.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:RHCE
Organizational Unit Name (eg, section) []:TERM
Common Name (eg, your name or your server's hostname) []:client.example.com
Email Address []:root@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.) `scp client.csr 192.168.0.11:/root` sends the client's certificate signing request to the server.
The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
RSA key fingerprint is d0:3d:ac:2b:e8:5e:47:b4:f5:ab:ed:c3:8b:37:6f:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.11' (RSA) to the list of known hosts.
root@192.168.0.11's password:
client.csr 100% 696 0.7KB/s 00:00
III. The server issues a certificate for the client's request
1.) `openssl ca -in /root/client.csr -out client.crt` has the server generate a certificate for the client from the signing request the client supplied.
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1050417 (0x100731)
Validity
Not Before: Jul 31 02:45:09 2010 GMT
Not After : Jul 31 02:45:09 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = RHCE
organizationalUnitName = TERM
commonName = client.example.com
emailAddress = client@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A8:2A:D6:FA:BD:94:D1:01:6D:A9:84:3E:0D:FA:AE:5D:FA:79:22:CE
X509v3 Authority Key Identifier:
keyid:F4:3C:8D:FF:66:7A:D4:44:95:5E:C6:DB:29:57:FE:5B:8D:F8:4A:ED
Certificate is to be certified until Jul 31 02:45:09 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.) `scp client.crt 192.168.0.151:/root` sends the generated certificate from the server back to the client.
The authenticity of host '192.168.0.151 (192.168.0.151)' can't be established.
RSA key fingerprint is e1:07:e9:f1:61:1b:20:0e:8f:98:e3:cd:76:c2:21:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.151' (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for server51.example.com failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.0.151's password:
client.crt 100% 3244 3.2KB/s 00:00
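Sections I to III as one non-interactive script, added here as an example and not code from the original post. It builds the CA layout from section I in a scratch directory with its own minimal openssl.cnf (so /etc/pki/tls/openssl.cnf and /etc/pki/CA stay untouched and no root is needed), creates the client key and CSR from section II, signs the CSR with `openssl ca` as in section III, and then verifies that the issued certificate chains to the CA. The subject values, hostnames and the serial 100731 are the post's; the CA_ROOT scratch directory, the 2048-bit key size, the SHA-256 digest and the config section names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): CA setup, CSR, signing and
# verification in one script. The CA directory is a scratch copy of the
# /etc/pki/CA layout; /etc/pki/tls/openssl.cnf is not touched.
set -eu

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"     # stands in for /etc/pki/CA (assumption)
CA_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=RHCE/OU=TERM/CN=zzuwhx.example.com/emailAddress=root@example.com"
CLIENT_SUBJ="/C=CN/ST=Henan/L=Zhengzhou/O=RHCE/OU=TERM/CN=client.example.com/emailAddress=root@example.com"

# Section I, steps 1-2: directories, empty index database, starting serial and
# the [ca] settings the post edits into openssl.cnf (dir = ...).
setup_ca_layout() {
    mkdir -p "$CA_ROOT/certs" "$CA_ROOT/crl" "$CA_ROOT/newcerts" "$CA_ROOT/private"
    chmod 700 "$CA_ROOT/private"        # only the CA operator may read the CA key
    : > "$CA_ROOT/index.txt"
    echo 100731 > "$CA_ROOT/serial"     # read as hex: the post's cert shows 0x100731
    cat > "$CA_ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA_ROOT
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Section I, steps 3-4: CA private key (written under a restrictive umask) and
# the self-signed CA certificate. -subj/-batch replace the interactive DN prompts.
make_ca_cert() {
    (umask 077; openssl genrsa -out "$CA_ROOT/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -batch -config "$CA_ROOT/openssl.cnf" \
        -key "$CA_ROOT/private/cakey.pem" -subj "$CA_SUBJ" -days 3650 \
        -out "$CA_ROOT/cacert.pem"
}

# Section II: client key and CSR (done on the client in the post, then scp'd over).
make_client_csr() {
    (umask 077; openssl genrsa -out "$CA_ROOT/client.key" 2048 2>/dev/null)
    openssl req -new -batch -config "$CA_ROOT/openssl.cnf" \
        -key "$CA_ROOT/client.key" -subj "$CLIENT_SUBJ" -out "$CA_ROOT/client.csr"
}

# Section III: the CA signs the CSR. policy_match makes the CA refuse a CSR whose
# C/ST/O differ from the CA's own subject.
sign_client_csr() {
    openssl ca -batch -config "$CA_ROOT/openssl.cnf" \
        -in "$CA_ROOT/client.csr" -out "$CA_ROOT/client.crt"
}

# Defender's check after issuance: does client.crt really chain to cacert.pem?
verify_client_cert() {
    openssl verify -CAfile "$CA_ROOT/cacert.pem" "$CA_ROOT/client.crt" >/dev/null 2>&1
}
issued_count()   { grep -c '^V' "$CA_ROOT/index.txt"; }                    # valid entries in the CA database
issued_subject() { openssl x509 -in "$CA_ROOT/client.crt" -noout -subject; }

setup_ca_layout
make_ca_cert
make_client_csr
sign_client_csr
verify_client_cert && echo "client.crt verifies against cacert.pem; CA files left in $CA_ROOT"
```

Two details are worth checking against the post's own output: after signing, `serial` holds 100732 and `index.txt` has one `V` (valid) entry for the new certificate, and the issued subject has no localityName, because `openssl ca` silently drops any DN field the policy section does not list (the post's output above shows the same: Zhengzhou is absent). Add `localityName = optional` to the policy if the locality should be kept.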
OpenSSL extras
1.) md5sum file computes the file's MD5 fingerprint (128 bits)
2.) shasum file computes the file's SHA-1 fingerprint (160 bits)
3.) openssl dgst -sha1 file hashes the file with SHA-1
4.) openssl sha1 < file same as above
5.) openssl passwd -1 generates a user password hash with a random salt
6.) openssl req -noout -in server.csr -text displays a "certificate signing request"
7.) openssl genrsa -out server.key 1024 creates a private key named server.key
8.) openssl req -new -x509 -key server.key -out server.crt creates a certificate named server.crt
9.) openssl version shows which version is installed
10.) openssl ciphers lists the cipher suites OpenSSL offers
11.) openssl speed rsa benchmarks the RSA algorithm
12.) openssl enc -des3 -salt -a -in file_1 -out file_2 encrypts file_1 into file_2 with the des3 algorithm (salted, base64 output); decrypt with the -d option
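Items 2 to 4 and 12 above combined into one round-trip check, as an added example that is not part of the original post: a constructed file is encrypted with the salted, base64-armoured des3 mode, decrypted again with `-d`, and the SHA-1 digests from `openssl dgst -sha1` are compared to confirm the plaintext came back intact. The `-pbkdf2` option and the passphrase are this example's additions: current OpenSSL warns that the default key derivation is deprecated, and the passphrase is only a demo value.

```shell
#!/bin/sh
# Added example (not from the original post): des3 encrypt/decrypt round-trip
# with digest comparison. WORK, PASS and the input file are constructed here.
set -eu

WORK="$(mktemp -d)"
PASS="example-passphrase"   # demo value; in practice prefer -pass file:... or env:...

printf 'sample plaintext for the enc round-trip\n' > "$WORK/file_1"   # constructed input

# Item 12: salted (-salt), base64-armoured (-a) 3DES-CBC. -pbkdf2 replaces the
# deprecated single-pass MD5 key derivation that older examples rely on.
encrypt_file() {   # $1 = plaintext, $2 = ciphertext (text, because of -a)
    openssl enc -des3 -salt -a -pbkdf2 -pass "pass:$PASS" -in "$1" -out "$2"
}
decrypt_file() {   # same options plus -d, as the post says
    openssl enc -des3 -d -a -pbkdf2 -pass "pass:$PASS" -in "$1" -out "$2"
}

# Items 3-4: the hex digest printed by `openssl dgst -sha1 file` (last field of
# "SHA1(file)= <hex>"), identical to `openssl sha1 < file`.
sha1_of() {
    openssl dgst -sha1 "$1" | awk '{print $NF}'
}

encrypt_file "$WORK/file_1" "$WORK/file_2"
decrypt_file "$WORK/file_2" "$WORK/file_3"

# The decrypted copy must hash to the same value as the original, and the
# ciphertext must differ from the plaintext. With -salt, file_2 changes on every
# run even for the same input and passphrase; its base64 starts with the
# "Salted__" marker followed by the random salt.
roundtrip_ok() {
    [ "$(sha1_of "$WORK/file_1")" = "$(sha1_of "$WORK/file_3")" ] && \
    ! cmp -s "$WORK/file_1" "$WORK/file_2"
}

roundtrip_ok && echo "round-trip OK: $(sha1_of "$WORK/file_1")"
```

3DES is kept here only because it is the cipher the list names; for anything new, `-aes-256-cbc` (or an AEAD mode outside `openssl enc`) is the appropriate choice, and the same round-trip check applies unchanged.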
On Red Hat there is an even simpler way to create certificates and keys:
First change to /etc/pki/tls/certs: `cd /etc/pki/tls/certs`; from then on the make command can create a certificate or a key, and the suffix tells certificates and keys apart: `.key` is a private key, `.pem` and `.crt` are certificates.