SSL Certificates
To generate SSL keys, you can choose one of the methods below.
Locate CA.pl or CA.sh
- On Debian they are usually in /usr/lib/ssl/misc/
- On Mac OS X you will find them in /System/Library/OpenSSL/misc/
Creating a new CA
$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
........................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: [enter the pass phrase]
Verifying - Enter PEM pass phrase: [enter the pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee Polska
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Główny certyfikat
Email Address []:me@pigmej.eu
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
[...]
Certificate is to be certified until Oct 29 23:08:25 2011 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Generating a certificate request
$ /usr/lib/ssl/misc/CA.pl -newreq
Generating a 1024 bit RSA private key
..................++++++
..........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: [enter the pass phrase]
Verifying - Enter PEM pass phrase: [enter the pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee Polska
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.cherokee-project.pl
Email Address []:mail@cherokee-project.pl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
Signing the certificate
$ /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: [enter the pass phrase]
Check that the request matches the signature
Signature ok
Certificate Details:
[...]
Certificate is to be certified until Oct 29 23:19:29 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
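The three CA.pl steps above (new CA, certificate request, signing) can also be run directly with openssl and without prompts; the transcripts above show 1024-bit RSA keys, which is below current practice, so this version uses 2048-bit keys with SHA-256 and adds a subjectAltName. This is an added example, not part of the original page or of the Cherokee project. The file names, the CA subject "Example Root CA" and the CA_PASS environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. File names, the CA subject and
# the CA_PASS environment variable are assumptions made for illustration.

# make_ca DIR: CA key (encrypted with $CA_PASS) plus self-signed CA certificate.
make_ca() (
    umask 077                       # key files are never group/world readable
    mkdir -p "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1095 \
        -subj "/C=PL/O=Cherokee Polska/CN=Example Root CA" \
        -passout env:CA_PASS \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
)

# issue_cert DIR HOST: server key + request, then a 365-day certificate signed by the CA.
issue_cert() (
    umask 077
    # -nodes: the server key stays unencrypted so the web server can start unattended.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/C=PL/O=Cherokee Polska/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || exit 1
    # x509 -req does not copy request extensions by default; supply the SAN explicitly.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -sha256 -days 365 \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -passin env:CA_PASS \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
)

# verify_cert DIR HOST: succeeds only if the certificate chains to this CA.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# key_bits FILE: print the public key size of a certificate.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}
```

Export CA_PASS in the calling shell (for example after reading it from a prompt) before running make_ca and issue_cert, rather than storing the pass phrase in a script.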
Self-signed certificates
And now another way to generate certificates. Ramon Pons sent in this small script for creating self-signed certificates:
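#!/bin/sh
# Create a self-signed certificate; the unencrypted key (-nodes) goes into the same file.
CERTNAME=cherokee.pem
# Restrict permissions before the private key is written, not only afterwards.
umask 077
openssl req -days 1000 -new -x509 -nodes -out "$CERTNAME" -keyout "$CERTNAME"
chmod 600 "$CERTNAME"
# A self-signed certificate only verifies when it is trusted as its own CA.
if ! openssl verify -CAfile "$CERTNAME" "$CERTNAME"; then
\mv "$CERTNAME" "$CERTNAME.not_valid"
fi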
Last modified: 11-03-2009, 14:09:38
Author: Jędrzej Nowak <me@pigmej.eu>
http://www.cherokee-project.com/doc/cookbook_ssl.html