问题描述

我是openSSL库和PKI中的新手.我对openSSL专家有一个简单的问题.

I am newbie in openSSL library and PKI .I have simple question for openSSL experts.

有人知道如何为本文的代码示例创建证书吗?Eric Rescorla的"OpenSSL编程简介(第I/II部分)"

Does anybody know how to create certificates for code samples in this article "An Introduction to OpenSSL programming (Part I/II)" by Eric Rescorla

www.rtfm.com/openssl-examples/part1.pdf

www.rtfm.com/openssl-examples/part1.pdf

www.rtfm.com/openssl-examples/part2.pdf

www.rtfm.com/openssl-examples/part2.pdf

我已经从 http://www.rtfm.com/openssl-examples问题在于证书已过期，我不知道如何创建新的根证书.

I have downloaded source code from http://www.rtfm.com/openssl-examplesThe problem is that certificates are expired and I don't know how to create new root certificate.

如何创建根证书?如何为客户端和服务器应用程序创建证书?我应该使用Wich加密算法吗?据我了解，我应该执行以下操作:

How to create root certificate? How to create certificates for client and server app? Wich ciphering algorithm should I use? As far as i understand i shuld do the following:

• 创建密钥对.秘密和公共密钥.
• 创建证书申请(p10格式).
• 创建自签名根证书(x509格式).

文章中的细节不清楚.

Details is not clear from the article.

这是我尝试创建证书的方式:

This is how I am trying to create certificates:

1)创建CA私钥和证书请求:openssl req -newkey rsa -keyout ./ca_key.pem out.pem -out ./ca_req.pem -days 1095 -passin pass:"password" -subj有关CA的某些信息"-扩展名v3_ca

1) Creating CA private key and certificate request:openssl req -newkey rsa -keyout ./ca_key.pem out.pem -out ./ca_req.pem -days 1095 -passin pass:"password" -subj "some information about CA" -extensions v3_ca

2)创建自签名的CA证书openssl ca -create_serial -in ca_req.pem -out root.pem -days 1095 -passin pass:"password" -selfsign -extension v3_ca

2) Create self signed CA certificateopenssl ca -create_serial -in ca_req.pem -out root.pem -days 1095 -passin pass:"password" -selfsign -extension v3_ca

3)生成服务器私钥并请求证书openssl req -newkey rsa -keyout server_key.pem out server_req.pem -days 1095 -passin pass:"password" -subj有关服务器的一些信息"

3)generate server private key and request for certificateopenssl req -newkey rsa -keyout server_key.pem out server_req.pem -days 1095 -passin pass:"password" -subj "some information about server"

4)创建服务器证书(此证书不是自签名的.此证书由CA私钥签名)openssl ca -in server_req.pem -out server.pem -passin pass:密码"

4)create server certifiate (this certificate is not self signed. This certificate signed by CA private key)openssl ca -in server_req.pem -out server.pem -passin pass:"password"

5)生成用户私钥并请求证书openssl req -newkey rsa -keyout user_key.pem out user_req.pem -days 1095 -passin pass:"password" -subj有关客户端的一些信息"

5)generate user private key and request for certificateopenssl req -newkey rsa -keyout user_key.pem out user_req.pem -days 1095 -passin pass:"password" -subj "some information about client"

6)创建用户证书(此证书不是自签名的.此证书由CA私钥签名)openssl ca -in user_req.pem -out client.pem -passin pass:密码"

6)create user certifiate (this certificate is not self signed. This certificate signed by CA private key)openssl ca -in user_req.pem -out client.pem -passin pass:"password"

我不确定这里的"rsa"算法.可能是我shuold使用其他算法.

I am not sure about "rsa" algorithm here. May be I shuold use other algorthm.

所以我有root.pem，server.pem，client.pem我把客户端密钥和证书放到client.pem对于server.pem也是如此. (与文章样本证书中的方法相同.)

So i have root.pem, server.pem, client.pemI put client key and certificate to client.pem And the same thing for server.pem. ( The same way as in the articles sample certificates.)

但是当我尝试使用这些新生成的证书启动服务器时，出现错误:无法打开DH文件."

But when i try to start server with these new generated certificates i have an error:"Couldn't open DH file."

当我将旧的DH文件放入当前文件夹并且服务器启动时.(dh1024.pem是什么?)

When I put old DH file to current folder and server starts.(dh1024.pem What is it?)

下一步.我启动客户端，然后收到另一条错误消息:证书不验证."

The next step. I start client and I got another error message: "Cetrificate doesn't verify."

错误代码为20.x509_vfy.h中代码20的描述为无法在本地获取颁发者证书"

The error code is 20. Desciption for code 20 in x509_vfy.h is "unable to get issuer certificate locally"

所有这些都意味着我创建的证书不正确.我不知道该怎么做.

All of this means that I have created certificates incorrectly.I don't know how to do it correctly.

有人有主意吗?

推荐答案

这是解决方案.可能它不是最佳方法，但它可以工作.问题解决方案的唯一区别是选项:-des3 1024"

This is the solution. May be it is not optimal but it works. The only difference with question solution is option: "-des3 1024"

#!/bin/sh

alg="rsa"

ossl="openssl"

passwd="password"

#certificate autority folder
caFolder="./demoCA"

#delete old certificates, CA folder and keys 
rm -rf *.pem

rm -rf $caFolder

#create folder structure
mkdir $caFolder
mkdir "$caFolder/private"
mkdir "$caFolder/newcerts"

#generate RSA private key for CA
$ossl genrsa -out ca_key.pem 1024

#Creating certificate request:
$ossl req -new -key ca_key.pem -out ./ca_req.pem -days 1095 -passin pass:$passwd  -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=TestCAs/CN=TestCA/[email protected] -extensions v3_ca

cp ca_key.pem "$caFolder/private/cakey.pem" 

touch "$caFolder/index.txt"

#Create self signed CA certificate 
$ossl ca -create_serial -in ca_req.pem -out ca_cert.pem -days 1095 -passin pass:$passwd -selfsign -extensions v3_ca -notext
cp ca_cert.pem "$caFolder/cacert.pem"


#generate SERVER private key and request for certificate 
$ossl genrsa -out server_key.pem -passout pass:$passwd -des3 1024

$ossl req -new -key server_key.pem  -passin pass:$passwd \
-passout pass:$passwd -out server_req.pem -days 1095 \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=SSLServers/CN=localhost/[email protected]  

#create SERVER certifiate (this certificate is not self signed. This certificate signed by CA private key)
$ossl ca -in server_req.pem -out server_cert.pem -passin pass:$passwd -notext


#generate RSA private key for client
$ossl genrsa -out user_key.pem -passout pass:$passwd -des3 1024

#generate request certificate for client
$ossl req -new -key user_key.pem -out user_req.pem -days 1095 \
-passin pass:$passwd -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=Clients/CN=Client/[email protected] 

#create user certifiate (this certificate is not self signed. This certificate signed by CA private key) 
$ossl ca -in user_req.pem -out user_cert.pem -passin pass:$passwd -notext

#generate  DH   param
$ossl dhparam -out dh1024.pem 1024

cat ./user_key.pem ./user_cert.pem > client.pem  

cat ./server_key.pem  ./server_cert.pem  > server.pem

cp ./ca_cert.pem root.pem

这篇关于"openssl编程简介".文章.过期的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！