1661.html

Packaged documentation from the well-known "Linux hero" site
commonName = supplied<br>
emailAddress = optional<br>
####################################################################<br>
[ req ]<br>
default_bits = 1024<br>
default_keyfile = privkey.pem<br>
distinguished_name = req_distinguished_name<br>
attributes = req_attributes<br>
x509_extensions = v3_ca # The extensions to add to the self signed cert<br>
[ req_distinguished_name ]<br>
countryName = Country Name (2 letter code)<br>
countryName_default = CA<br>
countryName_min = 2<br>
countryName_max = 2<br>
stateOrProvinceName = State or Province Name (full name)<br>
stateOrProvinceName_default = Quebec<br>
localityName = Locality Name (eg, city)<br>
localityName_default = Montreal<br>
0.organizationName = Organization Name (eg, company)<br>
0.organizationName_default = Open Network Architecture<br>
# we can do this but it is not needed normally<br>
#1.organizationName = Second Organization Name (eg, company)<br>
#1.organizationName_default = World Wide Web Pty Ltd<br>
organizationalUnitName = Organizational Unit Name (eg, section)<br>
organizationalUnitName_default = Internet Department<br>
commonName = Common Name (eg, YOUR name)<br>
commonName_default = www.openarch.com<br>
commonName_max = 64<br>
emailAddress = Email Address<br>
emailAddress_default = admin@openarch.com<br>
emailAddress_max = 40<br>
# SET-ex3 = SET extension number 3<br>
[ req_attributes ]<br>
challengePassword = A challenge password<br>
challengePassword_min = 4<br>
challengePassword_max = 20<br>
unstructuredName = An optional company name<br>
[ usr_cert ]<br>
# These extensions are added when 'ca' signs a request.<br>
# This goes against PKIX guidelines but some CAs do it and some software<br>
# requires this to avoid interpreting an end user certificate as a CA.<br>
basicConstraints=CA:FALSE<br>
# Here are some examples of the usage of nsCertType. If it is omitted<br>
# the certificate can be used for anything *except* object signing.<br>
# This is OK for an SSL server.<br>
# nsCertType = server<br>
# For an object signing certificate this would be used.<br>
# nsCertType = objsign<br>
# For normal client use this is typical<br>
# nsCertType = client, email<br>
# and for everything including object signing:<br>
# nsCertType = client, email, objsign<br>
# This is typical in keyUsage for a client certificate.<br>
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br>
# This will be displayed in Netscape's comment listbox.<br>
nsComment = "OpenSSL Generated Certificate"<br>
# PKIX recommendations harmless if included in all certificates.<br>
subjectKeyIdentifier=hash<br>
authorityKeyIdentifier=keyid,issuer:always<br>
# This stuff is for subjectAltName and issuerAltname.<br>
# Import the email address.<br>
# subjectAltName=email:copy<br>
# Copy subject details<br>
# issuerAltName=issuer:copy<br>
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem<br>
#nsBaseUrl<br>
#nsRevocationUrl<br>
#nsRenewalUrl<br>
#nsCaPolicyUrl<br>
#nsSslServerName<br>
[ v3_ca ]<br>
# Extensions for a typical CA<br>
# PKIX recommendation.<br>
subjectKeyIdentifier=hash<br>
authorityKeyIdentifier=keyid:always,issuer:always<br>
# This is what PKIX recommends but some broken software chokes on critical<br>
# extensions.<br>
#basicConstraints = critical,CA:true<br>
# So we do this instead.<br>
basicConstraints = CA:true<br>
# Key usage: this is typical for a CA certificate. However since it will<br>
# prevent it being used as a test self-signed certificate it is best<br>
# left out by default.<br>
# keyUsage = cRLSign, keyCertSign<br>
# Some might want this also<br>
# nsCertType = sslCA, emailCA<br>
# Include email address in subject alt name: another PKIX recommendation<br>
# subjectAltName=email:copy<br>
# Copy issuer details<br>
# issuerAltName=issuer:copy<br>
# RAW DER hex encoding of an extension: beware experts only!<br>
# 1.2.3.5=RAW:02:03<br>
# You can even override a supported extension:<br>
# basicConstraints= critical, RAW:30:03:01:01:FF<br>
[ crl_ext ]<br>
# CRL extensions.<br>
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.<br>
# issuerAltName=issuer:copy<br>
authorityKeyIdentifier=keyid:always,issuer:always<br>
<br>
   Note: once OpenSSL has been compiled and installed, the "openssl.cnf" file already exists on the server and can be found in the "/etc/ssl" directory. There is no need to change every default in this file; the sections that usually need editing are only [CA_default] and [req_distinguished_name].<br>
<br>
Creating the "/usr/bin/sign.sh" script<br>
   The "openssl ca" command has some odd requirements, and OpenSSL's default configuration does not make it easy to use "openssl ca" directly, so we replace it with the "sign.sh" script.<br>
<br>
   Create the "sign.sh" script (touch /usr/bin/sign.sh) and add:<br>
<br>
#!/bin/sh<br>
##<br>
## sign.sh -- Sign a SSL Certificate Request (CSR)<br>
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.<br>
##<br>
# argument line handling<br>
CSR="$1"<br>
if [ $# -ne 1 ]; then<br>
echo "Usage: sign.sh &lt;whatever&gt;.csr"; exit 1<br>
fi<br>
if [ ! -f "$CSR" ]; then<br>
echo "CSR not found: $CSR"; exit 1<br>
fi<br>
# derive the certificate file name: only a trailing ".csr" is replaced<br>
case $CSR in<br>
*.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;<br>
* ) CERT="$CSR.crt" ;;<br>
esac<br>
# make sure environment exists<br>
if [ ! -d ca.db.certs ]; then<br>
mkdir ca.db.certs<br>
fi<br>
if [ ! -f ca.db.serial ]; then<br>
echo '01' &gt;ca.db.serial<br>
fi<br>
if [ ! -f ca.db.index ]; then<br>
cp /dev/null ca.db.index<br>
fi<br>
# create an own SSLeay config<br>
cat &gt;ca.config &lt;&lt;EOT<br>
[ ca ]<br>
default_ca = CA_own<br>
[ CA_own ]<br>
dir = /etc/ssl<br>
certs = /etc/ssl/certs<br>
new_certs_dir = /etc/ssl/ca.db.certs<br>
database = /etc/ssl/ca.db.index<br>
serial = /etc/ssl/ca.db.serial<br>
RANDFILE = /etc/ssl/ca.db.rand<br>
certificate = /etc/ssl/certs/ca.crt<br>
private_key = /etc/ssl/private/ca.key<br>
default_days = 365<br>
default_crl_days = 30<br>
# md5 is kept as in the original script; on current OpenSSL use sha256 here<br>
default_md = md5<br>
preserve = no<br>
policy = policy_anything<br>
[ policy_anything ]<br>
countryName = optional<br>
stateOrProvinceName = optional<br>
localityName = optional<br>
organizationName = optional<br>
organizationalUnitName = optional<br>
commonName = supplied<br>
emailAddress = optional<br>
EOT<br>
# sign the certificate<br>
echo "CA signing: $CSR -&gt; $CERT:"<br>
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"<br>
echo "CA verifying: $CERT &lt;-&gt; CA cert"<br>
openssl verify -CAfile /etc/ssl/certs/ca.crt "$CERT"<br>
# cleanup after SSLeay<br>
rm -f ca.config<br>
rm -f ca.db.serial.old<br>
rm -f ca.db.index.old<br>
# die gracefully<br>
exit 0<br>
<br>
   Now make the script executable and change its default permissions:<br>
<br>
[root@deep]# chmod 755 /usr/bin/sign.sh<br>
<br>
   Note: after unpacking "floppy.tgz", the "sign.sh" file can be found in the "mod_ssl-version/pkg.contrib" directory. Adapt the [CA_own] section to your situation, and don't forget to change the line "openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT".<br>
<br>
Securing OpenSSL<br>
   Make the keys readable and writable only by the super-user "root". You must make sure that nobody else can access these files.<br>
<br>
   Use the following commands to make the keys readable and writable only by "root":<br>
<br>
[root@deep]# chmod 600 /etc/ssl/certs/ca.crt<br>
[root@deep]# chmod 600 /etc/ssl/certs/server.crt<br>
[root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/ca.key<br>
[root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/server.key<br>
<br>
Commands<br>
   Listed below are some of the commands we use most often; there are of course many others, and more detailed information can be found in the man pages or other documentation.<br>
<br>
   In the following example we walk you through creating a certificate for the Apache web server:<br>
<br>
   Note: all of the commands below are run from the "/etc/ssl" directory.<br>
<br>
   Create a passphrase-protected RSA private key for the Apache server.<br>
[root@deep]# openssl genrsa -des3 -out server.key 1024<br>
Generating RSA private key, 1024 bit long modulus<br>
......................+++++<br>
.....+++++<br>
e is 65537 (0x10001)<br>
Enter PEM pass phrase:<br>
Verifying password - Enter PEM pass phrase:<br>
<br>
   Back up the "server.key" file, and remember to enter the passphrase only in a secure location.<br>
<br>
   Create a Certificate Signing Request (CSR) with the server's RSA private key<br>
[root@deep]# openssl req -new -key server.key -out server.csr<br>
Enter PEM pass phrase:<br>
You are about to be asked to enter information that will be incorporated<br>
into your certificate request.<br>
What you are about to enter is what is called a Distinguished Name or a DN.<br>
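The sign.sh wrapper above and the genrsa/req steps in this section, run end to end as one added example (not part of the original document or of mod_ssl's pkg.contrib): a scratch directory stands in for /etc/ssl, the CA and server subjects are made-up placeholders, and the weak settings carried by the original (md5 digest, 1024-bit keys, non-critical CA:true) are replaced by sha256, 2048 bits and a critical basicConstraints. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original document: the page's CA workflow
# (sign.sh layout, genrsa/req steps, key permissions) in a scratch directory,
# with md5 and 1024-bit keys replaced by sha256 and 2048-bit keys.
# Assumes the openssl CLI is installed; all paths are temporary, not /etc/ssl.
set -eu

run_ca_demo() {
    work=$(mktemp -d) && cd "$work"
    umask 077                     # key material comes out owner-only (0600)
    mkdir ca.db.certs; echo '01' > ca.db.serial; : > ca.db.index
    # one config for req and ca; same layout as the [CA_own] block in sign.sh
    cat > ca.config <<EOT
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ ca ]
default_ca = CA_own
[ CA_own ]
new_certs_dir = $work/ca.db.certs
database = $work/ca.db.index
serial = $work/ca.db.serial
certificate = $work/ca.crt
private_key = $work/ca.key
default_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOT
    # self-signed CA (unencrypted key so the demo is non-interactive; the page uses -des3)
    openssl req -config ca.config -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Demo Root CA' -keyout ca.key -out ca.crt 2>/dev/null
    # server key and CSR: the page's genrsa + req steps, with a placeholder name
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -config ca.config -new -key server.key \
        -subj '/CN=www.example.test' -out server.csr 2>/dev/null
    # sign and verify, as sign.sh does
    openssl ca -batch -config ca.config -out server.crt -infiles server.csr 2>/dev/null
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || { echo fail; return 0; }
    # the page's chmod 600 rule for key files, checked rather than applied
    [ "$(ls -l ca.key | cut -c1-10)" = "-rw-------" ] || { echo fail; return 0; }
    echo ok
}
```

Running `run_ca_demo` prints `ok` only when the signed server.crt chains to ca.crt and the CA key is owner-only.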