<HTML>
<HEAD>
<TITLE>Initialisation of the Certification Authority</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.55">
<LINK REL="HOME" TITLE="The Open-source PKI Book" HREF="ospki-book.htm">
<LINK REL="UP" TITLE="General implementation overview" HREF="implementation-overview.htm">
<LINK REL="PREVIOUS" TITLE="General implementation overview" HREF="implementation-overview.htm">
<LINK REL="NEXT" TITLE="User/Server key generation and signing" HREF="keygensign.htm">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">The Open-source PKI Book: A guide to PKIs and Open-source Implementations</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="implementation-overview.htm">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 4. General implementation overview</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="keygensign.htm">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="INITIALISATION">Initialisation of the Certification Authority</A></H1>
<P>Here we describe the initialisation phase of the CA. It takes place only once. Special care is needed for the protection of the CA's private key.</P>
<DIV CLASS="NOTE">
<TABLE CLASS="NOTE" WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD>
<TD ALIGN="LEFT" VALIGN="TOP"><P>The following examples require the OpenSSL software to be installed on your workstation. It is also recommended that the directory in which the <SPAN CLASS="APPLICATION">openssl</SPAN> application resides is in your <TT CLASS="ENVAR">PATH</TT> environment variable. Possible locations for the <SPAN CLASS="APPLICATION">openssl</SPAN> application are <TT CLASS="FILENAME">/usr/local/ssl/bin/</TT> or <TT CLASS="FILENAME">/usr/bin/</TT>.</P></TD>
</TR>
</TABLE>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="GENERATEKEYPAIR">Generate the RSA key-pair for the CA</A></H2>
<P>Use this command to generate the RSA key-pair:</P>
<P CLASS="LITERALLAYOUT"><TT CLASS="PROMPT">CA_Admin% </TT><TT CLASS="USERINPUT"><B>openssl genrsa -des3 -out ca.key 2048</B></TT></P>
<DIV CLASS="VARIABLELIST">
<P><B>Parameters</B></P>
<DL>
<DT>genrsa</DT>
<DD><P>the <SPAN CLASS="APPLICATION">openssl</SPAN> component that generates an <SPAN CLASS="ACRONYM">RSA</SPAN> key-pair,</P></DD>
<DT>-des3</DT>
<DD><P>the symmetric algorithm (3DES) used to encrypt the key-pair on disk,</P></DD>
<DT>-out <TT CLASS="FILENAME">ca.key</TT></DT>
<DD><P>the filename in which to store the key-pair,</P></DD>
<DT>2048</DT>
<DD><P>the size of the RSA modulus in bits.</P></DD>
</DL>
</DIV>
<P>Executing the above command presents the user with the following information:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><PRE CLASS="PROGRAMLISTING">1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
......................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase: <I CLASS="EMPHASIS">enter the pass-phrase here</I>
Verifying password - Enter PEM pass phrase: <I CLASS="EMPHASIS">re-enter the pass-phrase here</I></PRE></TD></TR>
</TABLE>
<P>This creates an <SPAN CLASS="ACRONYM">RSA</SPAN> key pair which is stored in the file <TT CLASS="FILENAME">ca.key</TT>. The key pair is encrypted with <SPAN CLASS="ACRONYM">3DES</SPAN> under a pass-phrase supplied by the user during key generation. The modulus <SPAN CLASS="ACRONYM">N</SPAN> of <SPAN CLASS="ACRONYM">RSA</SPAN> (the product of the two prime numbers) is 2048 bits long. For brevity, we say that we use <TT CLASS="LITERAL">2048-bit</TT> RSA.</P>
<P>A sample key-pair, encrypted with a pass-phrase, can be found at <A HREF="sample-openssl-usage.htm#SAMPLE-PRIV-ENC-KEY">the section called <I>Sample Encrypted Private Key in PEM format (2048 bits)</I> in Appendix B</A>. The same key-pair without the pass-phrase encryption is at <A HREF="sample-priv-key.htm">the section called <I>Sample Private Key in PEM format (2048 bits)</I> in Appendix B</A>. The decoded version of the same key can be found at <A HREF="sample-key-components.htm">the section called <I>Sample Private Key in TXT format (2048 bits)</I> in Appendix B</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="CREATESELFSIGNEDCACERT">Create a self-signed CA Certificate</A></H2>
<P>In order to get a self-signed CA Certificate, we need to sign the CA's certificate request with the corresponding private key. The resulting Certificate has the X.509 structure.</P>
<P CLASS="LITERALLAYOUT"><TT CLASS="PROMPT">CA_Admin% </TT><TT CLASS="USERINPUT"><B>openssl req -new -x509 -days 365 -key ca.key -out ca.crt</B></TT></P>
<DIV CLASS="VARIABLELIST">
<P><B>Parameters</B></P>
<DL>
<DT>req</DT>
<DD><P>the <SPAN CLASS="APPLICATION">openssl</SPAN> component that generates a certificate request,</P></DD>
<DT>-new</DT>
<DD><P>this is a new certificate request,</P></DD>
<DT>-x509</DT>
<DD><P>generate a self-signed <SPAN CLASS="ACRONYM">X.509</SPAN> certificate instead of a certificate request,</P></DD>
<DT>-days 365</DT>
<DD><P>the time in days that the certificate will be valid, counting from now,</P></DD>
<DT>-key <TT CLASS="FILENAME">ca.key</TT></DT>
<DD><P>the key-pair file to be used,</P></DD>
<DT>-out <TT CLASS="FILENAME">ca.crt</TT></DT>
<DD><P>the filename to which the new certificate will be written.</P></DD>
</DL>
</DIV>
<P>Executing the above command presents this dialogue:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%">
<TR><TD><PRE CLASS="PROGRAMLISTING">Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase: <I CLASS="EMPHASIS">enter the pass-phrase here</I>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<TT CLASS="USERINPUT"><B>GB</B></TT>
State or Province Name (full name) [Some-State]:<TT CLASS="USERINPUT"><B>Surrey</B></TT>
Locality Name (eg, city) []:<TT CLASS="USERINPUT"><B>.</B></TT>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<TT CLASS="USERINPUT"><B>Best CA Ltd</B></TT>
Organizational Unit Name (eg, section) []:<TT CLASS="USERINPUT"><B>Class 1 Public Primary Certification Authority</B></TT>
Common Name (eg, YOUR name) []:<TT CLASS="USERINPUT"><B>Best CA Ltd</B></TT>
Email Address []:<TT CLASS="USERINPUT"><B>.</B></TT>
<TT CLASS="PROMPT">CA_Admin% </TT></PRE></TD></TR>
</TABLE>
<P>This creates a self-signed certificate, called <TT CLASS="FILENAME">ca.crt</TT>. It is valid for 365 days from the date of generation. In this step, the CA Administrator has to enter the X.509 details of the CA Root Certificate.</P>
<P>A sample CA Certificate, in PEM format, can be found at <A HREF="sample-ca-cert.htm">the section called <I>Sample CA Certificate in PEM format</I> in Appendix B</A>. The TXT (human-readable) version of the same Certificate can be found at <A HREF="sample-ca-cert-txt.htm">the section called <I>Sample CA Certificate in TXT format</I> in Appendix B</A>.</P>
</DIV>
</DIV>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="implementation-overview.htm">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="ospki-book.htm">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="keygensign.htm">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">General implementation overview</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="implementation-overview.htm">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">User/Server key generation and signing</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>
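The two steps of this section (key generation, then self-signing) as one script, added here as an example and not part of the book: it runs the same openssl commands non-interactively, writes an explicit config so the certificate is marked as a CA instead of depending on the installed openssl.cnf, and then checks that the certificate really belongs to the key. It assumes openssl is in PATH; the pass phrase and subject are constructed values.

```shell
#!/bin/sh
# Added example (not the book's own script): the two commands from this
# section run non-interactively, plus the checks a CA administrator
# should make before trusting the result. Assumes openssl is in PATH.
# The pass phrase is passed with "pass:" for demonstration only; a real
# CA reads it from a protected file (-passin file:...) or a prompt.

# ca_init DIR PASSPHRASE SUBJECT
# Writes ca.key (2048-bit RSA, 3DES-encrypted) and ca.crt (self-signed,
# valid 365 days) into DIR. The explicit config marks the certificate
# as a CA instead of relying on whatever openssl.cnf is installed.
ca_init() {
    dir=$1; pass=$2; subj=$3
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (   # umask 077 in a subshell: key and cert are owner-only from creation
        umask 077
        openssl genrsa -des3 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null &&
        openssl req -new -x509 -days 365 -config "$dir/ca.cnf" -subj "$subj" \
            -key "$dir/ca.key" -passin "pass:$pass" -out "$dir/ca.crt"
    )
}

# ca_check DIR PASSPHRASE
# Succeeds only if ca.crt is really self-signed with the key in ca.key:
# the key must still be encrypted, the RSA modulus in key and certificate
# must match, subject must equal issuer, and the self-signature must verify.
ca_check() {
    dir=$1; pass=$2
    grep -q ENCRYPTED "$dir/ca.key" || return 1
    kmod=$(openssl rsa -in "$dir/ca.key" -passin "pass:$pass" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$dir/ca.crt" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    subj=$(openssl x509 -in "$dir/ca.crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$dir/ca.crt" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/ca.crt" >/dev/null 2>&1
}
```

Typical use: `ca_init /path/to/ca 'pass-phrase' '/C=GB/ST=Surrey/O=Best CA Ltd/CN=Best CA Ltd' && ca_check /path/to/ca 'pass-phrase'`; the check fails for a wrong pass phrase, an unencrypted key, or a certificate that was not signed by this key.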