所属类别：Linux

文章作者：colderhua

特别推荐：免费发布信息 承包关键词~~抢爆了！^HOT!

1.取得 OpensslOpenssl 是一套公布原始码(Open source)之套件，可以从 http://www.openssl.org/ 取得。 wget http://www.openssl.org/source/ openssl-0.9.8e.tar.gz解压缩。 tar zxvf openssl-0.9.8e.tar.gzcd openssl-0.9.8h# ./config --prefix=/usr/local/openssl# make# make install修改~/openssl/ssl/openssl.cnf。 dir= /usr/local/openssl/ssl/misc/demoCA #设定存取凭证的路径default_days= 3650 #设定凭证可使用之天数default_bits = 2048 #设定密钥长度(bits)产生 CA 凭证 我们所产生的 CA凭证，将放置在 ~/openssl/ssl/misc/demoCA 下，以下我们将介绍如何产生出最上层的 CA凭证。2.执行CA凭证产生程式。 # cd ~/openssl/ssl/misc# ./CA.sh -newcaCA certificate filename (or enter to create)[enter]Making CA certificate ...Generating a 1024 bit RSA private key................................ .............................++++++..++++++writing new private key to './demoCA/private/./cakey.pem'Enter PEM pass phrase:[设定通行码]Verifying - Enter PEM pass phrase:[确认通行码]-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [GB]:CNState or Province Name (full name) [Berkshire]:GUANGDONGLocality Name (eg, city) [Newbury]:GUANGZHOUOrganization Name (eg, company) [My Company Ltd]:demoOrganizational Unit Name (eg, section) []:demoCommon Name (eg, your name or your server's hostname) []:demoEmail Address []demo@demolcn3. 确定CA凭证及金钥是否产生。 #cd ~/openssl/ssl/misc/demoCA#ls –lcacert.pem certs crl index.txt newcerts private serial可见「cacert.pem」即是CA之凭证，而「private」目录即是存放CA私钥之处。设定CA凭证之存取权限，仅允许本人能存取，他人必须限制其存取权限。 chmod -R 660 ~/openssl/ssl/misc/ demoCA4. 以 CA产生次级凭证 在CA凭证产生完之后，我们便可以产生使用者或公司所需要之凭证，此次级凭证产生后，使用者便可应用于Email签章加密或https等ssl传输加密。产生使用者之金钥档及CSR档(Certificate Signing Request)。 #cd ~/openssl/ssl/misc/demoCA#~/openssl/bin/openssl req -nodes -new -keyout islab_key.pem\#-out islab_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf#此处「-keyout」即为产生Private key之档名，我们以「islab_key.pem」为例#，您可自行设定。而「-out」则产生CSR档，我们以「islab_req.pem」为例。Generating a 2048 bit RSA private key................................ ..........................+++................................ ................................................................+++writing new private key to 'islab_key.pem'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:CNState or Province Name (full name) [GUANGDONG]:GUANGDONGLocality Name (eg, city) []:GUANGZHOUOrganization Name (eg, company) [THU]:demoOrganizational Unit Name (eg, section) []:IdemoCommon Name (eg, YOUR name) []:demo@demo.com#Common Name请输入您所欲使用之名称，如此凭证产生后欲使用在 Email#签章，则必须填入email名称；若此凭证欲使用在https，则必须填网址。Email Address []:demo@demo.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:[password]An optional company name []:[company]#以上两项可随意输入即可。产生使用者之凭证。 ~/openssl/bin/openssl ca -config ~/openssl/ssl/openssl.cnf \-policy policy_anything -out islab_cert.pem -infiles islab_req.pemUsing configuration from /usr/local/openssl/ssl/openssl.cnfEnter pass phrase for /usr/local/openssl/ssl/misc/demoCA/private/cakey.pem:[输入CA通行码]Check that the request matches the signatureSignature okCertificate Details:Serial Number: 1 (0x1)ValidityNot Before: Feb 24 14:34:58 2005 GMTNot After : Feb 22 14:34:58 2015 GMTSubject:countryName = CNstateOrProvinceName = GUANGDONGlocalityName = GUANGZHOUorganizationName = demoorganizationalUnitName= democommonName = demo@demo.comemailAddress = demo@demo.comX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:EC:88:66:DE:FF:79:CE:81:C2:EE:93:BF:9A:65:92:3B:AC:2C:CD:7EX509v3 Authority Key Identifier:keyid:37:AA:42:CF:FA:D9:73:C7:80:E5:0C:E2:9F:7B:95:86:40:66:72:C5DirName:/C=CNST=GUANGDONG/L=GUANGZHOU/O=GUANGZHOU University/OU=demo/CN=ISLAB_CA/ emailAddress=demo@demo.cnserial:00Certificate is to be certified until Feb 22 14:34:58 2015 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated检查凭证是否产生。 cd ~/openssl/ssl/misc/demoCAls -lcacert.pem crl index.txt.attr islab_cert.pem islab_req.pem private serial.old certs index.txt index.txt.old islab_key.pem newcerts serial以上可见，islab_cert.pem、islab_req.pem及islab_key.pem分别为刚刚所产生出来的凭证、CSR及Private Key。 5.Openssl 应用 以cacert验证产生出来的使用者cert~/openssl/bin/openssl verify -CApath . \-CAfile cacert.pem islab_cert.pem检查产生的序号 ~/openssl/bin/openssl x509 -noout -serial -in islab_cert.pemserial=01检查发行者资讯 ~/openssl/bin/openssl x509 -noout -issuer -in islab_cert.pemissuer=/C=CN/ST=CN/L=guangdong/ O=THU/OU=ISLAB/CN=www.demo.cn/emailAddress=demo@demo.cn检查凭证起始及终止日期时间 ~/openssl/bin/openssl x509 -noout -in islab_cert.pem -datesnotBefore=Feb 24 07:54:16 2005 GMTnotAfter=Feb 22 07:54:16 2015 GMT检查个人凭证资讯subject~/openssl/bin/openssl x509 -noout -in islab_cert.pem -subjectsubject=/C=CN/ST=CN/L=GUANGDONG/ O=THU/OU=CSIE/CN=demo@demo.cn/emailAddress=demo@demo.cn检查MD5 fingerprint~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprintMD5 Fingerprint=A4:A1:95:41:CC:26:18:00:AA:16:07:25:A8:5F:65:6E检查SHA-1 fingerprint~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprint -sha1SHA1 Fingerprint=B2:D7:CF:DF:DA:B7:A6:3B:4C:99:3A:94:52:64:B8:28:0B:3A:24:9D由PEM转至PKCS12。Microsoft Outlook Express使用PKCS12格式，因此欲使用Microsoft Outlook Express寄出签章信件，只要将产生出来的.p12档安装在Windows即可使用。 ~/openssl/bin/openssl pkcs12 -export -in islab_cert.pem -out islab_cert.p12 -name Blave's Certificate -inkey islab_key.pemEnter Export Password:Verifying - Enter Export Password:由PKCS12转至PEM由PKCS12产生Private Key~/openssl/bin/openssl pkcs12 -in islab_cert.p12 -out islab_key2.pemEnter Import Password:MAC verified OKEnter PEM pass phrase:Verifying - Enter PEM pass phrase:再由Private Key产生凭证 ~/openssl/bin/openssl x509 -in islab_key2.pem -text \out islab_cert2.pem文件加密 「islab_cert.pem」为个人凭证，可以公开给大家，因此某人欲加密传送一文件给我，便可以依下列方式加密。编辑一纯文字档，在此我们预设档名为「document.txt」，而经加密码之档名为「document.enc」。echo "This is a text file." > document.txtcat document.txtThis is a text file.~/openssl/bin/openssl smime -encrypt -in document.txt \-out document.enc islab_cert.pemcat document.encMIME-Version: 1.0Content-Disposition: attachment; filename="smime.p7m"Content-Type: application/x-pkcs7- mime; name="smime.p7m"Content-Transfer-Encoding: base64MIICFgYJKoZIhvcNAQcDoIICBzCCAgMCAQAxggG5MIIBtQIBADCBnDCBljEL MAkGA1UEBhMCVFcxDzANBgNVBAgTBlRBSVdBTjERMA8GA1UEBxMIVGFpY2h 1bmcxDDAK…(略)…DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIIyXl/ VHcSASAGOtS9efsvXwqks1LmBp6irSgxerAE6TShw==文件解密 若我们收到了某人传送的「document.enc」，我们便能使用Private Key来进行解密。~/openssl/bin/openssl smime -decrypt -in document.enc \-recip islab_cert.pem -inkey islab_key.pemThis is a text file.文件签章 为文件签章可证明文件的来源为本人无误，并且可以验证文件是否被篡改。我们依前例，为一纯文字档「document.txt」签章，签章后档名为「document.sig」。~/openssl/bin/openssl smime -sign -inkey islab_key.pem \-signer islab_cert.pem -in document.txt -out document.sigcat document.sigMIME-Version: 1.0Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=& quot;----F565CC3F7AEE7ACC3F74CA855D8EC920"This is an S/MIME signed message------F565CC3F7AEE7ACC3F74CA855D8EC920This is a text file.------F565CC3F7AEE7ACC3F74CA855D8EC920Content-Type: application/x-pkcs7- signature; name="smime.p7s"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="smime.p7s"MIIHBgYJKoZIhvcNAQcCoIIG9zCCBvMCAQExCzAJBgUrDgMCGgUAMAsGC SqGSIb3DQEHAaCCBFYwggRSMIIDu6ADAgECAgEBMA0GCSqGSIb3DQEBBAUAM IGWMQswCQYD…(略)…------F565CC3F7AEE7ACC3F74CA855D8EC920- -文件签章验证 当某人收到这份文件时，可利用我们的凭证(islab_cert.pem)以及CA凭证(cacert.pem)来验证文件。 ~/openssl/bin/openssl smime -verify -in document.sig \signer islab_cert.pem -out document.txt -CAfile cacert.pemVerification successful因此我们可以知道，验证方必须事先取得 CA凭证(cacert.pem)方可验证文件。文件加密并签章 我们已知如何加解密以及签章验证的方法了，因此要将文件加密并签章实非难事。我们必须先将文件进行签章再加密，而收方则以相反步骤进行解密再验证即可

....