Log of an Apache CA certificate request and import on CentOS
Time: 2014-05-20 11:42 Source: linux.it.net.cn Author: IT网
Get request
[root@tsghweb openssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@tsghweb openssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@tsghweb openssl]#
… …
Verify CA file
[root@tsghweb openssl]# openssl verify -CAfile rootca.crt -purpose sslserver rootcaserver.crt
rootcaserver.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@tsghweb openssl]#
[root@tsghweb openssl]# openssl rsa -noout -modulus -in server.key | openssl sha1
Enter pass phrase for server.key:hp0521
fa955c5e12ba90274553d879ba144afb6f7a3946
[root@tsghweb openssl]#
[root@tsghweb openssl]# openssl verify -CAfile rootcaserver.crt -purpose sslserver rootca.crt
rootca.crt: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
error 2 at 1 depth lookup:unable to get issuer certificate
[root@tsghweb openssl]#
… …
Import certification
[root@tsghweb openssl]# openssl pkcs7 -in server.p7b -inform DER -print_certs -out server-chain.pem
[root@tsghweb openssl]# cp server-chain.pem /etc/pki/tls/certs/server-chain.crt
[root@tsghweb openssl]#
[root@tsghweb openssl]# openssl x509 -in server.cer -inform DER -out server.pem
[root@tsghweb openssl]# cp server.pem /etc/pki/tls/certs/server.crt
[root@tsghweb openssl]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.hpmtaiwan.tw:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
[root@tsghweb openssl]#
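The log above hashes the modulus of server.key and runs `openssl verify` with the two CA files in both orders. As an added example (not part of the original log), the script below compares the key and certificate moduli and verifies a chain with the root as `-CAfile` and any intermediate as `-untrusted`; the function names and the throwaway files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before "service httpd restart".

# Digest of the RSA modulus. $1 is the openssl subcommand: rsa (key), req (CSR) or x509 (cert).
# An encrypted key makes "openssl rsa" prompt for its pass phrase, as in the log.
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m" ] || return 1          # never compare two empty outputs
    printf '%s\n' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the private key and the certificate carry the same modulus.
key_matches_cert() {
    k=$(modulus_digest rsa "$1") || return 1
    c=$(modulus_digest x509 "$2") || return 1
    [ "$k" = "$c" ]
}

# chain_ok ROOT LEAF [INTERMEDIATES]: the self-signed root is the trust anchor (-CAfile),
# intermediate CA certificates are only candidates for path building (-untrusted).
chain_ok() {
    root=$1; leaf=$2; shift 2
    openssl verify -CAfile "$root" ${1:+-untrusted "$1"} -purpose sslserver "$leaf" >/dev/null 2>&1
}

# Constructed sample data: a throwaway root, a server key/cert it signs, and an unrelated key.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Run the checks on the constructed files when called as: sh thisfile demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_demo "$d" || exit 1
    key_matches_cert "$d/server.key" "$d/server.pem" && echo "key matches certificate"
    key_matches_cert "$d/other.key" "$d/server.pem" || echo "other.key does not match"
    chain_ok "$d/root.pem" "$d/server.pem" && echo "chain verifies"
    rm -rf "$d"
fi
```

On the files from the log, the equivalent calls would be `key_matches_cert server.key server.pem` and `chain_ok` with the root certificate first, the server certificate second and the intermediate bundle third.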
(Editor in charge: IT)