Applying OpenSSL: issuing and requesting CA certificates

                             Configuring certificate requests and issuance between a server and a client
I. Creating the server-side CA certificate
1.)`cd /etc/pki/tls/` to change into this directory, then `vim openssl.cnf` to edit the file: change line 45 to dir = /etc/pki/CA; line 132 onward holds the default values used when creating a certificate or a certificate request and can be adjusted as needed.
2.)`cd ../CA` to change into that directory; `mkdir -pv certs crl newcerts` creates the three directories certs, crl and newcerts; `touch index.txt` and `touch serial` create the index.txt and serial files; `echo 100731 > serial` seeds the serial file with the first serial number to issue.
3.)`cd private/` to change into this directory, then `openssl genrsa 1024 > cakey.pem` creates the private key for the server (the CA).
  Generating RSA private key, 1024 bit long modulus
  .....++++++
  .....++++++
  e is 65537 (0x10001)
4.)`cd ..` to return to the previous directory, then `openssl req -new -x509 -key private/cakey.pem -out cacert.pem` creates a self-signed certificate for the server, saved with the pem suffix.
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [CN]:
  State or Province Name (full name) [Henan]:
  Locality Name (eg, city) [Zhengzhou]:
  Organization Name (eg, company) [RHCE]:
  Organizational Unit Name (eg, section) [TERM]:
  Common Name (eg, your name or your server's hostname) []:zzuwhx.example.com
  Email Address []:root@example.com

II. Creating the client's certificate signing request
1.)`openssl genrsa 1024 > client.key` creates a private key for the client.
  Generating RSA private key, 1024 bit long modulus
  .....++++++
  .....++++++
  e is 65537 (0x10001)
2.)`openssl req -new -key client.key -out client.csr` generates a certificate signing request for the client.
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:CN
  State or Province Name (full name) [Berkshire]:Henan
  Locality Name (eg, city) [Newbury]:Zhengzhou
  Organization Name (eg, company) [My Company Ltd]:RHCE
  Organizational Unit Name (eg, section) []:TERM
  Common Name (eg, your name or your server's hostname) []:client.example.com
  Email Address []:root@example.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
3.)`scp client.csr 192.168.0.11:/root` sends the client's certificate signing request to the server.
  The authenticity of host '192.168.0.11 (192.168.0.11)' can't be established.
  RSA key fingerprint is d0:3d:ac:2b:e8:5e:47:b4:f5:ab:ed:c3:8b:37:6f:39.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '192.168.0.11' (RSA) to the list of known hosts.
  root@192.168.0.11's password:
  client.csr                            100%  696     0.7KB/s   00:00
III. The server issues a certificate for the client's request
1.)`openssl ca -in /root/client.csr -out client.crt` makes the server generate a certificate for the client from the signing request the client submitted.
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 1050417 (0x100731)
          Validity
              Not Before: Jul 31 02:45:09 2010 GMT
              Not After : Jul 31 02:45:09 2011 GMT
          Subject:
              countryName               = CN
              stateOrProvinceName       = Henan
              organizationName          = RHCE
              organizationalUnitName    = TERM
              commonName                = client.example.com
              emailAddress              = client @example.com
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  A8:2A:D6:FA:BD:94:D1:01:6D:A9:84:3E:0D:FA:AE:5D:FA:79:22:CE
              X509v3 Authority Key Identifier:
                  keyid:F4:3C:8D:FF:66:7A:D4:44:95:5E:C6:DB:29:57:FE:5B:8D:F8:4A:ED
  Certificate is to be certified until Jul 31 02:45:09 2011 GMT (365 days)
  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
2.)`scp client.crt 192.168.0.151:/root` sends the issued certificate from the server back to the client.
  The authenticity of host '192.168.0.151 (192.168.0.151)' can't be established.
  RSA key fingerprint is e1:07:e9:f1:61:1b:20:0e:8f:98:e3:cd:76:c2:21:3b.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '192.168.0.151' (RSA) to the list of known hosts.
  reverse mapping checking getaddrinfo for server51.example.com failed - POSSIBLE BREAK-IN     ATTEMPT!
  root@192.168.0.151's password:
  client.crt                         100% 3244     3.2KB/s   00:00  
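The three sections above are one procedure: lay out the CA directory, create a CA key and self-signed certificate, have the client produce a key and CSR, sign the CSR with `openssl ca`, and hand the certificate back. The script below is an added example, not code from the original post: it runs the same steps non-interactively in a throwaway directory (passed as an argument) instead of editing /etc/pki/tls/openssl.cnf, writes its own minimal ca.cnf in place of the "dir = /etc/pki/CA" edit, replaces the interactive y/n prompts with `-batch`, and finishes with the check the post never shows, `openssl verify` of the issued certificate against cacert.pem. The DN values and hostnames are placeholders taken from the post; the 2048-bit key size, the sha256 default_md and the ca.cnf contents are this example's own choices (1024-bit RSA, as used in the post, is no longer considered adequate).

```shell
#!/bin/sh
# Added example (not from the original post): sections I-III as a script.
# Assumes an openssl binary (1.1.1 or newer) on PATH; everything is written
# under the directory given as $1, never under /etc/pki.
set -eu

# Minimal CA config, standing in for the "dir = /etc/pki/CA" edit of section I.
# $dir is expanded by the shell here; \$dir is left for openssl's own expansion.
write_ca_config() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $dir
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
private_key      = \$dir/private/cakey.pem
certificate      = \$dir/cacert.pem
default_md       = sha256
default_days     = 365
policy           = policy_anything
x509_extensions  = usr_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Section I: directory layout, serial seed, CA private key, self-signed CA cert.
setup_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    write_ca_config "$dir"
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 365 \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=RHCE/OU=TERM/CN=zzuwhx.example.com"
}

# Section II: client key and CSR (what the client would scp to the CA host).
make_client_csr() {
    dir=$1
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/client.key" \
        -out "$dir/client.csr" -subj "/C=CN/O=RHCE/OU=TERM/CN=client.example.com"
}

# Section III: the CA signs the CSR; -batch replaces the interactive y/n prompts.
sign_client_csr() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
}

# The check the post omits: does client.crt chain to cacert.pem?
verify_client_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/client.crt" >/dev/null
}

# Subject CN of the issued certificate (works with old "/CN=" and new "CN = " output).
client_cert_cn() {
    openssl x509 -noout -subject -in "$1/client.crt" | sed 's/.*CN *= *//'
}

run_demo() {
    setup_ca "$1"
    make_client_csr "$1"
    sign_client_csr "$1"
    verify_client_cert "$1"
}

# Usage as a script: sh ca_demo.sh /path/to/empty/workdir
if [ "${1:-}" ]; then
    run_demo "$1" && echo "issued and verified $1/client.crt (CN=$(client_cert_cn "$1"))"
fi
```

Note that `policy_anything` only requires a commonName; the stock openssl.cnf's policy_match would reject this CSR because its subject lacks stateOrProvinceName, which is exactly what a CA operator should decide deliberately before signing requests from other hosts.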
OpenSSL supplement
1.)`md5sum file`: computes the file's MD5 fingerprint (a 128-bit digest).
2.)`shasum file`: computes the file's SHA-1 fingerprint (a 160-bit digest).
3.)`openssl dgst -sha1 file`: computes the SHA-1 digest of the file with OpenSSL.
4.)`openssl sha1 < file`: same as above.
5.)`openssl passwd -1`: generates a password hash for a user (with a random salt).
6.)`openssl req -noout -in server.csr -text`: displays the contents of a certificate signing request.
7.)`openssl genrsa -out server.key 1024`: creates a private key named server.key.
8.)`openssl req -new -x509 -key server.key -out server.crt`: creates a certificate named server.crt.
9.)`openssl version`: shows which version of OpenSSL is installed.
10.)`openssl ciphers`: lists the cipher suites OpenSSL supports.
11.)`openssl speed rsa`: benchmarks the RSA algorithm.
12.)`openssl enc -des3 -salt -a -in file_1 -out file_2`: encrypts file_1 into file_2 with the des3 algorithm (salted, base64-armored); add the -d option to decrypt.
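Items 3 to 5 and 12 of the list are the ones whose results are worth checking rather than just reading off the screen: the two SHA-1 forms should agree with each other and with a known answer, the password hash should be reproducible for a fixed salt, and an encrypt/decrypt round trip should return the original bytes. The functions below are an added example, not from the original post; they assume openssl 1.1.1 or newer on PATH. The AES cipher, the `-pbkdf2` key derivation and the `-pass env:` passphrase source are this example's choices (the post used `-des3` and prompts for the passphrase); `DEMO_PASS` and the sample file contents are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): the digest, password-hash and
# symmetric-encryption commands from the supplement, wrapped so that their
# results can be compared. Assumes openssl 1.1.1+ on PATH.
set -eu

# Item 3: `openssl dgst -sha1 file`; -r prints "hex *file", keep the hex only.
sha1_of_file() {
    openssl dgst -sha1 -r "$1" | cut -d' ' -f1
}

# Item 4: `openssl sha1 < file`; output is "(stdin)= hex" or "SHA1(stdin)= hex".
sha1_of_stdin_form() {
    openssl sha1 < "$1" | sed 's/^.*= //'
}

# Item 5: MD5-crypt password hash. Without -salt OpenSSL picks a random salt,
# so two runs differ; a fixed salt makes the result repeatable for comparison.
md5crypt_hash() {  # md5crypt_hash password salt
    openssl passwd -1 -salt "$2" "$1"
}

# Item 12, modernised: AES-256-CBC with PBKDF2 instead of des3, base64-armored (-a).
# The passphrase comes from the DEMO_PASS environment variable (this example's
# choice) so it does not show up in the process list.
encrypt_file() {  # encrypt_file in out
    openssl enc -aes-256-cbc -pbkdf2 -salt -a -in "$1" -out "$2" -pass env:DEMO_PASS
}
decrypt_file() {  # decrypt_file in out
    openssl enc -d -aes-256-cbc -pbkdf2 -a -in "$1" -out "$2" -pass env:DEMO_PASS
}

# Round-trip a constructed sample file; returns 0 only if the plaintext survived.
roundtrip_ok() {
    dir=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$dir/file_1"
    export DEMO_PASS='constructed demo passphrase'
    encrypt_file "$dir/file_1" "$dir/file_2"
    decrypt_file "$dir/file_2" "$dir/file_3"
    unset DEMO_PASS
    if cmp -s "$dir/file_1" "$dir/file_3"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Usage as a script: prints the checks for a constructed input.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); printf 'abc' > "$f"
    echo "sha1(abc) = $(sha1_of_file "$f")"
    echo "hash      = $(md5crypt_hash secret ab)"
    roundtrip_ok && echo "enc/dec round trip ok"
    rm -f "$f"
fi
```

The known answer used in the check, SHA-1 of the three bytes "abc", is a9993e364706816aba3e25717850c26c9cd0d89d; any difference between the two forms points at a whitespace or encoding change in the file, not at OpenSSL.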
On Red Hat there is a simpler way to create certificates and keys:
first change into /etc/pki/tls/certs (`cd /etc/pki/tls/certs`); from then on the make command can build a certificate or a key, and the file suffix tells them apart: `.key` is a private key, `.pem` and `.crt` are certificates.