
openssl: what do ou=, cn mean?

Source: kuaidi.ping-jia.net  Author: anonymous  Updated: 2018-08-16
Hello. While generating a self-signed certificate with openssl I ran into a problem. All of my steps were:
1. OpenSSL Windows installer version: openssl-0.9.8h-1-setup.exe
2. Double-click to install; my install location is: C:\OpenSSL
3. Configure environment variables
OPENSSL_HOME C:\OpenSSL
path %OPENSSL_HOME%\bin
4. Edit the file openssl.cnf
%OPENSSL_HOME%\share\openssl.cnf
Note the variable dir: it points to the CA working directory. This post uses the path d:/ca as the CA working directory, so dir is changed accordingly.
After the change:
####################################################################
[ CA_default ]
dir = d:/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
5. After creating the CA working directory, we need to create some subdirectories under it to hold certificates, keys and so on.
This is done with the following bat file:
@rem Uses the CA working directory configured above; mine is d:/ca
@echo off
echo 新建CA目录ca
set dir=d:\ca
if exist %dir% goto okDir
echo 目录%dir%不存在
mkdir %dir%
echo 目录创建成功
:okDir
cd %dir%
d:
echo 构建已发行证书存放目录certs
mkdir certs
echo 构建新证书存放目录newcerts
mkdir newcerts
echo 构建私钥存放目录private
mkdir private
echo 构建证书吊销列表存放目录crl
mkdir crl
echo 构建索引文件index.txt
@rem index.txt must start out empty. "echo 0>index.txt" is parsed by cmd as a
@rem redirection of handle 0, so create the empty file with "type nul" instead.
type nul >index.txt
echo 构建序列号文件serial
@rem "echo 01>serial" is parsed as "echo 0" followed by "1>serial" (handle 1
@rem redirect) and writes only "0"; redirecting first writes the full "01".
>serial echo 01
echo 构建随机数private/.rand
@rem openssl command: write 1000 random bytes into the PRNG seed file
openssl rand -out private/.rand 1000
@pause
6. Create the certificates
OpenSSL normally stores private keys in the PEM (Privacy Enhanced Mail) encoding.
Build the root certificate's private key
C:\OpenSSL>openssl genrsa -aes256 -out e:\lcl.pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)
Enter pass phrase for lcl.pem:
Verifying - Enter pass phrase for lcl.pem:
View the private key information
C:\OpenSSL>openssl rsa -noout -text -in e:\lcl.pem
Enter pass phrase for e:\lcl.pem:
Private-Key: (2048 bit)
modulus:
If you find the passphrase protecting lcl.pem too much trouble and want to remove it:
openssl rsa -in e:\lcl.pem -out e:\lcl.pem.unsecure
This is not recommended, though.
Generate the root certificate signing request
C:\OpenSSL>openssl req -new -verbose -key e:\lcl.pem -out e:\lcr.csr -days 365 -config C:\OpenSSL\share\openssl.cnf -subj "/c=CN/st=BJ/l=HD/o=HANSKY/ou=STS/cn=LCR"
Using configuration from C:\OpenSSL\share\openssl.cnf
Enter pass phrase for e:\lcl.pem:
Loading 'screen' into random state - done
Subject Attribute c has no known NID, skipped
Subject Attribute st has no known NID, skipped
Subject Attribute l has no known NID, skipped
Subject Attribute o has no known NID, skipped
Subject Attribute ou has no known NID, skipped
Subject Attribute cn has no known NID, skipped
Once we have the root certificate signing request file, we can send it to a CA for signing. Of course, we can also sign the root certificate ourselves.
7. Sign the root certificate
C:\OpenSSL>openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey e:\lcl.pem -in e:\lcr.csr -out e:\lcr.cer
Loading 'screen' into random state - done
Signature ok
subject=
Getting Private key
Enter pass phrase for e:\lcl.pem:
8. Convert the root certificate
Digital certificates produced by OpenSSL cannot be used directly from Java; they have to be converted to the PKCS#12 encoding.
C:\OpenSSL>openssl pkcs12 -export -cacerts -inkey e:\lcl.pem -in e:\lcr.cer -out e:\ca.p12
Loading 'screen' into random state - done
Enter pass phrase for e:\lcl.pem:
Enter Export Password:
Verifying - Enter Export Password:
9. View the keystore information
A Personal Information Exchange file (PKCS#12) can serve as a keystore or a truststore; we can view the details of this keystore with keytool.
keytool -list -keystore e:\ca.p12 -storetype pkcs12 -v -storepass aaaaaaa
Here an error appears:
keytool错误: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
I also looked up some material online, but the problem is still not solved and I do not know what is causing it. My steps followed the book 《Java加密与解密的艺术》 (The Art of Java Encryption and Decryption).
Also, could someone explain the file suffixes that come up during certificate generation, such as keystore, pem, crt, cer, etc.?
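An added example, not from the post or from OpenSSL: a pre-flight check that mirrors OpenSSL's case-sensitive lookup of the attribute type in each `/type=value` element of `-subj`, which is why the lowercase `c`, `st`, `l`, `o`, `ou`, `cn` in the `openssl req` output above were all reported as "no known NID, skipped", leaving the request with an empty subject and the self-signed certificate with the empty issuer that keytool rejects. The attribute table and function names are the example's own; the uppercase short names `C`, `ST`, `L`, `O`, `OU`, `CN` are the ones OpenSSL accepts.

```python
"""Pre-flight check for an OpenSSL -subj string (example code, not OpenSSL's).
OpenSSL matches the type of each /type=value element against its table of
object names case-sensitively; an unknown type is "has no known NID, skipped".
If every element is skipped the CSR's subject is empty, so a self-signed
certificate has an empty issuer DN, which keytool refuses to load."""
import re

# Short names OpenSSL accepts for the attributes used on this page (a subset
# constructed for this example; OpenSSL's real table is far larger).
KNOWN_ATTRS = {"C", "ST", "L", "O", "OU", "CN", "emailAddress"}

def parse_subj(subj):
    """Split '/type=value/type=value' into (type, value) pairs; a backslash
    escapes the next character, so a value may contain a literal '\\/'."""
    if not subj.startswith("/"):
        raise ValueError("subject must start with '/'")
    pairs = []
    for part in re.split(r"(?<!\\)/", subj[1:]):  # split on unescaped '/'
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"element {part!r} has no '='")
        typ, value = part.split("=", 1)
        pairs.append((typ, re.sub(r"\\(.)", r"\1", value)))  # drop escapes
    return pairs

def check_subj(subj):
    """Return (kept, skipped): the (type, value) pairs OpenSSL would put in
    the subject and the attribute types it would drop, both in order."""
    kept, skipped = [], []
    for typ, value in parse_subj(subj):
        if typ in KNOWN_ATTRS:
            kept.append((typ, value))
        else:
            skipped.append(typ)
    return kept, skipped

def issuer_would_be_empty(subj):
    """True when a self-signed certificate built from this -subj would carry
    the empty issuer DN behind keytool's 'Empty issuer DN not allowed'."""
    kept, _ = check_subj(subj)
    return not kept

if __name__ == "__main__":
    for subj in ("/c=CN/st=BJ/l=HD/o=HANSKY/ou=STS/cn=LCR",
                 "/C=CN/ST=BJ/L=HD/O=HANSKY/OU=STS/CN=LCR"):
        kept, skipped = check_subj(subj)
        for typ in skipped:  # same wording as the openssl req output above
            print(f"Subject Attribute {typ} has no known NID, skipped")
        print(f"{subj}: {len(kept)} kept, empty issuer: {issuer_would_be_empty(subj)}")
```

Passing the uppercase form `/C=CN/ST=BJ/L=HD/O=HANSKY/OU=STS/CN=LCR` to `openssl req -subj` keeps all six attributes, so the subject, and therefore the issuer of the self-signed certificate, is no longer empty.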