*Make sure openssl points to the correct installation (%which openssl). Mine is aliased to /usr/local/openssl/bin/openssl
Generate a CA
1) openssl req -out ca.pem -new -x509
-generates CA file "ca.pem" and CA key "privkey.pem"
Generate server certificate/key pair
- no password required.
2) openssl genrsa -out server.key 1024
3) openssl req -key server.key -new -out server.req
4) openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem
-the contents of "file.srl" are a two-digit number, e.g. "00"
Generate client certificate/key pair
5) Either choose to encrypt the key (a) or not (b)
a. Encrypt the client key with a passphrase
openssl genrsa -des3 -out client.key 1024
b. Don't encrypt the client key
openssl genrsa -out client.key 1024
6) openssl req -key client.key -new -out client.req
7) openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
-the contents of "file.srl" are a two-digit number, e.g. "00"
8) DONE
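The steps above as one non-interactive script, followed by a check that each certificate chains to ca.pem and matches its private key. This is an added example, not part of the original page; the subject names, 30-day validity, temporary directory and 2048-bit key size are assumptions (the page uses 1024), and the client key is left unencrypted as in option b.

```shell
#!/bin/sh
# Added example: subjects, validity, directory and key size are assumptions.

# Steps 1-7 run inside the (empty) directory given as $1.
build_pki() {
    ( cd "$1" || exit 1
      umask 077                      # keep the private keys readable by owner only
      # Step 1: self-signed CA; -nodes skips the passphrase prompt,
      # -keyout names the default key file "privkey.pem" explicitly.
      openssl req -new -x509 -nodes -newkey rsa:2048 -keyout privkey.pem \
          -out ca.pem -days 30 -subj "/CN=Example Test CA" 2>/dev/null || exit 1
      # The serial file must exist before signing; "00" as on the page.
      printf '00\n' > file.srl
      for name in server client; do
          # Steps 2/5b: unencrypted key. Steps 3/6: signing request.
          openssl genrsa -out "$name.key" 2048 2>/dev/null || exit 1
          openssl req -key "$name.key" -new -out "$name.req" \
              -subj "/CN=$name.example.test" || exit 1
          # Steps 4/7: sign with the CA; file.srl is incremented on each run.
          openssl x509 -req -in "$name.req" -CA ca.pem -CAkey privkey.pem \
              -CAserial file.srl -days 30 -out "$name.pem" 2>/dev/null || exit 1
      done )
}

# Succeeds only if $2.pem chains to ca.pem and belongs to $2.key.
check_pair() {
    ( cd "$1" || exit 1
      openssl verify -CAfile ca.pem "$2.pem" >/dev/null 2>&1 || exit 1
      cert_mod=$(openssl x509 -noout -modulus -in "$2.pem") || exit 1
      key_mod=$(openssl rsa -noout -modulus -in "$2.key" 2>/dev/null) || exit 1
      [ "$cert_mod" = "$key_mod" ] )
}

workdir=$(mktemp -d)
if build_pki "$workdir" && check_pair "$workdir" server \
        && check_pair "$workdir" client; then
    echo "server.pem and client.pem verify against ca.pem in $workdir"
else
    echo "certificate generation or verification failed" >&2
fi
```

A failure in check_pair usually means the certificate was signed by a different CA key or paired with the wrong .key file.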
The Link:
http://acs.lbl.gov/~boverhof/openssl_certs.html
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php