"The Buddha said it cannot be spoken: in one sense because it cannot be put into words, in another because it must not be said. Much speech is meaningless; at most it stirs a small ripple in a stillness that cannot be joined, which may perhaps carry on, but mostly it only agitates a deluded mind." Generate an ECDSA certificate private key:
    openssl ecparam -name sect233k1 -out sect233k1_ca
    openssl ecparam -in sect233k1_ca -genkey -noout -out ca.key
Generate a DSS certificate private key: […]
Tag: openssl
Experiences with SSL
Summary of OpenSSL features
OpenSSL is so vast and deep that I constantly run into requirements that send me back to the manual or to Google, so I am collecting the features I have actually used, sorted by category, so that I can look them up here later. Generating a root certificate and issuing certificates. Generate the root certificate:
    openssl genrsa -out RootCA.key 2048
    openssl req -new -key RootCA.key -out RootCA.csr -subj /C=CN/ST=SX […]
Testing a CRL with OpenSSL
First generate the certificate revocation list. In the directory that holds your own root certificate and the certificate to be revoked, run the following:
    touch index.txt serial crlnumber
    echo 00 > crlnumber
    echo 00 > serial
    openssl ca -revoke Server.pem -config openssl.cnf
    openssl ca -gencrl -out Server.crl -config openssl.cnf
This produces a revocation list covering the Server.pem certificate, named Server.crl. I once thought that was all there was to it, but it turned out I was stuck in a pit for a long time :-( At some point, at someone else's request, I modified openssl.cnf and added the following under the [ v3_ca ] section: […]
Generating a multi-level certificate chain with OpenSSL
It has been a long time since I left Beijing and last touched OpenSSL. Recently I needed it to generate certificates for testing, so I relearned it. There is plenty of material online about generating certificates; to make things convenient I wrote a script that can easily generate a certificate chain of 1 to 100 levels:
    #!/bin/bash
    # Usage: ./mkcert.sh <level>  -- builds a chain of <level> CAs, then a
    # Server and a Client certificate signed by the last CA in the chain.
    if [ $# -ne 1 ];then
        echo "usage ./mkcert.sh level"
        exit 1
    fi

    # whether to protect the private keys with a password
    PRIVATE_KEY_WITH_PASSWORD="false"
    PASSWORD="helloworld"
    DAYS=3650
    SUBJECT=""
    POLICY="policy_anything"
    if [ $PRIVATE_KEY_WITH_PASSWORD == "true" ];then
        PASSOUT="-aes256 -passout pass:$PASSWORD"
        PASSIN="-passin pass:$PASSWORD"
    else
        PASSOUT=""
        PASSIN=""
    fi

    # keystore password
    PKCSPASSOUT="-passout pass:Aa123456"
    TRUSTKEYSTOREPASSWORD="Aa123456"

    rm -rf RootCA* newCert

    # Prepare one CA directory per level, each with its own openssl.cnf
    # pointing at that level's certificate and private key.
    LV=0
    while [ $LV -lt $1 ]
    do
        mkdir RootCA$LV
        touch RootCA$LV/index.txt RootCA$LV/serial
        echo "01" > RootCA$LV/serial
        CERTIFICATE="certificate = \$dir/RootCA$LV.pem"
        PRIVATE_KEY="private_key = \$dir/private/RootCA$LV.key"
        cp openssl.cnf openssl.cnf.tmp
        sed -i "48 a$CERTIFICATE" openssl.cnf.tmp
        sed -i "54 a$PRIVATE_KEY" openssl.cnf.tmp
        mv openssl.cnf.tmp RootCA$LV/openssl.cnf
        ((LV=LV+1))
    done

    # Level 0 is self-signed; every further level is signed by the level above it.
    LV=0
    while [ $LV -lt $1 ]
    do
        echo
        echo "======= creating RootCA$LV ======="
        echo
        if [ $LV -eq 0 ];then
            cd RootCA$LV
            openssl genrsa $PASSOUT -out RootCA$LV.key 2048
            openssl req -new -x509 -days $DAYS -key RootCA$LV.key $PASSIN -out RootCA$LV.pem -subj /C=CN/ST=GS/L=LZ/O=LZUiversity/OU=ETS/CN=RootCA$LV/emailAddress=RootCA$LV@lzu.cn -config openssl.cnf -sha256
        else
            cd ..; cd RootCA$LV
            openssl genrsa $PASSOUT -out RootCA$LV.key 2048
            openssl req -new -x509 -days $DAYS -key RootCA$LV.key $PASSIN -out RootCA$LV.crt -subj /C=CN/ST=GS/L=LZ/O=LZUiversity/OU=ETS/CN=RootCA$LV/emailAddress=RootCA$LV@lzu.cn -config openssl.cnf
            openssl ca -ss_cert RootCA$LV.crt -cert ../RootCA$((LV-1))/RootCA$((LV-1)).pem -keyfile ../RootCA$((LV-1))/RootCA$((LV-1)).key $PASSIN -config openssl.cnf -policy $POLICY -out RootCA$LV.pem -outdir ./ -extensions v3_ca -batch
        fi
        ((LV=LV+1))
    done
    ((LV=LV-1))

    echo
    echo "======= creating Server.pem ======="
    echo
    openssl genrsa $PASSOUT -out Server.key 2048
    openssl req -new -x509 -days $DAYS -key Server.key $PASSIN -out Server.crt -subj /C=CN/ST=GS/L=LZ/O=LZUiversity/OU=ETS/CN=Server/emailAddress=RootCA$LV@lzu.cn -config openssl.cnf
    openssl ca -ss_cert Server.crt -cert RootCA$LV.pem -keyfile RootCA$LV.key $PASSIN -config openssl.cnf -policy $POLICY -out Server.pem -outdir ./ -batch

    echo
    echo "======= creating Client.pem ======="
    echo
    openssl genrsa $PASSOUT -out Client.key 2048
    openssl req -new -x509 -days $DAYS -key Client.key $PASSIN -out Client.crt -subj /C=CN/ST=GS/L=LZ/O=LZUiversity/OU=ETS/CN=Client/emailAddress=RootCA$LV@lzu.cn -config openssl.cnf
    openssl ca -ss_cert Client.crt -cert RootCA$LV.pem -keyfile RootCA$LV.key $PASSIN -config openssl.cnf -policy $POLICY -out Client.pem -outdir ./ -batch

    echo
    echo "======= verify Server.pem Client.pem ======="
    echo
    # Append every ancestor CA to the last CA's file so it can serve as a CA bundle.
    cp RootCA$LV.pem RootCA$LV.pem.bak
    ROOTS=0
    while [ $ROOTS -lt $LV ]
    do
        cat ../RootCA$ROOTS/RootCA$ROOTS.pem >> RootCA$LV.pem
        ((ROOTS+=1))
    done
    openssl verify -CAfile RootCA$LV.pem Server.pem Client.pem

    echo
    echo "======= collect cert ======="
    echo
    cd ..;mkdir newCert
    mv RootCA$LV/Server.key RootCA$LV/Server.pem RootCA$LV/Client.key RootCA$LV/Client.pem RootCA$LV/RootCA$LV.key RootCA$LV/RootCA$LV.pem newCert

    echo
    echo "======= verify the cert and private key ======="
    echo
    # Matching modulus digests show that each key belongs to its certificate.
    cd newCert
    openssl rsa -modulus -noout -in Server.key | openssl md5
    openssl x509 -modulus -noout -in Server.pem | openssl md5
    openssl rsa -modulus -noout -in Client.key | openssl md5
    openssl x509 -modulus -noout -in Client.pem | openssl md5

    # generate pkcs12 for java program
    echo
    echo "======= generate pkcs12 without chain for java program ======="
    echo
    openssl pkcs12 -export -in Server.pem -inkey Server.key -name Server $PKCSPASSOUT -out Server.p12
    openssl pkcs12 -export -in Client.pem -inkey Client.key -name Client $PKCSPASSOUT -out Client.p12
    keytool -import -alias Client -keystore ServerTrust.p12 -storepass $TRUSTKEYSTOREPASSWORD -noprompt -file Client.pem
    keytool -import -alias Server -keystore ClientTrust.p12 -storepass $TRUSTKEYSTOREPASSWORD -noprompt -file Server.pem

    echo
    echo "======= generate pkcs12 with chain for java program ======="
    echo
    openssl pkcs12 -export -chain -CAfile RootCA$LV.pem -in Server.pem -inkey Server.key -name Server $PKCSPASSOUT -out Server_wc.p12
    openssl pkcs12 -export -chain -CAfile RootCA$LV.pem -in Client.pem -inkey Client.key -name Client $PKCSPASSOUT -out Client_wc.p12
Save the above as a script named mk.sh, then copy /etc/ssl/openssl.cnf into the current directory next to mk.sh and modify openss […]
Compiling OpenSSL with ARM GCC
1. Download arm-linux-gcc and OpenSSL. Recommended download location for arm-gcc: http://ftp.arm.linux.org.uk/pub/armlinux/toolchain ; the current version at the time of writing is cross-3.2.tar.bz2. The OpenSSL release used is openssl-1.0.1j.tar.gz.