5 Concise Linux System Maintenance Manual (Part 3)


~/sslca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
................................................
writing new private key to "./demoCA/private/./cakey.pem"
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(enter same password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:21vianet(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:CA(enter)
Email Address []:ca@xxx.com(enter)
~/sslca#
2.7 The next step is to generate a certificate for the gateway.
The commands and the questions to answer are shown below. Answer Country, State and Organization exactly as you did for the CA: the stock openssl.cnf signs under policy_match, which refuses a request whose C, ST or O differs from the CA certificate's. The Common Name should be the gateway's host name, because that is the identity the peer will check.
~/sslca# /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
................................................
writing new private key to "newreq.pem"
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:21vianet(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:vpnserver.rd.xxx.com(enter)
Email Address []:user@xxx.com(enter)

Please enter the following "extra" attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem

~/sslca# /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(the password you entered for the CA certificate)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'State'
localityName          :PRINTABLE:'City'
organizationName      :PRINTABLE:'21vianet'
commonName            :PRINTABLE:'vpnserver.rd.xxx.com'
emailAddress          :IA5STRING:'user@xxx.com'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y(enter)
1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem
Be sure to remember the passphrases you entered in the steps above: there is no way to recover a lost one, and without the CA passphrase you can sign nothing further. If you make a mistake at any step and want to start over, delete all the subdirectories under your sslca working directory (~/sslca in the transcripts above) and begin again from CA.sh -newca.
2.8 Rename the files to the names you need:
~/sslca# mv newcert.pem vpnserver.rd.xxx.com.pem
~/sslca# mv newreq.pem vpnserver.rd.xxx.com.key
2.9 newreq.pem holds both the private key and the certificate request, so edit the .key file and delete everything from "-----BEGIN CERTIFICATE REQUEST-----" to the end of the file. Afterwards the file should consist only of the block from "-----BEGIN RSA PRIVATE KEY-----" (including the Proc-Type and DEK-Info header lines that follow it, since the key is still encrypted with the passphrase from step 2.7) to "-----END RSA PRIVATE KEY-----".
2.10 If the X.509 patch was installed correctly you should see /etc/ipsec.d and its subdirectories (private, cacerts, crls). If not, create them yourself, and make sure /etc/ipsec.d/private and the .key file inside it are readable by root only. Then copy the files to the locations below (you are still in the sslca working directory). The openssl ca -gencrl step asks for the CA passphrase; the CRL it writes is only valid for default_crl_days (30 in the stock openssl.cnf), so regenerate and copy it before it expires.
# cp vpnserver.rd.xxx.com.key /etc/ipsec.d/private
# cp vpnserver.rd.xxx.com.pem /etc/ipsec.d
# openssl x509 -in demoCA/cacert.pem -outform der -out rootca.der
# cp rootca.der /etc/ipsec.d/cacerts/RootCA.der
# openssl x509 -in vpnserver.rd.xxx.com.pem -outform der -out /etc/x509cert.der
# openssl ca -gencrl -out crl.pem
# cp crl.pem /etc/ipsec.d/crls
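The whole procedure from CA.sh -newca to the copies into /etc/ipsec.d, run end to end without the interactive prompts, as an added example: this is not part of the original manual and not the CA.sh script itself, but the same openssl commands that CA.sh wraps, driven with -subj, -batch and -passin/-passout. It goes a little beyond the text: it writes its own minimal openssl.cnf (with the same policy_match rule the stock file uses, so a request whose C/ST/O differ from the CA's is refused exactly as CA.sh -sign would refuse it), puts the key and the request in separate files so the hand editing of step 2.9 is not needed, adds basicConstraints/keyUsage/subjectAltName extensions, and finishes with an openssl verify against the CA certificate and the fresh CRL. Assumptions: the openssl command is on PATH; the work directory, host name, DN values and the passphrases (CA_PASSPHRASE, HOST_PASSPHRASE) are placeholders; /etc/ipsec.d is replaced by "$work/etc/ipsec.d" so the script can be run by an unprivileged user and the results inspected before anything is copied onto the gateway.

```shell
#!/bin/sh
# Added example (not from the original manual): non-interactive version of
# steps 2.6-2.10 using openssl directly instead of /usr/lib/ssl/misc/CA.sh.
# Usage: sh make_vpn_certs.sh <workdir> [hostname]
set -eu

make_vpn_certs() {
    work=${1:-./sslca}                       # placeholder for ~/sslca
    host=${2:-vpnserver.rd.xxx.com}          # placeholder gateway name
    capass=${CA_PASSPHRASE:-ca-placeholder-pass}
    hostpass=${HOST_PASSPHRASE:-host-placeholder-pass}
    ipsec_dir="$work/etc/ipsec.d"            # stand-in for /etc/ipsec.d

    # Layout that "openssl ca" expects (what CA.sh -newca creates under demoCA/)
    mkdir -p "$work/demoCA/private" "$work/demoCA/newcerts" \
             "$ipsec_dir/private" "$ipsec_dir/cacerts" "$ipsec_dir/crls"
    chmod 700 "$work/demoCA/private" "$ipsec_dir/private"
    : > "$work/demoCA/index.txt"
    echo 01 > "$work/demoCA/serial"
    echo 01 > "$work/demoCA/crlnumber"

    # Self-contained config: same policy_match rule as the stock openssl.cnf,
    # so a request whose C/ST/O differ from the CA's is rejected at signing time.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:$host
EOF

    # 2.6: encrypted CA key plus self-signed CA certificate (CA.sh -newca)
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -config "$work/ca.cnf" -extensions v3_ca \
        -subj "/C=US/ST=State/L=City/O=ExampleCo/CN=CA" \
        -keyout "$work/demoCA/private/cakey.pem" -passout "pass:$capass" \
        -out "$work/demoCA/cacert.pem" 2>/dev/null

    # 2.7: gateway key and request (CA.sh -newreq), written to separate files
    # so there is no CERTIFICATE REQUEST block to strip from the key (step 2.9)
    openssl req -new -newkey rsa:2048 -sha256 \
        -config "$work/ca.cnf" \
        -subj "/C=US/ST=State/L=City/O=ExampleCo/CN=$host" \
        -keyout "$work/$host.key" -passout "pass:$hostpass" \
        -out "$work/$host.csr" 2>/dev/null

    # 2.7: sign the request with the CA (CA.sh -sign); -batch answers the y/n prompts
    openssl ca -batch -config "$work/ca.cnf" -extensions v3_host \
        -passin "pass:$capass" -in "$work/$host.csr" -out "$work/$host.pem" 2>/dev/null

    # 2.8 + 2.10: install under the stand-in ipsec.d, CA cert as DER, plus a CRL
    cp "$work/$host.key" "$ipsec_dir/private/"
    cp "$work/$host.pem" "$ipsec_dir/"
    chmod 600 "$ipsec_dir/private/$host.key"
    openssl x509 -in "$work/demoCA/cacert.pem" -outform der -out "$ipsec_dir/cacerts/RootCA.der"
    openssl x509 -in "$work/$host.pem" -outform der -out "$work/etc/x509cert.der"
    openssl ca -gencrl -config "$work/ca.cnf" -passin "pass:$capass" \
        -out "$ipsec_dir/crls/crl.pem" 2>/dev/null

    # Check: the installed gateway certificate must chain to the CA and pass CRL checking
    openssl verify -CAfile "$work/demoCA/cacert.pem" -crl_check \
        -CRLfile "$ipsec_dir/crls/crl.pem" "$ipsec_dir/$host.pem" >/dev/null
}

if [ -n "${1:-}" ]; then
    make_vpn_certs "$@"
fi
```

Run it against a scratch directory first and inspect the result with openssl x509 -text before copying anything into the real /etc/ipsec.d; the CA key stays under demoCA/private and does not belong on the gateway at all.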
