
Making certificates with easyrsa

Published: 2023/12/3 | 编程问答 | 豆豆

1. Making certificates with easy_rsa 2.x:

Link: https://blog.51cto.com/wzlinux/1736459 (the appendix at the end).

Download the key-making tool easy_rsa 2:

wget https://github.com/Open×××/easy-rsa/archive/release/2.x.zip

Unzip easy_rsa and copy it to /etc/open***:

unzip 2.x.zip

mv easy-rsa-release-2.x/ /etc/open***/

Edit the easy-rsa vars file and set the relevant variables:

cd /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0

vim vars

export KEY_COUNTRY="CN"

export KEY_PROVINCE="Beijing"

export KEY_CITY="Beijing"

export KEY_ORG="APICloud"

export KEY_EMAIL="ADMIN@APICloud.COM"

export KEY_OU="***.apicloud.com"

After editing, save and exit.

Load the vars file you just edited and run the following commands:

source vars

./clean-all

./build-ca

Create the server certificate and key:

./build-key-server Open×××_Server

[root@cloud 2.0]# ./build-key-server Open×××_Server

Generating a 2048 bit RSA private key

.................................+++

............+++

writing new private key to 'Open×××_Server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [Open×××_Server]:

Name [EasyRSA]:

Email Address [ADMIN@ XIAOCUI.COM]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:' XIAOCUI '

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :T61STRING:'Open×××_Server'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@ XIAOCUI.COM'

Certificate is to be certified until May  2 07:49:13 2025 GMT (3650 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create the client certificate and key:

./build-key client-user-test1

[root@cloud 2.0]# ./build-key client-user-test1

Generating a 2048 bit RSA private key

....................+++

...............................................................................+++

writing new private key to 'client-user-cuiyuanrong.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [XIAOCUI]:

Organizational Unit Name (eg, section) [MyOpen×××]:

Common Name (eg, your name or your server's hostname) [client-user-test1]:

Name [EasyRSA]:

Email Address [ADMIN@XIAOCUI.COM]:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/open***/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BEIJING'

localityName          :PRINTABLE:'BEIJING'

organizationName      :PRINTABLE:'XIAOCUI'

organizationalUnitName:PRINTABLE:'MyOpen×××'

commonName            :PRINTABLE:'client-user-test1'

name                  :PRINTABLE:'EasyRSA'

emailAddress          :IA5STRING:'ADMIN@XIAOCUI.COM'

Certificate is to be certified until May  2 07:53:17 2025 GMT (3650 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Create the Diffie-Hellman parameters:

./build-dh


2. Making certificates with easy_rsa 3.x:

Link: http://openwrt.iteye.com/blog/2305318

Recently I have been looking into how to run open*** on a router, which involves using easyrsa to make certificates. In the latest open***-2.3.11 source package, easyrsa is no longer bundled and must be downloaded separately from https://github.com/Open×××/easy-rsa; the download is an easy-rsa-master.zip archive (attached). Unzip it on Linux to get easy-rsa-master, enter easyrsa3, and copy vars.example to a file named vars; this is the configuration file used when making certificates. For my needs I only enabled the following options:

set_var EASYRSA_DN "org"

set_var EASYRSA_REQ_COUNTRY "CN"

set_var EASYRSA_REQ_PROVINCE "Guangdong"

set_var EASYRSA_REQ_CITY "Shenzhen"

set_var EASYRSA_REQ_ORG "XXX"

set_var EASYRSA_REQ_EMAIL "me@myhost.mydomain"

/*************************************/

If the open*** client's configuration file uses ns-cert-type server, this option must be enabled: when the server certificate is made, the corresponding information is written into the certificate. If the option is not enabled, the open*** client reports server certificate verify fail.

set_var EASYRSA_NS_SUPPORT "yes"

/*************************************/

Now the certificates can be made. Each command prints some output when it runs; if something goes wrong, the error is reported.

1 ./easyrsa init-pki

Initialize: this creates a PKI directory under the current directory, used to store intermediate files and the final certificates.


2 ./easyrsa build-ca

Create the root certificate. You are first prompted to set a password, which the CA uses when signing the server and client certificates generated later. You are then prompted for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


3 ./easyrsa gen-req server nopass

Create the server certificate request and private key; nopass means the private key is not encrypted. You are then prompted for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


4 ./easyrsa sign server server

Sign the server certificate: first confirm the details shown by typing yes, then enter the password set during build-ca.


5 ./easyrsa gen-dh

Create the Diffie-Hellman parameters; this takes a while, so be patient.


6 To create the client certificate, copy the easyrsa3 folder to a separate location, delete the PKI directory inside it, and cd into that directory.

./easyrsa init-pki

Initialize: this creates a PKI directory under the current directory, used to store intermediate files and the final certificates.


7 ./easyrsa gen-req client nopass

Create the client certificate request and private key; nopass means the private key is not encrypted. You are then prompted for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.


8 Go back to the easyrsa3 directory used to make the server certificate and import the client request, ready for signing:

./easyrsa import-req <path to client.req> client

client.req should be under easyrsa3/pki/reqs/ in the directory where the client certificate was just made.


9 ./easyrsa sign client client

Sign the client certificate: first confirm the details shown by typing yes, then enter the password set during build-ca.


Note: it is best not to give the ca, server and client the same Common Name. I have not verified this, but people online say that with identical values open*** has problems connecting.


At this point the server and client certificates are done.

The open*** server side needs:

easyrsa3/pki/ca.crt <from the folder where the server certificate was made>

easyrsa3/pki/private/server.key <from the folder where the server certificate was made>

easyrsa3/pki/issued/server.crt <from the folder where the server certificate was made>

easyrsa3/pki/dh.pem


The open*** client side needs:

easy-rsa/easyrsa3/pki/ca.crt <from the folder where the server certificate was made>

easy-rsa/easyrsa3/pki/issued/client.crt <from the folder where the server certificate was made>

easy-rsa/easyrsa3/pki/private/client.key <from the folder where the client certificate was made>
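The easy-rsa 2.x steps (build-ca, build-key-server, build-key) and the 3.x steps (init-pki, build-ca, gen-req, sign) both drive the same underlying openssl operations. The script below is an added example, not code from the original post or from easy-rsa: it builds an equivalent throwaway PKI with plain openssl (constructed DN values, a temporary directory) and then checks what the note above warns about: both leaf certificates chain to ca.crt, the server certificate carries nsCertType=server for clients that use ns-cert-type server, and the CA, server and client Common Names are all distinct.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces with plain openssl
# what easy-rsa's build-ca / gen-req / sign steps do, then checks the output
# the way an open*** peer would. All DN values and paths are constructed.
set -eu

# Build a throwaway CA, a server cert and a client cert under directory $1.
build_demo_pki() {
    d="$1"; mkdir -p "$d"
    # build-ca: self-signed root; -nodes leaves the key unencrypted (like nopass)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=demo/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # gen-req <name> nopass: a key and a CSR per peer, with distinct Common Names
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=demo/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.req" 2>/dev/null
    done
    # sign <type> <name>: role extensions; nsCertType=server is what
    # EASYRSA_NS_SUPPORT "yes" adds for clients that use ns-cert-type server
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' >"$d/server.ext"
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' >"$d/client.ext"
    for name in server client; do
        openssl x509 -req -in "$d/$name.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 3650 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
    done
}

# Number of distinct Common Names among the ca/server/client certs (should be 3).
distinct_cn_count() {
    for f in ca server client; do
        openssl x509 -in "$1/$f.crt" -noout -subject -nameopt RFC2253 |
            sed -n 's/.*CN=\([^,]*\).*/\1/p'
    done | sort -u | wc -l | tr -d ' '
}

# Checks an open*** peer relies on: both leaf certs chain to ca.crt, only the
# server cert carries the server role, and no two Common Names collide.
check_demo_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'SSL Server' || return 1
    openssl x509 -in "$1/client.crt" -noout -text | grep -q 'SSL Server' && return 1
    [ "$(distinct_cn_count "$1")" = 3 ]
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir" && check_demo_pki "$demo_dir" && echo "PKI OK in $demo_dir"
```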



轉載于:https://blog.51cto.com/nanfeibobo/2119557
