Releasing a small tool, CATool, for generating Apache certificates on Windows
Posted by ipaddr on 2008-04-06 23:31
CATool
1. Introduction

CATool is a simple tool written by 鱼漂 [admin.net(#)163.com] as DOS batch commands for generating digital certificates for use with Apache. It runs on Windows, bundles openssl, and uses it to generate the certificates. CATool is modelled on a Bash script (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz) and adds some features. (If you have Cygwin installed on Windows you can still use ssl.ca-0.1.tar.gz there; without Cygwin, use CATool.) The certificates CATool generates through openssl can be used by Apache on Windows or Unix (Linux) to enable HTTPS. The latest version of CATool and its usage instructions are at http://www.eit.name/catool/.

2. How to use

[[Click here to download]]

After downloading and unpacking, open a Windows command window, change into the CATool directory, and run the commands it contains. Choose one of the following three usages, as needed:

1 Create your own Root CA and a server certificate

In the command window, change into the CATool directory and run the following commands in turn:

a. CreateRootCA.bat

E:\CATool>CreateRootCA.bat
No Root CA key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for cert\ca.key: <= enter the root CA passphrase; you need to remember it
Verifying - Enter pass phrase for cert\ca.key: <= repeat the passphrase
Self-sign the root CA...
Enter pass phrase for cert\ca.key: <= enter the passphrase again; it is used to sign the root certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <= fill in the following fields as appropriate for you
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, MD Root CA) []:EIT CA
Email Address []:admin@eit.name
E:\CATool>

After running this command, ca.key and ca.crt are generated in the Cert/ directory.

b. CreateServerCert.bat

E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter the Apache server name (this input determines the generated file names)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, www.domain.com) []:www.eit.name <= enter the Apache host name
Email Address []:webmaster@eit.name
E:\CATool>

After running this command, server.key and server.csr are generated in the Cert/ directory (if you entered server name=myserver, then myserver.* is generated).

c. SignServerCert.bat

E:\CATool>SignServerCert.bat
Please input the server name:server <= enter the server name from above
template\ca.db.index
template\ca.db.serial
已复制 2 个文件。
Singing...
Using configuration from template\sign.conf
Loading 'screen' into random state - done
Enter pass phrase for ./cert/ca.key: <= enter the root CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'GuangZhou'
organizationName      :PRINTABLE:'EIT.NAME'
organizationalUnitName:PRINTABLE:'SystemAdmin Team'
commonName            :PRINTABLE:'www.eit.name'
emailAddress          :IA5STRING:'webmaster@eit.name'
Certificate is to be certified until Apr 6 15:04:55 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y <= enter Y to confirm
Write out database with 1 new entries
Data Base Updated
Verfiying...
cert\www.eit.name.crt: OK
E:\CATool>

This generates the two files server.crt and server.key in the cert/ directory. Copy both files to Apache's conf/ directory and configure httpd-ssl.conf as follows:

SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"

2 Create a self-signed server certificate

In the command window, change into the CATool directory and run the following command:

a. SelfSignCert.bat

E:\CATool>SelfSignCert.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'cert\selfsign.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, MD Root CA) []:MY CA
Email Address []:self@eit.name
E:\CATool>

This generates selfsign.pem in the cert/ directory. Copy this file to Apache's conf/ directory and configure httpd-ssl.conf as follows:

SSLCertificateFile "C:/Apache2/conf/selfsign.pem"
#SSLCertificateKeyFile "C:/Apache2/conf/server.key" (comment this line out)

3 Have a third party sign the server certificate

In the command window, change into the CATool directory and run the following command:

a. CreateServerCert.bat

E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter the Apache server name (this input determines the generated file names)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, www.domain.com) []:www.eit.name <= enter the Apache host name
Email Address []:webmaster@eit.name
E:\CATool>

This generates server.csr and server.key in the cert/ directory. Submit server.csr to the third-party CA for signing; you get back server.crt. Copy server.crt and server.key to Apache's conf directory and configure as follows:

SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"

Additional note: for Apache to support HTTPS, besides the certificate and configuration generated above, Apache must be built with and configured for mod_ssl. For details see: http://httpd.apache.org/docs/2.2/ssl/
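The three-step flow of usage 1 (CreateRootCA -> CreateServerCert -> SignServerCert), written as an added example in POSIX shell with plain openssl commands rather than the tool's own batch files. It assumes openssl on the PATH; the DN values, host name, paths and passphrase are constructed for the demo, and it uses 2048-bit RSA instead of the 1024-bit keys shown in the 2008 transcripts, since 1024-bit RSA is no longer considered secure.

```shell
#!/bin/sh
# Added example (not CATool's own code): the CreateRootCA -> CreateServerCert ->
# SignServerCert flow as plain openssl commands, made non-interactive with -subj.
# 2048-bit RSA replaces the 1024-bit keys in the 2008 transcripts. Paths, DN values
# and the passphrase are constructed for this demo.
set -eu

# Like CreateRootCA.bat: writes DIR/ca.key (passphrase-protected) and DIR/ca.crt.
create_root_ca() {
  dir=$1; pass=$2
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" -passin "pass:$pass" \
    -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=EIT.NAME/OU=SystemAdmin Team/CN=EIT CA" \
    -out "$dir/ca.crt"
}

# Like CreateServerCert.bat: writes DIR/NAME.key and DIR/NAME.csr with CN=HOST.
create_server_csr() {
  dir=$1; name=$2; host=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=EIT.NAME/CN=$host" 2>/dev/null
}

# Like SignServerCert.bat: the CA signs DIR/NAME.csr for 365 days into DIR/NAME.crt.
sign_server_cert() {
  dir=$1; name=$2; pass=$3
  openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -passin "pass:$pass" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# The tool's "Verfiying..." step plus a check it does not do: that the public key in
# NAME.crt is the one in NAME.key, so Apache will not reject a mismatched pair.
# Prints OK on success, FAIL (does not chain to ca.crt) or MISMATCH otherwise.
verify_cert() {
  dir=$1; name=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || { echo FAIL; return 1; }
  crt_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
  [ "$crt_pub" = "$key_pub" ] && echo OK || { echo MISMATCH; return 1; }
}

main() {
  work=$(mktemp -d); pass=demo-ca-passphrase   # constructed demo values
  create_root_ca "$work" "$pass"
  create_server_csr "$work" server www.example.test
  sign_server_cert "$work" server "$pass"
  verify_cert "$work" server
  echo "deploy $work/server.crt and $work/server.key via SSLCertificateFile / SSLCertificateKeyFile"
}
main
```

Like the tool's CSR, this one carries only a CN; current browsers require a subjectAltName, which means adding `-addext "subjectAltName=DNS:<host>"` to the req command and, with OpenSSL 3, `-copy_extensions copy` to the x509 -req command.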