Tuesday, December 19, 2006

Certification

Fedora 4.0 path:
/etc/pki/tls/misc/CA

RedHat Enterprise 3.0/4.0 path:
/usr/share/ssl/misc

Generate the Root CA:
./CA -newca

View the decoded contents of the cert:
cd ../../CA
openssl x509 -in cacert.pem -noout -text

Generate a cert request:
./CA -newreq

View the decoded contents of the cert request:
openssl req -in newreq.pem -noout -text

Split out the private key:
head -18 newreq.pem > private.des3

Sign the cert:
./CA -sign

Change the validity period of the Root CA:
vi CA
DAYS="-days 3650"

Change the validity period of the certs that get issued:
vi /etc/pki/tls/openssl.cnf
default_days = 730 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering

Remove the DES3 encryption from the private key:
openssl rsa -in private.des3 -out private.key

To import a cert into LDAP it must first be converted to .der format
openssl x509 -in newcert.pem -outform der -out newcert.der
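The two steps above, splitting the private key out of newreq.pem and turning a PEM cert into DER, are both plain text manipulation once you know the PEM framing, so here is a small parser that does them without openssl. This is an added example, not code from the original post: it parses PEM blocks by their BEGIN/END markers instead of by line count (so it keeps working when a larger key or the encryption headers change how many lines `head -18` would need), keeps the Proc-Type/DEK-Info headers that `CA -newreq` writes on an encrypted key, and base64-decodes a block body to DER the way `openssl x509 -outform der` would. The sample newreq.pem inside it is constructed: the key and request bodies are arbitrary bytes, not a real key or CSR, and the DEK-Info IV is a placeholder.

```python
import base64
import re

# Constructed sample data: arbitrary bytes standing in for the key and the
# request DER. NOT a real key or CSR; only the PEM framing is realistic.
_KEY_BYTES = b"constructed-encrypted-key-bytes-0123456789"
_REQ_BYTES = b"constructed-certificate-request-bytes"


def _pem_block(label, data, headers=None):
    """Wrap raw bytes in PEM framing: 64-column base64 between BEGIN/END
    lines. Optional RFC 1421 headers (Proc-Type, DEK-Info) go before a
    blank line, which is how openssl writes a passphrase-protected key."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    head = "\n".join(headers) + "\n\n" if headers else ""
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, head, body, label)


# Constructed newreq.pem: an encrypted key block (with the headers that
# `CA -newreq` writes) followed by the certificate request block.
SAMPLE_NEWREQ_PEM = (
    _pem_block("RSA PRIVATE KEY", _KEY_BYTES,
               ["Proc-Type: 4,ENCRYPTED",
                "DEK-Info: DES-EDE3-CBC,0000000000000000"])  # placeholder IV
    + _pem_block("CERTIFICATE REQUEST", _REQ_BYTES)
)

# One PEM block: label after BEGIN must match the label after END.
_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Parse every PEM block in `text` into (label, headers, der_bytes).
    Header lines (if any) are separated from the base64 body by a blank line."""
    out = []
    for m in _BLOCK_RE.finditer(text):
        label, raw = m.group(1), m.group(2)
        headers, b64 = [], raw
        if "\n\n" in raw:
            hdr, b64 = raw.split("\n\n", 1)
            headers = [h for h in hdr.splitlines() if h.strip()]
        der = base64.b64decode("".join(b64.split()))
        out.append((label, headers, der))
    return out


def private_key_pem(text):
    """Return the private key block as PEM text: what `head -18 newreq.pem`
    does on the page, but selected by marker rather than by line count."""
    for m in _BLOCK_RE.finditer(text):
        if m.group(1).endswith("PRIVATE KEY"):
            return m.group(0) + "\n"
    raise ValueError("no private key block found")


def pem_to_der(text, label):
    """Return the DER bytes of the first block with this label, the
    equivalent of `openssl x509 -in x.pem -outform der` for a certificate.
    An encrypted block (one carrying headers) is refused: its body is
    ciphertext, not DER, so it must be decrypted with `openssl rsa` first."""
    for lbl, headers, der in pem_blocks(text):
        if lbl == label:
            if headers:
                raise ValueError("%s block is encrypted; decrypt it first" % lbl)
            return der
    raise ValueError("no %s block found" % label)


def head_n_lines(text, n):
    """Imitate `head -N` so the line-count approach can be compared."""
    return "".join(text.splitlines(True)[:n])


if __name__ == "__main__":
    for label, headers, der in pem_blocks(SAMPLE_NEWREQ_PEM):
        print(label, headers, len(der), "bytes")
    print(private_key_pem(SAMPLE_NEWREQ_PEM))
    # With this constructed key the whole key block is only 6 lines, so
    # `head -18` would also swallow the request block that follows it.
    print(head_n_lines(SAMPLE_NEWREQ_PEM, 18) == private_key_pem(SAMPLE_NEWREQ_PEM))
```

The point of `private_key_pem` is that 18 is not a property of PEM, only of one particular key size and one particular encryption header layout; anchoring on the markers is what tools like `openssl rsa -in newreq.pem` do internally, and it is the safer thing to script.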

Attribute in the LDIF file:
userCertificate;binary:<file:///path/newcert.der

To import a personal cert into Outlook Express it must first be converted to PKCS#12 format;
this format contains both the cert and the private key
openssl pkcs12 -export -in newcert.pem -out newcert.p12 -inkey private.key
