I. System Environment Description
Linux localhost 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] /home/study]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Windows 7 x64, IIS 7, default website
II. Create a certificate chain
Note: read the note in section III first to avoid detours.
1. Create a root certificate (self-signed certificate)
echo "create root ca key"
openssl genrsa -out root-key.key 1024
echo ----------------------
echo "create root cert request"
openssl req -new -key root-key.key -out root-req.csr -text -subj "/CN=MRootCA"
echo ----------------------
echo "create root self sign cert"
openssl x509 -req -in root-req.csr -out RootCA.crt -sha1 -signkey root-key.key -days 3650 -text -extfile openssl.cnf -extensions v3_ca
2. Create an intermediate certificate (signed with the root CA's private key)
echo "create 2 level cert key"
openssl genrsa -des3 -out root-mid.key 1024
echo ----------------------
echo "create 2 level cert csr"
openssl req -new -key root-mid.key -out root-mid.csr -text -subj "/CN=MidCA"
echo ----------------------
echo "sign with root-crt"
openssl x509 -req -in root-mid.csr -CA RootCA.crt -CAkey root-key.key -CAcreateserial -days 3650 -out RootMid.crt -text -extfile openssl.cnf -extensions v3_ca
3. Create a server certificate (signed with the intermediate certificate's private key)
Create a certificate request:
# In IIS, use "Create Certificate Request" and copy the resulting file to the Linux system (here assumed to be named server.csr)
openssl x509 -req -in server.csr -CA RootMid.crt -CAkey root-mid.key -CAcreateserial -days 3560 -out server.crt -text -extfile openssl.cnf -extensions v3_ca
4. Copy the root certificate (RootCA.crt), the intermediate certificate (RootMid.crt from step 2, referred to here as MidCA.crt), and the server certificate (server.crt) to the Windows 7 machine.
5. Import RootCA.crt into "Trusted Root Certification Authorities" and MidCA.crt into "Intermediate Certification Authorities", both in the Local Computer store.
6. In IIS, run "Complete Certificate Request", bind the website to https (SSL), and select the certificate by the friendly name given to server.crt.
7. Browse to https://ip to verify.
III. Notes
1. When the chain has more than two levels, viewing the certificate in IE gives the error: "This certificate is invalid because the certification authority in the certificate path does not appear to have permission to issue the certificate, or it cannot be used as an end entity certificate." Modify the default OpenSSL configuration (the v3_ca section of openssl.cnf) as follows:
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
# xwliu
basicConstraints = CA:true,pathlen:3
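The chain-building steps of section II and the pathlen note above, as an added example that is not from the original post: a POSIX shell script that builds the same root -> intermediate -> server chain, but with an explicit extension file per level instead of signing every level with v3_ca (the server certificate gets CA:false and a serverAuth extended key usage, which is what a TLS end-entity certificate should carry), checks the result with `openssl verify`, and then shows what basicConstraints pathlen does by issuing a fourth level under a pathlen:0 intermediate (rejected) and under a pathlen:1 intermediate (accepted). It assumes `openssl` 1.1.1 or later on PATH; all file names, CNs and the DNS name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: three-level chain with explicit
# X.509v3 extensions per role, verified with `openssl verify`, plus a
# demonstration of the basicConstraints pathlen rule. Assumes openssl on PATH;
# names, CNs and the DNS name below are constructed for this example.
set -eu

# Extension files, one per certificate role (written into directory $1).
write_ext_files() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  # pathlen:0 -> this CA may issue end-entity certificates but no further sub-CAs
  printf 'basicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/mid0.ext"
  # pathlen:1 -> one more CA level is allowed below this one
  printf 'basicConstraints=critical,CA:true,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/mid1.ext"
  # end-entity: CA:false, TLS server usage, subjectAltName (modern clients ignore CN)
  printf 'basicConstraints=CA:false\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$1/server.ext"
}

# make_cert DIR NAME CN EXTFILE [ISSUER]: key + CSR + certificate; self-signed when no issuer
make_cert() {
  openssl genrsa -out "$1/$2.key" 2048
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
  if [ -z "${5:-}" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 -sha256 \
      -extfile "$1/$4" -out "$1/$2.crt"
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" -CAcreateserial \
      -days 3650 -sha256 -extfile "$1/$4" -out "$1/$2.crt"
  fi
}

# verify_leaf DIR LEAF INTERMEDIATE...: prints OK or FAIL, trusting only RootCA.crt
verify_leaf() {
  dir=$1; leaf=$2; shift 2
  untrusted=""
  for i in "$@"; do untrusted="$untrusted -untrusted $dir/$i.crt"; done
  if openssl verify -CAfile "$dir/RootCA.crt" $untrusted "$dir/$leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# is_ca DIR NAME: yes/no according to the certificate's basicConstraints
is_ca() {
  if openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Builds the demo PKI in a temporary directory and prints its path.
build_demo_chain() {
  dir=$(mktemp -d)
  {
    write_ext_files "$dir"
    # the chain from the post: root -> intermediate (pathlen:0) -> server
    make_cert "$dir" RootCA   MRootCA          ca.ext
    make_cert "$dir" RootMid  MidCA            mid0.ext   RootCA
    make_cert "$dir" server   www.example.test server.ext RootMid
    # a fourth level under the pathlen:0 intermediate: must be rejected
    make_cert "$dir" SubMid   SubCA            ca.ext     RootMid
    make_cert "$dir" server2  www.example.test server.ext SubMid
    # the same depth under a pathlen:1 intermediate: accepted
    make_cert "$dir" RootMid1 MidCA1           mid1.ext   RootCA
    make_cert "$dir" SubMid1  SubCA1           ca.ext     RootMid1
    make_cert "$dir" server3  www.example.test server.ext SubMid1
  } >/dev/null 2>&1
  echo "$dir"
}

main() {
  d=$(build_demo_chain)
  echo "server  via RootMid:             $(verify_leaf "$d" server RootMid)"            # OK
  echo "server  is a CA:                 $(is_ca "$d" server)"                          # no
  echo "server2 via RootMid (pathlen:0): $(verify_leaf "$d" server2 RootMid SubMid)"    # FAIL
  echo "server3 via RootMid1 (pathlen:1): $(verify_leaf "$d" server3 RootMid1 SubMid1)" # OK
  echo "files to copy to the IIS host: $d/RootCA.crt $d/RootMid.crt $d/server.crt"
}
main "$@"
```

Run it as `sh chain-demo.sh`. `openssl verify` plays the role here that the IE certificate viewer plays in the note above: a client walking the chain counts the CA certificates below each issuer against that issuer's pathlen, so an intermediate that must sign further sub-CAs needs a pathlen large enough for them (or none at all), while the end-entity certificate should never be CA:true.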
IV. References
For more information about the concept of digital certificates, see the following link:
<http://www.cnblogs.com/JeffreySun/archive/2010/06/24/1627247.html>
For a high-level understanding of certificates and certificate chains, see the following link:
<http://lukejin.iteye.com/blog/587200>
Other references:
<http://firefly.iteye.com/blog/674208>
<http://wenku.baidu.com/view/32409a4058fb770bf78a5577.html>
Use OpenSSL to create a certificate chain and apply it to IIS 7