2006-11-17, 11:23 AM    #1
Elder Member

Tech - vsftpd + TLS: secure FTP data transfer

Add the following to the vsftpd.conf configuration file:
Quote:

Generating digital certificates with OpenSSL

I. Generating the CA certificate

On FC5 or RHEL4, where openssl is installed from rpm, the directory /etc/pki/CA may already have been created; it must be deleted by hand before a new CA can be created. The newly created CA certificate will be placed in /etc/pki/CA. The following describes how to generate the top-level CA certificate.

1. Edit /etc/pki/tls/openssl.cnf.

    dir = /etc/pki/CA        # path where the CA certificates are kept
    default_days = 365       # number of days a certificate is valid
    default_bits = 2048      # key length (bits)

2. Run the CA generation script.

    cd /etc/pki/tls/misc

This step is mandatory, because the /etc/pki/tls/misc/CA script uses a relative path to access the /etc/pki/CA directory, so the working directory must first be changed to /etc/pki/tls/misc.

    ./CA -newca
    CA certificate filename (or enter to create)
    [enter]
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .............................................................++++++
    ..++++++
    writing new private key to '/etc/pki/CA/private/./cakey.pem'
    Enter PEM pass phrase: [set the pass phrase]
    Verifying - Enter PEM pass phrase: [confirm the pass phrase]
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:TW
    State or Province Name (full name) [Berkshire]:Taiwan
    Locality Name (eg, city) [Newbury]:Taipei
    Organization Name (eg, company) [My Company Ltd]:slime_ca
    Organizational Unit Name (eg, section) []:mis
    Common Name (eg, your name or your server's hostname) []:slime_ca
    Email Address []:slime@slime.com.tw

3. Confirm that the CA certificate and key were generated.

    cd /etc/pki/CA
    ls
    cacert.pem certs crl index.txt newcerts private serial

Here cacert.pem is the top-level CA certificate, and the private directory holds the top-level CA's private key.

4. Set access permissions on the CA certificate.

    chmod 755 /etc/pki/CA
    chmod -R 400 /etc/pki/CA/*

II. Generating a subordinate certificate with the CA

Once the top-level CA certificate has been made, we can use it as the basis for generating the subordinate certificates that will actually be deployed on a server (e.g. apache).

1. Create the private key and the CSR (Certificate Signing Request)

A CSR is similar to a public key; think of it as a public key that has not yet been signed by the top-level CA. A public key that has been signed by the CA is called a certificate.

Assume the current working directory is /etc/pki/

    openssl req -nodes -new -keyout slime_key.pem \
        -out slime_req.pem -days 365

    -keyout: file name of the private key (slime_key.pem)
    -out: file name of the CSR (slime_req.pem)

    Generating a 2048 bit RSA private key
    ..........................................................+++
    ................................................................................................+++
    writing new private key to 'slime_key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [TW]:TW
    State or Province Name (full name) [TAIWAN]:Taiwan
    Locality Name (eg, city) []:Taipei
    Organization Name (eg, company) []:slime_ca    <= must match the top-level CA
    Organizational Unit Name (eg, section) []:mis
    Common Name (eg, YOUR name) []:www.slime.com.tw
    # For Common Name, enter the name you intend to use: if the certificate will be
    # used for email signing, enter the email name; if it will be used for https,
    # enter the web address.
    Email Address []:slime@slime.com.tw

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # Leave both of the above blank.

2. Sign the subordinate certificate

    openssl ca -out slime_cert.pem -infiles slime_req.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem: [enter the CA pass phrase]
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Feb 24 14:34:58 2005 GMT
                Not After : Feb 22 14:34:58 2015 GMT
            Subject:
                countryName               = TW
                stateOrProvinceName       = Taiwan
                localityName              = Taipei
                organizationName          = slime_ca
                organizationalUnitName    = mis
                commonName                = www.slime.com.tw
                emailAddress              = slime@slime.com.tw
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    EC:88:66  E:FF:79:CE:81:C2:EE:93:BF:9A:65:92:3B:AC:2C:CD:7E
                X509v3 Authority Key Identifier:
                    keyid:37:AA:42:CF:FA  9:73:C7:80:E5:0C:E2:9F:7B:95:86:40:66:72:C5
                    DirName:/C=TW/ST=Taiwan/L=Taichung/O=Tung-hai University/OU=ISLAB/CN=ISLAB_CA/emailAddress=blave@islab.csie.thu.edu.tw
                    serial:00
    Certificate is to be certified until Feb 22 14:34:58 2015 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

3. Confirm that the certificate was generated: slime_cert.pem, slime_req.pem and slime_key.pem are, respectively, the signed subordinate certificate, the CSR and the private key just produced.

Last edited by Chin-Wei at 2006-11-17 11:39 AM.
__________________
Thinking is precisely jumping from one mistake into another.
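Added example, not code from the post above: the same CA -> CSR -> signed certificate flow as a non-interactive POSIX shell script, followed by the checks an administrator would run before pointing vsftpd at the files (chain verifies against the CA, the server certificate is CA:FALSE, the Common Name is the FTP host name, private keys are mode 400). It signs with `openssl x509 -req` instead of the `openssl ca` database used in the post; the working directory, file names and subject fields are constructed assumptions.

```shell
#!/bin/sh
# Non-interactive CA -> CSR -> signed server certificate, then sanity checks.
# WORK, file names and the subject fields below are assumptions for this example.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step I: self-signed top-level CA (what ./CA -newca does), 2048-bit key, 365 days.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/C=TW/ST=Taiwan/L=Taipei/O=slime_ca/OU=mis/CN=slime_ca" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  chmod 400 "$WORK/cakey.pem"          # same idea as chmod -R 400 /etc/pki/CA/*
}

# Step II.1: server private key + CSR; CN is the host name FTP clients connect to.
# -nodes leaves the key unencrypted so the daemon can start without a pass phrase.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=TW/ST=Taiwan/L=Taipei/O=slime_ca/OU=mis/CN=www.slime.com.tw" \
    -keyout "$WORK/slime_key.pem" -out "$WORK/slime_req.pem" 2>/dev/null
  chmod 400 "$WORK/slime_key.pem"
}

# Step II.2: sign the CSR with the CA as an end-entity certificate (CA:FALSE).
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/slime_req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/ext.cnf" -out "$WORK/slime_cert.pem" 2>/dev/null
}

# Step II.3 checks: returns 0 only if the chain verifies, the server cert is not a
# CA, the CN matches the expected host name and the private keys are mode 400.
check_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/slime_cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/slime_cert.pem" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl x509 -in "$WORK/slime_cert.pem" -noout -subject \
    | grep -q 'CN *= *www.slime.com.tw' || return 1
  find "$WORK" -name cakey.pem -perm 400 | grep -q . || return 1
  find "$WORK" -name slime_key.pem -perm 400 | grep -q . || return 1
}

main() {
  make_ca && make_csr && sign_csr && check_cert && echo "OK: $WORK/slime_cert.pem"
}

main "$@"
```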