使用 openssl 產生 SSL 電子證書

產生 SSL 電子證書很多方法,而使用 openssl 屬較手動的方法,繁瑣但適用於所有 GNU/LinuxUnix 平台。

目錄

基本流程

產生金鑰對 (public-private key pair)

首先您需要產生一對 RSA 金鑰對 (public-private key pair),可以使命令「openssl -out 私鑰檔案 genrsa [-des|des3|-idea] 大小」:

$ openssl genrsa -out www.example.com.key -des3 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for www.example.com.key: Don't show my passphrase
Verifying - Enter pass phrase for www.example.com.key: Don't show my passphrase

命令中最尾的參數表示要產生的金鑰對位元大小,以現今電腦的效能,建議使用 2048 位元會較安全。此外,在命令中因為加入選項 -des3, 產生出來的金鑰對會以 TriDES 加密來加強私鑰 (private key) 的安全性。您亦可以使用 -des 或 -idea 取代 -des3 來改用 DES 或 IDEA 對私鑰進行加密。(當然 DES 加密演算法大弱,絕不應使用) 加密了的私鑰在會次被使用時都會輸入密碼解密才可以使用,會較安全。如果您的電子證書是用在 Apache HTTTd 等伺服器中,每次啟動伺服器時都要輸入密碼一次。不少人會選擇省去選項 -des3 來產生一個不被加密的私鑰 (即是不會問您輸入密碼,也不會把私鑰加密) :

$ openssl genrsa -out www.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)

這個命令和上面幾乎沒有分別,只是這次不會問您輸入密碼了。這方法當然免卻每次要輸入密碼的麻煩,但如果別人只要抄走有私鑰檔案就可以較易真接盜用電子證書,非常危險。

完成後,新金鑰會以 PKCS#1 PEM 格式記錄在金鑰檔案 www.example.com.key 中 (雖然金鑰的標頭為 RSA PRIVATE KEY,意思為 RSA 私鑰,但內容載有產生對應公鑰 public key 的資料):

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5xcy3JVptzucvBQI2tzK9HkQ7pVhdqf4x8dID9K2z6A5W4Uc
/NByWOq80EGSetm/hZxj/JIPwOoOSlV2DZx423wtM8xfV9/7nkdiE1FwBVOZTprN
l1KgHY9rvcakNFclUU1xyTcLRWATrAKq4YU8TiR7yuvsNy0CxsZNX7zJszuX8aoQ
SbKTr3ckhJveDXPGGu96TebE146MRuFo1LNZ42AjVVXF0U5RqNtzdRJjxwjgMnQ5
1xEVb4InkW2Zgy/bJDYwCuQcgvswH+43EEou/eOLPeZDp8j2VZjLk/MDcDatEDFQ
Ayd8T3Cg+YSdYj/jLSEc17ZD0r5KSzRwYRa26QIDAQABAoIBAQDfTERib6ICY4D1
ICraSWV3zBB3ajMOdArqCH9ygrsRb5JdBAhZppYHo3OljOcc/JGbat4W7ZB5afE7
FM+JIXyLIbeQCNjMUeuSKwny/stO6lQGZ4Fnynhbd/21GGAND3RI1puvwheLBuab
XMyANL1sCMbx8vyC6GR5bJ7Rdtwz6fiyPOvOBmZV920R3ZnuScI4kWwxz6dzwLP3
wzFVqozD8RiPdP5mWEmEXTDEProNEPqUA0D0ydQg+OwanrUUhavnDu1fvJ5VdWqV
K9HgHJ1PSWJEsiRe9PkDmcFrjyLdgf36pl61CTOGMyhWj7lq9zT3SQxOdtXe4Hsp
wfhKkbY9AoGBAPbPKUAIkDecHwTE5ZkVyQg7W9U6H4iPYowlOMfnntP5+arhq5cl
/CJnzIEd55tgIWgJCjtptG1qodJU52kFL0rR4Z1ce9dRPSMY2Z7hEPl1PkMeRooo
Wr8+FrXhakONQ3Kro0cH5qMkBekwXxFJ+ZQ29O+3EMLaR69iHPNi4lwjAoGBAO+y
MRIeh43qB985ps23yNDfL6FL69besKcNiuMyDc6GfBNg9j4hZVrPPiJjVDvHsqnc
RHiuO6MvXOT9atXAyyX6/h00CVoU5mxbEe4mEbpvivqaosW64eAkqdSj2HInkG9u
lTeZGPZwleK9EDgTmVZ7lFEoBgRxNSUEkXJPfLuDAoGAArkIWHd/t81WHkRZ0BWI
cTnOaozImkYSrT8f4Dyy6N3CHlt8/B7kKDEC9Y2x52npFG+9GCizX92kSWC8aNEw
0197YLQLfbWcug1lITaUbFwZwr3Lw2xsi92QfJMvC+28B8DS/U6eAcC8+/SXp+Ys
BbGRhC991Nh5n/qyHRFDNAcCgYBmH1NM1vkF+5nS/2sT5qOGajCO1hvq9gHpipmL
5r1/KkkesIb5PZ1DLVzZpdwzhAeY2yHJEOKTyhAX9+hWncdvrRorMwpw+Mqbi8l9
33ZaKj/aOZv0BoVJzBUXZZ9IM5cUAtdMUswR4zHY4phQa/k+oXQ1h4nYxqrP1Lxr
KXaJJQKBgQDVLfOLgH6sN+I1f4B3/n6pOgjiosQd1c1K6NyjD3E8lnL5W/wI0CfP
SK80ZkUwAlrGFMpL9K/qyswc0ejaswvQGTcra0V0DVzfZ4DhCOYC3shAGV3lsWzD
VQAG4iwwf61wNBVuXBKl6xBIIzu1JoqB+in+IJ3MP4u0y9IF3VV+/w==
-----END RSA PRIVATE KEY-----

以上金鑰是沒有被加密。加密的金鑰會有「Proc-Type: 4,ENCRYPTED

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B

Gkxpb1n8M3cQBH3J/l5ZzLE9GyYE+nv9+2Fk7jSJZM0W+ek/aeQYnE37OaGrabRD
1hCk0j5BoH8xa5hlwxpHM48cJbLsFmuMlVag1FTdtPozXNRBLHCNWUFWq9qQoa6K
IY/efrkzTx5WFXmidroKUPAA1kTXNjpSAjO0kLO/sqwS57bTMKb4cwxu21p3Crcy
Z1BBUPHaRdunK2Q/Gj05NO0ARX0VScKbr/sY9tt/D/viH89zwBAKmGVr3+RQlUP0
Lx9vhKK2S+Ut+GvWYPzitgrlE1txHywe9pLJ/LzJEZsBVm7M4HmNq1yoeoy95jo+
p974utG9MerlS84Wy5T4neNn2LamWCOFgOTIOfNfpvkan4KTEw5okvHCWQ+/pHcT
wDionMztMaExj4XHbtutUMVZVjsNhR3zzuZ62KQNkwLUYNHTGCKwZYc+5JJ5dWMU
dZyxHqJ+qcO4UTFoMKT1HxoYZUWhH6V2keS0NaULLXuJq5D4GZkIAl3Zb/4u83kK
0siqoIdd/97s5PnSKfsrztF8zZHxrFl8CGQp6iht+tI68m9t1WONSQ38nxzDZlWu
TA6vX78229dOs+HiQzwRYayPvC541re9ZQuj49aVWcU1oi8JcdvxlbV7cXl/Z6JB
j6PL481fiRiCSBW4WxmfNldrlNRXa7nULmwaM9dyFENE0zmWJaMfmnTAQAtZ3Bhq
p4rtRG9sDIbNvF3HPmPy/cRfwFWFE/KiW4yhodrmj6IgrB+VwK7Es7UraFWhclZk
wsVVQNAEn/22RlyHvkpN9bMuXQuiBPMPsP51TnXsy0SBBgE1bUpOxkIG3EbQ4W5Z
aPVki2Aa8gJQ5UeRv1ob4M3nkYeJjEUwo4qV5PyQnAlaEiqTCKKuFa4IdHxOeAlB
PIs5bsKMZwsBFrWGyy15W7LnHbhodvHhAyw3bGOZ0hwODAKOAaXgvN1K1fO/TqNa
DCTCm1OfDuZQVU1cS2n/HTxAOptD0XLBWQKUuQ7HX2BVbifsjAhnYIkzxq2yLafv
MRxPfrYTh1frZkUYYkQ6C9m0vkhl0vqBygeBuQLK6mMaP09uOggJklLg86roAVn9
5ZGlc5tWqnlmDqusFDvUOGJVfPTGDI7aFYn9AGS2nDGT16pGDnUgQwpMZX2Tp0Pm
iafdI8jKQjWLyDsVInfl19QytOwM2sAWegsgt2FG+KhvTQyuUbOBX+fmKaxCkL4R
3Op6nFYFGHJGiTrkNThRWDpzXYnoyl38S6rV6cmA1Oq6oD1O0W9qF1l4oHP1aKty
iMTml39UepVtvG88b/MN8sK3LsCFZ5B7flNLjnRgiyeI8rBi9Bj+TUeE/wFYUFqP
Jm6u0fWuN/RPyXaMBtfzGpBUk7If9lSpVj/36iVYxn5OCcgtncUk8JE8+hXEoV7J
InD+CAlA/RQhxgHRXUQmBJpKHhBmMFph8OwTTExLrEzO+VlxHqaXPUYfM9XaMYQl
KBzZUPMvI9TkEzVD00OH6J1J7tr8fDCvK/OoIFQQVZ1sbK+jJpEIwPlsu/gPNyWQ
EdRUrYSRJhocOwtym4+Bvq6Bed4QXeIQJbYv4t3nOQywXNzkotJ46ODAcPoa5aAA
-----END RSA PRIVATE KEY-----

產生 Certificate Signing Request (CSR)

產生了金鑰對後,您需要有公信加的人當中的公鑰 (public key) 為您所有。所以您需要產生這個公鑰的 Certificate Signing Request (CSR) 給一個 Certificate Authority (CA) 簽署才可以使用。要產生 CSR ,可以使用命令「openssl req -new -key 金鑰檔案 > CSR檔案」:

$ openssl req -new -key www.example.com.key > www.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:HKSAR
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:Example Ltd.

以上命令會詢問要產生電子證書的資料並由金鑰檔案抽出有關公鑰並產生 CSR。記謹 Common Name 必須填上將會使用此電子證書網站的全名 (FQDN, Full Qualified Domain Name),填錯了又已送去 CA 將會浪費金錢。

產生出來的 CSR 會放在 www.example.com.csr 中:

-----BEGIN CERTIFICATE REQUEST-----
MIICEDCCAXkCAQAwgZsxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIEwVIS1NBUjESMBAG
A1UEBxMJSG9uZyBLb25nMRUwEwYDVQQKEwxFeGFtcGxlIEx0ZC4xETAPBgNVBAsT
CFdlYiBUZWFtMRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20xJDAiBgkqhkiG9w0B
CQEWFXdlYm1hc3RlckBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAucC/Gxdd1v/5kGMLr6OoQN3BHFsFuAaNRUZs4/JITGaw7fhKwOyZux04
AUQTjeyVTfH6TTX1A0GWISwfKkqxNg4jx9LOqiecMnjKH/fzBvCZE1iNhz1mtkPh
pxWV9K6keuf6nuLXfU/NSWd9EY/VWUQX0PUDmjynrVYI29Zl1sMCAwEAAaA0MBUG
CSqGSIb3DQEJBzEIEwZhYmMxMjMwGwYJKoZIhvcNAQkCMQ4TDEV4YW1wbGUgTHRk
LjANBgkqhkiG9w0BAQQFAAOBgQAxdevQ9KuHhUf+XYHrDS04+yhesSmg2muC65mq
WHn9iIMQZIcWlcm5WtZZlamDnSxui8Utyh15U0cJDeIo8jebht+DDfC3BXc5LUaV
1TjbieB5gaM+oCNJFI3STC77ldwowCqgrbAQTpO3mx84M1gunJgGPKy/SHR3DwfN
Drzq2A==
-----END CERTIFICATE REQUEST-----

您只要把這個 CSR 檔案提交給 CA ,CA 核實您的資料後就會簽署並產生您的電子證書。

自簽 (Self-sign) 電子證書

如果您只是想做一張測試用的電子證書或不想花錢去找個 CA 簽署,您可以造一張自簽 (Self-signed) 的電子證書。當然這類電子證書沒有任何保證,大部份軟件遇到這證書會發出警告,甚至不接收這類證書。要自簽電子證書可以使用命令「openssl req -x509 -days 有效日數 -key 金鑰檔案 -in CSR檔案 > 電子證書檔案」,例如:

$ openssl req -x509 -days 60 -key www.example.com.key -in www.example.com.csr > www.example.com.crt

完成後, 檔案 www.example.com.crt 就是自簽證書。

請參看

Leave a Reply