1:openssl下载,
2:安装vs2010,并安装
3:下载perl,,并安装。
二:安装openssl
1:解压到系统盘C:\openssl-0.9.8v
2、配置WIN32环境
打开CMD命令行,进入C:\openssl-0.9.8v目录,执行命令
perl Configure VC-WIN32
注意区分大小写
3、进入VC BIN目录,配置VC环境变量
进入VS安装路径VC/Bin目录下,运行:
VCVARS32.BAT
设置环境变量。
4、返回OpenSSL目录,创建makefile文件
ms\do_ms
该命令不执行汇编语言编译,如报告文末错误,可以尝试ms\do_masm(使用汇编语言)、ms\do_nasm、ms\do_nt等,这几个配置文件是针对不同的系统配置写的批处理。
5、在Openssl目录下,执行编译
nmake -f ms\ntdll.mak
最终编译动态库完成后,输出都在out32dll目录下:包括可执行文件、两个dll 和两个lib文件: libeay32.dll, libeay32.lib, ssleay32.dll, ssleay32.lib,如果使用VS/VC编程只需按照下文的方法进行即可,如果需要使用openssl命令,还需要在系统环境变量path中增加C:\openssl-0.9.8v\out32dll路径,因为openssl.exe就在该目录下,声明后可以直接在命令行中使用openssl命令。
三:生成证书
1、添加配置文件(openssl.cnf)的环境变量:OPENSSL_CONF。配置文件可从OpenSSL解压后根目录下的apps目录下拷贝,再自行修改配置。也可以在openssl命令中用-config指定配置文件的位置。
我的配置文件:
#
# SSLeay example properties file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca    = CA_default
# The default ca section
####################################################################
[ CA_default ]
dir
= C:\\CA    # Where everything is kept
certs
= $dir\\certs
# Where the issued certs are kept
crl_dir    = $dir\\crl
# Where the issued crl are kept
database    = $dir\\index.txt
# database index file.
new_certs_dir    = $dir\\newcerts
# default place for new certs.
certificate    = $dir\\cacert.pem
# The CA certificate
serial
= $dir\\serial
# The current serial number
crl
= $dir\\crl.pem
# The current CRL
private_key    = $dir\\private\\cakey.pem
# The private key
RANDFILE    = $dir\\private\\private.rnd
# private random number file
x509_extensions    = x509v3_extensions    # The extentions to add to the cert
default_days
= 365
# how long to certify for
default_crl_days    = 30
# how long before next CRL
default_md
= md5
# which md to use.
preserve
= no
# keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy
= policy_match
# For the CA policy
[ policy_match ]
countryName
= match
stateOrProvinceName
= match
organizationName
= match
organizationalUnitName    = optional
commonName
= supplied
emailAddress
= optional
# For the ’anything’ policy
# At this point in time, you must list all acceptable ’object’
# types.
[ policy_anything ]
countryName
= optional
stateOrProvinceName    = optional
localityName
= optional
organizationName    = optional
organizationalUnitName    = optional
commonName
= supplied
emailAddress
= optional
####################################################################
[ req ]
default_bits
= 1024
default_keyfile
= privkey.pem
distinguished_name    = req_distinguished_name
attributes
= req_attributes
[ req_distinguished_name ]
countryName
= Country Name (2 letter code)
countryName_min
= 2
countryName_max
= 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName
= Common Name (eg, your website’s domain name)
commonName_max
= 64
emailAddress
= Email Address
emailAddress_max
= 40
[ req_attributes ]
challengePassword
= A challenge password
challengePassword_min    = 4
challengePassword_max    = 20
[ x509v3_extensions ]
<完>
$dir下建立一系列目录和文件:
现在可以使用openssl命令来生成证书了:
1.首先要生成服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
2.openssl req -new -key server.key -out server.csr -config openssl.cnf
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱.自己做CA.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

