我選擇 openssl 來做數碼証書,原因簡單:Open Source 唔使錢、點玩都得。
事先聲明,我用的是 windows 7 home premium 64bit version。
先決 software:
1. 7-Zip www.7-zip.org
2. ActivePerl,選windows (64-bit, x64) version www.activestate.com/activeperl
3. .Net Framework 4 msdn.microsoft.com/en-us/netframework/aa569263.aspx
4. Windows SDK go.microsoft.com/fwlink/?LinkID=191420
實際安裝:
1. 先到 openssl 下載 source code: www.openssl.org/source/
2. 選最新的版本下載,我選的是 openssl-1.0.0a.tar.gz
2. 解壓。
3. 在 Program menu, 選 Microsoft Windows SDK v7.1 > Windows SDK 7.1 Command Prompt
4. 到 openssl 解壓的 directory
5. 打入:
rem 64-bit (x64) build. --prefix is the 8.3 short name of c:\Program Files.
rem NOTE(review): presumably chosen so the built openssl.exe looks for its config
rem under c:\Program Files\ssl by default, where step 7 creates openssl.cnf - confirm.
perl Configure VC-WIN64A --prefix=c:\progra~1 <enter>
rem Generates the makefiles under ms\ for the x64 target.
ms\do_win64a <enter>
rem Builds the DLL variant (libeay32/ssleay32 .dll and .lib, openssl.exe) into out32dll.
nmake -f ms\ntdll.mak <enter>
cd out32dll <enter>
rem Runs the self-tests against the freshly built binaries; every line should report OK.
..\ms\test <enter>
最後的一句會將剛 compile 的 program 做測試,看是否全是 “OK”。
如果全部 OK,就可以手動安裝。
6. 手動安裝其實很簡單,Copy file:
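rem Manual install of the freshly built OpenSSL into c:\Program Files\ssl.
rem Every path is quoted: cmd.exe splits an unquoted "c:\Program Files\..." at the
rem space, so "md" would create c:\Program and Files\ssl, and "copy" would fail.
rem cmd.exe has no '#' comment syntax; "rem" lines are used instead.
md "c:\Program Files\ssl"
md "c:\Program Files\ssl\bin"
md "c:\Program Files\ssl\lib"
md "c:\Program Files\ssl\include"
md "c:\Program Files\ssl\include\openssl"
rem Headers, import libraries, DLLs and the command-line tool from the build tree.
copy /b inc32\openssl\* "c:\Program Files\ssl\include\openssl"
copy /b out32dll\ssleay32.lib "c:\Program Files\ssl\lib"
copy /b out32dll\libeay32.lib "c:\Program Files\ssl\lib"
copy /b out32dll\ssleay32.dll "c:\Program Files\ssl\bin"
copy /b out32dll\libeay32.dll "c:\Program Files\ssl\bin"
copy /b out32dll\openssl.exe "c:\Program Files\ssl\bin"
rem Certifying authority data (index, serial, issued certificates).
md "c:\Program Files\ssl\CA"
md "c:\Program Files\ssl\CA\newcerts"
rem Holds the CA private key - restrict this directory's ACL (e.g. with icacls)
rem so only the CA operator account can read it.
md "c:\Program Files\ssl\CA\private"
rem Storage for user certificates.
md "c:\Program Files\ssl\user"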
7. 用 notepad create 下列的 file:
c:\Program Files\ssl\CA\index.txt
內容:空白
c:\Program Files\ssl\CA\index.txt.attr
內容:unique_subject = no
c:\Program Files\ssl\CA\serial
內容:00
c:\Program Files\ssl\openssl.cnf
內容:
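# openssl.cnf - read by the openssl.exe built above. This is OpenSSL's own
# config syntax: '#' comments, $name expansion, surrounding quotes are stripped.
# [ req ] drives "openssl req" (CA certificate, user requests);
# [ ca ] / [ CA_default ] drive "openssl ca" (signing and CRLs).

[ req ]
# RSA key size for new keys; 1024 bits is below the accepted minimum.
default_bits = 2048
default_keyfile = privkey.pem
# Digest used for requests and self-signed certificates (MD5/SHA-1 are not acceptable).
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to the self-signed CA certificate made with "req -x509".
x509_extensions = v3_ca
dirstring_type = nobmp

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = HK
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_default = Your Name
commonName_max = 64
emailAddress = Email Address
emailAddress_default = Your Name @hotmail.com
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# A CA certificate must mark basicConstraints critical (RFC 5280 4.2.1.9) and
# should limit its key to signing certificates and CRLs.
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

[ ca ]
# The section "openssl ca" uses unless -name is given.
default_ca = CA_default

[ CA_default ]
# Top directory; quoted because the path contains a space.
dir = "C:/Program Files/ssl/CA"
# Index (database) of issued certificates.
database = $dir/index.txt
# Where newly signed certificates are written.
new_certs_dir = $dir/newcerts
# The CA certificate.
certificate = $dir/ca-cert.crt
# Next serial number.
serial = $dir/serial
# CA private key - keep the private directory readable only by the CA operator.
private_key = $dir/private/ca-cert.key
# Random number file.
RANDFILE = $dir/private/.rand
# Extensions added to each certificate this CA signs.
x509_extensions = usr_cert
# Validity of issued certificates, in days.
default_days = 365
# Days until the next CRL is due.
default_crl_days = 30
# Signature digest; MD5 is broken for certificate signatures.
default_md = sha256
# Default policy section.
policy = policy_any
# Don't add the email address into the certificate DN.
email_in_dn = no
# Subject name display option.
nameopt = ca_default
# Certificate display option.
certopt = ca_default
# Don't copy extensions from the request: the requester cannot ask for
# extensions (such as CA:true) that this CA did not intend to grant.
copy_extensions = none
# Must agree with index.txt.attr.
unique_subject = no

[ policy_any ]
countryName = supplied
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints = CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing.
# NOTE: this is the broadest choice; if these are only user certificates,
# "client, email" is the narrower fit.
nsCertType = client, email, objsign, server
# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "Certificate issued by Your Name"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
# This is the base URL for all others URL addresses
# if not supplied
nsBaseUrl = https://YourWebServer/ssl/
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://YourWebServer/ssl/crl.pem
# This is the link where to revoke the certificate
nsRevocationUrl = https://YourWebServer/ssl/revocation.html?
# This is the location where the certificate can be renewed
nsRenewalUrl = https://YourWebServer/ssl/renewal.html?
# This is the link where the CA policy can be found
nsCaPolicyUrl = https://YourWebServer/ssl/policy.html
# This is the link where we can get the issuer certificate
issuerAltName = URI:https://YourWebServer/ssl/ca-cert.crt
# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://YourWebServer/ssl/crl.pem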
8. 完成安裝!


