操作场景

在测试环境下，用户可以用通过以下方式进行数字证书测试。在客户的运行环境中，请使用从CA认证中心申请的数字证书。

前提条件

SLES 11默认安装了openssl组件，默认安装路径一般为“/usr/share/ssl”。

自认证证书生成过程

1. 搭建CA环境。

   --假设用户为omm已存在,搭建CA的路径为test
   --以root用户身份登录SUSE Linux,切换到用户omm
   mkdir test
   cd /etc/ssl
   --copy 配置文件openssl.cnf到test下
   cp openssl.cnf ~/test
   cd ~/test
   --到test文件夹下，开始搭建CA环境
   --创建文件夹demoCA./demoCA/newcerts./demoCA/private
   mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
   chmod 777 ./demoCA/private
   --创建serial文件,写入01
   echo '01'>./demoCA/serial
   --创建文件index.txt
   touch /home/omm/test/demoCA/index.txt
   --修改openssl.cnf配置文件中的参数
   dir  = /home/omm/test/demoCA
   default_md      = sha256
   --至此CA环境搭建完成

2. 生成根私钥。

   --生成CA私钥
   openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
   Generating RSA private key, 2048 bit long modulus
   .................+++
   ..................+++
   e is 65537 (0x10001)
   --设置根私钥的保护密码，少要求4个字符，假设为Gauss@MppDB
   Enter pass phrase for demoCA/private/cakey.pem:
   --再次输入私钥密码 Gauss@MppDB
   Verifying - Enter pass phrase for demoCA/private/cakey.pem:

3. 生成根证书请求文件。

   --生成CA根证书申请文件server.req
   openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem
   Enter pass phrase for demoCA/private/cakey.pem:
   --输入根私钥密码 Gauss@MppDB
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   --以下名称请牢记，生成服务器证书和客户端证书时填写的信息需要与此处的一致
   Country Name (2 letter code) [AU]:CN
   State or Province Name (full name) [Some-State]:shanxi
   Locality Name (eg, city) []:xian
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
   Organizational Unit Name (eg, section) []:hello
   --Common Name可以随意命名
   Common Name (eg, YOUR name) []:world
   --Email可以选择性填写
   Email Address []:
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

4. 生成自签发根证书。

   --生成CA自签发根证书
   openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem
   Using configuration from openssl.cnf
   Enter pass phrase for demoCA/private/cakey.pem:
   --输入根私钥密码 Gauss@MppDB
   Check that the request matches the signature
   Signature ok
   Certificate Details:
           Serial Number: 1 (0x1)
           Validity
               Not Before: Feb 28 02:17:11 2017 GMT
               Not After : Feb 28 02:17:11 2018 GMT
           Subject:
               countryName               = CN
               stateOrProvinceName       = shanxi
               organizationName          = Abc
               organizationalUnitName    = hello
               commonName                = world
           X509v3 extensions:
               X509v3 Basic Constraints: 
                   CA:FALSE
               Netscape Comment: 
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier: 
                   F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
               X509v3 Authority Key Identifier: 
                   keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
   Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days)
   Sign the certificate? [y/n]:y
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated
   --至此CA根证书自签发完成，根证书demoCA/cacert.pem。

5. 生成服务端证书私钥。

   --生成服务器私钥文件server.key
   openssl genrsa -aes256 -out server.key 2048
   Generating a 2048 bit RSA private key
   .......++++++
   ..++++++
   e is 65537 (0x10001)
   Enter pass phrase for server.key:
   --服务器私钥的保护密码，少要求4个字符，假设为Gauss@MppDB
   Verifying - Enter pass phrase for server.key:
   --再次确认服务器私钥的保护密码，即为Gauss@MppDB

6. 生成服务端证书请求文件。

   --生成服务器证书请求文件server.req
   openssl req -config openssl.cnf -new -key server.key -out server.req
   Enter pass phrase for server.key:
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   --以下填写的信息与创建CA时的信息一致
   Country Name (2 letter code) [AU]:CN
   State or Province Name (full name) [Some-State]:shanxi
   Locality Name (eg, city) []:xian
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
   Organizational Unit Name (eg, section) []:hello
   --Common Name可以随意命名
   Common Name (eg, YOUR name) []:world
   Email Address []:
   --以下信息可以选择性填写
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

7. 生成服务端证书。

   --修改demoCA/index.txt.attr中属性为no。
   vi demoCA/index.txt.attr
   --对生成的服务器证书请求文件进行签发，签发后将生成正式的服务器证书server.crt
   openssl ca  -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
   Using configuration from /etc/ssl/openssl.cnf
   Enter pass phrase for ./demoCA/private/cakey.pem:
   Check that the request matches the signature
   Signature ok
   Certificate Details:
           Serial Number: 2 (x2)
           Validity
               Not Before: Feb 27 10:11:12 2017 GMT
               Not After : Feb 25 10:11:12 2027 GMT
           Subject:
               countryName               = CN
               stateOrProvinceName       = shanxi
               organizationName          = Abc
               organizationalUnitName    = hello
               commonName                = world
           X509v3 extensions:
               X509v3 Basic Constraints: 
                   CA:FALSE
               Netscape Comment: 
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier: 
                   EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
               X509v3 Authority Key Identifier: 
                   keyid:84:F6:A1:65:16:1F:28:8A:B7:D:CB:7E:19:76:2A:8B:F5:2B:5C:6A
   Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)
   --选择y对证书进行签发
   Sign the certificate? [y/n]:y
   --选择y，证书签发结束
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated

   去掉私钥密码保护，方法如下：

   --去掉服务器私钥的密码保护
   openssl rsa -in server.key -out server.key
   --如果不去掉服务器私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护
   source ${BIGDATA_HOME}/mppdb/.mppdbgs_profile
   gs_guc encrypt -M server -K Gauss@MppDB -D ./
   --gs_guc加密后会生成server.key.cipher,server.key.rand两个私钥密码保护文件

8. 客户端证书，私钥的生成。
   生成客户端证书和客户端私钥的方法和要求与服务器相同。

   --生成客户端私钥
   openssl genrsa -aes256 -out client.key 2048
   --生成客户端证书请求文件
   openssl req -config openssl.cnf -new -key client.key -out client.req 
   --对生成的客户端证书请求文件进行签发，签发后将生成正式的客户端证书client.crt
   openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256

   去掉私钥密码保护，方法如下：

   --去掉客户端私钥的密码
   openssl rsa -in client.key -out client.key
   --如果不去掉客户端私钥的密码保护需要使用gs_guc工具对存储密码进行加密保护
   gs_guc encrypt -M client -K Gauss@MppDB -D ./  
   gs_guc加密后会生成client.key.cipher,client.key.rand两个私钥密码保护文件。

9. 吊销证书列表的生成。
   如果需要吊销列表，可按照如下方法生成：

   --首先创建crlnumber文件
   echo '00'>./demoCA/crlnumber
   --吊销服务器证书
   openssl ca -config openssl.cnf -revoke server.crt
   --生成证书吊销列表sslcrl-file.crl
   openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl