· For example, if the CA.sh you just found is in /usr/lib/ssl/misc/, enter /usr/lib/ssl/misc/CA.sh -newca. You will then be asked a series of questions. The questions and answers look like the following; change only the values you are sure you want to change:
~/sslca# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) (enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
........................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(enter same password again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:21vianet(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:CA(enter)
Email Address []:ca@xxx.com(enter)
~/sslca#
· The next step is to generate a certificate for the gateway:
The commands and the questions to answer are as follows:
~/sslca# /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 2048 bit RSA private key
...................................+++
...............................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:(enter password)
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:vpnserver.rd.xxx.com(enter)
Email Address []:user@xxx.com(enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem
Now sign the request with the CA you created in the previous step:
natecars@buzzword:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(password you entered for the ca certificate)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'State'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'21vianet'
commonName :PRINTABLE:'vpnserver.rd.xxx.com'
emailAddress :IA5STRING:'rd@xxx.com'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y(enter)
1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem
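The three CA.sh steps above (-newca, -newreq, -sign) done non-interactively with plain openssl commands, as an added example that is not part of the original page or of CA.sh itself. It also exports the gateway key and certificate to the .p12 file that the Windows import step expects (the page does not show how that file was produced; this assumes the usual openssl pkcs12 -export) and checks the chain before anything is copied to the gateway. The passphrases, the example.com host name and the work directory are constructed assumptions, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA.sh -newca / -newreq / -sign
# sequence as explicit openssl calls, plus the PKCS#12 export the Windows import
# step needs and a chain check. Names, passphrases and paths are constructed.
set -eu

# Builds a CA, a gateway certificate signed by it and gateway.p12 under $1.
# Runs in a subshell so the cd does not leak; returns non-zero on any failure.
build_gateway_cert() (
    workdir="$1"
    capass="pass:ca-secret-constructed"     # CA.sh -newca "PEM pass phrase"
    keypass="pass:gw-secret-constructed"    # CA.sh -newreq "PEM pass phrase"
    mkdir -p "$workdir"; cd "$workdir"

    # Step 1, CA.sh -newca: CA key, CA request, self-signed CA certificate.
    # CA:TRUE and keyCertSign are what make verify (and Windows) accept it as a CA.
    openssl req -new -newkey rsa:2048 -sha256 -passout "$capass" \
        -subj "/C=US/ST=State/L=City/O=ExampleCo/CN=CA/emailAddress=ca@example.com" \
        -keyout cakey.pem -out careq.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in careq.pem -signkey cakey.pem -passin "$capass" \
        -days 3650 -sha256 -extfile ca.ext -out cacert.pem 2>/dev/null

    # Step 2, CA.sh -newreq: gateway key and certificate signing request.
    openssl req -new -newkey rsa:2048 -sha256 -passout "$keypass" \
        -subj "/C=US/ST=State/L=City/O=ExampleCo/CN=vpnserver.example.com" \
        -keyout newkey.pem -out newreq.pem 2>/dev/null

    # Step 3, CA.sh -sign: issue the gateway certificate from the CA.
    # The SAN, not just the CN, is what modern clients match against the host name.
    printf 'subjectAltName=DNS:vpnserver.example.com\nextendedKeyUsage=serverAuth\n' > gw.ext
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -passin "$capass" -days 3650 -sha256 -extfile gw.ext -out newcert.pem 2>/dev/null

    # Step 4: bundle key + certificate + CA into the .p12 the MMC wizard imports.
    # (With OpenSSL 3 add -legacy if an old Windows build rejects the file.)
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile cacert.pem \
        -passin "$keypass" -passout "pass:export-constructed" -out gateway.p12

    # Step 5: confirm the issued certificate chains to the CA before copying it anywhere.
    openssl verify -CAfile cacert.pem newcert.pem >/dev/null
)

# Prints the subject CN of the certificate issued under $1, for a quick sanity check.
issued_cn() {
    openssl x509 -in "$1/newcert.pem" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}
```

Run it as `build_gateway_cert /tmp/sslca && issued_cn /tmp/sslca`; the export password is what the MMC wizard later asks for.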
Enter the path to that .p12 file (the one you just copied over from the server gateway; you can also browse for it), then click 'Next'. Enter the export password, then click Next. Choose 'Automatically select the certificate store based on the type of certificate', then click Next, then Finish. If any prompt windows pop up, choose Yes. Exit MMC and save the current console configuration to Administrative Tools so you do not have to redo this every time. The steps above add one certificate to the general manager's machine.
C:\ipsec>ipsec
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Host name is: (local_hostname)
No RAS connections found.
LAN IP address: (local_ip_address)
Setting up IPSec ...