Releasing a small tool, CATool, for generating Apache certificates on Windows

火星人 @ 2014-03-04 , reply:0


CATool
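I. Introduction
CATool is a simple tool written by 魚漂 using DOS commands. It generates digital certificates for use with Apache and runs on the Windows operating system. The tool bundles openssl and uses it to generate the certificates.

CATool is based on another script written in Bash ( http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz ) and adds some features. (If you have Cygwin installed on Windows, you can still use ssl.ca-0.1.tar.gz on Windows; if Cygwin is not installed, please use CATool on Windows.)

CATool calls openssl to generate digital certificates. The generated certificates can be used by Apache on Windows or Unix (Linux) to support Apache's HTTPS.
You can find the latest version of CATool and its usage at http://www.eit.name/catool/ .

II. How to use

[[Click here to download]] After downloading and extracting, open a Windows DOS command window and change into the CATool directory; you can then use the commands inside it.

Choose one of the following three usages according to your actual needs:

1 Create your own Root CA and server certificate

In a DOS command-line window, change into the CATool directory and run the following commands in turn:
a. CreateRootCA.bat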
E:\CATool>CreateRootCA.bat
No Root CA key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................................++++++
...............++++++
e is 65537 (0x10001)
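Enter pass phrase for cert\ca.key: <= enter the root CA passphrase; you need to remember it
Verifying - Enter pass phrase for cert\ca.key: <= enter the passphrase above again
Self-sign the root CA...
Enter pass phrase for cert\ca.key: <= enter the passphrase above, used to sign the root certificate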
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) : <= fill in the following fields according to your actual situation
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, MD Root CA) []:EIT CA
Email Address []:admin@eit.name
E:\CATool>
After running the command above, ca.key and ca.crt are generated in the Cert/ directory.

b. CreateServerCert.bat

E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter Apache's server name (this input determines the generated file names)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, www.domain.com) []:www.eit.name <= enter Apache's host name
Email Address []:webmaster@eit.name
E:\CATool>
After running the command above, server.key and server.csr are generated in the Cert/ directory (if you entered server name=myserver, then myserver.* will be generated).

c. SignServerCert.bat

E:\CATool>SignServerCert.bat
Please input the server name:server <= enter the server name from above
template\ca.db.index
template\ca.db.serial
已複製 2 個文件。
Singing...
Using configuration from template\sign.conf
Loading 'screen' into random state - done
Enter pass phrase for ./cert/ca.key: <= enter the root CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GuangDong'
localityName :PRINTABLE:'GuangZhou'
organizationName :PRINTABLE:'EIT.NAME'
organizationalUnitName:PRINTABLE:'SystemAdmin Team'
commonName :PRINTABLE:'www.eit.name'
emailAddress :IA5STRING:'webmaster@eit.name'
Certificate is to be certified until Apr 6 15:04:55 2009 GMT (365 days)
Sign the certificate? :y

1 out of 1 certificate requests certified, commit? y <= enter Y to confirm
Write out database with 1 new entries
Data Base Updated
Verfiying...
cert\www.eit.name.crt: OK
E:\CATool>
The two files server.crt and server.key will be generated in the cert/ directory. Copy these two files to Apache's conf/ directory and configure httpd-ssl.conf as follows:
SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"

2 Create a self-signed server certificate

In a DOS command-line window, change into the CATool directory and run the following command:

a. SelfSignCert.bat

E:\CATool>SelfSignCert.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'cert\selfsign.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, MD Root CA) []:MY CA
Email Address []:self@eit.name
E:\CATool>

The file selfsign.pem will be generated in the cert/ directory. Copy this file to Apache's conf/ directory and configure httpd-ssl.conf as follows:
SSLCertificateFile "C:/Apache2/conf/selfsign.pem"
#SSLCertificateKeyFile "C:/Apache2/conf/server.key" (commented out)

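3 Use a server certificate signed by a third party

In a DOS command-line window, change into the CATool directory and run the following command: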

a. CreateServerCert.bat

E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter Apache's server name (this input determines the generated file names)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, www.domain.com) []:www.eit.name <= enter Apache's host name
Email Address []:webmaster@eit.name
E:\CATool>

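The files server.csr and server.key will be generated in the cert/ directory. Submit server.csr to a third-party authority for signing; after signing you get server.crt. Copy server.crt and server.key to Apache's conf directory and configure as follows: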
SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"

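Additional notes:
For Apache to support HTTPS, besides the certificates and configuration generated above, Apache must also support mod_ssl and have it configured. For detailed configuration, see:

http://httpd.apache.org/docs/2.2/ssl/

[ Last edited by ipaddr on 2008-4-6 23:34 ]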
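
The three steps of usage 1 in the post above (root CA, server key and CSR, signing), written as direct openssl calls in POSIX shell. This is an added example, not CATool's batch files or the author's code; the function names, subject names and the CA_PASS variable are assumptions, and it uses 2048-bit RSA, SHA-256 and a subjectAltName where the 2008 transcript shows 1024-bit keys.

```shell
#!/bin/sh
# Added example: root CA -> server CSR -> signed certificate with plain openssl.
# Requires the CA passphrase in the exported environment variable CA_PASS
# (hypothetical name), so it never appears on a command line.

# Step a: passphrase-protected root CA key plus a self-signed CA certificate.
create_root_ca() {          # $1 = output directory
    openssl genrsa -aes256 -passout env:CA_PASS -out "$1/ca.key" 2048 &&
    openssl req -new -x509 -sha256 -days 3650 \
        -key "$1/ca.key" -passin env:CA_PASS \
        -subj "/O=Example/CN=Demo Root CA" -out "$1/ca.crt"
}

# Step b: server key and CSR; the CN is the Apache host name.
create_server_csr() {       # $1 = directory, $2 = file base name, $3 = host name
    openssl genrsa -out "$1/$2.key" 2048 &&
    openssl req -new -sha256 -key "$1/$2.key" \
        -subj "/O=Example/CN=$3" -out "$1/$2.csr"
}

# Step c: sign the CSR with the root CA for 365 days, then verify the chain.
sign_server_cert() {        # $1 = directory, $2 = file base name, $3 = host name
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -passin env:CA_PASS \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" &&
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Pre-deployment check: SSLCertificateFile and SSLCertificateKeyFile must
# hold the same public key, otherwise Apache refuses to start with SSL.
key_matches_cert() {        # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
```
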
《Solution》

The CU layout is not very convenient; for the full version please see:

http://www.eit.name/catool/
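《Solution》

How frustrating, is nobody reading this? Or did nobody understand it?
《Solution》

Yeah, not bad, I support you.
《Solution》

Since it's Windows anyway, might as well make it a GUI.
《Solution》

Originally posted by HonestQiao on 2008-4-19 08:26
Since it's Windows anyway, might as well make it a GUI.

Is there a similar GUI tool?

This is just a small tool, compact and easy to use.
《Solution》

Could it support specifying the DN name, and allow customizing the number of DNs?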