@millken
Created September 6, 2010 02:16
[root@H200 millken]# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
--2010-08-12 01:44:59-- http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
Resolving www.openssl.org... 195.30.6.166
Connecting to www.openssl.org|195.30.6.166|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13922 (14K) [application/x-tar]
Saving to: `ssl.ca-0.1.tar.gz'
100%[=============================================>] 13,922 19.6K/s in 0.7s
2010-08-12 01:45:00 (19.6 KB/s) - `ssl.ca-0.1.tar.gz' saved [13922/13922]
[root@H200 millken]# tar zxvf ssl.ca-0.1.tar.gz
ssl.ca-0.1/
ssl.ca-0.1/COPYING
ssl.ca-0.1/README
ssl.ca-0.1/VERSION
ssl.ca-0.1/new-root-ca.sh
ssl.ca-0.1/random-bits
ssl.ca-0.1/new-server-cert.sh
ssl.ca-0.1/sign-user-cert.sh
ssl.ca-0.1/new-user-cert.sh
ssl.ca-0.1/p12.sh
ssl.ca-0.1/sign-server-cert.sh
[root@H200 millken]# cd ssl.ca-0.1
[root@H200 ssl.ca-0.1]# ls
COPYING new-user-cert.sh README VERSION
new-root-ca.sh p12.sh sign-server-cert.sh
new-server-cert.sh random-bits sign-user-cert.sh
[root@H200 ssl.ca-0.1]# vim new-root-ca.sh
#!/bin/sh
##
## new-root-ca.sh - create the root CA
## Copyright (c) 2000 Yeak Nai Siew, All Rights Reserved.
##
# Create the master CA key. This should be done once.
if [ ! -f ca.key ]; then
    echo "No Root CA key round. Generating one"
    openssl genrsa -des3 -out ca.key 1024 -rand random-bits
    echo ""
fi
# Self-sign it.
CONFIG="root-ca.conf"
cat >$CONFIG <<EOT
[ req ]
default_bits = 1024
default_keyfile = ca.key
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = MY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Perak
localityName = Locality Name (eg, city)
localityName_default = Sitiawan
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Directory Sdn Bhd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Certification Services Division
commonName = Common Name (eg, MD Root CA)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ v3_req ]
nsCertType = objsign,email,server
EOT
echo "Self-sign the root CA..."
openssl req -new -x509 -days 3650 -config $CONFIG -key ca.key -out ca.crt
rm -f $CONFIG
[root@H200 ssl.ca-0.1]# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
.......................................++++++
..........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
Self-sign the root CA...
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Shanghai
Locality Name (eg, city) [Sitiawan]:XujiaHui
Organization Name (eg, company) [My Directory Sdn Bhd]:Miiduu
Organizational Unit Name (eg, section) [Certification Services Division]:Miiduu Lc^H
Common Name (eg, MD Root CA) []:MD root CA
Email Address []:millken@miiduu.com
[root@H200 ssl.ca-0.1]# ls
ca.crt new-root-ca.sh p12.sh sign-server-cert.sh
ca.key new-server-cert.sh random-bits sign-user-cert.sh
COPYING new-user-cert.sh README VERSION
[root@H200 ssl.ca-0.1]# ./sign-server-cert.sh server
No server.csr round. You must create that first.
[root@H200 ssl.ca-0.1]# ./sign-server-cert.sh ca
No ca.csr round. You must create that first.
[root@H200 ssl.ca-0.1]# ./new-server-cert.sh server
No server.key round. Generating one
Generating RSA private key, 1024 bit long modulus
.........................++++++
...++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Shanghai
Locality Name (eg, city) [Sitiawan]:xujiahui
Organization Name (eg, company) [My Directory Sdn Bhd]:Miiduu
Organizational Unit Name (eg, section) [Secure Web Server]:Miiduu Lc^H
Common Name (eg, www.domain.com) []:www.miiduu.lo
Email Address []:millken@miiduu.com
You may now run ./sign-server-cert.sh to get it signed
[root@H200 ssl.ca-0.1]# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Shanghai'
localityName :PRINTABLE:'xujiahui'
organizationName :PRINTABLE:'Miiduu'
organizationalUnitName:T61STRING:'Miiduu Lc^H'
commonName :PRINTABLE:'www.miiduu.lo'
emailAddress :IA5STRING:'millken@miiduu.com'
Certificate is to be certified until Aug 11 18:27:27 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@H200 ssl.ca-0.1]# ls
ca.crt ca.db.index ca.db.serial COPYING new-server-cert.sh p12.sh README server.csr sign-server-cert.sh VERSION
ca.db.certs ca.db.index.attr ca.key new-root-ca.sh new-user-cert.sh random-bits server.crt server.key sign-user-cert.sh
[root@H200 ssl.ca-0.1]# shmcb:shmcb:shmcb:shmcb:
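The session above produces a 1024-bit root with only basicConstraints, and a server certificate whose name lives in the CN with no subjectAltName; current clients reject both. The script below is an added example, not part of this gist or of the ssl.ca-0.1 scripts: it rebuilds the same root-CA and server-cert flow with a single config file (the gist's root-ca.conf written to disk and then removed is the model), then audits the result for key size, CA flag, SAN and chain/hostname validity. It assumes `openssl` 1.1.1 or newer on PATH; the working directory, file names and the host name www.example.test are made up for the example, and the keys are left unencrypted only so it runs unattended.

```shell
#!/bin/sh
# Added example (not the gist's code): root CA + server cert with current
# defaults, followed by checks a reviewer would run on the output.
# Assumes openssl >= 1.1.1. Paths and www.example.test are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/ca.cnf"
CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"
SRV_KEY="$WORK/server.key"; SRV_CSR="$WORK/server.csr"; SRV_CRT="$WORK/server.crt"
HOST="www.example.test"

# One config for both steps. Compared with the gist's root-ca.conf: keyUsage
# and pathlen on the root, and keyUsage/EKU/subjectAltName on the leaf.
cat >"$CFG" <<EOT
[ req ]
distinguished_name = dn
string_mask        = utf8only
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical,CA:true,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = critical,CA:false
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$HOST
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOT

make_root_ca() {
  # 4096-bit root, SHA-256, ten years; -subj avoids the interactive prompts
  openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$CFG" -extensions v3_ca \
    -key "$CA_KEY" -out "$CA_CRT" -subj "/C=CN/O=Example/CN=Example Root CA"
}

make_server_cert() {
  # 2048-bit leaf key, CSR, then CA-signed with the v3_server extensions
  openssl genrsa -out "$SRV_KEY" 2048 2>/dev/null
  openssl req -new -config "$CFG" -key "$SRV_KEY" -out "$SRV_CSR" \
    -subj "/C=CN/O=Example/CN=$HOST" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -extfile "$CFG" -extensions v3_server -out "$SRV_CRT" 2>/dev/null
}

# Audit helpers: each prints or returns one property worth checking.
key_bits() {           # RSA modulus size of the certificate's public key
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
is_ca() {              # true when basicConstraints marks it as a CA
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
has_san() {            # true when the DNS name appears in subjectAltName
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
chain_ok() {           # chain builds to the root and the host name matches
  openssl verify -CAfile "$CA_CRT" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_root_ca
make_server_cert
echo "root key: $(key_bits "$CA_CRT") bits, leaf key: $(key_bits "$SRV_CRT") bits"
if chain_ok "$SRV_CRT" "$HOST"; then echo "$SRV_CRT: OK for $HOST"; fi
```

The `-verify_hostname` check is the one the gist's server.crt would fail against a modern client: `openssl verify` alone reports `server.crt: OK` for it, as seen above, because chain building does not look at the subject name at all.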