֤֤֤

һ֤ļĿ¼˵
libeay32.dll	----	SSL ֿ֧
SSLeay32.dll	----	SSL ֿ֧
openssl.cnf	----	֤
demoCAĿ¼
index.txt	----	¼ǩٵ֤Ϣһļݿ
index.txt.old	----	˼index.txtһθǰļ
serial		----	֤ŵļ¼ǰ
serial.old	----	serialһθǰļ
privateĿ¼	----	CA֤˽Կļ cakey.pem
newcertsĿ¼	----	CAǩ֤ıĿ¼

CA֤ĳʼ
ÿCA֤ҪԼһ֤飬ǩ/֤
֤ʵһǩ֤飬˽CAһҪһǩĸ֤
:
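openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
Note: rsa:1024 and the sample pass phrase 123456 used in this walkthrough are demonstration values. 1024-bit RSA is below the 2048-bit minimum that current guidance and most TLS clients expect, so choose a larger key size and a strong pass phrase for any CA or certificate that will actually be relied on; the same applies to the "genrsa ... 1024" commands further down.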
ȻʾӦϢ,:
     PEM pass phrase123456				//˴֤룬ҪǺ
     ȻҪϢ 
     Country Name: CN  					//λĹдCNUSȣҪ
     State or Province Name: beijing			//ʡ 
     Locality Name: bj 					//
     Organization Name: casoft 				//˾/ƣCA
     Organizational Unit Name: tech 			
     Common Name: yyc					//üǵ
     Email Address: yycnet@163.com			//email
     
гɹopenssl.exeĿ¼»ļ cacert.pem cakey.pem
ֱǩĸ֤֤˽Կļ
cakey.pem demoCA\privateĿ¼, cacert.pemdemoCAĿ¼

ע: ñCAǩ֤ʱorganizationNameҪ͸֤organizationNameͬ
ø֤ǩʱᱨд
The organizationName field needed to be the same in the
CA certificate (casoft) and the request (casoftX)

ͨCAǩ֤
֧SSLķôҪ֤飬ñCAǩ
1ɷ˽Կ
openssl genrsa -des3 -out server.key 1024
Ϣ
     Enter pass phrase for server.key123456		//֤
2֤ˣһcsrļ(Certificate Signing Request). 
openssl req -new -key server.key -out server.csr -config openssl.cnf
CSRʱĻϽʾ,ָʾһһҪϢ.
Common Name:һҪIP
3ɵķCSRCA֤ǩ
openssl ca -in server.csr -out server.pem -config openssl.cnf
ע: ɵserver.pem֤аһЩʾϢɾӰ֤ļ
˷֤ɲǩ
Ҫpemʽ֤תΪx509ʽ
openssl x509 -in server.pem -out server.cer

ȻҲIIS WEB SERVERһ֤certreq.txt
IIS WEB SERVERվԡĿ¼ȫԡ֤顪һ֤顪׼󣬵Ժ͡
     Ͱȫãƣserver,λ1024
     ֯Ϣ֯casoft֯ţxxxx1xxx
     վĹƣվƣ߷˵ip
     ϢңCN,ʡУbeijingУbj(עһҪǰĸ֤ͬǩʱ)
     certreq.txt
֤CAǩ
openssl ca -in certreq.txt -out server.pem -config \openssl.cnf
     
ġͨCAǩͻ֤
ɷ֤һ뼴
1˽Կ
openssl genrsa -des3 -out client.key 1024
2ɿͻcsrļ(Certificate Signing Request). 
openssl req -new -key client.key -out client.csr -config openssl.cnf
3ɿͻCAǩ֤
openssl ca -in client.csr -out client.pem -config openssl.cnf

ҪͻPEM֤תΪʽ:
Ҫpemʽ֤תΪx509ʽ
openssl x509 -in client.pem -out client.cer
תΪpkcs12ʽ֤
openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12

塢ĳ֤
볷ĳCAǩ֤(ҲԴdemoCA/newcertsҵҪ֤鱸ļ)
openssl ca -gencrl -revoke xxxx.pem -out list.crl -config openssl.cnf

CRLļ
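openssl ca -gencrl -out list.crl -config openssl.cnf
Note: run this after the -revoke step. When -gencrl and -revoke are given in one invocation, openssl ca appears to build the CRL before it records the revocation in index.txt, so the list.crl written by the previous command may not yet list the certificate that was just revoked.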

!!!CRLҲйʱ䣬ָ-crldaysĬ1
CRLҪע

