Thanks very much!  I am a newbie at using openssl!

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Kyle Hamilton
Sent: March 30, 2009 15:37
To: openssl-users@openssl.org
Subject: Re: How to make X.509v3 digital certificate?

Oh man, newbie question, which means that someone doesn't understand
how X.509 is supposed to work.

The simplest answer is this: 'openssl req' and 'openssl x509', along
with 'openssl ca', will create X.509v3 certificates (we don't bother
with the 'digital', because there's only one case where we've needed
to deal with a physical certificate in all the years I've been on this
list -- and that was the FIPS validation certificate).

However, this isn't even scratching the surface, because X.509 (all of
the versions, v3 being the latest) is a way of creating a trusted path
-- meaning, a verified path of trust that started at a trusted entity.
You can always trust yourself (unless you can't, but that's a problem
FAR beyond the technical realm and into the psychotherapeutic realm),
but who else can you trust?

Fortunately (or unfortunately), different companies have decided
different sets of companies that most users trust by default, in their
browsers.  These are known as "Certifying Authorities", or CAs.
Mozilla's list of CAs is different from Microsoft's list is different
from Apple's list is different from Opera's list is different from
KDE's list is different from Ubuntu's list is different from Debian's
list is different from... and on and on and on.  (No, I don't have a
list of the subset of all CAs which is trusted by all of them.)

Depending on your application, you may not actually need to worry
about CAs, since you might be doing as Linden Lab (and others) have
done, creating your own CA and issuing certificates to your own
internal entities.  If this is the case, great!  OpenSSL can (most
likely) serve your purpose entirely, with a bit/lot of configuration
on your part.  If you need to create a certificate for a webserver
that's going to be open to the public, 'openssl req' will be able to
help you, and will create a certificate signing request (CSR, or req)
that you can send to the CA that you choose, and receive an X.509v3
certificate from them which will verify to be on a trusted path.
(This, combined with the private key that only you possess, will
provide verification that your webserver is actually yours.)

Now, a word as to what a certificate is NOT: The keysize of a
certificate IS NOT a way to gauge the strength of the encryption
process used.  (This is why SSL has terms like RSA-AES256-SHA1 -- the
first is the type of public key (in the certificate) used to
authenticate the connection, the second is the type of symmetric
cipher in use, and the third is the type of hashing algorithm used to
verify that the data hasn't been modified in-transit.)  In general,
longer keysizes on AES are considered to be 'more secure' (read, 'less
likely to have the plaintext recovered, and less likely to have the
key recovered') -- and you should not be using DES at all.  (3DES,
though, is okay -- at least for now.)

For more information on X.509 and its relationship to cryptography in
general, I recommend the Wikipedia articles:
http://en.wikipedia.org/wiki/X.509
http://en.wikipedia.org/wiki/Public_key_certificate

For more information on public-key cryptography in general (which is
the technology which allows X.509 certificates to be verified and
trusted as authentic, in a mathematical way that these words in your
email box cannot):
http://en.wikipedia.org/wiki/Category:Public-key_cryptography

And, for SSL/TLS:
http://en.wikipedia.org/wiki/Transport_Layer_Security

This should provide you with enough information to at the least
understand the depth of the problem, the scope of the problem, and the
breadth of the problem.  (The problem that X.509 is supposed to
resolve is *authentication* -- making sure that the signature on the
content is authentic.  It only provides security as far as "knowing
who signed it" provides security.  You must still make an independent
trust decision about whether you trust any given authenticated entity
for any given thing that it is asking for permission to do.)

-Kyle H

On Sun, Mar 29, 2009 at 9:00 PM, shawnlau <net17sharp...@163.com> wrote:
> Hi all!
>
> I just want to know how to make the X.509v3 digital certificate with
> openssl-0.9.8j, if it's impossible?
>
> Thanks a lot and Best regards!
>
> Shawn
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
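The in-house pattern Kyle describes (create your own CA, have a server generate a key and CSR, sign the CSR with the CA, then check that the result sits on a trusted path) as an added shell example; it is not code from the thread or from the OpenSSL project, and the names "Demo Root CA" and "www.example.test", the scratch-directory layout and the extension values are assumptions made for the demo. It needs a modern `openssl` (1.1.1 or 3.x) on PATH. It goes a step beyond the mail in that it shows the v3 extensions (basicConstraints, keyUsage, subjectAltName) that make the issued certificate usable as a CA or as a server leaf, and the hostname check a client performs in addition to the chain check.

```bash
#!/bin/sh
# Added example, not from the mailing-list thread or the OpenSSL project.
# Builds a private CA, issues one server certificate from a CSR, and checks
# the trusted path. All names and paths are made up for the demo.
set -eu

# Writes ca.key/ca.crt, server.key/server.csr/server.crt into directory $1.
make_demo_pki() {
    d=$1
    mkdir -p "$d"

    # 1. CA key + CSR, then self-sign it with 'openssl x509 -req -signkey'.
    #    CA:TRUE and keyCertSign are what mark this certificate as an issuer;
    #    without them a verifier will reject anything it signs.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/ca.key" -out "$d/ca.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    cat > "$d/ca.ext" <<'EOF'
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    openssl x509 -req -sha256 -days 365 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null

    # 2. Server key + CSR. The private key stays on the server; only the CSR
    #    (public key + requested name) goes to the CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=www.example.test" 2>/dev/null

    # 3. Extensions the CA imposes on the leaf. Clients match the hostname
    #    against subjectAltName, not CN; CA:FALSE stops the leaf from issuing.
    cat > "$d/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
authorityKeyIdentifier=keyid,issuer
EOF

    # 4. Sign the CSR with the CA key. -extfile carries the extensions above
    #    into the issued certificate (the CSR's own requested extensions are
    #    ignored here, which is what you want: the CA decides).
    openssl x509 -req -sha256 -days 90 -in "$d/server.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
}

# Prints the X.509 version number of certificate $1 ("3" for X.509v3).
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Returns 0 if certificate $2 chains to trust anchor $1, is fit for use as a
# TLS server certificate, and its names cover hostname $3. This is the
# "trusted path" check a client performs; the anchor is the one YOU chose.
verify_chain() {
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "server.crt is X.509v$(cert_version "$work/server.crt")"
    verify_chain "$work/ca.crt" "$work/server.crt" www.example.test \
        && echo "chain to Demo Root CA: OK"
    echo "files in $work"
fi
```

Run it as `sh demo_pki.sh run`. The caveat that goes with this pattern: ca.key is the entire trust anchor. Anyone holding it can issue a certificate for any name, and every client that trusts ca.crt will accept it, which is exactly the "who else can you trust?" question above applied to your own infrastructure; keep that key offline or in an HSM, and distribute only ca.crt.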
