Ci t OpenSSL: + Ti file OpenSSL-0.9.8g.tar.gz ti a ch: http://www.openssl.org/source/openssl-0.9.8g.tar.gz + Copy file openssl-0.9.8g.tar.gz vo th mc /opt + Gii nn file openssl-0.9.8g.tar.gz: $ tar zxvf /opt/openssl-0.9.8g.tar.

gz + Chuyn vo th mc openssl-0.9.8g va c to ra: $ cd /opt/openssl-0.9.8g + Cu hnh openssl: $ ./config --prefix=/opt/openssl + Ci t openssl: $ make $ make install S dng OpenSSL: + Chnh sa file /opt/openssl/ssl/openssl.cnf
#################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = certs = crl_dir = database = #unique_subject new_certs_dir certificate serial crlnumber crl private_key RANDFILE /opt/openssl $dir/certs $dir/crl $dir/index.txt = no # # # # Where everything is kept Where the issued certs are kept Where the issued crl are kept database index file. # Set to 'no' to allow creation of # several ctificates with same subject. # default place for new certs. # # # #

= $dir/newcerts = $dir/cacert.pem = $dir/serial = $dir/crlnumber

The CA certificate The current serial number the current crl number must be commented out to leave a V1 CRL = $dir/crl.pem # The current CRL = $dir/private/cakey.pem# The private key = $dir/private/.rand # private random number file = usr_cert # The extentions to add to the cert

x509_extensions

# Comment out the following two lines for the "traditional" # (and highly broken) format.

name_opt cert_opt

= ca_default = ca_default

# Subject Name options # Certificate field options

# Extension copying option: use with caution. # copy_extensions = copy # # # # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL. crlnumber must also be commented out to leave a V1 CRL. crl_extensions = crl_ext # # # # how long to certify for how long before next CRL which md to use. keep passed DN ordering

default_days = 365 default_crl_days= 30 default_md = sha1 preserve = no

# A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = stateOrProvinceName = organizationName = organizationalUnitName = commonName = emailAddress =

match match match optional supplied optional

# For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # # # # # # # # This sets a mask for permitted string types. There are several options. default: PrintableString, T61String, BMPString. pkix : PrintableString, BMPString. utf8only: only UTF8Strings. nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). MASK:XXXX a literal mask value. WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!

string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName countryName_default countryName_min countryName_max stateOrProvinceName stateOrProvinceName_default localityName localityName_default 0.organizationName 0.organizationName_default

= Country Name (2 letter code) = VN = 2 = 2 = State or Province Name (full name) = HaNoi = Locality Name (eg, city) = HaNoi = Organization Name (eg, company) = BCA

# we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Islab commonName commonName_default commonName_max emailAddress emailAddress_default emailAddress_max # SET-ex3 [ req_attributes ] challengePassword challengePassword_default challengePassword_min challengePassword_max unstructuredName unstructuredName_default = Common Name (eg, YOUR name) = Q_Dung = 64 = Email Address = islab@yahoo.com = 64 = SET extension number 3

= = = =

A challenge password quangdung 4 20

= An optional company name = ISLAB

+ Vo th mc /opt/openssl: $ cd /opt/openssl + To cc th mc: $ mkdir /opt/openssl/certs | mkdir /opt/openssl/newcerts | mkdir /opt/openssl/CA | mkdir /opt/openssl/server | mkdir /opt/openssl/user + To cc file: $ echo '01' > /opt/openssl/serial | touch /opt/openssl/index.txt

+ To kho cho CA: $ ./bin/openssl genrsa des3 -out /opt/openssl/CA/CA.key 1024 Gi s t password l 123456 + To certificate request cho CA: $ ./bin/openssl req -new -key ./CA/CA.key -out ./CA/CA.csr + CA t k vo chng ch ca mnh: $ ./bin/openssl x509 -req -days 365 -in ./CA/CA.csr -out ./CA/CA.crt -signkey ./CA/CA.key + To kho cho server: $ ./bin/openssl genrsa -des3 -out /opt/openssl/server/server.key 1024 + To Certificate request cho server: $ ./bin/openssl req -new -key ./server/server.key -out ./server/server.csr + K chng ch ca server bng kho ca CA: $ ./bin/openssl ca -days 365 -keyfile ./CA/CA.key -cert ./CA/CA.crt -in ./server/server.csr -out ./server/server.crt -key 123456 -batch + To kho cho user: $ ./bin/openssl genrsa -des3 -out ./user/user.key 1024 + To Certificate request cho user: $ ./bin/openssl req -new -key ./user/user.key -out ./user/user.csr + K chng ch cho user: $ ./bin/openssl ca -days 365 -keyfile ./CA/CA.key -cert ./CA/CA.crt -in ./user/user.csr -out ./user/user.crt -key 123456 -batch + To chng ch dng .P12 add vo browser: $ ./bin/openssl pkcs12 -export -clcerts -in ./user/user.crt -inkey ./user/user.key -out ./user/user.P12