An Important Note Before You Start

The private key is generated at the same time as the CSR. By far the most common problem users have when going through this process is related to private keys. If you lose the private key or forget the pass phrase that protects it, you cannot install the certificate we issue to you and will need to regenerate the key and CSR and request a free reissue. To ensure this never happens, make a backup of the private key file and make a note of the pass phrase that protects it, and ideally leave the server untouched until you have received the certificate.
The utility "openssl" that you use to generate the private key and CSR comes with the OpenSSL toolkit and is usually installed under /usr/bin. If you have installed it elsewhere you will need to modify these instructions appropriately.

The following sequence of commands assumes that OpenSSL is installed and that openssl is in your path (if not, prefix the openssl command with the path to the binary). It will generate a 1024 bit key, encrypt it using the triple-DES cipher, and create a CSR based upon it. Use the domain name for which you are requesting the SSL certificate as the core of the filenames, and make sure you do not overwrite existing keys and CSRs.

1. Generate the private key

Please type the following command at the prompt:

openssl genrsa -des3 -out www.mydomain.com.key 1024
As shown in the screenshot above, this command will generate a 1024 bit RSA private key and store it in the file www.mydomain.com.key. It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without its corresponding key.

2. Generate the CSR

Please type the following command at the prompt:

openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

If this reports "Unable to load config info from /usr/local/ssl/openssl.cnf", add a parameter that points at the location of your openssl.cnf:

openssl req -new -config openssl.cnf -key www.mydomain.com.key -out www.mydomain.com.csr
This command will prompt you for the X.509 attributes of your certificate. Enter your country as its two-letter code (CN for China), then your state or province and locality or city. You should enter the company name as it appears on your official company registration documents; apart from the country code, these fields may be entered in English or Chinese. The organization unit is optional, as we verify and authenticate the company name and not the organization unit. To skip the organization unit (OU) field, press Enter at that prompt.
The term "Common Name" is X.509 speak for the name that distinguishes the certificate best, and ties it to your Organization. Enter the exact host and domain name that you wish to secure; an SSL certificate is strictly bound to that name. Example: if you wish to secure www.mydomain.com, then you will need to enter the exact host (www) and domain name (mydomain.com) in this field. If you enter mydomain.com then the certificate issued to you will only work error free on https://mydomain.com, and it will cause a certificate mismatch error when you or your users access the domain via https://www.mydomain.com.

Please do not enter your email address, challenge password or an optional company name when generating the CSR; press Enter at each of these prompts.
You have now created a public/private key pair. The private key (www.mydomain.com.key) is stored locally on your server and is used for decryption; it stays there. The public portion is sent to WoSign/Thawte in the form of a Certificate Signing Request (www.mydomain.com.csr), and will be used by your users to encrypt the data they send to your site. The Certificate Signing Request (CSR) looks something like the screenshot below:
You can also generate the private key and the CSR with a single command (note that -nodes writes the key without a pass phrase, so the key file itself must be protected):

openssl req -new -nodes -keyout myserver.key -out myserver.csr

or

openssl req -new -config openssl.cnf -nodes -keyout myserver.key -out myserver.csr
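The two failures this guide warns about, a Common Name that does not match the host to be secured and a key file that does not belong to the CSR or certificate you hold, can both be caught before the CSR is sent. The following is an added example, not part of the original guide and not WoSign's or Thawte's code, that builds the same kind of RSA key and CSR with Go's standard library and then checks them against each other and against the intended hostname. It assumes Go 1.15 or later; the subject values are constructed placeholders. It uses a 2048-bit key rather than the 1024 bits in the commands above, since public CAs have required at least 2048-bit RSA since 2014, and it writes the key unencrypted (as the -nodes variant above does), so the pass-phrase protection that -des3 adds is not reproduced.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// Subject fields the guide asks for. The OU is optional and left empty here,
// mirroring the advice to press Enter at that prompt. All values are constructed
// placeholders, not real registration data.
var exampleSubject = pkix.Name{
	Country:      []string{"CN"},
	Province:     []string{"Guangdong"},
	Locality:     []string{"Shenzhen"},
	Organization: []string{"Example Co., Ltd."},
	CommonName:   "www.mydomain.com",
}

// GenerateKeyAndCSR creates an RSA key of the given size and a CSR signed by it,
// returning both PEM-encoded (the same formats openssl genrsa / openssl req produce,
// except that the key here carries no pass phrase).
func GenerateKeyAndCSR(subject pkix.Name, bits int) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// CheckCSR parses a key file and a CSR, verifies the CSR's self-signature,
// confirms the Common Name is exactly the host to be secured, and confirms the
// public key inside the CSR belongs to the private key on disk. A nil result
// means the CSR is safe to submit and the key is the one to back up.
func CheckCSR(keyPEM, csrPEM []byte, wantHost string) error {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "RSA PRIVATE KEY" {
		return errors.New("key: not a PEM RSA PRIVATE KEY block")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return fmt.Errorf("key: %w", err)
	}
	cb, _ := pem.Decode(csrPEM)
	if cb == nil || cb.Type != "CERTIFICATE REQUEST" {
		return errors.New("csr: not a PEM CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(cb.Bytes)
	if err != nil {
		return fmt.Errorf("csr: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr signature: %w", err)
	}
	if csr.Subject.CommonName != wantHost {
		return fmt.Errorf("csr CN %q != host to secure %q: a certificate issued from it would mismatch",
			csr.Subject.CommonName, wantHost)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("csr: public key is not RSA")
	}
	if !pub.Equal(&key.PublicKey) {
		return errors.New("csr public key does not match the private key file")
	}
	return nil
}

func main() {
	keyPEM, csrPEM, err := GenerateKeyAndCSR(exampleSubject, 2048)
	if err != nil {
		panic(err)
	}
	// In real use these would be written to www.mydomain.com.key and
	// www.mydomain.com.csr; here they are only checked and printed.
	fmt.Println("checked against www.mydomain.com:", CheckCSR(keyPEM, csrPEM, "www.mydomain.com"))
	fmt.Println("checked against mydomain.com:", CheckCSR(keyPEM, csrPEM, "mydomain.com"))
	fmt.Print(string(csrPEM))
}
```

CheckCSR is the programmatic form of the usual openssl cross-check, comparing the output of `openssl req -noout -modulus -in www.mydomain.com.csr` with `openssl rsa -noout -modulus -in www.mydomain.com.key`; run it against the backed-up key before sending the CSR, and the "lost or wrong private key" problem from the note at the top of this page is caught while it is still free to fix.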
3. Backup your private key

Please back up your private key file and make a note of the pass phrase. A good choice is to create a copy of this file on a diskette, CD or other removable media.