CATool is a small tool written by 鱼漂 [admin.net(#)163.com] in DOS batch commands that generates digital certificates for use with Apache. CATool runs on Windows; it bundles openssl and uses it to generate the certificates.
CATool is based on another script written in Bash ( http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz ) with some functionality added. (If you have Cygwin installed on Windows you can still use ssl.ca-0.1.tar.gz there; if you do not have Cygwin, use CATool on Windows.)
CATool calls openssl to generate the certificates; the generated certificates can be used by Apache on Windows or Unix (Linux) to enable HTTPS in Apache.
You can find the latest version of CATool and its usage at http://www.eit.name/catool/ .
[[Click here to download]] After downloading and extracting it, open a Windows DOS command window, change into the CATool directory, and you can use the commands it contains.
Choose one of the following three usages according to your actual needs:
Usage 1 (create your own root CA and use it to sign a server certificate): in the DOS command window, change into the CATool directory and run the following commands one after another:
a. CreateRootCA.bat
E:\CATool>CreateRootCA.bat
No Root CA key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for cert\ca.key: <= enter the root CA passphrase; you need to remember it
Verifying - Enter pass phrase for cert\ca.key: <= repeat the passphrase entered above
Self-sign the root CA...
Enter pass phrase for cert\ca.key: <= enter the passphrase from above, used to sign the root certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <= fill in the following fields according to your own situation
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, MD Root CA) []:EIT CA
Email Address []:admin@eit.name
E:\CATool>
After running the command above, ca.key and ca.crt are generated in the cert/ directory.
b. CreateServerCert.bat
E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter the Apache server name (this input determines the names of the generated files)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, www.domain.com) []:www.eit.name <= enter the Apache host name
Email Address []:webmaster@eit.name
E:\CATool>
After running the command above, server.key and server.csr are generated in the cert/ directory (if you entered server name=myserver, myserver.* is generated instead).
c. SignServerCert.bat
E:\CATool>SignServerCert.bat
Please input the server name:server <= enter the server name used above
template\ca.db.index
template\ca.db.serial
已复制 2 个文件。
Singing...
Using configuration from template\sign.conf
Loading 'screen' into random state - done
Enter pass phrase for ./cert/ca.key: <= enter the root CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GuangDong'
localityName :PRINTABLE:'GuangZhou'
organizationName :PRINTABLE:'EIT.NAME'
organizationalUnitName:PRINTABLE:'SystemAdmin Team'
commonName :PRINTABLE:'www.eit.name'
emailAddress :IA5STRING:'webmaster@eit.name'
Certificate is to be certified until Apr 6 15:04:55 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y <= enter y to confirm
Write out database with 1 new entries
Data Base Updated
Verfiying...
cert\www.eit.name.crt: OK
E:\CATool>
This generates the two files server.crt and server.key in the cert/ directory. Copy both files to Apache's conf/ directory and configure httpd-ssl.conf as follows:
SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"
Usage 2 (a single self-signed certificate, with no separate CA): in the DOS command window, change into the CATool directory and run the following command:
a. SelfSignCert.bat
E:\CATool>SelfSignCert.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'cert\selfsign.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, MD Root CA) []:MY CA
Email Address []:self@eit.name
E:\CATool>
This generates the file selfsign.pem in the cert/ directory (it holds both the private key and the certificate, as the "writing new private key to 'cert\selfsign.pem'" line shows). Copy this file to Apache's conf/ directory and configure httpd-ssl.conf as follows:
SSLCertificateFile "C:/Apache2/conf/selfsign.pem"
#SSLCertificateKeyFile "C:/Apache2/conf/server.key"  (commented out)
Usage 3 (a certificate request to be signed by a third-party CA): in the DOS command window, change into the CATool directory and run the following command:
a. CreateServerCert.bat
E:\CATool>CreateServerCert.bat
Please input the server name:server <= enter the Apache server name (this input determines the names of the generated files)
No cert\www.eit.name.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [EIT.NAME]:
Organizational Unit Name (eg, section) [SystemAdmin Team]:
Common Name (eg, www.domain.com) []:www.eit.name <= enter the Apache host name
Email Address []:webmaster@eit.name
E:\CATool>
This generates the files server.csr and server.key in the cert/ directory. Submit server.csr to the third-party CA for signing; once signed you receive server.crt. Copy server.crt and server.key to Apache's conf directory and configure it as follows:
SSLCertificateFile "C:/Apache2/conf/server.crt"
SSLCertificateKeyFile "C:/Apache2/conf/server.key"
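The steps of usage 1 (and the key/CSR step that usage 3 shares with it) reproduced with plain openssl on a POSIX shell, as an added example that is not CATool's own batch code. It differs from the transcripts above in three ways: 2048-bit keys instead of 1024, non-interactive -subj/-pass options instead of prompts, and "openssl x509 -req" instead of "openssl ca" (so no ca.db.index/ca.db.serial files). It assumes openssl 1.1.1 or later on PATH; every directory name, host name and passphrase below is constructed.

```shell
#!/bin/sh
# Added example, not CATool's own scripts: root CA, server key + CSR, CA-signed
# server certificate and the final verify step, done with plain openssl.
# Assumption: openssl 1.1.1+ on PATH. All names and passphrases are constructed.
set -eu

# make_ca DIR PASS: encrypted root CA key plus self-signed CA cert (CreateRootCA.bat).
make_ca() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=EIT.NAME/CN=EIT CA" \
        -out "$dir/ca.crt"
}

# make_server DIR NAME PASS HOST: server key and CSR (CreateServerCert.bat), then
# sign the CSR with the CA and verify the result (SignServerCert.bat).
make_server() {
    dir=$1; name=$2; pass=$3; host=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" \
        -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=EIT.NAME/CN=$host" \
        -out "$dir/$name.csr"
    # Leaf extensions the transcript above does not set: clients now match the
    # host against subjectAltName rather than CN, and a leaf must not be a CA.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$name.ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >> "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "pass:$pass" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    # The same check CATool runs at the end of SignServerCert.bat ("...crt: OK").
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt"
}

# has_san FILE HOST: succeed only if the issued cert carries DNS:HOST in its SAN.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage, mirroring CATool's usage 1 (server.key and server.crt go to Apache's conf/):
#   make_ca ./cert rootpass && make_server ./cert server rootpass www.eit.name
```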
To make Apache support HTTPS, in addition to the certificates and configuration generated above, Apache must be built with and configured for mod_ssl; for the detailed configuration see:
http://httpd.apache.org/docs/2.2/ssl/
200804: first release; supports a self-issued CA and the issuance of server certificates;
201404: second update; updated the openssl version (runs fine on Win7), removed the dependency on the VC7 runtime library, and added client certificate issuance.