document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-25 23:11:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

20150511-1 选题

Browse Source
This commit is contained in:
DeadFire 2015-05-11 16:53:16 +08:00
parent 4d48e67c8a
commit b4beba8cae
3 changed files with 629 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
sources/talk/20150511 Open Source History--Why Did Linux Succeed.md Normal file
View File

@ -0,0 +1,73 @@
Open Source History: Why Did Linux Succeed?
================================================================================
> Why did Linux, the Unix-like operating system kernel started by Linus Torvalds in 1991 that became central to the open source world, succeed where so many similar projects, including GNU HURD and the BSDs, fail?
![](http://thevarguy.com/site-files/thevarguy.com/files/imagecache/medium_img/uploads/2015/05/linux.jpg)
One of the most puzzling questions about the history of free and open source is this: Why did Linux succeed so spectacularly, whereas similar attempts to build a free or open source, Unix-like operating system kernel met with considerably less success? I don't know the answer to that question. But I have rounded up some theories, which I'd like to lay out here.
First, though, let me make clear what I mean when I write that Linux was a great success. I am defining it in opposition primarily to the variety of other Unix-like operating system kernels, some of them open and some not, that proliferated around the time Linux was born. [GNU][1] HURD, the free-as-in-freedom kernel whose development began in [May 1991][2], is one of them. Others include Unices that most people today have never heard of, such as various derivatives of the Unix variant developed at the University of California at Berkeley, BSD; Xenix, Microsoft's take on Unix; academic Unix clones including Minix; and the original Unix developed under the auspices of AT&T, which was vitally important in academic and commercial computing circles during earlier decades, but virtually disappeared from the scene by the 1990s.
#### Related ####
- [Open Source History: Tracing the Origins of Hacker Culture and the Hacker Ethic][3]
- [Unix and Personal Computers: Reinterpreting the Origins of Linux][4]
I'd also like to make clear that I'm writing here about kernels, not complete operating systems. To a great extent, the Linux kernel owes its success to the GNU project as a whole, which produced the crucial tools, including compilers, a debugger and a BASH shell implementation, that are necessary to build a Unix-like operating system. But GNU developers never created a viable version of the the HURD kernel (although they are [still trying][5]). Instead, Linux ended up as the kernel that glued the rest of the GNU pieces together, even though that had never been in the GNU plans.
So it's worth asking why Linux, a kernel launched by Linus Torvalds, an obscure programmer in Finland, in 1991—the same year as HURD—endured and thrived within a niche where so many other Unix-like kernels, many of which enjoyed strong commercial backing and association with the leading Unix hackers of the day, failed to take off. To that end, here are a few theories pertaining to that question that I've come across as I've researched the history of the free and open source software worlds, along with the respective strengths and weaknesses of these various explanations.
### Linux Adopted a Decentralized Development Approach ###
This is the argument that comes out of Eric S. Raymond's essay, "[The Cathedral and the Bazaar][6]," and related works, which make the case that software develops best when a large number of contributors collaborate continuously within a relatively decentralized organizational structure. That was generally true of Linux, in contrast to, for instance, GNU HURD, which took a more centrally directed approach to code development—and, as a result, "had been evidently failing" to build a complete operating system for a decade, in Raymond's view.
To an extent, this explanation makes sense, but it has some significant flaws. For one, Torvalds arguably assumed a more authoritative role in directing Linux code development—deciding which contributions to include and reject—than Raymond and others have wanted to recognize. For another, this reasoning does not explain why GNU succeeded in producing so much software besides a working kernel. If only decentralized development works well in the free/open source software world, then all of GNU's programming efforts should have been a bust—which they most certainly were not.
### Linux is Pragmatic; GNU is Ideological ###
Personally, I find this explanation—which supposes that Linux grew so rapidly because its founder was a pragmatist who initially wrote the kernel just to be able to run a tailored Unix OS on his computer at home, not as part of a crusade to change the world through free software, as the GNU project aimed to do—the most compelling.
Still, it has some weaknesses that make it less than completely satisfying. In particular, while Torvalds himself adopted pragmatic principles, not all members of the community that coalesced around his project, then or today, have done the same. Yet, Linux has succeeded all the same.
Moreover, if pragmatism was the key to Linux's endurance, then why, again, was GNU successful in building so many other tools besides a kernel? If having strong political beliefs about software prevents you from pursuing successful projects, GNU should have been an outright failure, not an endeavor that produced a number of software packages that remain foundational to the IT world today.
Last but not least, many of the other Unix variants of the late 1980s and early 1990s, especially several BSD off-shoots, were the products of pragmatism. Their developers aimed to build Unix variants that could be more freely shared than those restricted by expensive commercial licenses, but they were not deeply ideological about programming or sharing code. Neither was Torvalds, and it is therefore difficult to explain Linux's success, and the failure of other Unix projects, in terms of ideological zeal.
### Operating System Design ###
There are technical differences between Linux and some other Unix variants that are important to keep in mind when considering the success of Linux. Richard Stallman, the founder of the GNU project, pointed to these in explaining, in an email to me, why HURD development had lagged: "It is true that the GNU Hurd is not a practical success. Part of the reason is that its basic design made it somewhat of a research project. (I chose that design thinking it was a shortcut to get a working kernel in a hurry.)"
Linux is also different from other Unix variants in the sense that Torvalds wrote all of the Linux code himself. Having a Unix of his own, free of other people's code, was one of his stated intentions when he [first announced Linux][7] in August 1991. This characteristic sets Linux apart from most of the other Unix variants that existed at that time, which derived their code bases from either AT&T Unix or Berkeley's BSD.
I'm not a computer scientist, so I'm not qualified to decide whether the Linux code was simply superior to that of the other Unices, explaining why Linux succeeded. But that's an argument someone might make—although it does not account for the disparity in culture and personnel between Linux and other Unix kernels, which, to me, seem more important than code in understanding Linux's success.
### The "Community" Put Its Support Behind Linux ###
Stallman also wrote that "mainly the reason" for Linux's success was that "Torvalds made Linux free software, and since then more of the community's effort has gone into Linux than into the Hurd." That's not exactly a complete explanation for Linux's trajectory, since it does not account for why the community of free software developers followed Torvalds instead of HURD or another Unix. But it nonetheless highlights this shift as a large part of how Linux prevailed.
A fuller account of the free software community's decision to endorse Linux would have to explain why developers did so even though, at first, Linux was a very obscure project—much more so, by any measure, than some of the other attempts at the time to create a freer Unix, such as NET BSD and 386/BSD—as well as one whose affinity with the goals of the free software movement was not at first clear. Originally, Torvalds released Linux under a license that simply prevented its commercial use. It was considerably later that he switched to the GNU General Public License, which protects the openness of source code.
So, those are the explanations I've found for Linux's success as an open source operating system kernel—a success which, to be sure, has been measured in some respects (desktop Linux never became what its proponents hoped, for instance). But Linux has also become foundational to the computing world in ways that no other Unix-like OS has. Maybe Apple OS X and iOS, which derive from BSD, come close, but they don't play such a central role as Linux in powering the Internet, among other things.
Have other ideas on why Linux became what it did, or why its counterparts in the Unix world have now almost all sunk into obscurity? (I know: BSD variants still have a following today, and some commercial Unices remain important enough for [Red Hat][8] (RHT) to be [courting their users][9]. But none of these Unix holdouts have conquered everything from Web servers to smartphones in the way Linux has.) I'd be delighted to hear them.
--------------------------------------------------------------------------------
via: http://thevarguy.com/open-source-application-software-companies/050415/open-source-history-why-did-linux-succeed
作者:[hristopher Tozzi][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://thevarguy.com/author/christopher-tozzi
[1]:http://gnu.org/
[2]:http://www.gnu.org/software/hurd/history/hurd-announce
[3]:http://thevarguy.com/open-source-application-software-companies/042915/open-source-history-tracing-origins-hacker-culture-and-ha
[4]:http://thevarguy.com/open-source-application-software-companies/042715/unix-and-personal-computers-reinterpreting-origins-linux
[5]:http://thevarguy.com/open-source-application-software-companies/042015/30-years-hurd-lives-gnu-updates-open-source-
[6]:http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/
[7]:https://groups.google.com/forum/#!topic/comp.os.minix/dlNtH7RRrGA[1-25]
[8]:http://www.redhat.com/
[9]:http://thevarguy.com/open-source-application-software-companies/032614/red-hat-grants-certification-award-unix-linux-migration-a

151
sources/tech/20150511 Fix Various Update Errors In Ubuntu 14.04.md Normal file
View File

@ -0,0 +1,151 @@
Fix Various Update Errors In Ubuntu 14.04
================================================================================
![](http://itsfoss.itsfoss.netdna-cdn.com/wp-content/uploads/2014/09/Fix_Ubuntu_Update_Error.jpeg)
Who hasnt come across an error while doing an update in Ubuntu? Update errors are common and plenty in Ubuntu and other Linux distributions based on Ubuntu. These errors occur for various reasons and can be fixed easily. In this article, we shall see various types of frequently occurring update errors in Ubuntu and how to fix them.
### Problem With MergeList ###
When you run update in terminal, you may encounter an error “[problem with MergeList][1]” like below:
> E:Encountered a section with no Package: header,
>
> E:Problem with MergeList /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_precise_universe_binary-i386_Packages,
>
> E:The package lists or status file could not be parsed or opened.
To fix this error, use the following commands:
sudo rm -r /var/lib/apt/lists/*
sudo apt-get clean && sudo apt-get update
### Failed to download repository information -1 ###
There are actually two types of [failed to download repository information errors][2]. If your error read like this:
> W:Failed to fetch bzip2:/var/lib/apt/lists/partial/in.archive.ubuntu.com_ubuntu_dists_oneiric_restricted_binary-i386_Packages Hash Sum mismatch,
>
> W:Failed to fetch bzip2:/var/lib/apt/lists/partial/in.archive.ubuntu.com_ubuntu_dists_oneiric_multiverse_binary-i386_Packages Hash Sum mismatch,
>
> E:Some index files failed to download. They have been ignored, or old ones used instead
Then you can use the following commands to fix it:
sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update
### Failed to download repository information -2 ###
Th other type of failed to download repository information error is because of outdated PPA. Usually, when you run Update Manager and see an error like this:
![](Th other type of failed to download repository information error is because of outdated PPA. Usually, when you run Update Manager and see an error like this:)
You can run sudo apt-get update to see what PPAs are failing. And you can remove it from the sources list. You can follow this screenshot guide to [fix failed to download repository information error][3].
### Failed to download package files error ###
A similar error is [failed to download package files error][4] like this:
![](http://itsfoss.itsfoss.netdna-cdn.com/wp-content/uploads/2014/09/Ubuntu_Update_error.jpeg)
This can be easily fixed by changing the software sources to Main server. Go to Software & Updates and in there changed the download server to Main server:
![](http://itsfoss.itsfoss.netdna-cdn.com/wp-content/uploads/2014/09/Change_server_Ubuntu.jpeg)
### Partial upgrade error ###
Running updates in terminal may throw this [partial upgrade error][5]:
> Not all updates can be installed
>
> Run a partial upgrade, to install as many updates as possible
Run the following command in terminal to fix this error:
sudo apt-get install -f
### error while loading shared libraries ###
This is more of an installation error than update error. If you try to install a program from source code, you may encounter this error:
> error while loading shared libraries:
>
> cannot open shared object file: No such file or directory
This error can be fixed by running the following command in terminal:
sudo /sbin/ldconfig -v
You can find more details on this [error while loading shared libraries][6].
### Could not get lock /var/cache/apt/archives/lock ###
This error happens when another program is using APT. Suppose you are installing some thing in Ubuntu Software Center and trying to run apt in terminal.
> E: Could not get lock /var/cache/apt/archives/lock open (11: Resource temporarily unavailable)
>
> E: Unable to lock directory /var/cache/apt/archives/
Normally, this should be fine if you close all other programs using apt but if the problem persists, use the following command:
sudo rm /var/lib/apt/lists/lock
If the above command doesnt work, try this command:
sudo killall apt-get
More details about this error can be found [here][7].
### GPG error: The following signatures couldnt be verified ###
Adding a PPA may result in the following [GPG error: The following signatures couldnt be verified][8] when you try to run an update in terminal:
> W: GPG error: http://repo.mate-desktop.org saucy InRelease: The following signatures couldnt be verified because the public key is not available: NO_PUBKEY 68980A0EA10B4DE8
All we need to do is to fetch this public key in the system. Get the key number from the message. In the above message, the key is 68980A0EA10B4DE8. This key can be used in the following manner:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 68980A0EA10B4DE8
Once the key has been added, run an update again and it will be fine.
### BADSIG error ###
Another signature related Ubuntu update error is [BADSIG error][9] which looks something like this:
> W: A error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://extras.ubuntu.com precise Release: The following signatures were invalid: BADSIG 16126D3A3E5C1192 Ubuntu Extras Archive Automatic Signing Key
>
> W: GPG error: http://ppa.launchpad.net precise Release:
>
> The following signatures were invalid: BADSIG 4C1CBC1B69B0E2F4 Launchpad PPA for Jonathan French W: Failed to fetch http://extras.ubuntu.com/ubuntu/dists/precise/Release
To fix this BADSIG error, use the following commands in terminal:
sudo apt-get clean
cd /var/lib/apt
sudo mv lists oldlist
sudo mkdir -p lists/partial
sudo apt-get clean
sudo apt-get update
That compiles the list of frequent **Ubuntu update errors** you may encounter. I hope this helps you to get rid of these errors. Have you encountered any other update error in Ubuntu as well? Do mention it in comments and Ill try to do a quick tutorial on it.
--------------------------------------------------------------------------------
via: http://itsfoss.com/fix-update-errors-ubuntu-1404/
作者:[Abhishek][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://itsfoss.com/author/abhishek/
[1]:http://itsfoss.com/how-to-fix-problem-with-mergelist/
[2]:http://itsfoss.com/solve-ubuntu-error-failed-to-download-repository-information-check-your-internet-connection/
[3]:http://itsfoss.com/failed-to-download-repository-information-ubuntu-13-04/
[4]:http://itsfoss.com/fix-failed-download-package-files-error-ubuntu/
[5]:http://itsfoss.com/fix-partial-upgrade-error-elementary-os-luna-quick-tip/
[6]:http://itsfoss.com/solve-open-shared-object-file-quick-tip/
[7]:http://itsfoss.com/fix-ubuntu-install-error/
[8]:http://itsfoss.com/solve-gpg-error-signatures-verified-ubuntu/
[9]:http://itsfoss.com/solve-badsig-error-quick-tip/

405
sources/tech/20150511 OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation.md Normal file
View File

@ -0,0 +1,405 @@
OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation
================================================================================
These are quick and dirty notes on generating a certificate authority (CA), intermediate certificate authorities and end certificates using OpenSSL. It includes OCSP, CRL and CA Issuer information and specific issue and expiry dates.
We'll set up our own root CA. We'll use the root CA to generate an example intermediate CA. We'll use the intermediate CA to sign end user certificates.
### Root CA ###
Create and move in to a folder for the root ca:
mkdir ~/SSLCA/root/
cd ~/SSLCA/root/
Generate a 8192-bit long SHA-256 RSA key for our root CA:
openssl genrsa -aes256 -out rootca.key 8192
Example output:
Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
e is 65537 (0x10001)
If you want to password-protect this key, add the option `-aes256`.
Create the self-signed root CA certificate `ca.crt`; you'll need to provide an identity for your root CA:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
Example output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Root CA
Email Address []:
Create a few files where the CA will store it's serials:
touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
Place the CA config file. This file has stubs for CRL and OCSP endpoints.
# vim ca.conf
[ ca ]
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = Sparkling Intermidiate CA 1
DNS.1 = Sparkling CA Intermidiate 1
[crl_section]
URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
URI.1 = http://pki.backup.com/SparklingRoot.crl
[ocsp_section]
caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
OCSP;URI.1 = http://pki.backup.com/ocsp/
If you need to set a specific certificate start / expiry date, add the following to `[myca]`
# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911
### Creating Intermediate 1 CA ###
Generate the intermediate CA's private key:
openssl genrsa -out intermediate1.key 4096
Generate the intermediate1 CA's CSR:
openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
Example output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Make sure the subject (CN) of the intermediate is different from the root.
Sign the intermediate1 CSR with the Root CA:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
Example Output:
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :ASN.1 12:'Zuid Holland'
localityName :ASN.1 12:'Rotterdam'
organizationName :ASN.1 12:'Sparkling Network'
organizationalUnitName:ASN.1 12:'Sparkling CA'
commonName :ASN.1 12:'Sparkling Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
Generate the CRL (both in PEM and DER):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
Generate the CRL after every certificate you sign with the CA.
If you ever need to revoke the this intermediate cert:
openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt
### Configuring the Intermediate CA 1 ###
Create a new folder for this intermediate and move in to it:
mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/
Copy the Intermediate cert and key from the Root CA:
cp ~/SSLCA/root/intermediate1.key ./
cp ~/SSLCA/root/intermediate1.crt ./
Create the index files:
touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
Create a new `ca.conf` file:
# vim ca.conf
[ ca ]
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/intermediate1.crt
database = $dir/certindex
private_key = $dir/intermediate1.key
serial = $dir/certserial
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = example.com
DNS.1 = example.org
[crl_section]
URI.0 = http://pki.sparklingca.com/SparklingIntermidiate1.crl
URI.1 = http://pki.backup.com/SparklingIntermidiate1.crl
[ocsp_section]
caIssuers;URI.0 = http://pki.sparklingca.com/SparklingIntermediate1.crt
caIssuers;URI.1 = http://pki.backup.com/SparklingIntermediate1.crt
OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
OCSP;URI.1 = http://pki.backup.com/ocsp/
Change the `[alt_names]` section to whatever you need as Subject Alternative names. Remove it including the `subjectAltName = @alt_names` line if you don't want a Subject Alternative Name.
If you need to set a specific certificate start / expiry date, add the following to `[myca]`
# format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911
Generate an empty CRL (both in PEM and DER):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
### Creating end user certificates ###
We use this new intermediate CA to generate an end user certificate. Repeat these steps for every end user certificate you want to sign with this CA.
mkdir enduser-certs
Generate the end user's private key:
openssl genrsa -out enduser-certs/enduser-example.com.key 4096
Generate the end user's CSR:
openssl req -new -sha256 -key enduser-certs/enduser-example.com.key -out enduser-certs/enduser-example.com.csr
Example output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the end user's CSR with the Intermediate 1 CA:
openssl ca -batch -config ca.conf -notext -in enduser-certs/enduser-example.com.csr -out enduser-certs/enduser-example.com.crt
Example output:
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :ASN.1 12:'Noord Holland'
localityName :ASN.1 12:'Amsterdam'
organizationName :ASN.1 12:'Example Inc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName :ASN.1 12:'example.com'
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Generate the CRL (both in PEM and DER):
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
Generate the CRL after every certificate you sign with the CA.
If you ever need to revoke the this end users cert:
openssl ca -config ca.conf -revoke enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt
Example output:
Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated
Create the certificate chain file by concatenating the Root and intermediate 1 certificates together.
cat ../root/rootca.crt intermediate1.crt > enduser-certs/enduser-example.com.chain
Send the following files to the end user:
enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain
You can also let the end user supply their own CSR and just send them the .crt file. Do not delete that from the server, otherwise you cannot revoke it.
### Validating the certificate ###
You can validate the end user certificate against the chain using the following command:
openssl verify -CAfile enduser-certs/enduser-example.com.chain enduser-certs/enduser-example.com.crt
enduser-certs/enduser-example.com.crt: OK
You can also validate it against the CRL. Concatenate the PEM CRL and the chain together first:
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > enduser-certs/enduser-example.com.crl.chain
Verify the certificate:
openssl verify -crl_check -CAfile enduser-certs/enduser-example.com.crl.chain enduser-certs/enduser-example.com.crt
Output when not revoked:
enduser-certs/enduser-example.com.crt: OK
Output when revoked:
enduser-certs/enduser-example.com.crt: CN = example.com, ST = Noord Holland, C = NL, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked
--------------------------------------------------------------------------------
via: https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html
作者Remy van Elst
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出