Recently, setting up a strongSwan environment required creating certificates with OpenSSL. Working out the details took a surprising amount of time, so here is a summary.
I. Environment: Ubuntu 10.10
All files are generated in the current directory, and all input files are read from the current directory (except for the two files that openssl ca forces on you, index.txt and serial; see step 3).
II. The three steps
1. Generate the CA certificate. (There is one CA for the whole deployment; for why that matters, see step 3.)
Command:
openssl req -x509 -days 1460 -newkey rsa:2048 -keyout strongswanKey.pem -out strongswanCert.pem
This creates a 2048-bit RSA private key, strongswanKey.pem, and a self-signed CA certificate, strongswanCert.pem, valid for four years (1460 days).
Both the key and the certificate come out as PEM files. To get the certificate in binary DER instead, add -outform der, or convert afterwards with openssl x509 -outform der (and openssl rsa -outform der for the key).
Note that without -nodes the private key is written encrypted and req prompts for a passphrase; strongSwan then has to be given that passphrase to load the key.
This step is unproblematic. For the remaining options, see the strongSwan README.
2. Generate a host or user certificate (each host or user gets its own key and certificate request).
Command:
openssl req -newkey rsa:1024 -keyout hostKey.pem -out hostReq.pem
This generates a 1024-bit RSA private key, hostKey.pem, and a certificate request, hostReq.pem, which still has to be signed by the CA. (1024-bit RSA is too weak by today's standards; use rsa:2048 or larger here as well.)
The country, state/province and organization name you enter must be identical to the ones entered in step 1: the default openssl ca policy (policy_match) requires these three fields to match the CA certificate and refuses the request otherwise. Using the same e-mail address as in step 1 does no harm, and the "challenge password" can be left empty.
This step produces only a key and a request, no certificate yet.
This step is unproblematic.
3. Sign the request with the CA: the request from step 2 is signed (not encrypted) with the CA key and certificate from step 1.
The CA certificate from step 1 is shared by everyone (a single CA); the certificate from step 2 is issued separately for each host.
This is where the trouble is. The README gives:
openssl ca -in hostReq.pem -days 730 -out hostCert.pem -notext
The problem is that openssl ca takes its CA key, CA certificate, output directory and bookkeeping files (index.txt and serial) from the [ CA_default ] section of the system openssl.cnf, which points at a ./demoCA directory tree under the current path. That tree is not created at installation, openssl ca does not create it for you (sudo does not help), and the error messages are not much help either, so you end up trying things one by one until you want to spit blood. The simplest fix is to give the file paths explicitly on the command line; only index.txt and serial have no command-line option (their locations are the database and serial entries in the config file, which can also be pointed elsewhere with -config).
The command then becomes:
openssl ca -in ./hostReq.pem -days 730 -keyfile ./strongswanKey.pem -cert ./strongswanCert.pem -out hostCert.pem -outdir ./ -notext
Requirements: in the current directory, create a demoCA folder containing an empty index.txt and a serial file holding a starting serial number such as 01 (OpenSSL reads it as hex and rejects an odd number of digits, so 01 rather than 0). Create both files from the terminal (rm then touch for index.txt, echo 01 > demoCA/serial) rather than with a GUI editor.
index.txt has to be empty only for a brand-new CA; do not wipe it before every run. It is the CA's record of every certificate it has issued (one line per certificate with status, expiry date, serial number and subject), and later revocation and CRL generation depend on it. The usual reason one is tempted to wipe it is the default unique_subject = yes, which makes openssl ca refuse a second certificate with the same subject DN (TXT_DB error number 2); use a distinct CN per host, or set unique_subject = no in the config, instead.
serial holds the serial number the next certificate will get: openssl ca reads it, uses it as the certificate's serial number, writes a second copy of the issued certificate as <serial>.pem into the -outdir directory (demoCA/newcerts by default, which is why that directory must exist; with -outdir ./ the copy lands in the current directory), and increments the file by one.
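The whole procedure as a runnable script, added here as an example (it is not the post's or strongSwan's own code). It writes its own minimal CA config so nothing depends on the system openssl.cnf and its hard-wired ./demoCA, keeps the file names used above, and shows the policy_match refusal when the organization differs from the CA's. The subject fields (C=CH, ST=Zurich, O=strongSwan Demo), the host names moon and sun, and the temporary work directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the post's or strongSwan's own code): steps 1-3 end to end.
# A minimal CA config is written inline so nothing depends on the system
# openssl.cnf and its hard-wired "dir = ./demoCA". Subject fields, host names
# and the temporary work directory are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/demoCA"
CA_CNF="$WORK/ca.cnf"

write_config() {
    # $dir is expanded by OpenSSL; $CA_DIR and $WORK by the shell.
    cat > "$CA_CNF" <<EOF
[ req ]
distinguished_name = req_dn
default_md         = sha256
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = strongswan_ca
[ strongswan_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = $WORK/strongswanCert.pem
private_key     = $WORK/strongswanKey.pem
default_md      = sha256
default_days    = 730
policy          = policy_match
x509_extensions = host_ext
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ host_ext ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Step 1: CA key + self-signed CA certificate (4 years), and the bookkeeping
# files openssl ca insists on: an empty index.txt and a serial file holding
# the next serial as an even number of hex digits. -nodes: unencrypted keys.
make_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    write_config
    openssl req -x509 -days 1460 -newkey rsa:2048 -nodes -batch -config "$CA_CNF" \
        -subj "/C=CH/ST=Zurich/O=strongSwan Demo/CN=strongSwan Demo CA" \
        -keyout "$WORK/strongswanKey.pem" -out "$WORK/strongswanCert.pem"
}

# Step 2: per-host key and request. $1 = host name, $2 = organizationName
# (policy_match requires C, ST and O to equal the CA certificate's).
make_host_req() {
    openssl req -new -newkey rsa:2048 -nodes -batch -config "$CA_CNF" \
        -subj "/C=CH/ST=Zurich/O=$2/CN=$1" \
        -keyout "$WORK/${1}Key.pem" -out "$WORK/${1}Req.pem"
}

# Step 3: sign the request. CA key, CA cert and output directory are given
# explicitly; only the database and serial come from the config.
# Returns non-zero when the CA refuses the request (e.g. policy mismatch).
sign_req() {
    openssl ca -batch -notext -config "$CA_CNF" -days 730 \
        -keyfile "$WORK/strongswanKey.pem" -cert "$WORK/strongswanCert.pem" \
        -outdir "$CA_DIR/newcerts" \
        -in "$WORK/${1}Req.pem" -out "$WORK/${1}Cert.pem"
}

# Does the issued certificate chain to the CA?
verify_host_cert() {
    openssl verify -CAfile "$WORK/strongswanCert.pem" "$WORK/${1}Cert.pem" >/dev/null
}

# Serial the next certificate will get (advanced by openssl ca after each signing).
next_serial() { cat "$CA_DIR/serial"; }

demo() {
    make_ca
    make_host_req moon "strongSwan Demo"
    sign_req moon
    verify_host_cert moon
    echo "moon: issued, copy in $CA_DIR/newcerts/01.pem, next serial $(next_serial)"
    make_host_req sun "Other Org"
    if sign_req sun; then echo "sun: unexpectedly signed"; else echo "sun: refused, O differs from CA"; fi
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh script.sh demo. Because index.txt and serial are the only things still taken from the config, this is the same division of labour as the hand-typed command above, just with the config under your own control; a refused request leaves serial untouched, which is a quick way to confirm that nothing was issued.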
III. That was quite enough blood spat for one day.