======================================
* OPENSSL
======================================
1. Install OPENSSL and confirm the location of the openssl.cnf file.
- $ yum install openssl
- $ rpm -qa | grep openssl
- $ rpm -ql openssl-*
2. Create the directories used to store certificates, temporary files and private keys.
- $ mkdir /etc/ssl
- $ mkdir /etc/ssl/private
- $ chmod 700 /etc/ssl/private
- $ mkdir /etc/ssl/crl
- $ mkdir /etc/ssl/newcrt
3. Initialize the SSL configuration: copy the default configuration file to its new location, link the old location to it, modify it, and export the environment variable OPENSSL needs.
- $ cp /usr/share/ssl/openssl.cnf /etc/ssl
- $ ln -s /etc/ssl/openssl.cnf /usr/share/ssl/openssl.cnf
- $ echo 'export OPENSSL_CONF="/etc/ssl/openssl.cnf"' >> ~/.bashrc
- $ vi /etc/ssl/openssl.cnf
; Change the "dir = ..." line in the [ CA_default ] section to "dir = /etc/ssl"
4. Generate a random seed file
- $ openssl rand -out /etc/ssl/private/.rand 1024
- $ chmod 700 /etc/ssl/private/.rand
5. Generate the CA's RSA private key. The CA private key is used to issue the CA root certificate. The CA root certificate must be made available to others for download so that they can use it to verify the certificates this CA issues, for example a WEB server certificate.
- $ openssl genrsa -des3 -out /etc/ssl/private/CA.key 2048
- $ chmod 700 /etc/ssl/private/CA.key
6. Fill in the CA certificate application file (CSR)
- $ openssl req -new -key /etc/ssl/private/CA.key -out /tmp/CA.rc
Some information will pop up later. Enter the information as prompted. After the certificate is generated, a certificate request file is generated. This step is equivalent to entering your information on the Professional Certification Authority webpage, then the server will provide you with a (CSR) file, and then you can use this file to issue a certificate. This file is only an intermediate file that contains the relevant content of your generated certificate.
7. Issue the CA certificate. Because it is a root certificate, there is no higher-level CA to sign it: it is signed with its own key.
- $ openssl x509 \
    -req -days 7310 \
    -sha1 -extfile /etc/ssl/openssl.cnf \
    -extensions v3_ca \
    -signkey /etc/ssl/private/CA.key \
    -in /tmp/CA.rc \
    -out /etc/ssl/certs/CA.crt
Explanation
; Expiration time: 20 years
; Configuration file: /etc/ssl/openssl.cnf
; Format: v3_ca certificate extensions
; Signing key: /etc/ssl/private/CA.key
; Certificate request file: /tmp/CA.rc
; CA certificate: /etc/ssl/certs/CA.crt
8. Issue a WEB certificate
; Generate the WEB certificate's private key
- $ openssl genrsa -out /etc/ssl/private/www.key 2048
- $ chmod 700 /etc/ssl/private/www.key
; Fill in the certificate request file (CSR)
Note that the "Common Name" must be the server's FQDN.
Do not enter a challenge password; otherwise you will have to enter this password each time the server starts.
- $ openssl req \
    -new -key /etc/ssl/private/www.key \
    -out /tmp/www.rc
; Issue the WEB certificate
- $ openssl x509 \
    -req -days 3650 -sha1 \
    -extfile /etc/ssl/openssl.cnf \
    -extensions v3_req \
    -CA /etc/ssl/certs/CA.crt \
    -CAkey /etc/ssl/private/CA.key \
    -CAserial /etc/ssl/ca.srl -CAcreateserial \
    -in /tmp/www.rc \
    -out /etc/ssl/certs/www.crt
Explanation
; Action: sign a certificate request. The expiration time is 10 years; the digest algorithm is sha1.
; Configuration file: /etc/ssl/openssl.cnf, using the v3_req extensions
; Sign with the CA root certificate /etc/ssl/certs/CA.crt
; CA private key file: /etc/ssl/private/CA.key
; Create and use the CA serial number file /etc/ssl/ca.srl
; The certificate request file is /tmp/www.rc and the certificate is written to /etc/ssl/certs/www.crt.
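Steps 5 to 8 above, as an added example that is not code from the original article: the same two-level PKI is built non-interactively in a scratch directory and the resulting web certificate is checked against the CA with openssl verify. Assumptions made by this script and not by the article: -subj replaces the interactive prompts, the CA key has no passphrase so the script can run unattended (keep -des3 for a real CA), sha256 is used instead of sha1, and the v3_ca/v3_req sections live in a small inline config file instead of /etc/ssl/openssl.cnf.

```shell
# Added example (not from the original article). Builds a root CA and a
# web certificate the way steps 5-8 do, but unattended and in a scratch
# directory; the names, the sha256 digest, the passphrase-less CA key and
# the inline config are assumptions of this script, not the article's.
set -e

# build_demo_pki DIR: creates private/CA.key, certs/CA.crt, private/www.key
# and certs/www.crt under DIR.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"
    # Minimal config: a [req] section plus the v3_ca / v3_req extension sets.
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Steps 5-7: CA key, CSR, self-signed root certificate (20 years).
    openssl genrsa -out "$dir/private/CA.key" 2048 2>/dev/null
    openssl req -new -config "$dir/demo.cnf" -key "$dir/private/CA.key" \
        -subj "/CN=Demo Root CA" -out "$dir/CA.rc"
    openssl x509 -req -days 7310 -sha256 -extfile "$dir/demo.cnf" \
        -extensions v3_ca -signkey "$dir/private/CA.key" \
        -in "$dir/CA.rc" -out "$dir/certs/CA.crt" 2>/dev/null
    # Step 8: web key, CSR whose CN is the FQDN, certificate issued by the CA.
    openssl genrsa -out "$dir/private/www.key" 2048 2>/dev/null
    openssl req -new -config "$dir/demo.cnf" -key "$dir/private/www.key" \
        -subj "/CN=www.example.test" -out "$dir/www.rc"
    openssl x509 -req -days 3650 -sha256 -extfile "$dir/demo.cnf" \
        -extensions v3_req -CA "$dir/certs/CA.crt" -CAkey "$dir/private/CA.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial \
        -in "$dir/www.rc" -out "$dir/certs/www.crt" 2>/dev/null
}

# verify_chain DIR: succeeds only if www.crt validates against CA.crt and the
# root really carries CA:TRUE, i.e. the v3_ca extensions were applied.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/certs/CA.crt" "$dir/certs/www.crt" >/dev/null &&
        openssl x509 -in "$dir/certs/CA.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Run it as `build_demo_pki /tmp/demo-pki && verify_chain /tmp/demo-pki`; a certificate signed without the v3_ca section, or by the wrong key, makes verify_chain fail.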
---------------
* Tips
---------------
Base64-encode a file and decode a Base64-encoded file back to the original. This can be useful when debugging and testing an SMTP server.
- $ openssl base64 < filename.bin > filename_base64.txt
- $ openssl base64 -d < filename_base64.txt > filename.bin
- $ echo -n "Hello" | openssl base64
Compute the SHA1 hash of a file, which can be used to check whether a downloaded file is intact.
- $ openssl sha1 filename.bin
Statement: I wrote this article myself after referring to the work of some predecessors; any similarities are purely coincidental. In addition, because I do not know much about certificates, mistakes are inevitable; if anyone passing by notices one, please do not hesitate to point it out. (Note: the attachment contains the content of this article; you can download it if needed.)