Many people may share my painful experience: writing an encrypted communication program with the OpenSSL library, the code itself is easy enough to write, but the whole job took me several days. Besides getting the program to compile (without a usable certificate file it compiles but does not run, and compiling successfully does not mean it works normally, so ......), you also need to generate the necessary certificates and private key files so that each party can successfully verify the other.
I found many more documents, most of them vague, and I still have no way to get through many more English documents (I don't know whether they are clear to foreign readers; needless to say, they are not too clear to me). By chance I found an article written by yawl (yawl@nsfocus.com), a rare one in Chinese (haha). It contains a section on certificate generation, but when it comes to generating a Certificate Signing Request (CSR) file it is a bit unclear. The self-signed certificate generated later can be found in many places. For signing, yawl says mod_ssl has a good script, but I cannot find it at the moment; using OpenSSL's ca command is not very troublesome either.
Let me describe my operating environment: a diskless workstation (not convenient to use even if you have the permissions). The working directory is OpenSSL/bin (I can't change the environment variables; if I could, I wouldn't need to work in this directory). To make things easier for myself, openssl.cnf from the apps directory is also copied into this directory. The file names are all my own:
1. First, you must generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
During the run you will be prompted for a password. This password is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; of course you can also choose another algorithm you consider safe). From then on, whenever this file needs to be read (through OpenSSL's commands or its API), the password must be entered. If that is inconvenient, you can also remove the password, but then you must take other protection measures!
Command to remove the password from the key file:
openssl rsa -in server.key -out server.key
2. openssl req -new -key server.key -out server.csr -config openssl.cnf
This generates a Certificate Signing Request (CSR). The generated CSR file is handed to the CA for signing, which turns it into the server's certificate. Prompts will appear on the screen; follow them and enter the required personal information step by step.
3. Run the same commands for the client to generate its key and CSR file:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4. The CSR file must be signed by a CA to become a certificate. You can send this file to Verisign or a similar company for signing, but you have to pay a large sum of money. Why not set up a CA yourself?
1) Create the directories demoCA, demoCA/certs and demoCA/newcerts in the bin directory.
2) Create an empty file named index.txt in demoCA.
3) Create a text file named serial (no extension) in demoCA. Its content is a valid hexadecimal number, such as 0000.
4) openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5. Use the generated CA certificate to sign the generated server.csr and client.csr files:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Now all the files we need have been generated.
In addition:
The files used by the client are ca.crt, client.crt and client.key.
The files used by the server are ca.crt, server.crt and server.key.
The .crt file and the .key file can be merged into one file; I merged the two into a single .pem file (just concatenate them). (Newer versions of OpenSSL also save a copy of each signed certificate in the demoCA/newcerts directory.)
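As an added example that is not from the original post, the following script runs the whole procedure above non-interactively in a temporary directory and finishes by checking that server.crt and client.crt both chain to ca.crt. It assumes a reasonably recent openssl on the PATH, replaces the copied apps/openssl.cnf with a minimal inline config, and leaves the keys unencrypted (no -des3) so that nothing prompts; all names are constructed.

```shell
#!/bin/sh
# Added example: throwaway CA mirroring the steps above (keys, CSRs,
# demoCA layout, `openssl ca` signing), then a chain check with `openssl verify`.
set -eu

build_and_verify_chain() (
    cd "$(mktemp -d)"
    # Step 4, items 1)-3): the directory layout `openssl ca` expects.
    mkdir -p demoCA/newcerts
    : > demoCA/index.txt
    echo 1000 > demoCA/serial
    # Minimal stand-in (assumed, constructed) for the copied apps/openssl.cnf.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./demoCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName = supplied
EOF
    # Step 4, item 4): self-signed CA certificate; -nodes skips the passphrase.
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
        -subj "/CN=Example Test CA" -config openssl.cnf 2>/dev/null
    # Steps 1-3: a private key and CSR for each party (no -des3, so no prompt).
    for party in server client; do
        openssl genrsa -out "$party.key" 2048 2>/dev/null
        openssl req -new -key "$party.key" -out "$party.csr" \
            -subj "/CN=$party.example.test" -config openssl.cnf
        # Step 5: -cert/-keyfile on the command line as in the article; -batch
        # answers the sign/commit questions so the script needs no input.
        openssl ca -batch -in "$party.csr" -out "$party.crt" -cert ca.crt \
            -keyfile ca.key -config openssl.cnf 2>/dev/null
    done
    # Each side trusts ca.crt and presents its own cert: both must chain to it.
    openssl verify -CAfile ca.crt server.crt client.crt
)
```

The function exits non-zero (and `openssl verify` names the failing file) if a certificate was signed by the wrong key or the serial/index files are missing, which is exactly the failure that otherwise only shows up later as a handshake error.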