Use OpenSSL to generate certificates and configure HTTPS

Source: Internet
Author: User

1. Keys, certificate requests and certificates: an overview

When a client applies for a certificate, three things are involved: a key, a certificate request, and the certificate itself. This section describes how the three relate to each other during the application process. From the client's side (as opposed to the CA's), applying for a certificate takes roughly three steps:

Step one: generate the client's key, i.e. the client's public/private key pair, and make sure the private key is held only by the client.

Step two: take the client's key and the client's own information (country, organization, domain name, e-mail address, etc.) as input and generate a certificate request file. The client's public key and the client information appear in the request file in clear text; the client's private key is used only to sign that public key and information, and is itself not included in the request. The certificate request file is then sent to the CA.

Step three: when the CA receives the client's certificate request file, it first verifies the request's signature, then reviews the client's information, and finally signs the request with the CA's own private key, producing the certificate file, which it sends back to the client. This certificate is the client's ID card: it proves the identity of its holder.
2. Installing OpenSSL

OpenSSL can be installed in two ways. One is to compile it from source: https://bbs.csdn.net/topics/392193545?page=1

The other is to download an installation package (choose the version matching your operating system and pick the larger, full package): https://www.sslzhengshu.com/article/post-367.html

After installation you may or may not set the environment variable. The advantage of setting it is that the openssl command can then be run from a cmd window in any location; without it, you have to change into the OpenSSL installation directory before running any command.

3. Generate certificate

First open cmd and change into the OpenSSL installation directory (skip this step if you configured the environment variable).

Steps to build a user certificate: generate the private key (.key), generate a certificate request (.csr), then sign the request with the CA root certificate to obtain the certificate (.crt).

1. Create a folder

Create a new demoCA directory in the OpenSSL installation directory, then create a newcerts directory inside demoCA,

create a new, empty index.txt file inside demoCA,

and create a serial file containing 01. (These are the certificate database, new-certificate directory and serial file that the openssl ca command expects; their names must match the entries in openssl.cfg.)

2. Generating the root certificate

# generate the private key
openssl genrsa -des3 -out root.key 1024

Run the command; you will be prompted for a password. I set the password to 123456, and whenever a password is asked for later in this article it is 123456 by default. Afterwards you will see a new root.key file in the OpenSSL installation directory.

# self-sign the root certificate
openssl req -new -x509 -key root.key -out root.crt -config C:\OpenSSL-Win64\bin\openssl.cfg

Next you are prompted for the password (the default one you entered above), and then asked for some basic information.

Only the fields highlighted in the red box (in the screenshot accompanying the original post) really matter; the rest can be skipped. Once you have filled them in, a root.crt file appears in the OpenSSL directory.

3. Generating the server-side certificate

# generate the server private key
openssl genrsa -des3 -out server.key 1024

You will again be prompted for a password.

# generate the certificate request
openssl req -new -key server.key -out server.csr

You are prompted for the password, and once that is done you are asked to fill in the same set of information as when the root certificate was generated. Note that the information entered here must be consistent with what was entered for the root certificate: with the default policy in openssl.cfg (policy_match), the country, state/province and organization name must match the root certificate exactly, otherwise the signing step below fails.

Look at the OpenSSL installation directory again: two more files have appeared, server.key and server.csr.

Why does server.csr have a different icon from root.crt? It is not only because the file extensions differ: root.crt is a certificate that has already been signed (self-signed), whereas server.csr is only a request that has not yet been signed by a CA.

The next step is to have root.crt and root.key sign server.csr (this simulates the CA signing and stamping the request).

4. Use root.crt and root.key to sign server.csr

# sign the request with the root certificate and key
openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key

If the command cannot find its configuration, pass -config C:\OpenSSL-Win64\bin\openssl.cfg as in the root certificate step. The result is the signed server.crt, which together with server.key is what the HTTPS server is configured with.
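The whole procedure above, together with the key/request/certificate relationship described in section 1, as an added end-to-end example that is not part of the original post, written for a POSIX shell rather than Windows cmd. It assumes openssl is on the PATH; the demoCA layout is the one this page creates, while the config file, subjects and the 123456 passphrase are constructed, and 2048-bit AES-encrypted keys stand in for the page's 1024-bit DES3 ones.

```shell
# Added example (not the original post's commands): the page's procedure end to end.
# Assumes openssl in PATH; subjects and the 123456 passphrase are constructed values,
# and 2048-bit keys with -aes256 replace the page's 1024-bit -des3 keys.
set -e
setup_ca_dir() {
  dir="$1"   # mirrors the page: demoCA/, demoCA/newcerts/, empty index.txt, serial = 01
  mkdir -p "$dir/demoCA/newcerts"
  : > "$dir/demoCA/index.txt"
  echo 01 > "$dir/demoCA/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}
issue_server_cert() {
  dir="$1"
  setup_ca_dir "$dir"
  # root CA: passphrase-protected private key, then the self-signed root.crt (req -x509)
  openssl genrsa -aes256 -passout pass:123456 -out "$dir/root.key" 2048
  openssl req -new -x509 -key "$dir/root.key" -passin pass:123456 -out "$dir/root.crt" \
    -config "$dir/openssl.cnf" -subj "/C=CN/ST=Beijing/O=Example/CN=Example Root CA"
  # server: key and CSR; C, ST and O must match the root or policy_match rejects the CSR
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/openssl.cnf" -subj "/C=CN/ST=Beijing/O=Example/CN=www.example.com"
  # the CA signs the request with root.key/root.crt, bumping serial from 01 to 02
  openssl ca -batch -config "$dir/openssl.cnf" -passin pass:123456 -in "$dir/server.csr" \
    -out "$dir/server.crt" -cert "$dir/root.crt" -keyfile "$dir/root.key"
  openssl verify -CAfile "$dir/root.crt" "$dir/server.crt"
}
```

Run it as `issue_server_cert /path/to/workdir`; the final verify line prints `server.crt: OK` when the chain is valid, and the issued certificate is also recorded in demoCA/index.txt.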
