Read about openssl verify certificate chain, The latest news, videos, and discussion topics about openssl verify certificate chain from alibabacloud.com
. pem-outform PEM-days 356
Note: "-days 356" controls the validity period to 365 days. The default value is 30 days.
Verify the generated file.
$ Openssl x509-in cacert. pem-text-noout
(3) issue a certificate to the customer
Before issuing a certificate to a customer, the customer must provide the basic information of
From: http://blog.csdn.net/aking21alinjuju/article/details/7654097
I. Generate a CA certificate
Currently, the CA of a third-party authority is not used for authentication and serves as the CA.
Prerequisites: Download www.openssl.org from the OpenSSL official website to install OpenSSL [Windows and Linux are different]
Start generating certificates and keys
If no
storage certificate chain, this level, the superior, to the root level are stored in a file). The private key cannot be stored, and both Windows and Tomcat support this format. pkcs#12/pfx Format
The PKCS#12 or PFX format is the storage server certificate, intermediate certificate, and private key in encrypted binary
" controls the validity period to 365 days. The default value is 30 days.
Verify the generated file.
$ OpenSSL X509-In cacert. pem-text-noout
(3) issue a certificate to the customer
Before issuing a certificate to a customer, the customer must provide the basic information of the c
certificate request, which is only used for Import
P7bDisplay the certificate chain in a tree(CertificateChain)And a single certificate, excluding the private key.
1. caCertificate
Use OpenSSL Create CA Certificate RSA
I. Create an OpenSSL Certificate:
1. Create the directory./democa/./democa/newcerts/and create the file./democa/index.txt./democa/serial.
2. Run echo 01>./democa/serial.
3. Create your own CA certificate
$ OpenSSL req-New-X509-keyout ca. Key-out ca. CRT
4. Generate the private key (key file) and CSR file of the server.
need to be named Cakey.pem in the/etc/pki/ca/private directory because they are in the/etc/pki/tls/openssl configuration file The path and name of the CA key pair and certificate are default , and if you do not store by default, remember to modify the configuration file650) this.width=650; "src="/e/u261/themes/default/images/spacer.gif "style=" Background:url ("/e/u261/lang/zh-cn/ Images/localimage.png ")
Certificate file generation
Many may have the same deep experience as myself. Using the OpenSSL library to write an encrypted communication process, the code can be easily written, but the entire work has taken several days. Except for compiling the program successfully (no certificate file can be used, it is compiled successfully and cannot run, it does not mea
Many may have the same deep experience as myself. Using the OpenSSL library to write an encrypted communication process, the code can be easily written, but the entire work has taken several days. In addition to compiling the program successfully (no certificate file can be used, it is compiled successfully, it cannot run, it does not mean it can be used normally, So ......), you also need to generate neces
-windows/downloads/detail?name=openssl-0.9.8k_X64.zipcan=2q=Step 2. Enter S_client-showcerts-connect www.googleapis.com:443 in this window You will see a form similar to the followingStep 3. Copy all of the characters in the cmd window into a temporary file by right-clicking, selecting "Select All" (select All) and clicking the mouse,This will automatically copy the selected content to the sticker board.Step 4. Save the contents of the above steps to
Turn from: wanderingHttp://blog.csdn.net/darkstar21cn/archive/2005/06/11/392492.aspx
Many may have the same deep experience as myself. Using the OpenSSL library to write an encrypted communication process, the code can be easily written, but the entire work has taken several days. In addition to compiling the program successfully (no certificate file can be used, it is compiled successfully, it cannot run,
Certificate Signature requestOpenSSL req-New-key server. Key-out server. CSR-config OpenSSL. CNFJust write the primary domain name "common name ".
4. view the request fileOpenSSL req-text-noout-in server. CSRYou can see the following content:Certificate request:Data:Version: 0 (0x0)Subject: c = us, St = Texas, L = Fort Worth, O = my company, ou = my department, Cn = server. ExampleSubject Public Key info:
information (), it indicates that the certificate is normal:
CONNECTED (00000003) Depth=1/c=us/o=entrust,Inc./ou=www.entrust.net/rpa is incorporated by Reference/ou= (c) 2009Entrust, Inc./cn=entrust certification authority-l1c VerifyError:num=20:unable to get local issuer certificate Verify return:0-certificate
private key is specified (private key)Generate CSR based on existing CRT files and private keysOpenSSL x509 -in domain.crt -signkey domain.key -x509toreq-out DOMAIN.CSR-x509toreq using X509 certificates to generate CSRStep two: Generate an SSL certificateGenerate a private key and a self-signed certificate:OpenSSL req -newkey rsa:2048-nodes-keyout domain.key -x509-days 365-out domain.crt-days 365 365 days validityTo generate a self-signed
, and so on), when it encounters the root certificate, it is found in the list of trusted certificates as a trusted anchor, then validation passes. For example, in the keychain you can see that the certificate that a brokerage company applies to is not in the list of trusted certificates in the system.The following is a brief description of the contents of the digital c
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.