Build your own certificate issuing service (CA)

Source: Internet
Author: User
Tags openssl x509 pkcs12

This series of articles is divided into three parts. It introduces how to build your own certificate issuing service, generate certificate requests, sign the generated certificate requests with the self-built CA, and finally apply the signed certificates to a service.

By building your own certificate service you can sign your own application certificates without buying a signature from a commercial certificate authority; the disadvantage of self-signing is that every client must import your root certificate before it will trust the certificates you issue.

The following describes how to build your own CA on CentOS.

1. Build related directories and files

# mkdir /home/cg/myca
# cd /home/cg/myca/
# mkdir private certs newcerts conf export csr
# echo '01' > serial
# touch index.txt

# vim /home/cg/myca/conf/caconfig.cnf


Add the following content:
[ca]
default_ca = CA_default

[CA_default]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
# NOTE: step 2 below writes the root key and certificate as
# private/key.ca.cg.pem and certs/crt.ca.cg.pem; the two entries
# "certificate" and "private_key" must point at those same files
# (or step 2 must use these names) before "openssl ca" can sign requests.
certificate = $dir/certs/cacert.pem
serial = $dir/serial
# crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
# RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
# crl_extensions = crl_ext
default_days = 3650
# default_startdate = YYMMDDHHMMSSZ
# default_enddate = YYMMDDHHMMSSZ
# default_crl_days = 30
# default_crl_hours = 24
# SHA-1 signatures are rejected by current browsers and OpenSSL releases; sha256 is the current choice
default_md = sha1
preserve = no
# msie_hack
policy = policy_match

[policy_match]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096                   # size of keys
default_keyfile = key.pem             # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
# input_password
# output_password
string_mask = nombstr                 # permitted characters
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[req_attributes]
# challengePassword = A challenge password
# challengePassword_min = 4
# challengePassword_max = 20
# unstructuredName = An optional company name

[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# nsComment = "OpenSSL Generated Certificate"
# nsCertType = client, email, objsign   ("everything including object signing")
subjectAltName = email:copy
issuerAltName = issuer:copy
# nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
# nsBaseUrl =
# nsRenewalUrl =
# nsCaPolicyUrl =
# nsSslServerName =

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
# keyUsage = cRLSign, keyCertSign
# nsCertType = sslCA, emailCA
# subjectAltName = email:copy
# issuerAltName = issuer:copy
# obj = DER:02:03

[crl_ext]
# issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always


2. Generate the root certificate:

# openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

The key.ca.cg.pem and crt.ca.cg.pem files are stored in the $dir/private and $dir/certs directories respectively.


3. Check that the root certificate is correct:

# openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text
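Steps 1 to 3 as an added example, not code from the original article: a POSIX shell script that creates the same directory layout and a minimal caconfig.cnf with the article's section names (sha256 instead of the article's sha1, and the certificate/private_key entries pointing at the file names step 2 actually writes), generates the root, and then checks the result rather than only printing it. The directory, the CN "Example Root CA" and 2048-bit keys are assumptions made for the example.

```shell
# make_root_ca DIR: create the step 1 directories, write a minimal
# caconfig.cnf in the article's layout, and generate the self-signed root.
make_root_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/conf" "$dir/export" "$dir/csr"
    # $dir expands to the shell variable here; \$dir stays an OpenSSL variable
    cat > "$dir/conf/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
certificate = \$dir/certs/crt.ca.cg.pem
private_key = \$dir/private/key.ca.cg.pem
default_md = sha256
policy = policy_match
[ policy_match ]
commonName = supplied
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -new -x509 -days 3650 -config "$dir/conf/caconfig.cnf" -nodes \
        -keyout "$dir/private/key.ca.cg.pem" -out "$dir/certs/crt.ca.cg.pem" 2>/dev/null
}

# check_root_ca CERT KEY: returns 0 only if CERT is a usable self-signed CA
# (CA:TRUE, keyCertSign, verifies against itself) and its public key is the
# one belonging to KEY; anything else returns 1.
check_root_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'CA:TRUE' || return 1
    echo "$text" | grep -q 'Certificate Sign' || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
```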


4. Export the root certificate

Export to PKCS#12 format, which Windows can install by double-clicking the file:

# openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem

On Windows, double-click ca.cg.p12 and install it as prompted.
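An added example, not part of the original article, for the export step: the .p12 built above with -inkey bundles the CA private key, which a client only needs the root certificate to trust, so this writes client-facing copies without the key (a DER .cer and a certificate-only PKCS#12) and includes a check that confirms a bundle carries no private key before it is handed out. The output names and the password "example" are constructed values.

```shell
# export_root_for_clients CERT OUTDIR: write the formats a client needs in
# order to trust the CA. Neither output contains the CA private key.
export_root_for_clients() {
    cert=$1; out=$2
    mkdir -p "$out"
    # DER .cer: Windows installs it by double-clicking, no password needed
    openssl x509 -in "$cert" -outform DER -out "$out/ca.cg.cer" || return 1
    # certificate-only PKCS#12: -nokeys means no private key is bundled;
    # the password is a constructed example value
    openssl pkcs12 -export -nokeys -in "$cert" -out "$out/ca.cg.p12" \
        -passout pass:example 2>/dev/null
}

# p12_has_private_key FILE PASS: returns 0 if the bundle carries a private
# key, 1 if it is certificate-only. Run it on anything sent to clients.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
```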
