CentOS openssl certificate issuing example

Source: Internet
Author: User


Step 1: Create a CA certificate
First, create an RSA private key for the CA:
# cd /etc/pki/CA
# openssl genrsa -des3 -out ca.key 1024
(Because ssl_module on Windows does not support encrypted keys, use openssl genrsa -out ca.key 1024 there.)
The system prompts you to enter a PEM pass phrase, that is, the password. Remember what you enter.
This generates the ca.key file. Change its file permissions to 400:
# chmod 400 ca.key
You can use the following command to view its content:
# openssl rsa -noout -text -in ca.key

Use the RSA key of the CA to create a self-signed CA certificate (X.509 structure):
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter the following information:
Country Name: CN // two-letter country code
State or Province Name: Guangdong // province name
Locality Name: Guangzhou // city name
Organization Name: // company name
Organizational Unit Name: // department name
Common Name: // your name
Email Address: // email address
This generates the ca.crt file. Change its file permissions to 400:
# chmod 400 ca.crt
You can use the following command to view its content:
# openssl x509 -noout -text -in ca.crt
 
Step 2: Create a server certificate signing request
# openssl genrsa -des3 -out server.key 1024
(On Windows, use openssl genrsa -out server.key 1024)
Set a pass phrase here.
This generates the server.key file. Change its file permissions to 400:
# chmod 400 server.key
You can use the following command to view its content:
# openssl rsa -noout -text -in server.key

Use server.key to generate the CSR (certificate signing request):
# openssl req -new -key server.key -out server.csr
Enter the requested information here, which is similar to what you entered for the CA.
For the 'extra' attributes, no input is required.
At the "Common Name" (your name) prompt, enter the domain name or IP address of your server.
You can view the CSR details:
# openssl req -noout -text -in server.csr
 
Step 3: Sign the server certificate
# openssl ca -config /etc/pki/tls/openssl.cnf -days 3650 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
Note that you need to manually create the CA directory structure:
/
└── etc
    └── pki
        └── CA
            ├── newcerts
            ├── index.txt
            └── serial
In the CA directory, create an empty index.txt file and a serial file, and enter 01 in the serial file.
Otherwise, an error occurs when you run this command: I am unable to access the ./CA/newcerts directory ....

Change the file permissions of server.crt to 400 and store it in a safe place.
# chmod 400 server.crt

Step 4: Generate a client certificate
Generate the client private key:
# openssl genrsa -des3 -out client.key 1024
Generate the client certificate signing request:
# openssl req -new -key client.key -out client.csr
Sign it:
# openssl ca -config /etc/pki/tls/openssl.cnf -days 3650 -cert ca.crt -keyfile ca.key -in client.csr -out client.crt
Convert it to PKCS#12 format for installation on the client:
# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
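
Steps 1 to 3 as one non-interactive run in a scratch directory, showing the index.txt, serial and newcerts layout that openssl ca needs and checking the issued certificate against the CA. This is an added example, not part of the original article; the scratch directory, the minimal ca.cnf, the subject names and the unencrypted 2048-bit keys are assumptions made so that it runs without prompts.

```shell
#!/bin/sh
# Added example. Assumed (not from the page): the scratch directory, the
# minimal ca.cnf, the subject names, and unencrypted 2048-bit keys so the
# run needs no prompts (the page uses -des3 and 1024).

# issue_demo_cert DIR: build the CA layout in DIR, then issue and verify
# one server certificate. Returns non-zero if any step fails.
issue_demo_cert() {
    d=$1
    mkdir -p "$d/newcerts" || return 1   # copies of issued certs land here
    : > "$d/index.txt"                   # empty certificate database
    echo 01 > "$d/serial"                # next serial number to assign
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $d/newcerts
database      = $d/index.txt
serial        = $d/serial
default_md    = sha256
policy        = policy_any
[ policy_any ]
countryName = optional
commonName  = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (
        cd "$d" || exit 1
        umask 077                        # new key files are owner-only
        openssl genrsa -out ca.key 2048 2>/dev/null &&
        openssl req -new -x509 -days 3650 -config ca.cnf -key ca.key \
            -subj "/C=CN/CN=Demo CA" -out ca.crt &&
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -config ca.cnf -key server.key \
            -subj "/C=CN/CN=www.example.test" -out server.csr &&
        openssl ca -batch -config ca.cnf -days 3650 -cert ca.crt \
            -keyfile ca.key -in server.csr -out server.crt &&
        chmod 400 ca.key server.key &&   # same permissions as the page
        openssl verify -CAfile ca.crt server.crt >/dev/null
    )
}
```

Call it as issue_demo_cert "$(mktemp -d)". After a successful run, index.txt holds one entry marked V (valid), serial has advanced to 02, and newcerts/01.pem is a copy of the issued certificate.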
