CentOS 6: use OpenSSL to build a root CA

Source: Internet
Author: User
Tags openssl rsa

I. INTRODUCTION

OpenSSL is an open-source cryptographic toolkit. On Linux we can use it to build a CA that issues certificates, for example as the internal CA of an enterprise. The following shows how to build a CA with OpenSSL on Linux and use it to manage certificates.

II. Construction

1. First, let's take a look at the CA directory structure.

[root@vpn ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private


2. Switch to the /etc/pki/CA/ directory and use the openssl command to generate a private key for the CA. Running genrsa in a subshell with umask 077 makes the key file readable only by its owner.

[root@vpn ~]# cd /etc/pki/CA/
[root@vpn CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................
........................................+++
e is 65537 (0x10001)

To view the public key corresponding to the private key, run the following command:

# openssl rsa -in private/cakey.pem -pubout -text -noout


3. The CA needs a self-signed certificate, so we use the openssl req command to generate one for it.

[root@vpn CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

openssl req then prompts for the subject fields (country, organization, common name and so on); fill them in according to your own situation.


4. Create the database and serial files the CA needs, in the directory where the CA lives, and set the starting serial number.

# touch index.txt serial crlnumber
# echo 01 > serial

Now our self-built CA is set up. Next we will issue certificates to other applications.


III. Signing a certificate request

1. When applying for a certificate as a client, first create the client's own private key.

# (umask 077; openssl genrsa -out client.key 1024)


2. To apply for a certificate, the client must create a certificate signing request and pass it to the CA.

# openssl req -new -key client.key -out client.csr

CSR: Certificate Signing Request (the application for certificate issuance).

At the end you can enter a password for the certificate request; I do not set one here.


3. On the CA side, sign the client's request with the openssl ca command.

# openssl ca -in client.csr -out client.crt -days 365

The certificate is issued successfully; the information printed above describes the issued certificate.
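The whole procedure of sections II and III, as an added non-interactive example that is not part of the original article: it builds the CA under a directory of your choice instead of /etc/pki/CA, writes a minimal openssl.cnf so that openssl ca knows where index.txt, serial and the CA key live, signs one client request and verifies the result against the CA certificate. The CA name, the client name and the config section names are constructed for the demo; the client key is 2048 bits rather than the 1024 used above.

```shell
#!/bin/sh
# Added example (not the article's own script). Names such as demo_ca and
# client1 are constructed; "$1" is the directory that plays the role of /etc/pki/CA.
set -e

build_and_sign() {
  top="$1"
  mkdir -p "$top/certs" "$top/crl" "$top/newcerts" "$top/private"
  touch "$top/index.txt"                 # certificate database (empty at start)
  echo 01 > "$top/serial"                # first serial number to issue
  echo 01 > "$top/crlnumber"
  cat > "$top/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $top
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
policy          = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName      = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  # Steps II.2 and II.3: CA key readable only by its owner, then the self-signed root cert
  (umask 077; openssl genrsa -out "$top/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$top/openssl.cnf" -key "$top/private/cakey.pem" \
    -subj "/CN=Demo Root CA" -days 3655 -out "$top/cacert.pem"
  # Steps III.1 to III.3: client key, CSR, and signing by the CA without prompts
  (umask 077; openssl genrsa -out "$top/client.key" 2048 2>/dev/null)
  openssl req -new -config "$top/openssl.cnf" -key "$top/client.key" \
    -subj "/CN=client1" -out "$top/client.csr"
  openssl ca -batch -config "$top/openssl.cnf" -in "$top/client.csr" \
    -out "$top/client.crt" -days 365 2>/dev/null
  # Check that the issued certificate chains to the CA we just built
  openssl verify -CAfile "$top/cacert.pem" "$top/client.crt"
}
```

Run it with `build_and_sign "$(mktemp -d)"`; afterwards index.txt holds one "V" (valid) entry and serial has advanced to 02.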
