CentOSopenssl issuing certificate

Step 1: first create a CA certificate, first create an RSA private key for the CA, # cd/etc/pki/CA # opensslgenrsa-des3-outca.key1024 (because ssl_module in windows does not support encryption keys, use opensslgenrs

Step 1: first create a CA certificate,

First, create an RSA private key for the CA,

# Cd/etc/pki/CA

# Openssl genrsa-des3-out ca. key 1024

(Because ssl_module in windows does not support encryption keys, use openssl genrsa-out ca. key 1024)

The system prompts you to enter PEM pass phrase, that is, the password. remember to enter it.

Generate the ca. key file and change the file attribute to 400.

# Chmod 400 ca. key

You can use the following command to view its content,

# Openssl rsa-noout-text-in ca. key

 

Use the RSA key of the CA to create a self-signed CA certificate (X.509 structure)

# Openssl req-new-x509-days 3650-key ca. key-out ca. crt

Enter the following information:

Country Name: CN // Country code with two letters

State or Province Name: Guangdong // Province Name

Locality Name: Guangzhou // city Name

Organization Name: // company Name

Organizational Unit Name: // Department Name

Common Name: // your Name

Email Address: // Email Address

Generate the ca. crt file and change the file attribute to 400.

# Chmod 400 ca. crt

You can use the following command to view its content,

# Openssl x509-noout-text-in ca. crt

 
Step 2: Create a server certificate signing request below,

# Openssl Gen RSA-des3-out server. key 1024

(Use openssl genrsa-out server. key 1024 in windows)

Set pass phrase here.

Generate the server. key file and change the file attribute to 400.

# Chmod 400 server. key

You can use the following command to view its content,

# Openssl rsa-noout-text-inserver. key

 

Use server. key to generate the CSR for signing the certificate.

# Openssl req-new-key server. key-out server. csr

Enter some information here, which is similar to the content in CA.

For 'Extra 'attributes, no input is required.

"Common Name: Chen Yang Your Name". enter the domain Name or IP address of your server.

You can view the CSR details

# Openssl req-noout-text-inserver. csr

 
Step 3: You can sign the certificate below

# Openssl ca-config/etc/pki/tls/openssl. cnf-days 3650-cert ca. crt-keyfile ca. key-in server. csr-out server. crt

Note that you need to manually create a CA directory structure
─ ── Etc
└ ── Pki

└-CA

├ ── Newcerts

├─Index.txt

├ ── Serial

Create an empty index.txt file in CA, serial file, and enter 01 in the serial file

Otherwise, an error occurs when you run this command: I am unable to access the./CA/newcerts directory ....

 

Change the file attribute to 400 and place it in a safe place.

# Chmod 400 server. crt

Step 4: generate a client certificate

Generate customer private key:
# Openssl genrsa-des3-out client. key 1024

Generate customer certificate
# Openssl req-new-key client. key-out client. csr

Visa:
# Openssl ca-config/etc/pki/tls/openssl. cnf-days 3650-cert ca. crt-keyfile ca. key-in client. csr-out client. crt

Convert to pkcs12 format for client installation
# Openssl pkcs12-export-clcerts-in client. crt-inkey client. key-out client. pfx