Step 1: first create a CA certificate, first create an RSA private key for the CA, # cd/etc/pki/CA # opensslgenrsa-des3-outca.key1024 (because ssl_module in windows does not support encryption keys, use opensslgenrs
Step 1: first create a CA certificate,
First, create an RSA private key for the CA,
# Cd/etc/pki/CA
# Openssl genrsa-des3-out ca. key 1024
(Because ssl_module in windows does not support encryption keys, use openssl genrsa-out ca. key 1024)
The system prompts you to enter PEM pass phrase, that is, the password. remember to enter it.
Generate the ca. key file and change the file attribute to 400.
# Chmod 400 ca. key
You can use the following command to view its content,
# Openssl rsa-noout-text-in ca. key
Use the RSA key of the CA to create a self-signed CA certificate (X.509 structure)
# Openssl req-new-x509-days 3650-key ca. key-out ca. crt
Enter the following information:
Country Name: CN // Country code with two letters
State or Province Name: Guangdong // Province Name
Locality Name: Guangzhou // city Name
Organization Name: // company Name
Organizational Unit Name: // Department Name
Common Name: // your Name
Email Address: // Email Address
Generate the ca. crt file and change the file attribute to 400.
# Chmod 400 ca. crt
You can use the following command to view its content,
# Openssl x509-noout-text-in ca. crt
Step 2: Create a server certificate signing request below,
# Openssl Gen RSA-des3-out server. key 1024
(Use openssl genrsa-out server. key 1024 in windows)
Set pass phrase here.
Generate the server. key file and change the file attribute to 400.
# Chmod 400 server. key
You can use the following command to view its content,
# Openssl rsa-noout-text-inserver. key
Use server. key to generate the CSR for signing the certificate.
# Openssl req-new-key server. key-out server. csr
Enter some information here, which is similar to the content in CA.
For 'Extra 'attributes, no input is required.
"Common Name: Chen Yang Your Name". enter the domain Name or IP address of your server.
You can view the CSR details
# Openssl req-noout-text-inserver. csr
Step 3: You can sign the certificate below
# Openssl ca-config/etc/pki/tls/openssl. cnf-days 3650-cert ca. crt-keyfile ca. key-in server. csr-out server. crt
Note that you need to manually create a CA directory structure
─ ── Etc
└ ── Pki
└-CA
├ ── Newcerts
├─Index.txt
├ ── Serial
Create an empty index.txt file in CA, serial file, and enter 01 in the serial file
Otherwise, an error occurs when you run this command: I am unable to access the./CA/newcerts directory ....
Change the file attribute to 400 and place it in a safe place.
# Chmod 400 server. crt
Step 4: generate a client certificate
Generate customer private key:
# Openssl genrsa-des3-out client. key 1024
Generate customer certificate
# Openssl req-new-key client. key-out client. csr
Visa:
# Openssl ca-config/etc/pki/tls/openssl. cnf-days 3650-cert ca. crt-keyfile ca. key-in client. csr-out client. crt
Convert to pkcs12 format for client installation
# Openssl pkcs12-export-clcerts-in client. crt-inkey client. key-out client. pfx