Detailed process of using OpenSSL to generate a certificate

Source: Internet
Author: User
Tags: install, openssl, rsa

Use OpenSSL to generate a certificate

Download and install OpenSSL, change into its bin/ directory and run the commands below from there. Copy openssl.cnf from the ssl/ directory into bin/ first, so that the -config openssl.cnf argument used throughout resolves.

1. First, generate the server's private key (the key file):

openssl genrsa -des3 -out server.key 1024

[root@airwaySSL openssl]# cd ssl/
[root@airwaySSL ssl]# pwd
/home/openssl/ssl
[root@airwaySSL ssl]# ls
certs  man  misc  openssl.cnf  private  server.csr  server.key

You will be prompted for a pass phrase. It is used to encrypt the key file (-des3 selects the cipher; today use -aes256 instead, and generate at least 2048-bit keys, since 1024-bit RSA is no longer accepted by browsers or public CAs). From then on, every program that reads this file, whether through the openssl command or its API, has to supply the pass phrase. If that is inconvenient you can strip the pass phrase, but then the file must be protected by other means: restrictive permissions (mode 0600, owned by the service account) on a host that nobody else can read from.

Command to remove the pass phrase from the key file:

openssl rsa -in server.key -out server.key

This overwrites the encrypted key in place with the plaintext one. Writing to a different file (for example -out server-nopass.key) keeps the encrypted copy and avoids losing the key if the command is interrupted.

2. Generate a certificate signing request (CSR) from that key:

openssl req -new -key server.key -out server.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key: 12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

This produces the CSR (server.csr). The CSR is handed to a CA, which signs it to produce the server certificate. Answer the prompts with the DN fields for the server. For a server certificate the Common Name should be the host name clients connect to (the example uses the placeholder "airway"); note also that current browsers and TLS libraries ignore the CN entirely and require the host name in a subjectAltName extension, which this interactive prompt does not add. A req_extensions section in openssl.cnf, or the -addext option in OpenSSL 1.1.1 and later, supplies it.

3. Run the same two commands on the client to generate its key and CSR:

openssl genrsa -des3 -out client.key 1024

Generating RSA private key, 1024 bit long modulus
......++
....++
e is 65537 (0x10001)
Enter pass phrase for client.key: 12345
Verifying - Enter pass phrase for client.key: 12345

openssl req -new -key client.key -out client.csr -config openssl.cnf

[root@airwaySSL bin]# openssl req -new -key client.key -out client.csr -config openssl.cnf
Enter pass phrase for client.key: 12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: cn
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
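Steps 1 to 3 (key, server CSR, client CSR) done non-interactively, as an added example that is not part of the original article. It assumes OpenSSL 1.1.x or later on PATH; the host names, DN values and the pass phrase are constructed for the example. It departs from the article in three places a practitioner would change today: 2048-bit keys instead of 1024, AES-256 instead of DES3 for the key file, and a subjectAltName in the request, since TLS clients no longer match the Common Name. The pass phrase is passed with pass: only to keep the example self-contained; that form shows the secret in the process list, so in real use take the prompt, or -passout file: / env:.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl 1.1.x+.
# Key names, subject values and host names below are constructed for this example.
set -e

# Minimal request config so "openssl req" does not depend on the system
# openssl.cnf. $2 is the SAN list, e.g. "DNS:host.example.test,DNS:www.host.example.test".
write_req_conf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req

[ req_dn ]

[ v3_req ]
subjectAltName = $2
EOF
}

# Step 1: 2048-bit RSA key encrypted with AES-256 (the article used 1024-bit
# DES3, both below today's minimums). The decrypted copy for the server
# process goes to a separate file so the encrypted original is never
# overwritten; the umask in the subshell keeps both files at mode 0600.
make_key() {
    name="$1"; pass="$2"
    (
        umask 077
        openssl genrsa -aes256 -passout "pass:$pass" -out "$name.key" 2048 2>/dev/null
        openssl rsa -in "$name.key" -passin "pass:$pass" -out "$name-nopass.key" 2>/dev/null
        openssl rsa -check -noout -in "$name-nopass.key" >/dev/null 2>&1   # key consistency check
    )
}

# Steps 2/3: CSR from a DN given as "/C=CN/ST=china/O=airway/CN=host" plus a SAN
# list. The same function serves the server and the client request.
make_csr() {
    name="$1"; subj="$2"; san="$3"
    write_req_conf "$name.cnf" "$san"
    openssl req -new -sha256 -key "$name-nopass.key" -config "$name.cnf" \
        -subj "$subj" -out "$name.csr" 2>/dev/null
}

# Inspect a CSR the way the CA will: -verify checks its self-signature
# (non-zero exit on failure) and -text prints the DN and requested extensions.
csr_text() {
    openssl req -in "$1" -noout -verify -text 2>/dev/null
}

# Usage: sh make_csr.sh demo
if [ "${1:-}" = "demo" ]; then
    make_key server "change-me"
    make_csr server "/C=CN/ST=china/O=airway/CN=server.example.test" \
        "DNS:server.example.test,DNS:www.server.example.test"
    make_key client "change-me"
    make_csr client "/C=CN/ST=china/O=airway/CN=client1" "email:client1@example.test"
    csr_text server.csr
fi
```

Running it with the demo argument leaves server.key (encrypted), server-nopass.key, server.csr and the client equivalents in the current directory and prints the server request, where the Subject line and the "X509v3 Subject Alternative Name" entry under Requested Extensions are what the CA will later copy into the certificate.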

 

4. A CSR only becomes a certificate once a CA signs it. You could send it to a commercial CA such as VeriSign, which costs money; for internal or test use you can set up your own CA. Generate the CA key and a self-signed CA certificate in one step:

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

-x509 produces a self-signed certificate instead of a request. With the stock openssl.cnf it applies the v3_ca extension section, which sets basicConstraints CA:TRUE, so the result can be used to sign other certificates. Add -days to set the validity period; the default is 30 days.

 

[root@airwaySSL bin]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
....++
......++
writing new private key to 'ca.key'
Enter PEM pass phrase: 12345
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: china
Locality Name (eg, city) []: wuhan
Organization Name (eg, company) [Internet Widgits Pty Ltd]: airway
Organizational Unit Name (eg, section) []: airway
Common Name (eg, YOUR name) []: airway
Email Address []:

Before the next step, open openssl.cnf and set the dir entry of its [ CA_default ] section to the CA working directory, for example dir = /home/openssl/bin/demoCA. The stock value is ./demoCA, relative to the directory openssl ca is run from; if the path is wrong, openssl ca fails with an error that the database or serial file cannot be found.

 

Create the CA directory structure by hand (openssl ca does not create it):

[weigw@TEST bin]$ mkdir ./demoCA
[weigw@TEST bin]$ mkdir demoCA/newcerts
[weigw@TEST bin]$ touch demoCA/index.txt
[weigw@TEST bin]$ echo 01 > demoCA/serial

index.txt is the certificate database and must exist and be empty; serial holds the next serial number to issue, as two hex digits. The original created both files with vi; any method works as long as the contents are exactly as above.

5. Use the CA certificate and key to sign server.csr and client.csr:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

 

[root@airwaySSL bin]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature OK
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 26 04:15:02 2009 GMT
            Not After : Feb 26 04:15:02 2010 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = china
            organizationName          = airway
            organizationalUnitName    = airway
            commonName                = airway
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38
            X509v3 Authority Key Identifier:
                keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19

Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

 

[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature OK
The countryName field needed to be the same in the
CA certificate (CN) and the request (cn)

The second run did not issue a certificate. The default policy (policy_match in openssl.cnf) requires countryName, stateOrProvinceName and organizationName in the request to be byte-for-byte equal to the CA certificate's, and the client CSR in step 3 was created with the country "cn" while the CA has "CN". Either regenerate client.csr with C=CN, or sign it with -policy policy_anything, and run the command again; only then are all the files generated. Two other things visible in the first run are worth knowing: Locality Name (wuhan) is absent from the issued certificate's subject because policy_match does not list localityName, so openssl ca drops the field; and the certificate carries CA:FALSE, so it cannot be used to sign further certificates.

In addition:

The client needs ca.crt, client.crt and client.key.

The server needs ca.crt, server.crt and server.key.

ca.key stays on the CA machine and is never distributed: anyone who holds it can issue certificates that both sides will trust.
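Steps 4 and 5 as one script, as an added example that is not part of the original article. It builds the demoCA layout and a self-contained CA config in a scratch directory, creates the CA key and a self-signed certificate with CA:TRUE, issues certificates with openssl ca in batch mode, and verifies the result against the CA and against the key. It assumes OpenSSL 1.1.1 or later (for -addext); the paths, DN values and host names are constructed. The demo deliberately repeats the article's lower-case country code in the client request so that the policy_match rejection, and the -policy policy_anything way around it, can be seen.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl 1.1.1+.
# All paths, DN values and host names are constructed for this example.
set -e

# Create the directory layout "openssl ca" expects and a self-contained config,
# then generate the CA key and its self-signed certificate (CA:TRUE).
setup_ca() {
    dir="$1"
    mkdir -p "$dir/demoCA/newcerts" "$dir/demoCA/private"
    : > "$dir/demoCA/index.txt"      # empty certificate database
    echo 01 > "$dir/demoCA/serial"   # first serial number to issue
    # x509_extensions: extensions for issued certificates; copy_extensions: keep the
    # SAN requested in the CSR (usr_cert still wins for extensions it sets itself).
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
unique_subject  = no
x509_extensions = usr_cert
copy_extensions = copy
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # -nodes leaves the CA key unencrypted; acceptable only for a throwaway CA.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -keyout "$dir/demoCA/private/ca.key" -out "$dir/demoCA/ca.crt" \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=china/O=airway/CN=airway Example CA" 2>/dev/null
}

# Key and CSR for one subject; the SAN goes in via -addext (OpenSSL 1.1.1+).
make_csr() {
    dir="$1"; name="$2"; subj="$3"; san="$4"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$name.key" -config "$dir/ca.cnf" \
        -subj "$subj" -addext "subjectAltName=$san" -out "$dir/$name.csr" 2>/dev/null
}

# Sign a CSR. -batch answers the "Sign the certificate?" and "commit?" prompts.
# Success is judged by whether a parseable certificate was written, rather than
# by the exit status alone; the CA's own messages stay on stderr for the reader.
issue_cert() {
    dir="$1"; csr="$2"; out="$3"; policy="${4:-policy_match}"
    openssl ca -batch -notext -config "$dir/ca.cnf" -policy "$policy" \
        -in "$csr" -out "$out" || true
    openssl x509 -noout -in "$out" 2>/dev/null
}

# An issued certificate must chain to ca.crt and match the key we generated
# (same RSA modulus), which catches a request signed for the wrong key.
check_cert() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/demoCA/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    k=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null)
    [ "$k" = "$c" ]
}

# Usage: sh private_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    w=$(mktemp -d)
    setup_ca "$w"
    make_csr "$w" server "/C=CN/ST=china/O=airway/CN=server.example.test" "DNS:server.example.test"
    issue_cert "$w" "$w/server.csr" "$w/server.crt" && check_cert "$w" server && echo "server.crt OK"
    # The article's mistake: country "cn" in the request but "CN" in the CA.
    make_csr "$w" client "/C=cn/ST=china/O=airway/CN=client1" "email:client1@example.test"
    issue_cert "$w" "$w/client.csr" "$w/client.crt" || echo "policy_match rejected client.csr (expected)"
    issue_cert "$w" "$w/client.csr" "$w/client.crt" policy_anything && check_cert "$w" client && echo "client.crt OK"
    echo "CA and certificates left in $w"
fi
```

The config replaces the article's edit of the dir entry in openssl.cnf: dir is written as an absolute path, so openssl ca can be run from anywhere. copy_extensions = copy means the CA honours extensions the requester put in the CSR, so keep usr_cert in charge of basicConstraints and key usage and never point copy_extensions at requests you have not reviewed. The second issue_cert call for the client fails with the same "countryName field needed to be the same" message as in the article; the third, with -policy policy_anything, succeeds.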


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
