I. Overall steps

# openssl genrsa -des3 -out server.key 1024                                              (generate the key)
# openssl req -new -key server.key -out server.csr -config openssl.cnf                    (generate the CSR file)
# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf                   (build our own CA)
# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf   (sign the CSR)
# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx                 (produce the PFX format)

Note on key size: 1024-bit RSA keys are no longer considered safe and are rejected by current browsers and TLS libraries; use at least 2048 bits, as the detailed steps below do.
II. Preparation

1. First prepare the configuration file openssl.cnf (needed if this is a fresh OpenSSL installation).

On RHEL/CentOS the openssl.cnf file is installed by default under /etc/pki/tls. Copy it into the current working directory so the edits below do not touch the system-wide file:

# cp /etc/pki/tls/openssl.cnf openssl.cnf

2. Create the directories and files that "openssl ca" needs in the current working directory.

# mkdir demoCA
# cd ./demoCA
# mkdir newcerts private
# chmod g-rwx,o-rwx private
# echo 01 > serial
# touch index.txt

The serial file must contain a hexadecimal number (here 01), not an empty string; with an empty file "openssl ca" fails with "unable to load number from ./demoCA/serial". index.txt is the CA's database of issued certificates and starts out empty. The private directory is where the CA key should live, which is why group and others lose all access to it.

3. Modify the openssl.cnf configuration file so that "dir" in the [ CA_default ] section points at the directory just created.

# cd ..
# vim openssl.cnf
...
dir = /home/test/workspace/openssl/demoCA    (change to the absolute path of your own demoCA)
...
III. With the preparation done, the certificates can be generated. The specific steps:

1. Generate the private key file: server.key or privkey.pem (there is no essential difference between the two; on Linux the file extension does not matter).

# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
...........+++
e is 65537 (0x10001)

Generated this way the key has no password protection, so it is only as safe as the file permissions on server.key (keep it mode 0600 and owned by the service user).

You can also generate the key with password protection first and remove the password afterwards:

# openssl genrsa -des3 -out server.key 1024       (1024 bit; use 2048 or more in practice)
Generating RSA private key, 1024 bit long modulus
......++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:                  (enter the password)
Verifying - enter pass phrase for server.key:      (confirm the password)

# openssl rsa -in server.key -out server.key       (remove the password protection)
Enter pass phrase for server.key:
writing RSA key
2. Generate the certificate signing request (CSR) file server.csr.

# openssl req -new -key server.key -out server.csr -config openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          (can be left blank)
An optional company name []:      (can also be left blank)

The Common Name must be the hostname clients will connect to; a mismatch makes every TLS client reject the certificate.

A CSR alone is not a usable certificate: it still has to be signed by a CA. We can build a CA ourselves. The command below generates a new CA key (ca.key, protected by a pass phrase) together with a self-signed CA certificate (ca.crt):

# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:                (enter the password)
Verifying - Enter PEM pass phrase:    (confirm the password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hd
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]

Two things to watch here. Without "-days N", "openssl req -x509" issues a certificate that is valid for only 30 days, so the CA certificate will expire before the server certificate it signs below; pass something like -days 3650. And give the CA a Common Name of its own (for example a name that is not a hostname) rather than reusing www.test.com, so the CA certificate and the server certificate cannot be confused with each other.
3. Sign the CSR with the CA.

# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:          (enter the CA key's password)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 28 13:25:03 2015 GMT
            Not After : Jun 27 13:25:03 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = test
            commonName                = www.test.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:67:D2:3B:4A:55:58:7C:D2:55:BD:DB:77:06:5B:0F:4B:57:02:8A
            X509v3 Authority Key Identifier:
                keyid:CF:49:6B:CB:7A:A3:0F:30:A0:87:CD:04:CE:03:D7:90:6F:5E:3D:EF
Certificate is to be certified until Jun 27 13:25:03 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note that the Locality Name entered in the CSR (haidian) does not appear in the issued certificate: the default policy_match section of openssl.cnf does not list localityName, and "openssl ca" drops any request field the policy does not mention. The Basic Constraints CA:FALSE extension comes from the usr_cert section and is what makes this an end-entity certificate rather than another CA. The CA and server certificates can be checked against each other with "openssl verify -CAfile ca.crt server.crt", which should print "server.crt: OK".
4. Windows generally uses a PFX (PKCS#12) certificate file, which contains the private key together with the certificate. We can merge the generated certificate (server.crt) and key (server.key) into one PFX file with:

# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
Enter Export Password:                 (password for the file; may be left blank)
Verifying - Enter Export Password:

Because the PFX file carries the private key, leaving the export password blank means anyone who can read the file owns the key; set a real password and hand it over separately from the file.
5. At this point all the files we need have been produced.

# ls
ca.crt  ca.key  demoCA  openssl.cnf  server.crt  server.csr  server.key  server.pfx
IV. Supplement

1. Converting a Microsoft PFX digital certificate back into X.509 format.

# openssl pkcs12 -in server.pfx -nodes -out server.pem     (dump the whole contents as clear-text PEM)
# openssl rsa -in server.pem -out server.key               (extract the key file)
# openssl x509 -in server.pem -out server.crt              (extract the certificate)

The -nodes option writes the private key into server.pem unencrypted, so treat server.pem with the same care as server.key and delete it once the two files have been split out.
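The whole procedure of sections III and IV as one non-interactive script, added here as an example and not part of the original article. It builds the demoCA layout, a CA, a server key and CSR, signs with "openssl ca", exports a PFX, unpacks it again, and then runs the two checks the article never does: that the key and certificate share the same RSA modulus, and that the CA certificate actually verifies the issued one. The CA name "Test Root CA", the export password "changeit", the 3650-day CA lifetime and the minimal openssl.cnf written inline are all assumed example values; only the openssl command line is required.

```shell
#!/bin/sh
# Added example: the article's certificate procedure end to end, non-interactive.
# Assumed values: CN "Test Root CA", password "changeit", the config below.
set -eu

# Minimal openssl.cnf for the demoCA layout the article creates by hand.
# Absolute paths are filled in, which is the "dir = ..." edit from section II.
write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
new_certs_dir   = $dir/demoCA/newcerts
database        = $dir/demoCA/index.txt
serial          = $dir/demoCA/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
unique_subject  = no
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.test.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# A key and a certificate belong together iff their RSA moduli are identical.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Chain check: does the CA certificate verify the issued certificate?
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki() {
    dir=$1
    mkdir -p "$dir" && dir=$(cd "$dir" && pwd)
    rm -rf "$dir/demoCA"                   # openssl ca refuses duplicate serials
    mkdir -p "$dir/demoCA/newcerts" "$dir/demoCA/private"
    chmod g-rwx,o-rwx "$dir/demoCA/private"
    : > "$dir/demoCA/index.txt"
    echo 01 > "$dir/demoCA/serial"         # a hex number, never an empty file
    write_config "$dir"
    cfg=$dir/openssl.cnf
    umask 077                              # private keys are created mode 0600

    # 1. CA key and self-signed CA certificate (-days, or it lasts only 30 days)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/C=CN/ST=Beijing/O=test/CN=Test Root CA" -config "$cfg" -extensions v3_ca

    # 2. Server key (2048 bits, not the article's 1024) and CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/O=test/CN=www.test.com" -config "$cfg"

    # 3. Sign with the CA database; -batch answers the two y/n prompts
    openssl ca -batch -config "$cfg" -in "$dir/server.csr" -out "$dir/server.crt" \
        -cert "$dir/ca.crt" -keyfile "$dir/ca.key" -notext

    # 4. PFX for Windows, carrying the CA chain and a real export password
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -out "$dir/server.pfx" -passout pass:changeit

    # 5. Section IV: unpack the PFX (-nodes writes the key unencrypted) and split it
    openssl pkcs12 -in "$dir/server.pfx" -nodes -clcerts -out "$dir/server.pem" \
        -passin pass:changeit
    openssl rsa -in "$dir/server.pem" -out "$dir/back.key" 2>/dev/null
    openssl x509 -in "$dir/server.pem" -out "$dir/back.crt"

    key_matches_cert "$dir/server.key" "$dir/server.crt"
    key_matches_cert "$dir/back.key" "$dir/back.crt"
    cert_verifies "$dir/ca.crt" "$dir/back.crt"
}

build_pki "${1:-$(mktemp -d)}" && echo "PKI built in $dir"
```

Run it with a target directory as the only argument (a fresh temporary directory is used when none is given). The script exits non-zero at the first failing step because of set -e, so a silent success means every artifact exists and the two consistency checks passed; the modulus comparison is the quickest way to diagnose the common "key does not match certificate" error a web server reports after files are mixed up.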
This article is from the "Ding classmate 1990" blog, please be sure to keep this source http://dingtongxue1990.blog.51cto.com/4959501/1668838
Generate certificates with OpenSSL