Generate certificates with OpenSSL

First, the overall steps

OpenSSL genrsa-des3-outserver.key 1024//generate Keyopenssl req-new-keyserver.key-out server.csr-config openssl.cnf//generate CSR File OpenSSL req-new-x509-keyoutca.key-out ca.crt-config openssl.cnf//self-generated caopenssl ca-in server.csr-outserver.crt-cer T ca.crt-keyfile ca.key-config openssl.cnf//signature Penssl pkcs12-export-inkeyserver.key-in server.crt-out server.pfx//Synthetic p FX format

Second, prepare

1, first prepare the configuration file openss.cnf(if the first installed OpenSSL);

The openssl.cnf file is installed by default in the/etc/pki/tls directory, and the openssl.cnf file is copied to the current directory.

[Email protected] openssl]# CP/ETC/PKI/TLS/OPENSSL.CNFOPENSSL.CNF

2, create the required directories and files in the current working directory.

[[email protected] openssl]# mkdir/democa[[email protected] openssl]# CD./democa[[email protected] democa]# mkdir Newce RTS Private[[email protected] democa]# chmod g-rwx,o-rwx private[[email protected] democa]# echo "" > Serial[[email P Rotected] democa]# Touch index.txt

3. Modify the openssl.cnf configuration file.

[Email protected] democa]# CD.

[Email protected] openssl]# vim openssl.cnf ... DIR =/home/test/workspace/openssl/democa//change to the current absolute path .....

Three, ready to work well after you can start to generate certificates, the specific steps

1, generate private key file:server.key file or Prvtkey.pem(there is no essential difference between the two, for Linux systems do not look at the suffix name).

[Email protected]]# OpenSSL genrsa-out Server.key 2048

\ \ This way there is no password protection Generatingrsa private key, 2048 bit long modulus ..... ... +++...........+++e is65537 (0x10001), ..............--------------------------[...].

You can also configure password protection first, then remove the password

[Email protected]]# OpenSSL genrsa-des3-out server.key 1024//1024 bit GENERATINGRSA private key, 1024x768 bit long modulus .... ..... ++++++...................++++++e is65537 (0x10001) Enterpass phrase for. ..... ..... ....., ...../////. Server.key://Enter password Verifying-enter pass phrase for Server.key://Confirm password [[email protected]]# OpenSSL rsa-in server.key-o UT server.key//remove password protection enterpass phrase for server.key:writing RSA key

2, generate the certificate request file ( Certificate Signing Request)SERVER.CSR

[[email protected] openssl]# openssl req -new -key server.key-out  server.csr -config openssl.cnfyou areabout to be asked to enter  Information that will be incorporatedinto yourcertificate request. What youare about to enter is what is called a distinguished  name or a dn. There arequite a few fields but you can leave some blankfor  somefields there will be a default value,If youenter  '. ',  The field will be left blank.-----countryname  (2 letter code)  [XX ]:cn state orprovince name  (Full name)  []:beijingLocalityName  (eg,  City)  [Default City]:haidianOrganizationName  (Eg, company)  [default company  ltd]:testorganizationalunit name  (eg, section)  []:CommonName  (eg, your name  or your server ' S hostname)  []:www.test.comemailaddress []:[email protected ] pleaseenter the following  ' Extra '  attributesto besent with your  certificate requestachallenge password []: //here can not fill An optional company  NAME []://You can also require a CA signature to generate a truly used certificate without completing the CSR file. We can build ca[[email protected] openssl]# openssl req -new -x509 -keyoutca.key ourselves.  -out ca.crt -config openssl.cnfGeneratinga 2048 bit RSA private  Key................................+++..................................+++writingnew private key  to  ' ca.key ' enter pempass phrase: //enter password Verifying- enter pem pass  phrase: //Confirm Password-----you areabout to be asked to enter information that will be incorporatedinto yourcertificate  Request. What youare about to enter is what is called a distinguished  name or a dn. There arequite a few fields but you can leave some blankfor  somefields there will be a default value,If youenter  '. ',  The field will be left blank.-----countryname  (2 letter code)  [XX ]:cnstate orprovince name  (Full name)  []:beijingLocalityName  (eg, city)  [Default City]:hdOrganizationName  (Eg, company)  [default company ltd]: testorganizationalunit name  (eg, section)  []:CommonName  (eg, your name  or your server ' S hostname)  []:www.test.comemail address []:[emaIl protected] 

    3, with ca

[[email protected] openssl]# openssl ca -in server.csr -outserver.crt  -cert ca.crt -keyfile ca.key -config openssl.cnfusingconfiguration from  openssl.cnfenterpass phrase for ca.key: //Enter the password for the CA checkthat the request  matches the signaturesignatureokcertificatedetails:         serial number: 2  (0x2)         Validity             not before: jun 28 13:25:03  2015gmt            not after :  Jun 27 13:25:03 2016GMT        Subject:             countryName                = cn             stateorprovincename       = beijing             organizationName           = test            commonname                 =  www.test.com            emailaddress               = [email protected]         X509v3 extensions:             X509v3 Basic Constraints:                 ca:false            netscape comment:                 OpenSSL  generated certificate            x509v3  subject key identifier:                C9:67:D2:3B:4A:55:58:7C:D2:55:BD:DB:77:06:5B:0F:4B:57:02:8A             X509v3 Authority Key Identifier:                 keyid:cf:49:6b:cb:7a:a3:0f:30:a0 :87:cd:04:ce:03:d7:90:6f:5e:3d:ef certificateis to be certified until jun  27 13:25:03 2016 gmt  (365 days) sign thecertificate? [y/n]:y 1 out  of1 certificate requests certified, commit? [y/n]ywrite outdatabase with 1 new  entriesdata base updated

4, generally Windows uses a PFX file certificate (containing key), we can use the command to merge the generated certificate CRT and key into a PFX file.

[email protected] openssl]# OpenSSL pkcs12-export-inkey server.key-in server.crt-out server.pfxenter export Password: File password, you can not enter Verifying-enter Export Password:

5, so far we need the documents are good.

[Email protected] openssl]# lsca.crt ca.key democa openssl.cnf server.crt SERVER.CSR server.key server.pfx

Iv. Supplementary

1, will Microsoft's PFX digital certificate converted to X509 format

Opensslpkcs12-in server.pfx-nodes-out SERVER.PEM # Generate Clear Text all contents opensslrsa-in server.pem-out Server.key # take key file Opensslx 509-in server.pem-out SERVER.CRT # Fetch Certificate

This article is from the "Ding classmate 1990" blog, please be sure to keep this source http://dingtongxue1990.blog.51cto.com/4959501/1668838

Generate certificates with OpenSSL