Generate certificates with OpenSSL

Source: Internet
Author: User
Tags generate csr modulus openssl rsa pkcs12 password protection

I. Overall steps

openssl genrsa -des3 -out server.key 1024                                                   # generate key
openssl req -new -key server.key -out server.csr -config openssl.cnf                        # generate CSR file
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf                       # self-generated CA
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf  # sign the CSR
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx                     # synthesize PFX format


II. Preparation

1. First prepare the configuration file openssl.cnf (needed if OpenSSL has just been installed).

The openssl.cnf file is installed by default in the /etc/pki/tls directory; copy it to the current directory.

[root@host openssl]# cp /etc/pki/tls/openssl.cnf openssl.cnf

2. Create the directories and files that openssl.cnf expects in the current working directory.

[root@host openssl]# mkdir ./democa
[root@host openssl]# cd ./democa
[root@host democa]# mkdir newcerts private
[root@host democa]# chmod g-rwx,o-rwx private
[root@host democa]# echo "01" > serial        # the serial file must hold a starting number; an empty file makes 'openssl ca' fail
[root@host democa]# touch index.txt

3. Modify the openssl.cnf configuration file.

[root@host democa]# cd ..
[root@host openssl]# vim openssl.cnf
...
dir = /home/test/workspace/openssl/democa    # change to the absolute path of the democa directory created above
...

III. With the preparation done, you can start generating certificates. The specific steps:

1. Generate the private key file: server.key or privkey.pem (there is no essential difference between the two; Linux does not care about the file extension).

[root@host openssl]# openssl genrsa -out server.key 2048      # this way there is no password protection
Generating RSA private key, 2048 bit long modulus
.....+++
...........+++
e is 65537 (0x10001)

You can also generate the key with password protection first and then remove the password:

[root@host openssl]# openssl genrsa -des3 -out server.key 1024      # 1024-bit key
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:              # enter password
Verifying - Enter pass phrase for server.key:  # confirm password
[root@host openssl]# openssl rsa -in server.key -out server.key     # remove password protection
Enter pass phrase for server.key:
writing RSA key

2. Generate the certificate signing request (CSR) file server.csr

[root@host openssl]# openssl req -new -key server.key -out server.csr -config openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          # can be left blank
An optional company name []:

Generating the CSR file alone is not enough: a CA signature is required to produce a certificate that can actually be used. We can build the CA ourselves.

[root@host openssl]# openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:              # enter password
Verifying - Enter PEM pass phrase:  # confirm password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hd
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]

3. Sign the CSR with the CA

[root@host openssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:      # enter the password of the CA key
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 28 13:25:03 2015 GMT
            Not After : Jun 27 13:25:03 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = test
            commonName                = www.test.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:67:D2:3B:4A:55:58:7C:D2:55:BD:DB:77:06:5B:0F:4B:57:02:8A
            X509v3 Authority Key Identifier:
                keyid:CF:49:6B:CB:7A:A3:0F:30:A0:87:CD:04:CE:03:D7:90:6F:5E:3D:EF

Certificate is to be certified until Jun 27 13:25:03 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Windows generally uses a PFX certificate file (which contains the key). The following command merges the generated certificate (crt) and key into one PFX file.

[root@host openssl]# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
Enter Export Password:              # password for the file; can be left empty
Verifying - Enter Export Password:

5. At this point all the files we need are ready.

[root@host openssl]# ls
ca.crt  ca.key  democa  openssl.cnf  server.crt  server.csr  server.key  server.pfx

IV. Supplementary

1. Convert a Microsoft PFX digital certificate to X509 (PEM) format

openssl pkcs12 -in server.pfx -nodes -out server.pem   # write all contents out in clear text
openssl rsa -in server.pem -out server.key             # extract the key file
openssl x509 -in server.pem -out server.crt            # extract the certificate
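The whole workflow of section III together with the PFX unpacking of section IV, as an added example that is not code from the original post: it runs the same commands without prompts (a minimal stand-in for openssl.cnf, -subj instead of the DN prompts, -batch for the y/n prompts, -nodes for the CA key) and then checks what a deployer would check, that the certificate verifies against the CA and that the certificate and key share a modulus. It assumes the openssl CLI is on PATH; the DN values and the export password are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's workflow (key -> CSR ->
# self-signed CA -> 'openssl ca' -> PFX -> unpack) run without prompts, then checked.
# Assumes the openssl CLI is on PATH; the DN values and export password are constructed.
set -e
make_and_verify_cert() (
  cd "$1"
  # Minimal stand-in for openssl.cnf: the [CA_default] keys the post edits plus
  # the CA:TRUE extension a self-signed CA needs for 'openssl verify' to accept it.
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./democa
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  mkdir -p democa/newcerts democa/private && chmod g-rwx,o-rwx democa/private
  echo 01 > democa/serial        # an empty serial file makes 'openssl ca' fail
  touch democa/index.txt
  # Server key without passphrase; -subj replaces the interactive DN prompts
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config openssl.cnf -subj "/CN=www.test.com"
  # Self-signed CA; -nodes skips the passphrase the post puts on ca.key
  openssl req -new -x509 -nodes -keyout ca.key -out ca.crt -config openssl.cnf -subj "/CN=Test CA" 2>/dev/null
  # Sign the CSR; -batch answers the two y/n prompts, -notext keeps server.crt pure PEM
  openssl ca -batch -notext -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
  # Export to PFX and unpack it again as in section IV (constructed export password)
  openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx -passout pass:example
  openssl pkcs12 -in server.pfx -nodes -out server.pem -passin pass:example
  # Checks: the chain verifies against the CA, and certificate and key share a modulus
  openssl verify -CAfile ca.crt server.crt >/dev/null
  [ "$(openssl x509 -noout -modulus -in server.crt)" = "$(openssl rsa -noout -modulus -in server.key)" ]
)
make_and_verify_cert "${1:-$(mktemp -d)}"
```

Pass a directory as the first argument to keep the generated files; a mismatch in either check makes the function return nonzero.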



This article is from the "Ding classmate 1990" blog; please keep this source: http://dingtongxue1990.blog.51cto.com/4959501/1668838

