Generate OpenSSL certificate under Linux

Source: Internet
Author: User
Tags openssl rsa pkcs12

SSL security certificates can be generated on their own or through a third-party CA (certification authority) Certification Center payment request.

SSL security certificates include:

1, CA certificate, also called root certificate or intermediate level certificate. For one-way authenticated HTTPS, the CA certificate is optional. The primary purpose is to make the certificate a chain of certificates to achieve the purpose of the browser trusting the certificate. If a CA certificate is used, both the server certificate and the client certificate are signed with the CA certificate. If you do not install a CA certificate, the browser is not considered safe by default.

2, server certificate. Must be selected. Generate the certificate request file CSR through the server private key, and then generate the server certificate by signing the CA certificate.

3, Customer certificate. Optional. If there is a customer certificate, is two-way authentication of HTTPS, otherwise is one-way authentication of HTTPS. The build step is similar to the server certificate.

Several of the above certificates can be generated on their own. Commercially, you typically provide your server or client certificate with a private key and certificate to request a CSR, or to pay a third-party organization to obtain a server certificate and a client certificate that is signed by the CA certificate.

Preparatory work:

Before the operation, it is better to open the openssl.conf file, view its dir path to modify it to Dir =/home/wjoyxt/democa/, otherwise the following steps will prompt the path cannot be found.

1. Manually create a CA directory structure in the current directory/home/wjoyxt:

$ mkdir-p./democa/newcerts

2. Create an empty file:

$ touch Democa/index.txt

3. Create and write to file 01:

$ echo > Democa/seriaL

PKI(Public key Infrastructure) is the "Key Infrastructure" RSA is the RSA public key encryption algorithm ,RSA is currently the most influential public key encryption algorithm , It resists most of the cryptographic attacks known so far and has been recommended by ISO as a public key data Encryption Standard The CSR (Certificate Signing request) is a certificate signing requesting that before the certificate is requested, the CSR is generated on the WEB server and submitted to the CA certification center before the CA can issue you an SSL service Service certificate. It can be argued that a CSR is a certificate that is generated on your server. CA Center also known as CA institution, namely Certificate Authority Center (Certificate Authority), or certificate authority, as a trusted third party in e-commerce, bear The responsibility of public Key's legality test in public key system The CA Center issues a digital certificate for each user who uses the public key, and the role of the digital certificate is to certify that the user listed in the certificate has a legitimate public key listed in the certificate. The digital signature of the CA institution allows an attacker to forge and tamper with the certificate.
The Digital Security certificate is a series of data that flags the identity of the network user, which is used to identify the communication parties in the network communication, that is, to solve the "Who am I" problem on the Internet, Just as in reality each of us has to have a personal identity card or driver's license to indicate our identity or some kind of qualification.

I. First, start building the root certificate
1, generate the CA's private key (key file)
       Span style= "Background-color:rgb (255, 255, 0); >ope nssl genrsa-out ca.key 1024x768

Here 's a little bit of this command: OpenSSL refers to entering the OpenSSL environment,Genrsa is a small application in OpenSSL to generate RSA private key. -des3 means that the resulting private key is encrypted with triple DES . This is an option, and -des-idea are symmetric encryption algorithms, as you choose .-out is the specified output, and if this option is not added, it will be exported to the standard output . 2048 Refers to the length of the private key, the single is bit, the default is OpenSSL genrsa-des3-out ca.key 1024 for private key plus password OpenSSL rsa-in server.key-out ca.key remove password for private key  
2. Fill in the Certificate application form. Omitted
OpenSSL Req-new-key ca.key-out ca.csr-config/etc/pki/tls/openssl.cnf
After you generate the CSR file and give it to the CA to sign the certificate, you will be prompted on the screen to enter the required personal information in step-by
This command will generate a certificate request, of course, using the previously generated key Ca.key file, here will generate a new file CA.CSR, a certificate request file, you can take this file to a digital certification authority (i.e. CA) to request a digital certificate. The CA will give you a new file Ca.crt, that's your digital certificate.

3. Sign the root book by yourself

OpenSSL req-new-x509-days 1000-key ca.key-out ca.crt-config/etc/pki/tls/openssl.cnf If you do the test yourself, then the certificate applicant and the authority are themselves. You can use the command above to generate the certificate. (A very common certificate format)   
Second, make server-side certificate and sign with CA
1. Generate server-side RSA private key
OpenSSL genrsa-out server.key 1024x768

2. Generate server certificate request (CSR)
OpenSSL req-new-key server.key-out server.csr-config/etc/pki/tls/openssl.cnf

      You need to enter country, region, organization, email in turn. Most importantly there is a common name , you can write your name or domain name. If for https request, this must match the domain name, otherwise it will cause browser alert. The generated CSR file is passed to ca signature and forms the service-side's own certificate.

3, sign the SERVER.CSR or CLIENT.CSR file that you just generated with the certificate of the generated CA
      openssl ca-keyfile ca.key  -cert ca.crt -in server.csr-out server.crt  -config/etc/pki/tls/ OPENSSL.CNF

third, make the user's certificate and sign with CA : (Similar to generating server certificate)
It is important to note that:
This certificate is in the form of BASE64, to be turned into PKCS12 to be installed on IE. so we're going to convert it.

OpenSSL pkcs12-export-in client.crt-inkey client.key-out client.pfx
Follow the instructions below:
Enter Pass phrase for Client.key:
Enter Export Password: # set CLIENT.PFX password
Verifying-enter Export Password:

      The files used by  client are: ca.crt,client.crt,client.key,client.pfx
       server files used are: CA.CRT, Server.crt,server.key

Certificate installation and use
Install the certificate that you just generated: Root certificate ca.crt and client certificate CLIENT.CRT (CLIENT.PFX) to the client,  CA.CRT installs to a trusted institution, CLIENT.CRT directly on Windows installation or installation to a personal certificate location, and then uses IP to access HTTP and HTTPS servers. In IE, we generally import the CLIENT.PFX certificate, which prompts you to set the password on import.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.