HTTPS Learning Note Three: Generating a Root CA and Issuing Certificates with OpenSSL

Source: Internet
Author: User

HTTPS learning note two explained what digital certificates are, what they are composed of, and how the client validates the server-side certificate during the HTTPS connection process. This chapter describes how to use the OpenSSL library to create a key file, generate a root CA, and issue a child certificate. The main reference is the official documentation:

I. Introduction of OpenSSL

OpenSSL is currently the most popular SSL cryptographic library. It provides a general-purpose, robust, full-featured suite of tools that supports the implementation of the SSL/TLS protocols. Official website:

It has three main uses:

1. Cryptographic algorithm library (creating RSA, DH and DSA key parameters, computing message digests, encrypting and decrypting with various ciphers).
2. Key and certificate management (creating X.509 certificates, certificate signing requests (CSRs) and certificate revocation lists (CRLs)).
3. SSL communication API (TLS/SSL client and server testing, handling of S/MIME or encrypted mail).

II. Installing OpenSSL (Linux CentOS 7 32-bit)

If you are using a Unix operating system, the library may already have been installed with the system. Before using it, however, check which version of the OpenSSL library you have, because 1.0.1 is an important watershed: it is the first version that supports TLS 1.1 and 1.2. The choice of operating system also matters; on Ubuntu 12.04 LTS, for example, the client does not support SSL 2. Here is an example of installing on CentOS 7:

A. Download OpenSSL library file:

B. Put the downloaded archive in the root directory, extract it, and change into the extracted folder (this yields the openssl-openssl-1.0.0 folder): cd openssl-1.0.0

C. Configure OpenSSL before compiling. Run: ./config --prefix=/usr/local/openssl, where the --prefix parameter is the installation directory, that is, the installed files will appear in this directory.

D. Compile OpenSSL. Run: make install

Aside: error after installing OpenSSL

1. Problem description: after installation completes, viewing the version information fails because a library file is missing:
[[email protected] /usr/local/openssl/bin]# openssl version
while loading shared 1.1  Object file:no such file or directory
2. Solution: the libssl dependency cannot be found. Write the search path of the OpenSSL library files into the /etc/ file, then make the modified conf take effect:
echo "/usr/local/lib64" >>/etc/
ldconfig -v

III. Using OpenSSL to generate an RSA key pair

Before using OpenSSL to generate a private key and its public key, you need to understand the following points:

1. Key algorithm: OpenSSL supports generating RSA, DSA and ECDSA key pairs, but RSA is the most commonly used.

2. Key length: RSA 2048 is recognized as a more secure key length.

3. Passphrase: protecting the key with a passphrase is optional but generally strongly recommended (the official documentation and many real projects do not set one). With a passphrase, you must enter it every time the key file is used, which improves security at the cost of convenience.

Use the genrsa command to generate an RSA key (for key files of other algorithms such as DSA, refer directly to the official tutorial; RSA is used here as the common example). There are two steps:

A. Generate the private key:

Use the command openssl genrsa -aes128 -out fd.key 2048. You are then prompted to set a passphrase for this key, and the key is stored encrypted with AES-128 under that passphrase.

$ openssl genrsa -aes128 -out fd.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for fd.key: ****************
Verifying - Enter pass phrase for fd.key: ****************

This key file is the private key file. You can view its contents as follows:

$ cat fd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01EC21976A463CE36E9DB59FF6AF689A

[ lines removed ...]
-----END RSA PRIVATE KEY-----

B. Generate the public key:

Use the command openssl rsa -in fd.key -pubout -out fd-public.key

$ openssl rsa -in fd.key -pubout -out fd-public.key
Enter pass phrase for fd.key: ****************

View this key file; it is the public key:

$ cat fd-public.key
-----BEGIN PUBLIC KEY-----
[ lines removed ...]
-----END PUBLIC KEY-----

IV. Steps for obtaining a certificate issued by an authority

To obtain a certificate issued by an authority, first obtain the private key file (.key), then use the private key file to generate the signing request file (.csr), send the CSR file to the authority and wait for its verification. After successful verification, the certificate file (.crt) is returned.

A: Generate the private key.

Step A is the same as in the earlier section on using OpenSSL to generate an RSA key pair. Use the command: openssl genrsa -aes128 -out fd.key 2048

B: Use the private key file to generate the signing request file (.csr)

When generating a CSR file, you need to fill in some information about the person or company to be certified, such as country name, province name, organization name, hostname and email address. Some fields can be left unfilled by entering a '.'.

Use the command openssl req -new -key fd.key -out fd.csr. The process is as follows:

$ openssl req -new -key fd.key -out fd.csr
Enter pass phrase for fd.key: ****************
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Feisty Duck Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.feistyduck.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C: Send the CSR file to the authority, wait for the authority's verification, and pay to obtain the certificate.

V. Generating a root CA and issuing certificates with OpenSSL

Sometimes the SSL protocol is only used on your own internal servers. In that case you do not have to go to a third-party authoritative CA for a certificate; you can issue self-signed certificates from a root CA that you create yourself (non-authoritative). There are three main steps.

A: Create the working directory that openssl.cnf uses for default_ca (this must be set up the first time).

1. View the OpenSSL configuration file:

$ openssl version -a
OpenSSL 1.0.1e-fips [...]
built on: [...]
platform: linux-x86_64
options:  [...]
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

2. Locate the configuration file openssl.cnf under OPENSSLDIR: "/etc/pki/tls"

The corresponding folders and files are created according to the defaults in the [ CA_default ] section of the configuration file.

Create the folders and files in order by executing the following commands under /etc/pki/CA:

Where:

certs: stores issued certificates.
newcerts: stores new certificates generated by the CA command.
private: holds the private key.
crl: holds revoked certificates.
index.txt: the text database file in which OpenSSL records issued certificates; it is usually empty at initialization.
serial: the serial number reference file used when a certificate is issued. The serial number in this file is stored in hexadecimal format, and the file must contain a valid serial number.

When you are done, the current directory is:

[[email protected] /etc/pki/CA]$ ll
total [...]
drwxrwxrwx 2 root root 4096 [...] certs
drwxrwxrwx 2 root root 4096 [...] crl
-rwxrwxrwx 1 root root    0 [...] index.txt
drwxrwxrwx 2 root root 4096 [...] newcerts
drwxrwxrwx 2 root root 4096 [...] private
-rwxrwxrwx 1 root root [...] serial

Aside: error when signing a user certificate with the self-signed certificate, file does not exist

1. Problem description:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

Using configuration from /etc/pki/tls/openssl.cnf

/etc/pki/CA/serial: No such file or directory
Error while loading serial number
139996157081440:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
139996157081440:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

2. Solution:
If the working directory has not been set up, the last step of step C below, which uses the openssl ca command to generate the user's certificate, fails with this error. Create the working directory that openssl.cnf uses for default_ca, as described in step A.
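
One way to create the working directory described in step A and to check it before running openssl ca, as an added example that is not the article's own commands. The function names and the scratch directory argument are assumptions; private/ is created with mode 700 rather than the rwxrwxrwx shown in the listing above, because it holds the CA private key.

```shell
#!/bin/sh
# Added example, not from the original article. Builds and audits the
# layout that the [ CA_default ] section expects. The directory is passed
# as $1 (assumption: a scratch path, so no root access is needed).

init_ca_dir() {
    ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl" "$ca_dir/private"
    chmod 755 "$ca_dir" "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl"
    chmod 700 "$ca_dir/private"                            # CA key lives here
    [ -e "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"  # empty database
    [ -s "$ca_dir/serial" ] || echo 01 > "$ca_dir/serial"  # next serial, hex
    chmod 644 "$ca_dir/index.txt" "$ca_dir/serial"
}

# Prints one line per problem; returns 0 only when nothing was found.
check_ca_dir() {
    ca_dir=$1
    problems=0
    for d in certs newcerts crl private; do
        [ -d "$ca_dir/$d" ] || { echo "missing directory: $d"; problems=$((problems + 1)); }
    done
    [ -f "$ca_dir/index.txt" ] || { echo "missing file: index.txt"; problems=$((problems + 1)); }
    # Without a serial file, openssl ca stops with "Error while loading serial number".
    if [ ! -s "$ca_dir/serial" ]; then
        echo "missing or empty file: serial"; problems=$((problems + 1))
    elif ! head -n 1 "$ca_dir/serial" | grep -Eq '^[0-9A-Fa-f]+$'; then
        echo "serial is not a hexadecimal number"; problems=$((problems + 1))
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ -d "$ca_dir/private" ] &&
       [ "$(ls -ld "$ca_dir/private" | cut -c5-10)" != "------" ]; then
        echo "private/ is accessible to group or others"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run init_ca_dir on the directory that dir points to in openssl.cnf, then check_ca_dir on the same path; each line it prints names one thing to fix.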

B: Generate the CA root certificate (root CA certificate).

Steps: generate the CA private key (.key) -> generate the CA certificate request (.csr) -> self-sign to get the root certificate (.crt) (the CA issues a certificate to itself).

# Generate CA private key ---> ca.key

openssl genrsa -out ca.key 2048

# Generate CSR ---> ca.csr

openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate (CA root certificate) ---> ca.crt

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Aside: command to get the CA root certificate directly from the key file

Method: after getting the key file, execute the following command:
openssl req -new -x509 -days 365 -key fd.key -out fd.crt
If you do not want to fill in the registration information interactively, execute the following command:
openssl req -new -x509 -days 365 -key fd.key -out fd.crt -subj "/C=GB/L=London/O=Feisty Duck Ltd"

C: Sign the user certificate with the self-signed root certificate ca.crt.

Steps: generate a private key (.key) -> generate a certificate request (.csr) -> sign the certificate (.crt) with the CA root certificate.

# Generate private key ---> server.key

openssl genrsa -out server.key 1024

# Generate CSR ---> server.csr

openssl req -new -key server.key -out server.csr

# Generate certificate ---> server.crt

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

Aside: error when signing with the CA root certificate, "The mandatory stateOrProvinceName field was missing"

1. Problem description:

sudo openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The mandatory stateOrProvinceName field was missing

2. Reason: the CA policy in openssl.cnf sets three fields to match. These must be filled in with the same values, or the policy must be changed to optional.
3. Workaround: modify the configuration file to:

# For the CA policy
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
D: Simple use of certificates.

Save server.crt and server.key on the server side for the program to load, and save ca.key on the client, for use when the client needs to verify the certificate sent by the server.
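
Steps B to D end to end, as an added example that is not the article's own code: it creates a root CA, issues a server certificate, and runs the checks a client and a server operator would run. The function names, subject names and the host www.example.test are assumptions, and signing uses openssl x509 -req -CA rather than openssl ca so that no openssl.cnf working directory is required. Verification reads only the CA certificate ca.crt; the CA private key ca.key is used for signing alone.

```shell
#!/bin/sh
# Added example, not from the original article. File names follow the
# article; subject names and the host name are constructed. Keys are
# 2048-bit, the length the article recommends in section III.

make_root_ca() {          # $1 = output prefix, $2 = common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    chmod 600 "$1.key"
    openssl req -new -x509 -days 365 -key "$1.key" -out "$1.crt" \
        -subj "/C=GB/O=Example Test CA/CN=$2"
}

issue_server_cert() {     # $1 = CA prefix, $2 = server prefix, $3 = host name
    openssl genrsa -out "$2.key" 2048 2>/dev/null
    chmod 600 "$2.key"
    openssl req -new -key "$2.key" -out "$2.csr" -subj "/C=GB/CN=$3"
    openssl x509 -req -days 365 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -out "$2.crt" 2>/dev/null
}

# Client-side check: does the certificate chain to this CA certificate?
# Matching on the ": OK" line also works on OpenSSL releases whose
# verify command exits 0 after a failed verification.
verify_with_ca() {        # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Server-side check: the certificate must belong to the key the server loads.
key_matches_cert() {      # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```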
