OpenSSL-Generate certificates with OpenSSL

Source: Internet
Author: User
Tags: openssl, build, openssl rsa, openssl x509

Step 1. Create Key

This command generates a 1024- or 2048-bit RSA key; the output file holds the private key, and the public key is derived from it. Replace 2048 with 1024 below for a 1024-bit key.

openssl genrsa -out prvtkey.pem 2048 (not passphrase protected)

openssl genrsa -des3 -out prvtkey.pem 2048 (passphrase protected)

Step 2. Create Certification Request

openssl req -new -key prvtkey.pem -out cert.csr

openssl req -new -nodes -key prvtkey.pem -out cert.csr

This command generates a certificate request and, of course, uses the previously generated key file prvtkey.pem. (The -nodes option only has an effect when req generates a key itself; with an existing -key it changes nothing.)
It produces a new file, cert.csr, the certificate request file. You can take this file to a certification authority (CA) to request a digital certificate. The CA will return a new file, cacert.pem, which is your digital certificate.

openssl rsa -in prvtkey.pem -pubout -out pubkey.key

This command extracts the public key from the prvtkey.pem file.


Step 3. Send the certificate request to a certification authority (CA)

If you are only testing, the certificate applicant and the authority are the same party, and you can generate the certificate yourself with the following command:

openssl req -new -x509 -key prvtkey.pem -out cacert.pem -days 1095

This command uses the key prvtkey.pem generated above to produce the self-signed certificate cacert.pem.

For the cacert.pem build process, see "OpenSSL Build Your own CA" below.

The files prvtkey.pem and cacert.pem can then be used in your own programs, for example by a server to encrypt communications.
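The three steps above, run end to end as an added example (this is not the post's own script): it generates the key, the request, the self-signed certificate and the extracted public key, and then performs the check a practitioner wants afterwards, namely that the certificate really carries the public half of the private key. It assumes a POSIX sh with openssl on PATH; the subject values are constructed, a 2048-bit key and a SHA-256 signature are used, and the scratch directory is created with mktemp.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and openssl on PATH.
# All subject (DN) values below are constructed for the demo.

# Step 1: unencrypted 2048-bit RSA key (add -des3 or -aes256 to protect it at rest).
make_key() {            # $1 = output private key file
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step 2: certificate signing request for that key; -subj avoids interactive prompts.
make_csr() {            # $1 = private key, $2 = output CSR
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=CN/ST=HZ/O=Example Org/CN=server.example.test"
}

# Step 3 (self-test variant): applicant and CA are the same party, so self-sign
# for 1095 days as in the post, with a SHA-256 signature.
make_selfsigned() {     # $1 = private key, $2 = output certificate
    openssl req -new -x509 -key "$1" -out "$2" -days 1095 -sha256 \
        -subj "/C=CN/ST=HZ/O=Example Org/CN=server.example.test"
}

# Public key extracted from the private key file (openssl rsa -pubout).
extract_pubkey() {      # $1 = private key, $2 = output public key
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Consistency check: the SubjectPublicKeyInfo embedded in the certificate must
# equal the one derived from the private key, otherwise the pair is mismatched.
cert_matches_key() {    # $1 = certificate, $2 = private key; returns 0 on match
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs Steps 1-3 in a directory and prints the resulting certificate subject.
run_steps() {           # $1 = working directory
    make_key "$1/prvtkey.pem" &&
    make_csr "$1/prvtkey.pem" "$1/cert.csr" &&
    make_selfsigned "$1/prvtkey.pem" "$1/cacert.pem" &&
    extract_pubkey "$1/prvtkey.pem" "$1/pubkey.key" &&
    openssl x509 -in "$1/cacert.pem" -noout -subject
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; return 0; }
    work=$(mktemp -d)
    run_steps "$work"
    if cert_matches_key "$work/cacert.pem" "$work/prvtkey.pem"; then
        echo "certificate matches private key"
    else
        echo "certificate does NOT match private key" >&2
    fi
    rm -rf "$work"
}

main "$@"
```

The comparison in cert_matches_key is the same test you would run before installing a certificate on a server: if the two PEM blocks differ, the certificate was issued for a different key and the TLS handshake will fail.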

-------------
OpenSSL Build Your own CA

(1) Environment Preparation

First, you need a directory in which to place the CA files, including the issued certificates and the CRLs (Certificate Revocation Lists).
Here we choose the directory /var/myca.

Then we create two subdirectories under /var/myca: certs, to keep a copy of every certificate issued by our CA, and private, to keep the CA's private key.

Besides generating a key, three files are created in our CA system. The first tracks the serial number of the last issued certificate; we name it serial and initialise it with a starting serial number (conventionally 01). The second is a simple database used to track the certificates that have been issued; we name it index.txt and leave it empty.

$ mkdir /var/myca
$ cd /var/myca
$ mkdir certs private
$ chmod g-rwx,o-rwx private
$ echo "01" > serial
$ touch index.txt

The third file is the OpenSSL configuration file, which is the trickiest to create. An example follows:

$ touch openssl.cnf

The contents of the file are as follows:

[ ca ]
default_ca = myca

[ myca ]
dir           = /var/myca
certificate   = $dir/cacert.pem
database      = $dir/index.txt
new_certs_dir = $dir/certs
private_key   = $dir/private/cakey.pem
serial        = $dir/serial

default_crl_days = 7
default_days     = 365
# md5 is kept here as in the original article; it is no longer an acceptable
# signature digest, and current deployments use sha256.
default_md       = md5

policy          = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = supplied
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:FALSE

We need to tell OpenSSL the path to the configuration file. There are two ways to do this: the -config command-line option, or the OPENSSL_CONF environment variable. Here we use the environment variable.

$ OPENSSL_CONF=/var/myca/openssl.cnf
$ export OPENSSL_CONF

(2) Generate the root certificate

We need a certificate with which to sign the certificates we issue. It can be obtained from another CA, or it can be a self-signed root certificate. Here we generate a self-signed root certificate.

First we add some information to the configuration file, shown below; the section name matches the command-line tool's req command. We write all the necessary information into the configuration rather than entering it on the command line: this is the only way to specify X.509v3 extensions, and it also gives us a clear record of how the root certificate was created.

[ req ]
default_bits       = 2048
default_keyfile    = /var/myca/private/cakey.pem
default_md         = md5
prompt             = no
distinguished_name = root_ca_distinguished_name
x509_extensions    = root_ca_extensions

[ root_ca_distinguished_name ]
commonName          = My Test CA
stateOrProvinceName = HZ
countryName         = CN
emailAddress        = [email protected]
organizationName    = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:TRUE

Everything is ready; we can generate the root certificate. Remember to set the OPENSSL_CONF environment variable first.

$ openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365

Note: -days 365 makes the certificate valid for 365 days; if the option is omitted, OpenSSL's default of 30 days applies.

Verify the file we generated:

$ openssl x509 -in cacert.pem -text -noout

(3) Issuing certificates to customers

Before the CA can issue a certificate, the customer must provide the basic information for it. We open another terminal window that uses the default OpenSSL configuration (so that the OPENSSL_CONF set earlier does not interfere; that configuration is specifically for generating the root certificate).

The command is similar to the one we used for the root certificate, req, but we need to provide some additional information, as follows:

$ openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM

There are two passphrase prompts: the first passphrase encrypts the private key testkey.pem; the second is generally ignored by OpenSSL.
Two files result: testkey.pem, the private key, and testreq.pem, the request information, which includes the public key.

What information does testreq.pem contain?

$ openssl req -in testreq.pem -text -noout

Now we can submit testreq.pem to our CA to generate the certificate.
For convenience, we assume that testreq.pem is in /var/myca/private/.

$ openssl ca -in testreq.pem

There are three prompts: one asks for the CA's private-key passphrase and two ask for confirmation; the output is the certificate issued to the customer.
The prompts can be suppressed with the -batch option, and the textual dump of the certificate can be suppressed with the -notext option.
You can also issue certificates to several customers at once by replacing -in with -infiles, but -infiles must be the last option, since everything after it is treated as a list of file names.

The generated certificate is placed in the certs directory, and the contents of both index.txt and serial change.
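The whole (1)-(3) procedure, as an added example that is not the article's own script: it builds the CA directory and configuration, generates the self-signed root, creates a customer request, signs it with openssl ca, and then runs the checks worth doing afterwards (the chain verifies against the root, the serial advanced, index.txt gained a "V" row, and the leaf is CA:FALSE). It assumes POSIX sh and openssl on PATH, uses a mktemp scratch directory instead of /var/myca, uses sha256 instead of the article's md5, and uses -nodes (unencrypted keys) so that no passphrase prompts are needed; every DN value is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes POSIX sh and openssl on PATH.
# Deviations from the article: scratch directory instead of /var/myca, sha256 instead
# of md5, unencrypted keys (-nodes). All names and DN values are constructed.

# (1) Environment: directories, serial, empty index, and the configuration file.
build_ca_env() {        # $1 = CA directory (absolute path)
    mkdir -p "$1/certs" "$1/private"
    chmod 700 "$1/private"
    echo "01" > "$1/serial"      # first serial number to issue
    : > "$1/index.txt"           # empty certificate database
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = myca

[ myca ]
dir              = $1
certificate      = \$dir/cacert.pem
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
default_crl_days = 7
default_days     = 365
default_md       = sha256
policy           = myca_policy
x509_extensions  = certificate_extensions

[ myca_policy ]
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = supplied
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:FALSE

[ req ]
default_bits       = 2048
default_keyfile    = $1/private/cakey.pem
default_md         = sha256
prompt             = no
distinguished_name = root_ca_distinguished_name
x509_extensions    = root_ca_extensions

[ root_ca_distinguished_name ]
commonName          = My Test CA
stateOrProvinceName = HZ
countryName         = CN
emailAddress        = ca@example.test
organizationName    = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:TRUE
EOF
}

# (2) Self-signed root; the DN comes from the config because prompt = no.
make_root() {           # $1 = CA directory
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" -outform PEM -days 365 2>/dev/null
}

# (3a) Customer side: key + request. -subj overrides the config DN; every field
# the policy marks "supplied" must be present or openssl ca will refuse it.
make_request() {        # $1 = CA directory (for the config), $2 = key out, $3 = CSR out
    openssl req -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$2" -keyform PEM -out "$3" -outform PEM \
        -subj "/C=CN/ST=HZ/O=Example Org/CN=client.example.test/emailAddress=client@example.test" 2>/dev/null
}

# (3b) CA side: -batch answers the confirmations, -notext omits the text dump.
issue_cert() {          # $1 = CA directory, $2 = CSR, $3 = certificate out
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3" 2>/dev/null
}

# Post-issuance checks: one "V" (valid) row per issued certificate, and the
# leaf must verify against the root it claims to be signed by.
issued_count() {        # $1 = CA directory; prints the number of valid entries
    grep -c '^V' "$1/index.txt"
}
chain_ok() {            # $1 = CA directory, $2 = certificate; 0 if the CA signed it
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; return 0; }
    ca=$(mktemp -d)
    build_ca_env "$ca"
    make_root "$ca"
    make_request "$ca" "$ca/private/testkey.pem" "$ca/private/testreq.pem"
    issue_cert "$ca" "$ca/private/testreq.pem" "$ca/testcert.pem"
    chain_ok "$ca" "$ca/testcert.pem" && echo "testcert.pem verifies against My Test CA"
    echo "issued: $(issued_count "$ca"), next serial: $(cat "$ca/serial")"
    rm -rf "$ca"
}

main "$@"
```

After one issuance the serial file reads 02, index.txt holds one line beginning with V, and certs/01.pem is the CA's own copy of the certificate, which is what the article means by "the contents of both index.txt and serial change".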

Transferred from: http://www.cnblogs.com/AloneSword/p/3809002.html
