Generate a certificate request (CSR)
This series of articles is in three parts. It covers how to build your own certificate-issuing service, generate certificate requests, sign the generated requests with the self-built CA, and finally deploy the result to a service.
This part creates the CSR request; the CA's signature is then used to generate the certificate from it.
mkdir /home/cg/mycert
cd /home/cg/mycert/
mkdir private conf csr
vim /home/cg/mycert/conf/serverconfig.cnf

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/mycert/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl =
#nsRenewalUrl =
#nsCaPolicyUrl =
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
Generate the CSR
openssl req -new -config conf/serverconfig.cnf -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes
The files key.csr.server1.pem and csr.server1.pem are generated in the directories $dir/private and $dir/csr respectively. Because of -nodes, the private key is written unencrypted, so the private directory and key file must stay readable by the owner only.
The next step is to have the CA sign csr.server1.pem to produce the server certificate.
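The procedure above carried through end to end, as an added example that is not part of the original article. It creates the page's private/ conf/ csr/ layout in a scratch directory, writes a reduced, non-interactive copy of serverconfig.cnf, runs the page's openssl req command, and then performs the checks a CA operator should make before signing: the CSR's self-signature verifies, it does not request CA:TRUE, its subjectAltName names the expected host, and its public key matches the generated private key. Three settings differ from the page's config and are assumptions of this example: default_md is sha256 rather than sha1 (SHA-1 signatures are rejected by current browsers and deprecated in OpenSSL), v3_req carries a subjectAltName (current TLS clients ignore the commonName for hostname matching), and prompt = no with fixed DN values so the script runs unattended. The hostname server1.example.com and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's own code): generate a CSR the way the
# page does, then verify it before handing it to the CA. Needs openssl.
set -eu

# Reduced copy of the page's serverconfig.cnf. Assumptions, not from the
# page: sha256, prompt=no with fixed DN values, and a subjectAltName.
write_config() {
  cat > "$1/conf/serverconfig.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
string_mask = utf8only

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = New York
localityName = New York
organizationName = Code Ghar
organizationalUnitName = IT
commonName = server1.example.com
emailAddress = codeghar@example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:server1.example.com
EOF
}

# Create the page's layout (private/ conf/ csr/) under $1 and run the
# page's openssl req command. Returns 0 when key and CSR both exist.
make_csr() {
  base="$1"
  mkdir -p "$base/private" "$base/conf" "$base/csr"
  chmod 700 "$base/private"                       # key directory: owner only
  write_config "$base"
  ( cd "$base" && openssl req -new -config conf/serverconfig.cnf \
      -keyform PEM -keyout private/key.csr.server1.pem \
      -outform PEM -out csr/csr.server1.pem -nodes 2>/dev/null )
  chmod 600 "$base/private/key.csr.server1.pem"   # -nodes => unencrypted key
  [ -s "$base/private/key.csr.server1.pem" ] && [ -s "$base/csr/csr.server1.pem" ]
}

# Pre-signing checks: self-signature valid, no CA:TRUE requested, and the
# SAN names the expected host. Prints the subject; returns 0 only if all pass.
check_csr() {
  csr="$1"; host="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' && return 1
  echo "$text" | grep -q "DNS:$host" || return 1
  openssl req -in "$csr" -noout -subject
}

# Confirm the public key inside the CSR belongs to the generated private key.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_csr "$d"
  check_csr "$d/csr/csr.server1.pem" server1.example.com
  key_matches_csr "$d/private/key.csr.server1.pem" "$d/csr/csr.server1.pem" \
    && echo "key matches CSR: $d"
fi
```

The CA:TRUE check matters because the CA_default section applies x509_extensions = usr_cert at signing time, which overrides what the requester asked for; the check still catches a CSR that was generated with the wrong extension section before it reaches the signing step.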