Create a test directory
mkdir -p /tmp/create_key/ca
cd /tmp/create_key/
Certificate file generation:
One. Server-side
1. Generate the server-side private key (key file):
openssl genrsa -des3 -out server.key 1024
When run, this prompts for a passphrase that is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; another secure algorithm can be used instead). The passphrase is then required every time the file is read, whether through the openssl command or the OpenSSL API. To strip the passphrase, which leaves server.key unencrypted on disk:
mv server.key server.origin.key
openssl rsa -in server.origin.key -out server.key
2. Generate the server-side certificate signing request file (CSR file):
openssl req -new -key server.key -out server.csr
This generates the Certificate Signing Request (CSR); the CSR file is then handed to the CA, which signs it to produce the server-side certificate. The command prompts step by step for the required identifying information (country, province, city, company, and so on).
Two. Client
1. Generate the client private key (key file):
openssl genrsa -des3 -out client.key 1024
2. Generate the client certificate signing request file (CSR file):
openssl req -new -key client.key -out client.csr
Three. Generate the CA certificate file
# The server.csr and client.csr files must be signed by a CA to become certificates.
cd /tmp/create_key/ca
1. First generate the CA's key file:
openssl genrsa -des3 -out ca.key 1024
2. Generate the CA self-signed certificate:
openssl req -new -x509 -key ca.key -out ca.crt -days 3650
The "-days 3650" option sets the certificate's validity period.
Four. Signing with a CA certificate
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
Because no openssl.cnf is specified, these two commands report an error when run, but that does not matter: the default /etc/pki/tls/openssl.cnf is good enough.
With the default configuration, however, the following two lines must be run first:
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
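The four steps above as one non-interactive script, added here as an example and not part of the original page: it keeps the CA database (index.txt, serial) in a private config under a scratch directory instead of /etc/pki/CA, then checks each issued certificate against the CA and against its own key. The function names, the ca.cnf contents, the /CN= subjects, the unencrypted keys and the 2048-bit key size (the page uses 1024, which is below the 2048-bit RSA minimum of OpenSSL security level 2) are assumptions of the example.

```shell
#!/bin/sh
# Added example: every file, subject and section name here is constructed.
make_test_pki() {
    d=$1                              # scratch directory for the test PKI
    mkdir -p "$d/ca/newcerts" || return 1
    : > "$d/ca/index.txt"             # empty certificate database
    echo 01 > "$d/ca/serial"          # next serial number, in hex
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $d/ca/index.txt
serial = $d/ca/serial
new_certs_dir = $d/ca/newcerts
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    ( umask 077                       # keys are unencrypted: owner-only files
      openssl genrsa -out "$d/ca/ca.key" 2048 &&
      openssl req -new -x509 -config "$d/ca.cnf" -key "$d/ca/ca.key" \
          -out "$d/ca/ca.crt" -days 3650 -subj "/CN=Test CA" &&
      for n in server client; do
          openssl genrsa -out "$d/$n.key" 2048 &&
          openssl req -new -config "$d/ca.cnf" -key "$d/$n.key" \
              -out "$d/$n.csr" -subj "/CN=$n.test" &&
          openssl ca -batch -config "$d/ca.cnf" -in "$d/$n.csr" \
              -out "$d/$n.crt" -cert "$d/ca/ca.crt" -keyfile "$d/ca/ca.key" ||
              exit 1
      done ) 2> "$d/openssl.log"
}

# Succeeds only if the certificate chains to the CA and matches its private key.
check_cert() {
    d=$1 n=$2
    openssl verify -CAfile "$d/ca/ca.crt" "$d/$n.crt" > /dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -pubkey -in "$d/$n.crt")" = \
      "$(openssl pkey -pubout -in "$d/$n.key")" ]
}
```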