How to generate an SSL certificate through OpenSSL-moonhillcity blog-csdn blog

Source: Internet
Author: User
Tags: generate csr, openssl x509, generate self-signed certificate, ssl certificate, self-signed certificate

1. After OpenSSL is installed, find openssl.cnf in the /usr/lib/ssl directory (on Ubuntu, run "whereis openssl" to locate the ssl directory) and copy it to the working directory.

2. Create a new demoCA folder under the working directory, create the files index.txt and serial inside it, then create a newcerts folder. Write the characters 01 into serial. The folder name must match the "dir" value in the [ CA_default ] section of openssl.cnf, which is ./demoCA by default, and on Linux the name is case-sensitive.

mkdir demoCA

cd demoCA

mkdir newcerts

touch ./{serial,index.txt}

vi serial, type 01, then save and quit with :wq (or simply: echo 01 > serial)

Certificate generation process (note that all of the following steps are run from the working directory, that is, /www/code/):



An SSL certificate lets the client browser and the web server establish an SSL (Secure Sockets Layer) secure channel; in current deployments the protocol is actually TLS, the successor of SSL, but the name "SSL certificate" has stuck. The protocol serves three purposes: authenticating the server to the user (and optionally the user to the server), encrypting the transmitted data so it cannot be read in transit, and protecting its integrity so it cannot be altered undetected. It has become the global standard in this area, and since SSL/TLS support is built into every major browser and web server, installing a server certificate is all that is needed to enable it. Once enabled, data between client and server is encrypted in transit, which prevents information leakage, and the user can check through the server certificate whether the website being visited is authentic and trustworthy.
An SSL website differs from an ordinary website in that it uses the "HTTPS" protocol rather than the plain "HTTP" protocol, so its URLs (Uniform Resource Locators) use the https scheme rather than http.

What is an X509 certificate chain?

X509 certificates generally involve three types of file: key, CSR, and CRT.
The key file holds the private key, written by OpenSSL in PEM format; usually it is an RSA key.
The CSR is a certificate signing request used to apply for a certificate. It carries the applicant's public key and identity, and is signed with the applicant's private key to prove possession of that key. The private key itself can optionally be protected with a passphrase.
The CRT is the certificate file produced once the CA has signed the request (on Windows the same file commonly carries the .cer extension). The signer signs the certificate with its own private key.


First, you must have a CA root certificate; the CA root certificate is then used to issue user certificates.
The user applies for a certificate: the user generates a certificate request with their private key (the request contains the public key), and the certificate server issues the certificate by signing that request with the CA's root key.
(1) Self-signed certificate (generally used for top-level and root certificates): the subject name of the certificate is the same as the issuer name, because the certificate was signed with its own key.
(2) Root certificate: the root certificate is the certificate the CA issues to itself, and it is the starting point of the trust chain. Any server or client that installs the CA root certificate in its trust store thereby trusts the CA and every certificate it issues.
A digital certificate is a document issued by a certificate authority (CA) to verify the real identity of the certificate applicant: a digital file formed by signing the applicant's basic information together with the applicant's public key with the CA root key (the equivalent of the CA's official seal). The digital certificate contains the public key of the entity named in it (that is, your certificate contains your public key). Because the certificate binds the public key to a specific party, and the authenticity of the certificate is vouched for by the issuing authority, the digital certificate solves the problem of locating a user's public key and knowing whether it is valid.

OpenSSL works with the following file extensions

.key: private key
.csr: Certificate Signing Request, the certificate request file, which contains the public key
.crt: certificate file, short for Certificate
.crl: Certificate Revocation List, the list of certificates the CA has revoked
.pem: Privacy-Enhanced Mail encoding, used when exporting and importing certificates and keys. It is the Base64 text form of the object, enclosed in "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines (or the equivalent BEGIN/END lines for a private key or request); the .key, .csr and .crt files written by the commands below are PEM-encoded as well.

CA root certificate generation procedure

Generate the CA private key (.key) --> generate a CA certificate request (.csr) --> self-sign it to obtain the root certificate (.crt), which the CA issues to itself.

# Generate CA private key
openssl genrsa -out ca.key 2048

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate self-signed certificate (CA root certificate)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

The second command prompts for the subject fields (country, organization, common name and so on); those answers become the subject and, because the certificate is self-signed, also the issuer of ca.crt. Keep ca.key strictly private: anyone holding it can issue certificates that every system trusting ca.crt will accept.

In practice, development and internal servers often use this self-signed approach, because obtaining a certificate from a third-party CA takes time and costs money. The trade-off is that browsers and clients do not trust such a certificate until ca.crt has been installed in their trust store, so self-signed certificates suit test and internal environments rather than public websites.

How to generate a user certificate

Generate a private key (.key) --> generate a certificate request (.csr) --> have the CA sign the request with the CA root certificate and key to obtain the certificate (.crt)
Server user certificate:

# Private key
$ openssl genrsa -des3 -out server.key 1024

# Generate CSR
$ openssl req -new -key server.key -out server.csr

# Generate certificate
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

Client user certificate:

$ openssl genrsa -des3 -out client.key 1024
$ openssl req -new -key client.key -out client.csr
$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

Two caveats on these commands. The -des3 option encrypts the private key with a passphrase, which must then be entered every time the key is loaded (for example when the web server starts); omit it only on hosts where file permissions alone protect the key. A 1024-bit RSA key is no longer considered secure, and public CAs have required at least 2048 bits for years; use 2048 bits or more, as in the CA command above. Note also that openssl ca reads the location of its database from openssl.cnf (the demoCA directory prepared earlier) and asks for confirmation before signing unless -batch is given; each certificate it issues is recorded in index.txt and a copy is written to newcerts/.

Generate a PEM bundle:
Some software expects the certificate and private key in a single PEM file. You can produce it by concatenating the certificate file (.crt) and the private key file (.key):

$ cat client.crt client.key > client.pem

$ cat server.crt server.key > server.pem

Because the bundle contains the private key, it must be protected as carefully as the .key file itself (for example with chmod 600).



Server certificate set: ca.crt, server.key, server.crt, server.pem

Client certificate set: ca.crt, client.key, client.crt, client.pem



An error may occur when you run $ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key:

Using configuration from /usr/share/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory

openssl ca looks for its database (the "dir" setting in openssl.cnf, ./demoCA by default) relative to the current directory, so the fix is to create that layout in the working directory:

1) mkdir -p ./demoCA/newcerts
2) touch demoCA/index.txt
3) touch demoCA/serial
4) echo 01 > demoCA/serial
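As an added, complete example (not code from the original post), the following script carries the whole procedure above through non-interactively: it builds the demoCA layout that openssl ca expects, creates a self-signed root CA, issues a server and a client certificate from it, bundles each as PEM, and then verifies the chain. Everything not stated on the page is an assumption: the scratch directory under /tmp, the minimal inline openssl.cnf (used instead of the copied system file so the run does not depend on its defaults), the subject names, 2048-bit keys without -des3, and the -subj and -batch flags that replace the interactive prompts.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: scratch dir under /tmp,
# a minimal inline openssl.cnf, made-up subject names, unattended flags.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d /tmp/democa.XXXXXX)}"
cd "$WORKDIR"

# 1. CA database layout. The directory name must equal "dir" in [ CA_default ]
#    (the stock openssl.cnf uses ./demoCA; Linux paths are case-sensitive).
mkdir -p demoCA/newcerts
: > demoCA/index.txt            # empty database of issued certificates
echo 01 > demoCA/serial         # serial number for the next certificate

# 2. Minimal CA configuration (assumed here; the post copies the system file).
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ usr_cert ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# 3. Root CA: private key -> CSR -> self-signed certificate with CA extensions.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -out ca.csr -config openssl.cnf -subj "/CN=Demo Root CA"
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt \
    -extfile openssl.cnf -extensions v3_ca 2>/dev/null
chmod 600 ca.key

# 4. End-entity certificate: key -> CSR -> signed by the CA through its database.
issue_cert() {                  # issue_cert <file prefix> <common name>
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -out "$1.csr" -config openssl.cnf -subj "/CN=$2"
    openssl ca -batch -config openssl.cnf -in "$1.csr" -out "$1.crt" \
        -cert ca.crt -keyfile ca.key 2>/dev/null
    cat "$1.crt" "$1.key" > "$1.pem"   # bundle; it now contains the private key
    chmod 600 "$1.key" "$1.pem"
}
issue_cert server www.example.test
issue_cert client client1

# 5. Checks: chain validation against a given CA, and the CA's issuance record.
verify_chain() {                # verify_chain <ca cert> <leaf cert>  -> ok | fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
issued_count() { grep -c '^V' demoCA/index.txt; }   # "V" = valid (unrevoked) entry

verify_chain ca.crt server.crt      # ok
verify_chain server.crt client.crt  # fail: server.crt is not a CA and did not sign it
openssl x509 -in server.crt -noout -subject -issuer
```

Run it with sh; set WORKDIR to keep the output somewhere other than /tmp. Each openssl ca call appends one "V" line to demoCA/index.txt and advances demoCA/serial, which is exactly the database the newcerts error above complains about: openssl ca refuses to run until that layout exists. The failing verify_chain call shows why the root certificate matters: a certificate that is not a CA cannot anchor a chain, even though both files were issued by the same authority.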
