Install OpenSSL in Ubuntu

Source: Internet
Author: User
Tags install openssl

Install OpenSSL in Ubuntu

I. Brief Introduction to OpenSSL

OpenSSL is a powerful secure socket-layer cryptographic library that includes major cryptographic algorithms, common keys, certificate encapsulation management functions, and SSL protocols, and provides a wide range of applications for testing or other purposes.

SSL is the abbreviation of Secure Sockets Layer (Secure Sockets Layer Protocol). It can provide confidential transmission over the Internet. SSL allows users/server applications to communicate with each other without being eavesdropped by attackers, and always authenticates the server. Users can also be authenticated. The SSL protocol must be built on a reliable transport layer protocol (TCP.

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to generate certificates in Linux

Use OpenSSL to sign multi-domain certificates

Add a custom encryption algorithm to OpenSSL

2. Install the corresponding software package

$ Sudo apt-get install apache2 # install Apache

$ Sudo apt-get install openssl # install openssl

$ Sudo apt-get install libssl-dev # install the openssl Development Library

$ Sudo apt-get install bless # The editor uses the bless hexadecimal Editor, which must be installed in advance.

Iii. Simple interpretation of openssl. cnf

$ Vi/usr/lib/ssl/openssl. cnf
127 [req_distinguished_name]
128 countryName = Country Name (2 letter code) # Country Name, 2 letter code abbreviation
129 countryName_default = CN # CN in China
130 countryName_min = 2
131 countryName_max = 2
133 stateOrProvinceName = State or Province Name (full name) # Name of the State or Province
134 stateOrProvinceName_default = beijing
136 localityName = Locality Name (eg, city) # local city Name
137 localityName_default = beijing
138 0. organizationName = Organization Name (eg, company) # Organization (company) Name
139 0. organizationName_default = beijing www company
145 organizationalUnitName = Organizational Unit Name (eg, section) # Name of an Organizational Unit (Department)
146 organizationalUnitName_default = www
148 commonName = Common Name (e. g. server FQDN or YOUR name) # server Domain Name
149 commonName =
150 commonName_max = 64
152 # emailAddress = Email Address # Email Address
153 emailAddress =
154 emailAddress_max = 64
156 # SET-ex3 = SET extension number 3
158 [req_attributes]
159 # challengePassword = A challenge password # change the password
160 challengePassword =
163 challengePassword_min = 4
164 challengePassword_max = 20

4. Become a digital certificate authority (CA) and generate a certificate for the CA

① Copy the openssl. cnf configuration file to the current directory and create the following subfolders specified in the configuration file

$ Sudo ln/usr/lib/ssl/openssl. cnf.

$ Mkdir demoCA

$ Cd demoCA

$ Mkdir certs crl newcerts

$ Touch index.txt serial special parameters index.txt is empty;

# Serial must be a number in string format (for example, 1111) written into the content)

After these settings, you can now create and publish certificates.

② Generate a self-signed certificate for your CA, which means the CA is trusted and its certificate will be used as the root certificate.

$ Openssl req-new-x509-keyout ca. key-out ca. crt-config openssl. cnf

Note: Remember the password you entered. The command output file is stored in ca. key and ca. crt. The ca. key file includes the private key of the CA, and ca. crt contains the Public key Certificate.

5. Generate a certificate for the customer

Now we are the root CA. You can sign the digital certificate for the customer. The customer is

① Generate public/private key pairs

$ Openssl genrsa-des3-out server. key 1024

Note: You must provide a password to protect your key. The key will be stored in the server. key File.

② Generate a Certificate Signature request. Once the company has a key file, it should generate a Certificate Signature request (CSR ). The CSR will be sent to the CA, And the CA will generate a certificate for the request (usually after confirming that the identity information in the CSR matches ).

$ Openssl req-new-key server. key-out server. csr-config openssl. cnf

Note: Remember your input.

③ Generate a certificate. The CSR file must have a CA signature to form a certificate (in the real world, the CSR file is often sent to a trusted CA signature ). Enter the CA key and use our own CA to generate the certificate:

$ Openssl ca-in server. csr-out server. crt-cert ca. crt-keyfile ca. key-config openssl. cnf

  • 1
  • 2
  • Next Page

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.