1. First, generate the server-side private key (key file):

    openssl genrsa -des3 -out server.key 1024
When this runs it prompts for a password, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can of course choose another algorithm you consider safe). You will need to enter this password whenever the file is read (by the commands or APIs that OpenSSL provides). If that is inconvenient, you can also remove the password, but be sure to take other protective measures!
Command to remove the password from the key file:

    openssl rsa -in server.key -out server.key
2. Generate the certificate signing request (CSR):

    openssl req -new -key server.key -out server.csr -config openssl.cnf

The CSR file is later signed by the CA, and the result is the server's own certificate. The screen prompts you step by step for the required personal information; fill it in as instructed.
3. The client uses the same commands to generate its own key and CSR files:

    openssl genrsa -des3 -out client.key 1024
    openssl req -new -key client.key -out client.csr -config openssl.cnf
4. A CSR must be signed by a CA before it becomes a certificate. You could send the file to VeriSign or a similar commercial CA for verification and pay a lot of money, so why not run your own CA instead?

    openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5. Sign the server.csr and client.csr files you just generated with the certificate of the CA you just created:

    openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
    openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Now all the files we need are generated.
Other:
The files used by the client are: ca.crt, client.crt, client.key
The files used by the server are: ca.crt, server.crt, server.key
A .crt file and a .key file can be combined into one file; I merged the two files into a single .pem file (simply concatenate one after the other).
The following preparation steps must also be carried out (the CA directory needs a newcerts directory, an index.txt database and a serial file holding the next serial number in hex; 01 is the conventional starting value):

    [root@station23 ca]# mkdir ./newcerts
    [root@station23 ca]# touch ./{serial,index.txt}
    [root@station23 ca]# echo 01 > serial
If you forget the above operations, the CA will produce errors like the following when it signs a request:

    [root@station23 test]# openssl ca -in my.csr -out ldap.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    I am unable to access the /etc/pki/ca/newcerts directory
    /etc/pki/ca/newcerts: No such file or directory
    [root@station23 test]# mkdir /etc/pki/ca/newcerts
    [root@station23 test]# openssl ca -in my.csr -out ldap.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    /etc/pki/ca/index.txt: No such file or directory
    unable to open '/etc/pki/ca/index.txt'
    23016:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/ca/index.txt','r')
    23016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    [root@station23 test]# touch /etc/pki/ca/index.txt
    [root@station23 test]# openssl ca -in my.csr -out ldap.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    /etc/pki/ca/serial: No such file or directory
    error while loading serial number
    23031:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/ca/serial','r')
    23031:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    [root@station23 test]# touch /etc/pki/ca/serial
    [root@station23 test]# echo > /etc/pki/ca/serial
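The whole procedure (steps 1 to 5 plus the newcerts/serial/index.txt preparation described under "Other") as one added, end-to-end example; this is not code from the original post. It runs non-interactively into a scratch directory and finishes with the two checks worth doing before deploying the files: does each certificate chain to ca.crt, and does each key really belong to its certificate. Everything in it is constructed for the demonstration: the subject names, the passphrases and the minimal openssl.cnf. It also deviates from the post in two places, both assumptions on my part: 2048-bit keys wrapped with -aes256 replace the 1024-bit -des3 choice (1024-bit RSA is below current minimums), and -subj/-batch replace the interactive prompts.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the five steps above
# non-interactively into a scratch directory. All names, passphrases and the
# minimal openssl.cnf below are constructed for this demonstration.
set -u

# The smallest openssl.cnf that "openssl req" and "openssl ca" accept.
# "$dir" is expanded by the shell now; "\$dir" stays literal for OpenSSL.
write_config() {
  dir=$1
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_leaf

[ policy_any ]
commonName = supplied

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Steps 1-5. 2048-bit keys and -aes256 replace the post's 1024-bit -des3;
# -subj and -batch replace the interactive prompts (both are assumptions).
build_pki() {
  dir=$1
  ca_pass=ca-pass-CONSTRUCTED; srv_pass=srv-pass-CONSTRUCTED; cli_pass=cli-pass-CONSTRUCTED
  mkdir -p "$dir/newcerts" || return 1
  write_config "$dir"
  : > "$dir/index.txt"          # empty database; openssl ca refuses to run without it
  echo 01 > "$dir/serial"       # next serial number in hex; 01 is the conventional start

  # Step 1: server key, first encrypted, then the passphrase stripped in place.
  openssl genrsa -aes256 -passout "pass:$srv_pass" -out "$dir/server.key" 2048 2>/dev/null || return 1
  openssl rsa -in "$dir/server.key" -passin "pass:$srv_pass" -out "$dir/server.key" 2>/dev/null || return 1
  chmod 600 "$dir/server.key"   # one of the "other protective measures" the post asks for
  # Step 2: server CSR.
  openssl req -new -key "$dir/server.key" -subj "/CN=server.example.test" \
      -out "$dir/server.csr" -config "$dir/openssl.cnf" || return 1
  # Step 3: client key (kept encrypted) and CSR.
  openssl genrsa -aes256 -passout "pass:$cli_pass" -out "$dir/client.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/client.key" -passin "pass:$cli_pass" -subj "/CN=client.example.test" \
      -out "$dir/client.csr" -config "$dir/openssl.cnf" || return 1
  # Step 4: our own self-signed CA; ca.key stays encrypted with ca_pass.
  openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout "$dir/ca.key" -passout "pass:$ca_pass" \
      -subj "/CN=Demo Local CA" -out "$dir/ca.crt" -config "$dir/openssl.cnf" 2>/dev/null || return 1
  # Step 5: the CA signs both CSRs.
  for name in server client; do
    openssl ca -batch -notext -config "$dir/openssl.cnf" -in "$dir/$name.csr" -out "$dir/$name.crt" \
        -cert "$dir/ca.crt" -keyfile "$dir/ca.key" -passin "pass:$ca_pass" 2>/dev/null || return 1
  done
  # "Other": the combined .pem is just the certificate followed by the key.
  cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
}

# Does NAME.crt chain to ca.crt? This is what the TLS peer checks at handshake time.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Do NAME.key and NAME.crt carry the same public key? Catches mixed-up files before deployment.
key_matches_cert() {
  k=$(openssl pkey -in "$1/$2.key" -passin "pass:${3:-}" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1/$2.crt" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make_pki.sh /tmp/pki
if [ -n "${1:-}" ]; then
  build_pki "$1" && verify_chain "$1" server && verify_chain "$1" client && echo "PKI ready in $1"
fi
```

After a run, the serial file reads 03 and index.txt lists the two issued certificates, which is exactly the bookkeeping the error session above shows "openssl ca" insisting on. The CA key never loses its passphrase, so signing always requires it; only the server key is stripped, and the chmod 600 is the minimum compensating control.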