LINUX-OPENSSL certificate issuing

Source: Internet
Author: User
Tags: install openssl, openssl sha1, openssl x509, sha1 hash

======================================
* OPENSSL
======================================
1. Install OpenSSL and confirm the location of the openssl.cnf file.
$ yum install openssl
$ rpm -qa | grep openssl
$ rpm -ql openssl
2. Create the directories used to store certificates, temporary files and private keys.
$ mkdir /etc/ssl
$ mkdir /etc/ssl/private
$ chmod 700 /etc/ssl/private
$ mkdir /etc/ssl/crl
$ mkdir /etc/ssl/newcrt
3. Initialize the SSL configuration: move the default configuration file to the new location (leaving a symlink at the old path), modify it, and export the environment variable OpenSSL needs.
$ mv /usr/share/ssl/openssl.cnf /etc/ssl
$ ln -s /etc/ssl/openssl.cnf /usr/share/ssl/openssl.cnf
$ echo 'export OPENSSL_CONF="/etc/ssl/openssl.cnf"' >> ~/.bashrc
$ vi /etc/ssl/openssl.cnf
; set "dir = /etc/ssl" in the [ CA_default ] section
4. Generate a random seed file.
$ openssl rand -out /etc/ssl/private/.rand 1024
$ chmod 700 /etc/ssl/private/.rand
5. Generate the CA's RSA private key. The CA private key is used to sign the CA root certificate; the root certificate must be made available to others so that they can use it to verify the certificates issued under it, for example for WEB (HTTPS) server authentication.
$ openssl genrsa -des3 -out /etc/ssl/private/CA.key 2048
$ chmod 700 /etc/ssl/private/CA.key
6. Fill in the CA certificate signing request (CSR).
$ openssl req -new -key /etc/ssl/private/CA.key -out /tmp/CA.rc
You will be prompted for some information; enter it as prompted. The result is a certificate request file. This step is equivalent to entering your details on a commercial certification authority's web page, after which the CA produces the CSR and issues a certificate from it. The CSR is only an intermediate file that carries the details of the certificate to be generated.
7. Issue the CA certificate. Because it is a root certificate, it is self-signed: there is no higher-level certificate above it.
$ openssl x509 \
    -req -days 7310 \
    -sha1 -extfile /etc/ssl/openssl.cnf \
    -extensions v3_ca \
    -signkey /etc/ssl/private/CA.key \
    -in /tmp/CA.rc \
    -out /etc/ssl/certs/CA.crt
Explanation
; expiration time: 7310 days (20 years)
; configuration file: /etc/ssl/openssl.cnf
; extensions section: v3_ca (CA certificate)
; signing key: /etc/ssl/private/CA.key
; certificate request file: /tmp/CA.rc
; CA certificate output: /etc/ssl/certs/CA.crt

8. Issue a WEB certificate
; generate the WEB server's private key
$ openssl genrsa -out /etc/ssl/private/www.key 2048
$ chmod 700 /etc/ssl/private/www.key
; fill in the certificate signing request (CSR)
Note that the "common name" must be the server's FQDN.
Do not enter a challenge password; otherwise you must enter this password each time you start the server.

$ openssl req \
    -new -key /etc/ssl/private/www.key \
    -out /tmp/www.rc
; issue the WEB certificate
$ openssl x509 \
    -req -days 3650 -sha1 \
    -extfile /etc/ssl/openssl.cnf \
    -extensions v3_req \
    -CA /etc/ssl/certs/CA.crt \
    -CAkey /etc/ssl/private/CA.key \
    -CAserial /etc/ssl/ca.srl -CAcreateserial \
    -in /tmp/www.rc \
    -out /etc/ssl/certs/www.crt
Explanation
; action: sign a certificate request; validity 3650 days (10 years); digest algorithm sha1
; configuration file: /etc/ssl/openssl.cnf
; extensions section: v3_req
; signing CA certificate: /etc/ssl/certs/CA.crt
; CA private key: /etc/ssl/private/CA.key
; create and use the CA serial number file /etc/ssl/ca.srl
; certificate request file: /tmp/www.rc; certificate output: /etc/ssl/certs/www.crt
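Steps 5 to 8 as one script, an added example that is not part of the original article: it creates the CA key and self-signed root, then a server key and a leaf certificate signed by that CA, and checks the result with `openssl verify` plus two extension checks (the leaf is marked CA:FALSE and carries the expected host name). Everything runs in a scratch directory with constructed names (`Example Test Root CA`, `www.example.test`), and the `[v3_ca]` and `[v3_req]` sections are written by the script into small config files instead of being taken from /etc/ssl/openssl.cnf, so nothing under /etc is touched. Two deliberate differences from the article: signatures use -sha256, because current browsers and TLS libraries reject SHA-1-signed certificates, and the leaf gets a subjectAltName, which clients now require in place of the common name. Only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway root CA and
# issue a server certificate under it, then verify the chain. Assumes only the
# openssl CLI; every path and name below is constructed for the demo.
set -eu

# Steps 5-7 of the article: CA key, CSR, self-signed root with v3_ca extensions.
make_ca() {
    work="$1"
    mkdir -p "$work/private" "$work/certs"
    chmod 700 "$work/private"
    # This config stands in for /etc/ssl/openssl.cnf: request DN plus a v3_ca section.
    cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$work/private/CA.key" 2048 2>/dev/null
    chmod 600 "$work/private/CA.key"
    openssl req -new -config "$work/ca.cnf" -key "$work/private/CA.key" -out "$work/CA.csr"
    openssl x509 -req -days 3650 -sha256 \
        -extfile "$work/ca.cnf" -extensions v3_ca \
        -signkey "$work/private/CA.key" \
        -in "$work/CA.csr" -out "$work/certs/CA.crt" 2>/dev/null
}

# Step 8: server key, CSR with the FQDN as CN, leaf signed by the CA with v3_req extensions.
issue_leaf() {
    work="$1"
    fqdn="$2"
    cat > "$work/www.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = $fqdn
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl genrsa -out "$work/private/www.key" 2048 2>/dev/null
    chmod 600 "$work/private/www.key"
    openssl req -new -config "$work/www.cnf" -key "$work/private/www.key" -out "$work/www.csr"
    openssl x509 -req -days 365 -sha256 \
        -extfile "$work/www.cnf" -extensions v3_req \
        -CA "$work/certs/CA.crt" -CAkey "$work/private/CA.key" \
        -CAserial "$work/ca.srl" -CAcreateserial \
        -in "$work/www.csr" -out "$work/certs/www.crt" 2>/dev/null
}

# Exit 0 only if the leaf chains to the CA; this is the check to run before deploying.
verify_leaf() {
    openssl verify -CAfile "$1/certs/CA.crt" "$1/certs/www.crt" >/dev/null 2>&1
}

# Exit 0 only if the leaf is a non-CA certificate, i.e. it cannot sign further certificates.
leaf_is_not_ca() {
    openssl x509 -in "$1/certs/www.crt" -noout -text | grep -q 'CA:FALSE'
}

# Exit 0 only if the leaf's subjectAltName names the expected host.
leaf_has_san() {
    openssl x509 -in "$1/certs/www.crt" -noout -text | grep -q "DNS:$2"
}

# Stand-alone usage: sh issue.sh demo   (writes into a fresh temporary directory)
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_leaf "$dir" www.example.test
    openssl verify -CAfile "$dir/certs/CA.crt" "$dir/certs/www.crt"
    echo "artifacts in $dir"
fi
```

The CA key is written without -des3 so the script runs non-interactively; for a real CA keep the article's passphrase protection and the 700 permissions on the private directory. The ca.srl file created by -CAcreateserial must be kept, since reusing a serial number under the same CA produces two distinct certificates with the same identifier.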
---------------
* Tips
---------------
Encode a file as BASE64 and decode a BASE64 file back. This is handy when debugging and testing against an SMTP server.
$ openssl base64 < filename.bin > filename_base64.txt
$ openssl base64 -d < filename_base64.txt > filename.bin
$ echo -n "Hello" | openssl base64
Compute a file's SHA1 hash, which can be used to check whether a downloaded file is intact.
$ openssl sha1 filename.bin
Statement: I wrote this article myself after referring to the work of some predecessors. If there are similarities, it is purely coincidental. In addition, because I do not know much about certificates, mistakes are inevitable; if someone passing by notices one, please do not hesitate to advise. (Note: the attachment is the content of this article. You can download it if necessary.)

This article is from the "nothing is serious!" blog.
