======================================
* OPENSSL
======================================
1. Install OpenSSL and confirm the location of the openssl.cnf file.
$ yum install openssl
$ rpm -qa | grep openssl
$ rpm -ql openssl
2. Create the directories used to store certificates, temporary files and private keys.
$ mkdir /etc/ssl
$ mkdir /etc/ssl/private
$ chmod 700 /etc/ssl/private
$ mkdir /etc/ssl/crl
$ mkdir /etc/ssl/newcrt
3. Initialize the SSL configuration: copy the default configuration file to its new location, point the old location at it, modify it, and export the environment variable OpenSSL uses to find it.
$ cp /usr/share/ssl/openssl.cnf /etc/ssl
$ ln -sf /etc/ssl/openssl.cnf /usr/share/ssl/openssl.cnf
$ echo 'export OPENSSL_CONF="/etc/ssl/openssl.cnf"' >> ~/.bashrc
$ vi /etc/ssl/openssl.cnf
; In the [ CA_default ] section, set "dir = /etc/ssl"
4. Generate a random seed file.
$ openssl rand -out /etc/ssl/private/.rand 1024
$ chmod 700 /etc/ssl/private/.rand
5. Generate the CA's RSA private key. The CA private key is used to sign the CA root certificate. The root certificate must be made available for download so that others can use it to verify the certificates this CA issues, for example when authenticating a web server's certificate.
$ openssl genrsa -des3 -out /etc/ssl/private/CA.key 2048
$ chmod 700 /etc/ssl/private/CA.key
6. Fill in the CA certificate signing request (CSR).
$ openssl req -new -key /etc/ssl/private/CA.key -out /tmp/CA.rc
You will be prompted for some information; enter it as requested. When the command finishes, a certificate request file has been generated. This step is equivalent to entering your details on a commercial certification authority's web page, which results in a CSR file that is then used to issue the certificate. The file is only an intermediate product that contains the details of the certificate to be generated.
7. Issue the CA certificate. Because this is a root certificate, there is no higher-level CA to sign it; it is self-signed with its own key.
$ openssl x509 \
    -req -days 7310 \
    -sha1 -extfile /etc/ssl/openssl.cnf \
    -extensions v3_ca \
    -signkey /etc/ssl/private/CA.key \
    -in /tmp/CA.rc \
    -out /etc/ssl/certs/CA.crt
Explanation
; Validity: 7310 days (20 years)
; Configuration file: /etc/ssl/openssl.cnf
; Extensions: the v3_ca section (CA certificate)
; Signing key: /etc/ssl/private/CA.key
; Certificate request file: /tmp/CA.rc
; CA certificate output: /etc/ssl/certs/CA.crt
8. Issue a web server certificate
; Generate the web certificate's private key
$ openssl genrsa -out /etc/ssl/private/www.key 2048
$ chmod 700 /etc/ssl/private/www.key
; Fill in the certificate signing request (CSR)
Note that the "Common Name" must be the server's FQDN.
Do not enter a challenge password; otherwise you will have to type it every time the server starts.
$ openssl req \
    -new -key /etc/ssl/private/www.key \
    -out /tmp/www.rc
; Issue the web certificate
$ openssl x509 \
    -req -days 3650 -sha1 \
    -extfile /etc/ssl/openssl.cnf \
    -extensions v3_req \
    -CA /etc/ssl/certs/CA.crt \
    -CAkey /etc/ssl/private/CA.key \
    -CAserial /etc/ssl/ca.srl -CAcreateserial \
    -in /tmp/www.rc \
    -out /etc/ssl/certs/www.crt
Explanation
; Action: sign a certificate request. Validity is 3650 days (10 years); the digest algorithm is SHA-1.
; Configuration file: /etc/ssl/openssl.cnf
; Sign with the CA root certificate /etc/ssl/certs/CA.crt
; CA private key: /etc/ssl/private/CA.key
; Create (if missing) and use the CA serial number file /etc/ssl/ca.srl
; Certificate request file: /tmp/www.rc; certificate output: /etc/ssl/certs/www.crt
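The whole procedure of steps 5 to 8, as an added example that is not part of the original post: a POSIX shell function that builds a throwaway root CA and a web certificate in a temporary directory, then checks that the issued certificate verifies against the root. It assumes a modern OpenSSL (1.1 or later) on the PATH, uses SHA-256 instead of the SHA-1 shown above, and replaces /etc/ssl/openssl.cnf with a small constructed extension file so that nothing under /etc/ssl is touched.

```shell
#!/bin/sh
# Added example (not from the original post): unattended version of steps
# 5-8. All files live in a temporary directory; the extension sections
# below are constructed here and stand in for the system openssl.cnf.
# Assumes OpenSSL 1.1+ in PATH.
set -eu

build_demo_pki() {
    d=$(mktemp -d)
    # Constructed config: an empty [req] DN section (so -subj works without
    # the system config), a root-CA profile and an end-entity web profile.
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_web ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Step 5: CA key. Unencrypted so the script runs unattended; the -des3
    # passphrase used in the post is the right choice for a real root key.
    openssl genrsa -out "$d/CA.key" 2048 2>/dev/null
    chmod 600 "$d/CA.key"
    # Steps 6-7: CSR, then a self-signed root carrying the v3_ca extensions.
    openssl req -new -config "$d/ext.cnf" -key "$d/CA.key" -subj "/CN=Demo Root CA" -out "$d/CA.csr"
    openssl x509 -req -days 7310 -sha256 -extfile "$d/ext.cnf" -extensions v3_ca \
        -signkey "$d/CA.key" -in "$d/CA.csr" -out "$d/CA.crt" 2>/dev/null
    # Step 8: web key, CSR with the FQDN as Common Name, certificate signed by the CA.
    openssl genrsa -out "$d/www.key" 2048 2>/dev/null
    openssl req -new -config "$d/ext.cnf" -key "$d/www.key" -subj "/CN=www.example.test" -out "$d/www.csr"
    openssl x509 -req -days 3650 -sha256 -extfile "$d/ext.cnf" -extensions v3_web \
        -CA "$d/CA.crt" -CAkey "$d/CA.key" -CAserial "$d/ca.srl" -CAcreateserial \
        -in "$d/www.csr" -out "$d/www.crt" 2>/dev/null
    # Checks: chain validates, the web cert is not a CA, serial file was created.
    openssl verify -CAfile "$d/CA.crt" "$d/www.crt" >/dev/null
    openssl x509 -in "$d/www.crt" -noout -text | grep -q 'CA:FALSE'
    [ -s "$d/ca.srl" ]
    rm -rf "$d"
    echo OK
}
```

Call `build_demo_pki` to run it; it prints OK only if every step and the final verification succeeded.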
---------------
* Tips
---------------
Base64-encode a file, and decode a Base64-encoded file back to binary. This is handy when debugging and testing against an SMTP server.
$ openssl base64 < filename.bin > filename_base64.txt
$ openssl base64 -d < filename_base64.txt > filename.bin
$ echo -n "Hello" | openssl base64
Compute a file's SHA-1 hash, which can be used to check that a downloaded file is intact.
$ openssl sha1 filename.bin
Statement: I wrote this article myself after referring to the work of some predecessors; any similarity is purely coincidental. Also, because I do not know much about certificates, mistakes are inevitable; if anyone passing by notices one, please do not hesitate to point it out. (Note: the attachment is the content of this article; download it if needed.)
This article is from the "nothing is serious!" blog.