Linux OpenSSL generate certificates and self-signed certificates

Source: Internet
Author: User
Tags: ldap, mkdir, openssl, openssl rsa

1. First, generate the server-side private key (key file):

The code is as follows:

openssl genrsa -des3 -out server.key 2048

You will be prompted for a password, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; -aes256 is the better choice on current OpenSSL releases, and you may pick any other algorithm you consider safe). The original used a 1024-bit modulus here; 1024-bit RSA is no longer considered secure and is rejected by modern browsers and CAs, so 2048 bits is the minimum you should generate. You will have to enter the password whenever this file is read (by the OpenSSL commands or APIs). If that is inconvenient you can remove the password, but then be sure to take other protective measures, restrictive file permissions (chmod 600) at the very least!

Command to remove the password from the key file (OpenSSL asks for the passphrase once, then writes the key back unencrypted):

The code is as follows:

openssl rsa -in server.key -out server.key

2. Generate a certificate signing request (CSR):

The code is as follows:

openssl req -new -key server.key -out server.csr -config openssl.cnf

This generates the certificate signing request (CSR); once a CA signs it, the result is the server's own certificate. You will be prompted step by step for the required identity fields (country, organization, Common Name, and so on). Use the server's hostname as the Common Name; note that modern TLS clients match the hostname against the subjectAltName extension rather than the CN, so include one when the certificate is issued.

3. The client runs the same commands to generate its key and CSR files:

The code is as follows:

openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr -config openssl.cnf


4. A CSR has to be signed by a CA before it becomes a certificate. You could send the file to VeriSign or another commercial CA, have them verify it, and pay a lot of money; for internal use, why not run your own CA? The following command generates the CA's private key and a self-signed CA certificate in one step (-x509 makes req output a certificate instead of a CSR; add -days N, otherwise the certificate is valid for only the 30-day default):

The code is as follows:

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf


5. Sign the server.csr and client.csr files you just generated with the CA certificate and key:

The code is as follows:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

openssl ca is the CA database tool: it records every issued certificate in index.txt, allocates serial numbers from the serial file, and stores a copy of each certificate under newcerts/. Those files must exist in the directory named by the [ CA_default ] section of openssl.cnf before signing works (see "Other" below).


Now all the files we need are generated.

Other:

The files used by the client are: ca.crt, client.crt, client.key

The files used by the server are: ca.crt, server.crt, server.key

The .crt file and the .key file can be combined into one file; I merged the two files into a single .pem file (simply concatenating them works).

The following steps are not always necessary, but openssl ca expects this layout (the paths come from the [ CA_default ] section of openssl.cnf; the serial file must hold the first serial number in hex, conventionally 01):

The code is as follows:

[root@station23 ca]# mkdir ./newcerts
[root@station23 ca]# touch ./{serial,index.txt}
[root@station23 ca]# echo 01 > ./serial

If you skip the above, openssl ca fails at signing time with errors like these (RHEL default paths under /etc/pki/CA):

The code is as follows:

[root@station23 test]# openssl ca -in my.csr -out ldap.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
[root@station23 test]# mkdir /etc/pki/CA/newcerts
[root@station23 test]# openssl ca -in my.csr -out ldap.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
23016:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/index.txt','r')
23016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
[root@station23 test]# touch /etc/pki/CA/index.txt
[root@station23 test]# openssl ca -in my.csr -out ldap.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
23031:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/serial','r')
23031:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
[root@station23 test]# touch /etc/pki/CA/serial
[root@station23 test]# echo 01 > /etc/pki/CA/serial
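Putting steps 1 to 5 and the CA directory setup from "Other" together, here is an added, non-interactive example (not from the original page) that builds the same mini CA in a scratch directory, signs a server CSR with openssl ca, and then checks the result the way a client would, with openssl verify. It ships its own minimal openssl.cnf so it does not depend on /etc/pki/tls/openssl.cnf; the passphrases, the CA name "Demo Root CA" and the hostname server.example.test are made-up values for the demo, and it uses 2048-bit RSA with AES-256 key encryption and a subjectAltName in place of the page's 1024-bit -des3 keys.

```sh
#!/bin/sh
# Added example (not from the original page): steps 1-5 plus the newcerts/
# index.txt/serial setup, run non-interactively in a scratch directory.
# Passphrases, "Demo Root CA" and server.example.test are made-up demo values.
# Usage: sh demo_ca.sh /tmp/demo-ca
set -eu

# Body runs in a subshell so cd and umask do not leak into the caller.
build_demo_pki() (
    dir=$1
    mkdir -p "$dir/newcerts"
    cd "$dir"
    umask 077        # private keys and the CA database must not be world-readable

    # Minimal openssl.cnf for this demo, so nothing depends on the system config.
    # The unquoted $dir below is expanded by OpenSSL, not by the shell.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext

[ policy_any ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
commonName      = Common Name

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:server.example.test
EOF

    # The CA "database" files that openssl ca refuses to run without.
    : > index.txt
    echo 01 > serial      # first serial number, in hex

    # Step 4 first: CA key plus self-signed CA certificate (-x509) in one command.
    openssl req -new -x509 -newkey rsa:2048 -keyout ca.key -passout pass:ca-demo \
        -out ca.crt -days 3650 -subj "/CN=Demo Root CA" -config openssl.cnf

    # Step 1: encrypted server key (AES-256 instead of the page's legacy -des3).
    openssl genrsa -aes256 -passout pass:server-demo -out server.key 2048
    # Step 2: CSR; -subj replaces the interactive prompts.
    openssl req -new -key server.key -passin pass:server-demo -out server.csr \
        -subj "/CN=server.example.test" -config openssl.cnf
    # Step 5: sign with the CA; -batch skips the "Sign the certificate? [y/n]" prompts.
    openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
        -passin pass:ca-demo -config openssl.cnf

    # Checks a client would make: chain to ca.crt, SAN present, CA database updated.
    openssl verify -CAfile ca.crt server.crt
    openssl x509 -in server.crt -noout -text | grep -A1 'Subject Alternative Name'
    cat index.txt
)

# Run stand-alone with an explicit directory argument.
if [ $# -eq 1 ]; then
    build_demo_pki "$1"
fi
```

After a run, serial holds 02 (the next number to issue), index.txt has one V (valid) line for the server certificate, and newcerts/01.pem is the CA's own copy of it; the client certificate from step 3 is issued the same way with a second openssl ca call.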
