The previous section described the directory structure of OpenSSL; this section describes how to make SSL certificates.
After installing OpenSSL, it is recommended to add the bin directory to the system environment variable for later operation.
Create a new directory, SSL, dedicated to making certificates.
Create a certificate directory
We use the default configuration openssl.cfg, so we need to create the demoCA directory that the configuration requires, using the script CA.pl:
CA.pl -newca
Copy the serial file from the OpenSSL installation directory to the demoCA directory.
We do not use the root certificate provided by demoCA; we make our own root certificate. Create the root certificate's key file pmroot.key
PS: A pass phrase for the key must be entered
openssl genrsa -des3 -out pmroot.key
Create a request file for the root certificate, pmroot.csr
openssl req -new -key pmroot.key -out pmroot.csr
Create a 10-year root certificate pmroot.crt
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey pmroot.key -in pmroot.csr -out pmroot.crt
Generate the server-side key file pmserver.key
openssl genrsa -des3 -out pmserver.key
Generate the server-side certificate request file pmserver.csr
openssl req -new -key pmserver.key -out pmserver.csr
If you need a client certificate, follow the same steps as above to generate pmclient.key and pmclient.csr respectively.
A CSR file must be signed by the CA to become a certificate. Sign pmserver.csr and pmclient.csr with the CA certificate generated earlier:
openssl ca -days 3650 -in pmserver.csr -out pmserver.crt -cert pmroot.crt -keyfile pmroot.key
openssl ca -days 3650 -in pmclient.csr -out pmclient.crt -cert pmroot.crt -keyfile pmroot.key
So all the files we need are generated.
Note: The files used by the client are: pmroot.crt, pmclient.crt, pmclient.key
The files used by the server are: pmroot.crt, pmserver.crt, pmserver.key
A CRT file and its key file can be combined into a PFX file.
Merge command: openssl pkcs12 -export -in pmserver.crt -inkey pmserver.key -out pmserver.pfx
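To check the result of the steps above, the following added example (not part of the original page) verifies that a server certificate chains to its root, that the root is marked CA:TRUE, and flags SHA-1 signatures (the root command above uses -sha1) and RSA keys under 2048 bits. The function names, the throwaway root.crt/server.crt files and the use of openssl x509 -req -CA instead of openssl ca for the demo pair are assumptions of the example; on your own files, run audit_pair pmroot.crt pmserver.crt.

```shell
#!/bin/sh
# Added example, not from the original page; all file names are constructed.
# make_demo DIR: build a throwaway root CA and a server certificate signed by it.
make_demo() {
    d=$1; mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 1 -in "$d/server.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# audit_pair ROOT LEAF: print findings; return 0 only if every check passes.
audit_pair() {
    root=$1; leaf=$2; rc=0
    # 1. The leaf must chain to the root that is supposed to have issued it.
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: $leaf does not verify against $root"; rc=1; }
    # 2. The root should be marked as a CA (basicConstraints CA:TRUE).
    openssl x509 -in "$root" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: $root has no CA:TRUE basic constraint"; rc=1; }
    for c in "$root" "$leaf"; do
        txt=$(openssl x509 -in "$c" -noout -text)
        # 3. Flag SHA-1 and MD5 signatures.
        alg=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
        case $alg in sha1*|md5*) echo "FAIL: $c is signed with $alg"; rc=1 ;; esac
        # 4. Flag RSA keys shorter than 2048 bits (RSA assumed, as on this page).
        bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: $c key is ${bits:-unknown} bits"; rc=1; }
    done
    return $rc
}

# Demo run on the constructed pair.
tmp=$(mktemp -d) && make_demo "$tmp" &&
    audit_pair "$tmp/root.crt" "$tmp/server.crt" && echo "all checks passed"
rm -rf "$tmp"
```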
Making an SSL certificate