OpenSSL Certificate Management Process

Source: Internet
Author: User

Organized as a Windows batch file, the process takes 8 steps.

```bat
@echo off
REM reference: http://book.51cto.com/art/201004/192440.htm
pushd "E:\OpenSSL Certificate Management\"

echo.
echo 1. Build the random number file .rnd
openssl rand -out .rnd 1000
:: The meaning of each parameter is as follows:
:: rand   Random number command.
:: -out   Output file path. Here the random number file .rnd is written to the current directory.
:: 1000   The number of pseudo-random bytes to generate.

echo.
echo 2. Build the root certificate private key ca.key.pem
openssl genrsa -aes256 -out ca.key.pem 2048
:: The meaning of each parameter is as follows:
:: genrsa   Command that generates an RSA key.
:: -aes256  Encrypt the generated private key with AES (256-bit key). Optional algorithms include DES, DESede, IDEA, and AES.
:: -out     Output path. Here it is the ca.key.pem file.
:: 2048     The RSA key length in bits. The default length is 512 bits.
::
:: Note: 1) You must set the root certificate password (pass phrase for ca.key.pem). Here it is set to: 123456
::       2) OpenSSL usually saves private keys in the PEM (Privacy Enhanced Mail) encoding format.

echo.
echo 3. Generate the root certificate signing request ca.csr
openssl req -new -key ca.key.pem -out ca.csr -subj "/C=CN/ST=BJ/L=BJ/O=zlex/OU=zlex/CN=*.zlex.org"
:: The meaning of each parameter is as follows:
:: req    Command that generates a certificate signing request.
:: -new   Indicates a new request.
:: -key   The key. Here it is the ca.key.pem file.
:: -out   Output path. Here it is the ca.csr file.
:: -subj  Specifies the subject (user) information. Here the wildcard domain name "*.zlex.org" is used as the user name.
::
:: Note: Enter the root certificate password 123456

echo.
echo 4. Issue the root certificate ca.cer
openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey ca.key.pem -in ca.csr -out ca.cer
:: The meaning of each parameter is as follows:
:: x509         Command that issues an X.509 certificate.
:: -req         Indicates that the input is a certificate request.
:: -days        The number of days the certificate is valid. Here it is 10000 days.
:: -sha1        The certificate digest algorithm. Here it is SHA-1.
:: -extensions  Add extensions according to the v3_ca section of the OpenSSL configuration file.
:: -signkey     The self-signing key. Here it is the ca.key.pem file.
:: -in          The input file. Here it is the ca.csr file.
:: -out         The output file. Here it is the ca.cer file.
::
:: Note: 1) Enter the root certificate password: 123456
::       2) The resulting root certificate ca.cer can be used to issue server and client certificates.

echo.
echo 5. Convert the root certificate to ca.p12
openssl pkcs12 -export -cacerts -inkey ca.key.pem -in ca.cer -out ca.p12
:: The meaning of each parameter is as follows:
:: pkcs12    Command for certificates in the PKCS #12 encoding format.
:: -export   Indicates exporting the certificate.
:: -cacerts  Indicates that only the CA certificate is exported.
:: -inkey    The input key. Here it is the ca.key.pem file.
:: -in       The input file. Here it is the ca.cer file.
:: -out      The output file. Here it is the ca.p12 file.
::
:: Note: 1) You need to enter the root certificate password: 123456
::       2) You need to set the export password. Here it is set to: abcdef
::       3) The digital certificate generated by OpenSSL cannot be used directly in the Java environment and must be converted to the PKCS #12 encoding format.

echo.
echo 6. Build the server private key server.key.pem
openssl genrsa -aes256 -out server.key.pem 2048
:: The meaning of each parameter is as follows:
:: genrsa   Command that generates an RSA key.
:: -aes256  Encrypt the generated private key with AES (256-bit key). Optional algorithms include DES, DESede, IDEA, and AES.
:: -out     Output path. Here it is the server.key.pem file.
:: 2048     The RSA key length in bits. The default length is 512 bits.
::
:: Note: You must set the server certificate password (pass phrase for server.key.pem). Here it is set to: 234567

echo.
echo 7. Generate the server certificate signing request server.csr
openssl req -new -key server.key.pem -out server.csr -subj "/C=CN/ST=BJ/L=BJ/O=zlex/OU=zlex/CN=www.zlex.org"
:: The meaning of each parameter is as follows:
:: req    Command that generates a certificate signing request.
:: -new   Indicates a new request.
:: -key   The key. Here it is the server.key.pem file.
:: -out   Output path. Here it is the server.csr file.
:: -subj  Specifies the subject (user) information. Here the domain name "www.zlex.org" is used as the user name.
::
:: Note: Enter the server certificate password 234567

echo.
echo 8. (Using the root certificate) issue the server certificate server.cer
openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA ca.cer -CAkey ca.key.pem -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
:: The meaning of each parameter is as follows:
:: x509             Command that issues an X.509 certificate.
:: -req             Indicates that the input is a certificate request.
:: -days            The number of days the certificate is valid. Here it is 3650 days.
:: -sha1            The certificate digest algorithm. Here it is SHA-1.
:: -extensions      Add extensions according to the v3_req section of the OpenSSL configuration file.
:: -CA              The CA certificate. Here it is the ca.cer file.
:: -CAkey           The CA certificate key. Here it is the ca.key.pem file.
:: -CAserial        The CA certificate serial number file. Here it is the ca.srl file.
:: -CAcreateserial  Create the CA certificate serial number file.
:: -in              The input file. Here it is the server.csr file.
:: -out             The output file. Here it is the server.cer file.
::
:: Note: Enter the root certificate password 123456

pause
echo.
popd
echo on
```
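Steps 2-4 and 6-8 with two changes, as an added example that is not part of the original batch file: `-sha256` replaces `-sha1`, and the `v3_ca` / `v3_req` sections are supplied through an explicit `-extfile`, which is the file the `x509` subcommand reads the `-extensions` section from. It is written for a POSIX shell rather than cmd.exe so the result can be checked with `openssl verify`. The file name `ext.cnf`, the extension values in it, the function names and the passphrase variables `CA_PASS` and `SRV_PASS` are assumptions.

```sh
#!/bin/sh
# Added example (not from the original batch file): steps 2-4 and 6-8 with
# -sha256 and an explicit -extfile. ext.cnf, CA_PASS and SRV_PASS are assumed names.
set -eu

issue_chain() {  # $1 = work directory; writes ca.cer and server.cer into it
  d="$1"
  # Constructed passphrases, taken from the environment rather than typed in.
  export CA_PASS="${CA_PASS:-constructed-ca-passphrase}"
  export SRV_PASS="${SRV_PASS:-constructed-server-passphrase}"
  cat > "$d/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.zlex.org
EOF
  subj="/C=CN/ST=BJ/L=BJ/O=zlex/OU=zlex"
  openssl genrsa -aes256 -passout env:CA_PASS -out "$d/ca.key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/ca.key.pem" -passin env:CA_PASS \
    -out "$d/ca.csr" -subj "$subj/CN=*.zlex.org"
  openssl x509 -req -days 10000 -sha256 -extfile "$d/ext.cnf" -extensions v3_ca \
    -signkey "$d/ca.key.pem" -passin env:CA_PASS \
    -in "$d/ca.csr" -out "$d/ca.cer" 2>/dev/null
  openssl genrsa -aes256 -passout env:SRV_PASS -out "$d/server.key.pem" 2048 2>/dev/null
  openssl req -new -key "$d/server.key.pem" -passin env:SRV_PASS \
    -out "$d/server.csr" -subj "$subj/CN=www.zlex.org"
  openssl x509 -req -days 3650 -sha256 -extfile "$d/ext.cnf" -extensions v3_req \
    -CA "$d/ca.cer" -CAkey "$d/ca.key.pem" -passin env:CA_PASS \
    -CAserial "$d/ca.srl" -CAcreateserial \
    -in "$d/server.csr" -out "$d/server.cer" 2>/dev/null
}

# First "Signature Algorithm" value in the certificate's text dump.
sig_alg() { openssl x509 -in "$1" -noout -text |
  awk -F': ' '/Signature Algorithm/ && !s {s=$2} END {print s}'; }
# True when the text dump contains the string $2 (e.g. an extension value).
has_ext() { openssl x509 -in "$1" -noout -text | grep -F -- "$2" >/dev/null; }
# True when certificate $2 chains to the CA certificate $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

work=$(mktemp -d)
issue_chain "$work"
echo "server signature: $(sig_alg "$work/server.cer")"
chain_ok "$work/ca.cer" "$work/server.cer" && echo "server.cer chains to ca.cer"
```

The same three helper functions can be pointed at the `ca.cer` and `server.cer` produced by the batch file to see which digest and extensions they actually carry.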
