The whole procedure is collected into one Windows batch file; it takes 8 steps.
@echo off
REM Reference: http://book.51cto.com/art/201004/192440.htm
pushd "E:\OpenSSL Certificate Management\"

echo.
echo 1. Create the random number file .rnd
openssl rand -out .rnd 1000
:: The meaning of each parameter is as follows:
::   rand   the random number command.
::   -out   output file path. Here the random number file .rnd is written to the current directory.
::   1000   the number of pseudo-random bytes to generate.

echo.
echo 2. Build the root certificate private key ca.key.pem
openssl genrsa -aes256 -out ca.key.pem 2048
:: The meaning of each parameter is as follows:
::   genrsa   the command that generates an RSA key.
::   -aes256  encrypt the generated private key with the AES algorithm (256-bit key).
::            Optional algorithms include DES, DESede, IDEA and AES.
::   -out     output path, here the ca.key.pem file.
::   2048     the RSA key length in bits. The default length is 512 bits.
:: Note:
::   1) You must specify the root certificate password (pass phrase for ca.key.pem), set to: 123456
::   2) OpenSSL usually uses the PEM (Privacy Enhanced Mail) encoding format to save the private key.

echo.
echo 3. Generate the root certificate signing request ca.csr
openssl req -new -key ca.key.pem -out ca.csr -subj "/C=CN/ST=BJ/L=BJ/O=zlex/OU=zlex/CN=*.zlex.org"
:: The meaning of each parameter is as follows:
::   req    the command that generates a certificate signing request.
::   -new   indicates a new request.
::   -key   the key, here the ca.key.pem file.
::   -out   output path, here the ca.csr file.
::   -subj  the user information. Here the wildcard domain name "*.zlex.org" is used as the user name.
:: Note: enter the root certificate password 123456

echo.
echo 4. Issue the root certificate ca.cer
openssl x509 -req -days 10000 -sha1 -extensions v3_ca -signkey ca.key.pem -in ca.csr -out ca.cer
:: The meaning of each parameter is as follows:
::   x509         the command that issues X.509 certificates.
::   -req         the input is a certificate request.
::   -days        the number of valid days, here 10000 days.
::   -sha1        the certificate digest algorithm, here SHA-1.
::   -extensions  add extensions according to the v3_ca section of the OpenSSL configuration file.
::   -signkey     the self-signing key, here the ca.key.pem file.
::   -in          the input file, here the ca.csr file.
::   -out         the output file, here the ca.cer file.
:: Note:
::   1) Enter the root certificate password: 123456
::   2) The resulting root certificate ca.cer can be used to issue server and client certificates.

echo.
echo 5. Convert the root certificate to ca.p12
openssl pkcs12 -export -cacerts -inkey ca.key.pem -in ca.cer -out ca.p12
:: The meaning of each parameter is as follows:
::   pkcs12    the command for certificates in the PKCS #12 encoding format.
::   -export   export the certificate.
::   -cacerts  only the CA certificate is exported.
::   -inkey    the input key, here the ca.key.pem file.
::   -in       the input file, here the ca.cer file.
::   -out      the output file, here the ca.p12 file.
:: Note:
::   1) You need to enter the root certificate password: 123456
::   2) You need to set the export password to: abcdef
::   3) The digital certificate generated by OpenSSL cannot be used directly in the Java language
::      environment and must be converted to the PKCS #12 encoding format.

echo.
echo 6. Build the server private key server.key.pem
openssl genrsa -aes256 -out server.key.pem 2048
:: The meaning of each parameter is as follows:
::   genrsa   the command that generates an RSA key.
::   -aes256  encrypt the generated private key with the AES algorithm (256-bit key).
::            Optional algorithms include DES, DESede, IDEA and AES.
::   -out     output path, here the server.key.pem file.
::   2048     the RSA key length in bits. The default length is 512 bits.
:: Note: you must specify the server certificate password (pass phrase for server.key.pem), set to: 234567

echo.
echo 7. Generate the server certificate signing request server.csr
openssl req -new -key server.key.pem -out server.csr -subj "/C=CN/ST=BJ/L=BJ/O=zlex/OU=zlex/CN=www.zlex.org"
:: The meaning of each parameter is as follows:
::   req    the command that generates a certificate signing request.
::   -new   indicates a new request.
::   -key   the key, here the server.key.pem file.
::   -out   output path, here the server.csr file.
::   -subj  the user information. Here the domain name "www.zlex.org" is used as the user name.
:: Note: enter the server certificate password 234567

echo.
echo 8. (Use the root certificate) Issue the server certificate server.cer
openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA ca.cer -CAkey ca.key.pem -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
:: The meaning of each parameter is as follows:
::   x509             the command that issues X.509 certificates.
::   -req             the input is a certificate request.
::   -days            the number of valid days, here 3650 days.
::   -sha1            the certificate digest algorithm, here SHA-1.
::   -extensions      add extensions according to the v3_req section of the OpenSSL configuration file.
::   -CA              the CA certificate, here the ca.cer file.
::   -CAkey           the CA certificate key, here the ca.key.pem file.
::   -CAserial        the CA certificate serial number file, here the ca.srl file.
::   -CAcreateserial  create the CA certificate serial number file.
::   -in              the input file, here the server.csr file.
::   -out             the output file, here the server.cer file.
:: Note: enter the root certificate password 123456

pause
echo.
popd
echo on
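
An added example, not part of the original batch file: step 8 reissued with -sha256 in place of -sha1 and with the v3_req extensions supplied through -extfile (the file from which openssl x509 -req reads the -extensions section), followed by a verification against ca.cer. The file name server.ext and the extension values in it, including the subjectAltName for www.zlex.org, are assumptions; the script expects ca.cer, ca.key.pem and server.csr from the earlier steps in the current directory and prompts for the root certificate password.

```batch
@echo off
setlocal
REM Added example, not part of the original batch file.
REM Run it in the directory that holds ca.cer, ca.key.pem and server.csr.

REM server.ext is a hypothetical file name; the extension values are assumptions.
(
  echo [v3_req]
  echo basicConstraints = CA:FALSE
  echo keyUsage = digitalSignature, keyEncipherment
  echo extendedKeyUsage = serverAuth
  echo subjectAltName = DNS:www.zlex.org
) > server.ext

REM Same command as step 8, but with -sha256 and the extensions read from server.ext.
openssl x509 -req -days 3650 -sha256 -extfile server.ext -extensions v3_req ^
  -CA ca.cer -CAkey ca.key.pem -CAserial ca.srl -CAcreateserial ^
  -in server.csr -out server.cer
if errorlevel 1 (
  echo Signing failed, see the OpenSSL error above.
  exit /b 1
)

REM Check that the new certificate chains to the root certificate from step 4.
openssl verify -CAfile ca.cer server.cer
if errorlevel 1 (
  echo server.cer does not verify against ca.cer
  exit /b 1
)

REM Show the fields that changed: signature algorithm and subjectAltName.
openssl x509 -in server.cer -noout -text | findstr /C:"Signature Algorithm" /C:"DNS:"
endlocal
```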