1. First to generate the server-side private key (key file):
Command:
OpenSSL genrsa-des3-out Server.key 1024
The runtime prompts for a password, which is used to encrypt the key file (the parameter des3 is the encryption algorithm, and of course you can choose other algorithms that you think are safe). You need to enter a password whenever you need to read this file (via the command or API provided by OpenSSL)
2. Generate CSR and key on the server
Command:
OpenSSL Req-new-key server.key-out server.csr-config/etc/pki/tls/openssl.cnf
Generate the Certificate Signing request (CSR), and the resulting CSR file is handed to the CA to form its own certificate. The screen will prompt you to enter the required personal information in step steps according to its instructions.
3. The same command is generated for the client to generate key and CSR files:
Command:
OpenSSL genrsa-des3-out Client.key 1024
OpenSSL Req-new-key client.key-out client.csr-config/etc/pki/tls/openssl.cnf
4.CSR files must be signed by a CA to form a certificate. This file can be sent to VeriSign and other places by it to verify, need to pay fees, here is how to do the CA itself.
Command:
OpenSSL req-new-x509-keyout ca.key-out ca.crt-config/etc/pki/tls/openssl.cnf
5. Sign the SERVER.CSR,CLIENT.CSR file that you just generated with the certificate of the generated CA:
Command:
OpenSSL ca-in server.csr-out server.crt-cert ca.crt-keyfile ca.key-config/etc/pki/tls/openssl.cnf
OpenSSL ca-in client.csr-out client.crt-cert ca.crt-keyfile ca.key-config/etc/pki/tls/openssl.cnf
OpenSSL in Linux generates certificates and self-signed certificates