http://note.q2zy.com/openssl%E8%87%AA%E5%88%B6%E8%AF%81%E4%B9%A6/
Today Daoteng the next OpenSSL self-made certificate, here to make a record.
I am using the Mac OS, the system comes with OPENSSL,OPENSSL using the default configuration/system/library/openssl/openssl.cnf.
First, because it is the default configuration, the directory structure is established according to the requirements of the default configuration:
123 |
mkdir -p . /demoCA/ {private,newcerts} touch . /demoCA/index .txt echo 01 > . /demoCA/serial |
Where Serail holds the serial number of the next certificate, Index.txt holds the certificate information database.
Then generate the RSA key pair for the CA certificate:
1 |
openssl genrsa -des3 -out . /demoCA/private/cakey .pem 2048 |
Parameter explanation:
Genrsa: The OpenSSL command used to generate the RSA key pair.
-des3: Use the 3-des symmetric cryptographic algorithm encryption key pair, which requires the user to enter a password for encryption during key generation. When you use this key pair in the future, you need to enter the appropriate password. If this option is not added, the key is not encrypted.
-out./democa/private/cakey.pem: Saves the generated key pair to a file./democa/private/cakey.pem.
The number of 2048:rsa modulus indicates the key strength to some extent.
The CA certificate request is then generated:
In order to obtain a CA root certificate, we need to make a certificate request first. The previously generated CA key pair was used to sign the certificate request.
1 |
openssl req -new -days 365 -key . /demoCA/private/cakey .pem -out careq.pem |
Parameter explanation:
Req: the OpenSSL command used to generate the certificate request.
-new: A new certificate request is generated. This parameter will allow OpenSSL to require the user to fill in some corresponding fields during the certificate request generation process.
-days 365: The certificate age is 365 days from the time of generation.
-key./DEMOCA/PRIVATE/CAKEY.PEM: Specifies the key pair file that the./DEMOCA/PRIVATE/CAKEY.PEM uses for the certificate.
-out Careq.pem: Saves the generated certificate request to the file CAREQ.PEM.
Finally, the CA's certificate is signed by signing the CA certificate request:
In real-world applications, users can request certificates by submitting certificate requests to well-known CAs. But here, we need to build a root CA that can only be signed by ourselves to the certificate request.
1 |
openssl ca -selfsign - in careq.pem -out . /demoCA/cacert .pem |
CA: The OpenSSL command used to perform CA-related operations.
-selfsign: A self-signed certificate is issued using a key pair that is signed for a certificate request.
-in CAREQ.PEM: Specifies CAREQ.PEM to request a file for the certificate.
-out./DEMOCA/CACERT.PEM: Specifies the./DEMOCA/CACERT.PEM certificate for the output.
At this point, we have generated a root certificate./DEMOCA/CACERT.PEM and the private key of its corresponding RSA key pair./democa/private/cakey.pem, Next, whether FTPs, HTTPS, or any other place to use the certificate, You can use this certificate directly.
In addition to using the root certificate directly, we can also choose to use the root certificate to issue a new certificate.
The first is the RSA key pair that generates the new certificate:
1 |
openssl genrsa -out newkey.pem 2048 |
There is no use of 3-des encryption here because we need to use their private key to set up an HTTPS server.
Then a new certificate request is generated:
1 |
openssl req -new -days 365 -key newkey.pem -out newreq.pem |
The new certificate request is signed with a previously generated key.
Finally, the new certificate request is signed with a CA to obtain a new certificate:
1 |
openssl ca - in newreq.pem -out newcert.pem |
Note here that because the signature requires the CA's private key, and the CA's private key we use 3-des encryption, we need to enter the CA's private key to do this.
Since then, we have issued a new certificate with our homemade root certificate, in this way, we can continue to use the root certificate issued by the level two certificate and then issue a three-level certificate to complete the management of the certificate.
Finally, write a few commands that may need to be used:
To view a certificate:
1 |
openssl x509 -noout -text - in cert.pem |
To verify the certificate:
1 |
openssl verify -CAfile . /demoCA/cacert .pem hostcert.pem |
Decrypt the encrypted private key (Apache needs the decrypted private key):
1 |
openssl rsa - in encrypted_key.pem -out decrypted_key.pem |
Step to generate a file that contains both the private key and the certificate:
1 |
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem |
Because the private key is already included in this file, you can specify only the certificate file for this file when you use it, instead of specifying the private key file at the same time.
OpenSSL self-made certificate