In general, if you can find an available certificate, you can use it directly, even if some of the information in the certificate is wrong or does not match the host on which it is deployed; that only makes the browser prompt about the certificate and does not prevent it from being used.
You need to generate certificates manually when you cannot find a usable certificate, or when you need to configure bidirectional (mutual) SSL: the lack of client certificates then requires certificates customized for the purpose.
First, whether under Linux or under Cygwin on Windows, verify that the OpenSSL package is installed before doing the following.
1. Create the root certificate key file root.key (make your own CA). No key size is given here, so the OpenSSL default applies; append 2048 as in step 4 to choose the size explicitly:
openssl genrsa -des3 -out root.key
The output reads:
[Lenin@archer ~]$ openssl genrsa -des3 -out root.key
Generating RSA private key, bit long modulus
... ++++++++++++........
.. ++++++++++++
e is 65537 (0x10001)
Enter pass phrase for root.key: ← type a new password
Verifying - Enter pass phrase for root.key: ← retype the password
2. Create the root certificate request file root.csr:
openssl req -new -key root.key -out root.csr
The output reads:
[Lenin@archer ~]$ openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key: ← enter the password you created earlier
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country code; for China enter CN
State or Province Name (full name) [Some-State]:beijing ← full name of the province, in pinyin
Locality Name (eg, city) []:beijing ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany corp. ← English name of the company
Organizational Unit Name (eg, section) []: ← may be left blank
Common Name (eg, YOUR name) []: ← leave blank at this point
Email Address []:admin@mycompany.com ← e-mail address, fill in freely
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left blank
An optional company name []: ← may be left blank
3. Create the root certificate root.crt, valid for 10 years from the current date. Note that -sha1 is what the original procedure used; current browsers reject SHA-1 signatures, so -sha256 is the better choice today:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
The output reads:
[Lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=mycompany corp./emailAddress=admin@mycompany.com
Getting Private key
Enter pass phrase for root.key: ← enter the password you created earlier
4. Create the server certificate key file server.key:
openssl genrsa -des3 -out server.key 2048
The output reads:
[Lenin@archer ~]$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
... +++
... +++. ....................................
e is 65537 (0x10001)
When run with -des3 the command prompts for a password, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can of course choose another algorithm you consider secure). You then have to enter the password whenever this file is read (by the OpenSSL commands or APIs). If that is inconvenient, you can also remove the password, but be sure to take other protective measures, such as restricting the file permissions of the key!
Command to remove the password from the key file:
openssl rsa -in server.key -out server.key
5. Create the server certificate request file server.csr:
openssl req -new -key server.key -out server.csr
The output reads:
[Lenin@archer ~]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country name; for China enter CN
State or Province Name (full name) [Some-State]:beijing ← province name, in pinyin
Locality Name (eg, city) []:beijing ← city name, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany corp. ← English name of the company
Organizational Unit Name (eg, section) []: ← may be left blank
Common Name (eg, YOUR name) []:www.mycompany.com ← the server hostname; if it is wrong the browser reports the certificate as invalid, but the certificate can still be used
Email Address []:admin@mycompany.com ← e-mail address, fill in freely
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left blank
An optional company name []: ← may be left blank
6. Create the server certificate server.crt, valid for two years from the current date. Current browsers match the hostname against a subjectAltName extension rather than the Common Name, so a certificate produced exactly this way is still flagged by them even when the Common Name is correct:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
The output reads:
[Lenin@archer ~]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=mycompany corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com
Getting CA Private Key
Enter pass phrase for root.key: ← enter the password you created earlier
7. Create the client certificate key file client.key:
openssl genrsa -des3 -out client.key 2048
The output reads:
[Lenin@archer ~]$ openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
.......... ....... ....... ...... ...... ...... ... .......... ....... ....... ...... ...... ..... ... +++
..... ...... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ...... ... ..... ....... ...... ..... ..... ..... ..... ..... ..... ..... ..... ..... ..... ... +++
e is 65537 (0x10001)
Enter pass phrase for client.key: ← type a new password
Verifying - Enter pass phrase for client.key: ← retype the password
8. Create the client certificate request file client.csr:
openssl req -new -key client.key -out client.csr
The output reads:
[Lenin@archer ~]$ openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key: ← enter the password created in the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country name; for China enter CN
State or Province Name (full name) [Some-State]:beijing ← province name, in pinyin
Locality Name (eg, city) []:beijing ← city name, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany corp. ← English name of the company
Organizational Unit Name (eg, section) []: ← may be left blank
Common Name (eg, YOUR name) []:lenin ← your English name, fill in freely
Email Address []:admin@mycompany.com ← e-mail address, fill in freely
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left blank
An optional company name []: ← may be left blank
9. Create the client certificate client.crt, valid for two years from the current date:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt
The output reads:
[Lenin@archer ~]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=mycompany corp./CN=lenin/emailAddress=admin@mycompany.com
Getting CA Private Key
Enter pass phrase for root.key: ← the password created above
10. Merge the client certificate file client.crt and the client key file client.key into the client certificate installation package client.pfx:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
The output reads:
[Lenin@archer ~]$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key: ← the password created above
Enter Export Password: ← enter a new password that protects the client certificate package; it has to be entered when the certificate is installed on the client
Verifying - Enter Export Password: ← confirm the password
11. Save the generated files: server.crt and server.key are the certificate files needed to configure one-way SSL; client.crt is the certificate file used when configuring bidirectional SSL; client.pfx is the certificate file that must be installed on the client when configuring bidirectional SSL.
The .crt and .key files can also be combined into a single .pem file: simply concatenate the two files (the contents are copied over as-is).
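The eleven interactive steps above, collected into one non-interactive POSIX sh script with a verification step at the end. This is an added example, not code from the original article or its referenced source. It assumes that openssl is on PATH and makes several choices the article does not: DN values are passed with -subj and passphrases through environment variables instead of prompts; keys are AES-256-encrypted instead of DES3; certificates are signed with SHA-256 instead of SHA-1; the extensions are taken from a small config file written by the script, so the server certificate carries the subjectAltName that browsers now require; and the unencrypted server key gets restrictive file permissions, as step 4 advises. All DN values, the hostname and the passphrases are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-11 as one script.
# Assumptions: openssl on PATH; -subj/-passin/-passout instead of prompts;
# AES-256 key encryption and SHA-256 signatures; extensions from pki.cnf.
set -eu

# Constructed sample secrets. env: references keep them out of `ps` output;
# in real use set them from a secret store, never hard-code them.
export CA_PASS="rootsecret" CLIENT_PASS="clientsecret" PFX_PASS="exportsecret"

SUBJ_BASE="/C=CN/ST=beijing/L=beijing/O=mycompany corp."   # sample DN
SERVER_HOST="www.mycompany.com"                             # sample hostname

# write_config DIR: OpenSSL config with a req section plus the v3_* extension
# sections referenced by the -extensions options below.
write_config() {
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
commonName = unused-because-subj-is-given
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# make_pki DIR: writes root.crt, server.{key,csr,crt,pem}, client.{key,csr,crt,pfx}
make_pki() {
    dir="${1:?usage: make_pki DIR}"
    mkdir -p "$dir"
    write_config "$dir"
    (
        cd "$dir"
        # Steps 1-3: encrypted CA key, CSR, self-signed CA cert valid 10 years
        openssl genrsa -aes256 -passout env:CA_PASS -out root.key 2048
        openssl req -new -config pki.cnf -key root.key -passin env:CA_PASS \
            -subj "$SUBJ_BASE/emailAddress=admin@mycompany.com" -out root.csr
        openssl x509 -req -days 3650 -sha256 -extfile pki.cnf -extensions v3_ca \
            -signkey root.key -passin env:CA_PASS -in root.csr -out root.crt
        # Steps 4-6: server key without passphrase (what step 4 ends with), so
        # protect it with file permissions; CSR with hostname as CN; CA-signed
        # cert valid 2 years, with the hostname also in subjectAltName
        openssl genrsa -out server.key 2048
        chmod 600 server.key
        openssl req -new -config pki.cnf -key server.key \
            -subj "$SUBJ_BASE/CN=$SERVER_HOST/emailAddress=admin@mycompany.com" -out server.csr
        openssl x509 -req -days 730 -sha256 -extfile pki.cnf -extensions v3_server \
            -CA root.crt -CAkey root.key -passin env:CA_PASS -CAcreateserial \
            -in server.csr -out server.crt
        # Steps 7-10: encrypted client key, CSR, CA-signed cert, PKCS#12 bundle
        openssl genrsa -aes256 -passout env:CLIENT_PASS -out client.key 2048
        openssl req -new -config pki.cnf -key client.key -passin env:CLIENT_PASS \
            -subj "$SUBJ_BASE/CN=lenin/emailAddress=admin@mycompany.com" -out client.csr
        openssl x509 -req -days 730 -sha256 -extfile pki.cnf -extensions v3_client \
            -CA root.crt -CAkey root.key -passin env:CA_PASS -CAcreateserial \
            -in client.csr -out client.crt
        openssl pkcs12 -export -in client.crt -inkey client.key -passin env:CLIENT_PASS \
            -passout env:PFX_PASS -out client.pfx
        # Step 11: combined .pem (certificate first, then the key), key-grade permissions
        cat server.crt server.key > server.pem
        chmod 600 server.pem
    )
}

# verify_pki DIR: both leaf certs must chain to root.crt for their purpose and
# the .pfx must open with the export password; exit status 0 on success.
verify_pki() {
    dir="${1:?usage: verify_pki DIR}"
    openssl verify -CAfile "$dir/root.crt" -purpose sslserver "$dir/server.crt" &&
    openssl verify -CAfile "$dir/root.crt" -purpose sslclient "$dir/client.crt" &&
    openssl pkcs12 -in "$dir/client.pfx" -passin env:PFX_PASS -noout
}

# server_san_count DIR: number of SAN lines naming the server host (expect 1)
server_san_count() {
    openssl x509 -in "${1:?}/server.crt" -noout -text | grep -c "DNS:$SERVER_HOST"
}

# Usage: sh make_pki.sh OUTPUT_DIR
if [ $# -gt 0 ]; then
    make_pki "$1" && verify_pki "$1" && echo "PKI written to $1"
fi
```

The verification step is the part the article leaves out: `openssl verify -purpose sslserver` checks not only the signature chain but also that the CA certificate is marked CA:TRUE and that the leaf carries a serverAuth extended key usage, which is exactly where a certificate produced with the bare `-extensions v3_req` of steps 6 and 9 would fail.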
Reference: http://sinolog.it/?p=1460