The signing of OpenSSL and public key certificate is inextricably linked

Lead

People's knowledge of any thing is staged, from ignorance to knowing, from ignorant to half-known, from misunderstanding to suspicion, from dizzy to determined thoroughly understand.

Introduced

OpenSSL is a powerful command-line tool that can be used to handle many kinds of technologies related to PKI (public key Infrastructure), such as the key Infrastructure, HTTPS (HTTP, TLS), and so on. This sketchy-style essay article provides fast, OpenSSL-related command consulting, which is necessary for the daily work of it software development technicians.

Here are some examples of OpenSSL: How to generate a private key, a CSR (certificate signing requests), how to generate a certificate (certificate), and how to format the conversion. This is, of course, part of the most common method of OpenSSL ...

How to use this article

• If you are unfamiliar with CSR, certificate signing requests (certificate signing request), please read from the first part of the body
• Except for the first part, this article will be described in the form of a command line file
• Once you are familiar with the basic technical knowledge of these OpenSSL, you can view the body parts you want to see directly from anywhere

What is certificate Signing requests (CSRs)

If you want to obtain a certificate authority (CA)-Certified SSL certificate, you must first generate or hold a certificate singning request (CSR certificate signing I will not repeat the following in Chinese). A CSR consists primarily of public key in a pair of private key keys, and some additional information.

Note: The CSR is made up of public key and some similar company, country, region, city and city information, which also corresponds to a private key, which means that the CSR generation must rely on a pair of public key.

Any time you generate a CSR, you will be prompted and asked to provide some information about the certificate, which is public as your unique DN (distinguised name, distinguished name) as your work card. One of the most important information in this information is Comman Name (CN), which is used to describe very accurately the certificate of the certificate Publisher that the CSR will generate, fully qualified Domain name (FQDN ), popular point explanation: There is an HTTPS server I assume it is a university , there is a CSR I compare it to the Zhang Ziyi ( of the school dean's office, there is a certificate I compare it to the Diploma in Software Engineering , Zhang Ziyi (has the most authoritative information on the school, then it is very clear. Right?

Continue, when using the command line to generate a CSR, there will be the FQDN of the IO interactive input process, of course, you can skip through the input steps to generate a full space information of the CSR.

In addition, there is a FQDN in the comparison of the DN is about to provide your company information, or organizational information, if you are developing an application or product for your boss and is required to use the SSL certificate authentication mechanism, then you can not go all the way to generate CSR, what is the organization information? Give an example:

---country name (2 Letter code) [Au]:usstate or province name (full name) [Some-state]:new Yorklocality name (eg, city) []:brooklynorganization name (eg, company) [Internet widgits Pty ltd]:example Brooklyn compa Nyorganizational Unit name (eg, section) []:technology Divisioncommon name (e.g. server FQDN or YOUR Name) []:examplebrook Lyn.comemail Address []:

If you're not like the next one in the console to answer OpenSSL's CSR generate input interaction, then use the following snippet of code with one stroke:

" /c=us/st=new york/l=brooklyn/o=example Brooklyn company/cn=examplebrooklyn.com "

Now, you should always know what a CSR is, right? If you don't understand, look back.

how to generate a CSR

As mentioned above, the CSR contains a public key, and QFDN, so first you have to have a public key, if not you will generate a, but actually the public key is generated by the private key, you can understand: the public key is exposed to the radish stems and leaves, the private key is buried in the soil radish, to get the public key must have radish ah ⊙﹏⊙

Generate a private key (private key) and corresponding CSR

If you want to use HTTPS (TLS over HTTP) to encrypt your Apache HTTP or nginx Web server, and you want to use Certificate Authority (CA) technology to handle SSL certificate certificates, You can then generate the CSR in the following ways. The CSR generated in this way can be sent to a CA mechanism to request a CA authentication and obtain a ca-signed SSL certificate (CA certified signature file). If your CA mechanism supports SHA-2 add-sha256 this option parameter to the following command line, this parameter entry can be used to sign the CSR that you want to generate with the SHA-2 algorithm.

The following command line generates a 2048-bit private key (Domain.key) and a CSR (DOMAIN.CSR):

OpenSSL req         -newkey RSA:2048 -nodes-keyout domain.key        -out DOMAIN.CSR

Then enter your QFDN information through the console interaction, then until the completion

Note:-newkey rsa:2048 This parameter entry is used to specify that this private key generates a result of 2048-bit and uses the RSA algorithm. -nodes This parameter entry is used to specify that private key does not need to be hardened with a password.

Generate a CSR with an existing private key (private key)

Use the following method to generate a CSR, which domain.key generates a CSR () using an existing private key () domain.csr :

OpenSSL req         -key Domain.key        -new-out DOMAIN.CSR

Answer the console's interaction input until the CSR build is complete.

Note:-key This parameter entry is used to specify the location of a private key that already exists. -outThis indicates the location and name of the CSR file generated

Generate a CSR with an existing certificate and private key

You must be aware that the CSR is generated by the certificate Publisher using the private key +QFDNCSR, the content of the CSR file is composed of the public key +QFDN, and the certificate is issued to the certificate holder by the CSR. Therefore, through a series of algorithms can be used from the certificate to use the private key to calculate the CSR, it is like the school dean withdrew your diploma cut off your certificate and other information to restore back is a CSR, CSR is a certificate shell.

Use the following command to create a new CSR (DOMAIN.CSR), of course, based on the existing certificate (DOMAIN.CRT) and your private key (Domain.key):

OpenSSL x509         - in domain.crt        -signkey domain.key        -x509toreq-out DOMAIN.CSR

The parameter entry-x509toreq is used to indicate that a CSR is generated using a X509 type of certificate format.

Generate an SSL certificate

If you do not want to generate a certificate that requires CA certification, then you have to sign the certificate yourself, ah ah? What do you mean? Say the image point, you are guilty of the school rules are refused to issue a diploma, in order to deceive your parents you yourself to build a fake Zhang Ziyi (, so understand.

A certificate that can be correctly identified by yourself can certainly be your own signature certificate, which is tantamount to creating a fake diploma yourself, of course, you have to first believe that it is a OK certificate, we named for such a certificate self-signed certificate (self-signed certificate). Self-signed certificate can be used to encrypt your data, its effect is the same as the use of ca-signed, but when you put such a certificate encrypted data in the browser or other terminals will generate warning, The most common is in the Chrome browser Force pop-up hint said that the site is not safe what what, because it has not gone through the ca-signed list, if you want to allow other users to browse in two ways, one is to issue the certificate to the user and let the user import the certificate to the browser or other terminal applications, The second is to give the CA authorization certification (individuals and small companies just forget it)

The following section focuses on the details of self-signed certificates

Generate a self-signed certificates (self-signed certificate)

Use the following method to generate a self-signed certificate if you will be ready to use it to encrypt your Apache HTTP or Nginx Web server, and you are sure you do not need to use CA-certified certificate.

The following command is used to generate a 2048-bit private key (Domain.key) and self-signed certificate ( domain.crt ):

OpenSSL req         -newkey RSA:2048 -nodes-keyout domain.key        365-out domain.crt

Answer information about the console CSR until the CSR is generated.

The parameter entry-x509 tells the REQ subcommand to create a self-signed certificate,-days 365 This parameter entry is used to specify that the certificate is valid for 365 days from now, and a temporary CSR file will appear together with the above information, which is normal, of course.

Generates a self-signed certificate (self-signed certificate) with an existing private key

Use the following method to generate a self-signed certificate, if you already have a private key.

Use the following command to domain.key generate a self-signed certificate () based on the private key () domain.crt :

OpenSSL req         -Key Domain.key        -new        365 -out DOMAIN.CRT

Answer information about the console CSR until the CSR is generated.

The parameter entry-x509 tells the REQ subcommand to create a self-signed certificate,-days 365 This parameter entry is used to specify that the certificate is valid for 365 days from now, and-new is used to activate the CSR Information Inquiry interaction

Use existing private keys and CSRS to generate self-signed certificate (self-signed certificate)

The only way to use this is if you have a private ke and a corresponding CSR, and you want to generate a self-signed certificate from them.

The following command line domain.key creates a elf-signed certificate () based on a private key () and the corresponding DOMAIN.CSR domain.crt :

OpenSSL x509         -Signkey domain.key        - in domain.csr        365 -out DOMAIN.CRT

To be continued before the end

---restore content ends---

Lead

People's knowledge of any thing is staged, from ignorance to knowing, from ignorant to half-known, from misunderstanding to suspicion, from dizzy to determined thoroughly understand.

Introduced

OpenSSL is a powerful command-line tool that can be used to handle many kinds of technologies related to PKI (public key Infrastructure), such as the key Infrastructure, HTTPS (HTTP, TLS), and so on. This sketchy-style essay article provides fast, OpenSSL-related command consulting, which is necessary for the daily work of it software development technicians.

Here are some examples of OpenSSL: How to generate a private key, a CSR (certificate signing requests), how to generate a certificate (certificate), and how to format the conversion. This is, of course, part of the most common method of OpenSSL ...

How to use this article

• If you are unfamiliar with CSR, certificate signing requests (certificate signing request), please read from the first part of the body
• Except for the first part, this article will be described in the form of a command line file
• Once you are familiar with the basic technical knowledge of these OpenSSL, you can view the body parts you want to see directly from anywhere

What is certificate Signing requests (CSRs)

If you want to obtain a certificate authority (CA)-Certified SSL certificate, you must first generate or hold a certificate singning request (CSR certificate signing I will not repeat the following in Chinese). A CSR consists primarily of public key in a pair of private key keys, and some additional information.

Note: The CSR is made up of public key and some similar company, country, region, city and city information, which also corresponds to a private key, which means that the CSR generation must rely on a pair of public key.

Any time you generate a CSR, you will be prompted and asked to provide some information about the certificate, which is public as your unique DN (distinguised name, distinguished name) as your work card. One of the most important information in this information is Comman Name (CN), which is used to describe very accurately the certificate of the certificate Publisher that the CSR will generate, fully qualified Domain name (FQDN ), popular point explanation: There is an HTTPS server I assume it is a university , there is a CSR I compare it to the Zhang Ziyi ( of the school dean's office, there is a certificate I compare it to the Diploma in Software Engineering , Zhang Ziyi (has the most authoritative information on the school, then it is very clear. Right?

Continue, when using the command line to generate a CSR, there will be the FQDN of the IO interactive input process, of course, you can skip through the input steps to generate a full space information of the CSR.

In addition, there is a FQDN in the comparison of the DN is about to provide your company information, or organizational information, if you are developing an application or product for your boss and is required to use the SSL certificate authentication mechanism, then you can not go all the way to generate CSR, what is the organization information? Give an example:

---country name (2 Letter code) [Au]:usstate or province name (full name) [Some-state]:new Yorklocality name (eg, city) []:brooklynorganization name (eg, company) [Internet widgits Pty ltd]:example Brooklyn compa Nyorganizational Unit name (eg, section) []:technology Divisioncommon name (e.g. server FQDN or YOUR Name) []:examplebrook Lyn.comemail Address []:

If you're not like the next one in the console to answer OpenSSL's CSR generate input interaction, then use the following snippet of code with one stroke:

" /c=us/st=new york/l=brooklyn/o=example Brooklyn company/cn=examplebrooklyn.com "

Now, you should always know what a CSR is, right? If you don't understand, look back.

how to generate a CSR

As mentioned above, the CSR contains a public key, and QFDN, so first you have to have a public key, if not you will generate a, but actually the public key is generated by the private key, you can understand: the public key is exposed to the radish stems and leaves, the private key is buried in the soil radish, to get the public key must have radish ah ⊙﹏⊙

Generate a private key (private key) and corresponding CSR

If you want to use HTTPS (TLS over HTTP) to encrypt your Apache HTTP or nginx Web server, and you want to use Certificate Authority (CA) technology to handle SSL certificate certificates, You can then generate the CSR in the following ways. The CSR generated in this way can be sent to a CA mechanism to request a CA authentication and obtain a ca-signed SSL certificate (CA certified signature file). If your CA mechanism supports SHA-2 add-sha256 this option parameter to the following command line, this parameter entry can be used to sign the CSR that you want to generate with the SHA-2 algorithm.

The following command line generates a 2048-bit private key (Domain.key) and a CSR (DOMAIN.CSR):

OpenSSL req         -newkey RSA:2048 -nodes-keyout domain.key        -out DOMAIN.CSR

Then enter your QFDN information through the console interaction, then until the completion

Note:-newkey rsa:2048 This parameter entry is used to specify that this private key generates a result of 2048-bit and uses the RSA algorithm. -nodes This parameter entry is used to specify that private key does not need to be hardened with a password.

Generate a CSR with an existing private key (private key)

Use the following method to generate a CSR, which domain.key generates a CSR () using an existing private key () domain.csr :

OpenSSL req         -key Domain.key        -new-out DOMAIN.CSR

Answer the console's interaction input until the CSR build is complete.

Note:-key This parameter entry is used to specify the location of a private key that already exists. -outThis indicates the location and name of the CSR file generated

Generate a CSR with an existing certificate and private key

You must be aware that the CSR is generated by the certificate Publisher using the private key +QFDNCSR, the content of the CSR file is composed of the public key +QFDN, and the certificate is issued to the certificate holder by the CSR. Therefore, through a series of algorithms can be used from the certificate to use the private key to calculate the CSR, it is like the school dean withdrew your diploma cut off your certificate and other information to restore back is a CSR, CSR is a certificate shell.

Use the following command to create a new CSR (DOMAIN.CSR), of course, based on the existing certificate (DOMAIN.CRT) and your private key (Domain.key):

OpenSSL x509         - in domain.crt        -signkey domain.key        -x509toreq-out DOMAIN.CSR

The parameter entry-x509toreq is used to indicate that a CSR is generated using a X509 type of certificate format.

Generate an SSL certificate

If you do not want to generate a certificate that requires CA certification, then you have to sign the certificate yourself, ah ah? What do you mean? Say the image point, you are guilty of the school rules are refused to issue a diploma, in order to deceive your parents you yourself to build a fake Zhang Ziyi (, so understand.

A certificate that can be correctly identified by yourself can certainly be your own signature certificate, which is tantamount to creating a fake diploma yourself, of course, you have to first believe that it is a OK certificate, we named for such a certificate self-signed certificate (self-signed certificate). Self-signed certificate can be used to encrypt your data, its effect is the same as the use of ca-signed, but when you put such a certificate encrypted data in the browser or other terminals will generate warning, The most common is in the Chrome browser Force pop-up hint said that the site is not safe what what, because it has not gone through the ca-signed list, if you want to allow other users to browse in two ways, one is to issue the certificate to the user and let the user import the certificate to the browser or other terminal applications, The second is to give the CA authorization certification (individuals and small companies just forget it)

The following section focuses on the details of self-signed certificates

Generate a self-signed certificates (self-signed certificate)

Use the following method to generate a self-signed certificate if you will be ready to use it to encrypt your Apache HTTP or Nginx Web server, and you are sure you do not need to use CA-certified certificate.

The following command is used to generate a 2048-bit private key (Domain.key) and self-signed certificate ( domain.crt ):

OpenSSL req         -newkey RSA:2048 -nodes-keyout domain.key        365-out domain.crt

Answer information about the console CSR until the CSR is generated.

The parameter entry-x509 tells the REQ subcommand to create a self-signed certificate,-days 365 This parameter entry is used to specify that the certificate is valid for 365 days from now, and a temporary CSR file will appear together with the above information, which is normal, of course.

Generates a self-signed certificate (self-signed certificate) with an existing private key

Use the following method to generate a self-signed certificate, if you already have a private key.

Use the following command to domain.key generate a self-signed certificate () based on the private key () domain.crt :

OpenSSL req         -Key Domain.key        -new        365 -out DOMAIN.CRT

Answer information about the console CSR until the CSR is generated.

The parameter entry-x509 tells the REQ subcommand to create a self-signed certificate,-days 365 This parameter entry is used to specify that the certificate is valid for 365 days from now, and-new is used to activate the CSR Information Inquiry interaction

Use existing private keys and CSRS to generate self-signed certificate (self-signed certificate)

The only way to use this is if you have a private ke and a corresponding CSR, and you want to generate a self-signed certificate from them.

The following command line domain.key creates a elf-signed certificate () based on a private key () and the corresponding DOMAIN.CSR domain.crt :

OpenSSL x509         -Signkey domain.key        - in domain.csr        365 -out DOMAIN.CRT

To be continued before the end

The signing of OpenSSL and public key certificate is inextricably linked