Tutorial: generating certificates with the OpenSSL req command on Linux

Source: Internet
Author: User
Tags: modulus, openssl, openssl x509, openssl client

openssl req is used to generate a certificate request (CSR) that is sent to a third-party certificate authority (CA), which then issues the certificate we need. The req command can also invoke x509 functionality for format conversion and for displaying information in the request file, such as its text form or the modulus. If you do not yet have a key pair, req can generate the key pair and the certificate request in one step, and you can choose whether the private key file is encrypted.

1. Keys, certificate requests and certificates: an overview

In the process of requesting and issuing a certificate, the client deals with three concepts: the key, the certificate request and the certificate. Beginners often confuse the relationship between the three, and some online articles try to tell them apart by file suffix, which only adds to the confusion. We describe the relationship between the three through the process of applying for a certificate. Seen from the client (as opposed to the CA), requesting a certificate takes three steps:

Step 1: generate the client's key, that is, the client's public/private key pair, and make sure that the private key is held only by the client.
Step 2: take the client's key and the client's own information (country, organization, domain name, e-mail address, etc.) as input and generate the certificate request file. The client's public key and the client information are stored in plaintext in the request file; the client's private key is used to sign the public key and the client information, and the private key itself is not included in the request. The certificate request file is then sent to the CA.
Step 3: the CA receives the client's certificate request file, first verifies its signature, then vets the client's information, and finally signs the request with its own private key to produce the certificate file, which it sends back to the client. This certificate is the client's identity card: it attests to the identity of its holder.
This is the end of the process from the client's side. It involves the certificate issuing authority, the CA, an organization that is trusted absolutely. If the client certificate is compared to an identity card, then the CA is the organization that issues identity cards. Let us use HTTPS as an example to illustrate what the certificate is for.

For the security of data in transit, more and more websites enable HTTPS. In the HTTPS handshake, the server first sends its own certificate to the user (the browser). The browser reads the issuing authority from the certificate and looks for the corresponding CA certificate among the certificates built into the machine (a PC or a phone ships with the certificates of the world's best-known CAs). It then uses the public key of that built-in CA certificate to verify the authenticity of the server's certificate. If the verification fails, the browser warns that there is a problem with the server certificate and asks the user whether to continue.

For example, the 12306 website used a self-signed certificate, so the browser warned that the certificate had a problem; the 12306 website therefore offered a root certificate for download and installation. Installing it adds their own root certificate to the machine's built-in certificates, after which the browser no longer reports a certificate error. Be aware, however, that importing a certificate into a machine casually is dangerous; only do so for an organization you specifically trust.

2. The req command

In the previous section we saw the process of requesting a certificate. We already know how to generate a key pair; generating a certificate request is the job of the req command. The req man page gives the following synopsis:

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]
It has many parameters, some of them complex and some rarely used. In practice we use only a limited number of them, so we will learn req through its basic functions.

req has two basic functions: generating certificate requests and generating self-signed certificates. Other features, such as verifying and viewing request files, are explained briefly in the examples below. The main parameters are described as follows.

[-new / -x509]

With -new, req generates a certificate request; with -x509, it generates a self-signed certificate.

[-key / -newkey / -keyout]

-key and -newkey are mutually exclusive: -key specifies an existing key file, while -newkey means that a new key is generated automatically while the certificate request or self-signed certificate is generated; the file name of the generated key is given by -keyout.

When -newkey is given, rsa:bits generates an RSA key of the given number of bits, and dsa:file generates a DSA key, where file is the DSA parameter file (generated with openssl dsaparam).

[-in / -out / -inform / -outform / -keyform]

-in specifies the certificate request file; it is used when viewing the content of a request or when generating a self-signed certificate from an existing request.

-out specifies the output file: the certificate request or the self-signed certificate, the public key (when -pubkey is used), or other output.

-inform, -outform and -keyform specify the file format of the -in, -out and -key files respectively; the default is PEM.

[-config]

Configuration file; the default is /etc/ssl/openssl.cnf (on Ubuntu 12.04), and the location varies between systems. The file contains the parameters req uses when generating a request; when a parameter is not given on the command line, the default value from the file is used.

Besides the main parameters above there are many others, which are not described one by one; interested readers can consult the req man page.
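The configuration file does more than supply defaults for the prompts: with prompt = no it lets you generate a request non-interactively, and with req_extensions it lets you ask for X.509 extensions (such as a subjectAltName, which browsers check instead of the CN) to be carried in the request. The script below is an added example, not part of the original tutorial, showing a self-contained config used with -config. The file name req.cnf, the subject values and the host names under example.test are constructed for the demonstration; the openssl CLI and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example: drive openssl req from a constructed configuration file in
# batch mode, and request a subjectAltName extension in the CSR.
set -eu

write_req_config() {  # $1 = path of the config file to write (constructed content)
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
req_extensions     = req_ext

# With prompt = no these values are used directly as the subject
[ req_dn ]
C  = AU
ST = Some-State
O  = Internet Widgits Pty Ltd
CN = www.example.test

# Extensions copied into the request; the CA decides whether to honour them
[ req_ext ]
subjectAltName = DNS:www.example.test, DNS:example.test
keyUsage       = digitalSignature, keyEncipherment
EOF
}

# Generate a key and a request from the config. Prints the SAN line of the
# request and returns 0 only if the requested subjectAltName is present.
request_with_san() {  # $1 = working directory
  write_req_config "$1/req.cnf"
  # No -newkey: the key size comes from default_bits in the config.
  # -nodes leaves the key unencrypted; use -passout for an encrypted key.
  openssl req -new -nodes -batch -config "$1/req.cnf" \
      -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  # -reqexts is not needed because req_extensions is set in [ req ]
  openssl req -in "$1/client.csr" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | grep 'DNS:'
}

# Print the subject of the generated request in RFC 2253 form
request_subject() {  # $1 = working directory
  openssl req -in "$1/client.csr" -noout -subject -nameopt RFC2253
}

work=$(mktemp -d)
request_with_san "$work"
request_subject "$work"
rm -rf "$work"
```

Run it as a script; it prints the DNS names found in the request and its subject. Because prompt = no and -batch are used, nothing is asked interactively, so the same command works unattended in a provisioning script.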

3. req usage examples

(1) Generating a certificate request using an existing private key

Generate the certificate request file with the existing RSA key, entering the subject information at the prompts:

The code is as follows:
$ openssl req -new -key rsa.pem -passin pass:123456 -out client.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BJ
Organizational Unit Name (eg, section) []:BJ
Common Name (e.g. server FQDN or YOUR name) []:BJ
Email Address []:BJ

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:BJ
......
Generate the certificate request file with the existing RSA key and the -batch option; the subject information is read from the configuration file instead of being prompted for:
The code is as follows:
$ openssl req -new -key rsa.pem -passin pass:123456 -out client.pem -batch

Generate the certificate request file with the existing RSA key, giving the subject on the command line with -subj (this suppresses the interactive prompts, so -batch is not needed):

The code is as follows:
$ openssl req -new -key rsa.pem -passin pass:123456 -out client.pem -subj "/C=AU/ST=Some-State/O=Internet"

Generate the certificate request file with the existing RSA key, giving the subject on the command line with -subj, and also output the public key:

The code is as follows:
$ openssl req -new -key rsa.pem -passin pass:123456 -out client.pem -subj "/C=AU/ST=Some-State/O=Internet" -pubkey

The output file now contains the public key followed by the request:

The code is as follows:
$ cat client.pem

-----BEGIN PUBLIC KEY-----
Mfwwdqyjkozihvcnaqebbqadswawsajbal6e+hk0tasylpk5xb1tlctco8wq7jmm
yq9smy4q1lipg4tdgskdfblb2uxmzzmcp+zbdk9txwtewqv7pvcvy0mcaweaaq==
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Miibgdcbwwibada1mqswcqydvqqgewjbvtetmbega1uecawku29tzs1tdgf0zter
Ma8ga1uecgwisw50zxjuzxqwxdanbgkqhkig9w0baqefaanladbiakeavp76gtrm
cxiu+tlchw0sk0i7zbdskwxhd1izlhdwwi+dhn2bkr19sshzrebpmwkn5keot23h
C17cq/s9vy9jqwidaqabockwjwyjkozihvcnaqkomrowgdajbgnvhrmeajaamasg
A1uddwqeawif4danbgkqhkig9w0baqufaanbafbib0ftuwtsofeqdtwir3kxzdhp
Bgly1/nlj71dylfggrr61rkmrxgpf76akurtf+gexwlmfpo6fqlaioyee/c=
-----END CERTIFICATE REQUEST-----

(2) Automatically generating the key while generating the certificate request file

Automatically generate a 1024-bit RSA key and generate a certificate request file:

The code is as follows:

$ openssl req -new -newkey rsa:1024 -out client.pem -keyout rsa.pem -batch
Generating a 1024 bit RSA private key
.......................................++++++
...............................++++++
writing new private key to 'rsa.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
......
Automatically generate a 1024-bit RSA key and generate a certificate request file, specifying -nodes so that the key file is not encrypted:

The code is as follows:
$ openssl req -new -newkey rsa:1024 -out client.pem -keyout rsa.pem -batch -nodes
Generating a 1024 bit RSA private key
..++++++
.........................++++++
writing new private key to 'rsa.pem'
......
Automatically generate 1024-bit DSA key parameters:
The code is as follows:
$ openssl dsaparam -out dsa.param 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
...+.+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
................+...........+......+.+.............+.+.....+.++++++++++++++++++++++++++++++++++++++++++++++++++++*
Automatically generate a 1024-bit DSA key from those parameters and generate a certificate request file, specifying -nodes so that the key file is not encrypted:
The code is as follows:
$ openssl req -new -newkey dsa:dsa.param -out client.pem -keyout dsa.pem -batch -nodes
Generating a 1024 bit DSA private key
writing new private key to 'dsa.pem'
......

(3) Generating a self-signed certificate

Generating a self-signed certificate uses the same parameters as generating a request; just replace -new with -x509:

The code is as follows:
$ openssl req -x509 -newkey rsa:1024 -out client.cer -keyout rsa.pem -batch -nodes
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'rsa.pem'
......
To view the certificate file:
The code is as follows:
$ openssl x509 -in client.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        .....
    Signature Algorithm: sha1WithRSAEncryption
         5b:d7:f5:fd:18:3a:a9:22:2a:d9:f1:fc:00:3a:cf:23:ff:d1:
         82:e5:2d:3f:7e:97:a8:38:32:e6:88:7a:ce:9f:31:cc:ea:60:
         06:d1:96:bb:c8:42:ec:ef:26:73:4e:3b:2d:fa:0f:16:c2:25:
         30:1b:a5:ca:35:bd:9b:dd:4b:41:d4:8b:95:3a:d4:7c:aa:8d:
         0d:2d:e7:f3:95:33:d2:4a:5a:7f:a2:5d:cc:48:60:9f:ca:2d:
         77:d9:ed:e9:09:f3:a1:18:96:1d:91:c6:1c:2b:7a:c1:d6:5d:
         81:87:25:0d:32:6a:55:d2:89:95:c5:32:44:cc:9d:e7:68:6f:
         d8:80

(4) Viewing the content of a certificate request

First generate a certificate request:

The code is as follows:
$ openssl req -new -newkey rsa:1024 -out client.req -keyout rsa.pem -batch -nodes
Generating a 1024 bit RSA private key
...............................................................++++++
......................++++++
writing new private key to 'rsa.pem'
......
To view the content of the certificate request; -subject additionally prints the subject on its own line:
The code is as follows:
$ openssl req -in client.req -noout -text -subject
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        ...
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
(5) Verifying a certificate request file

With -verify, req checks the certificate request file: it extracts the public key from the request and uses it to verify the signature on the request:

The code is as follows:
$ openssl req -verify -in client.req -noout
verify OK
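Viewing and verifying a request, as in (4) and (5), is exactly what a CA operator does before signing it. The script below is an added example, not part of the original tutorial: check_csr runs the checks a practitioner would want before issuing a certificate, namely that the self-signature verifies (proof that the requester holds the private key), that the RSA key is at least 2048 bits (the 1024-bit keys used in the examples above would be rejected), that the request is not signed with MD5 or SHA-1, and that the subject carries a CN. make_test_csr, the file names min.cnf, k*.pem and r*.csr and the subject values are constructed for the demonstration; the openssl CLI and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example: pre-signing checks on a certificate request.
# check_csr prints one line per check and returns 0 only if all of them pass.
set -eu

check_csr() {  # $1 = path to a PEM certificate request
  csr=$1
  status=0

  # 1. Self-signature. Match on the message rather than the exit code, because
  #    older openssl releases exit 0 even when they print "verify failure".
  result=$(openssl req -verify -noout -in "$csr" 2>&1) || true
  case $result in
    *"verify OK"*) echo "ok    self-signature verifies" ;;
    *)             echo "FAIL  self-signature does not verify"; status=1 ;;
  esac

  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
    echo "FAIL  request cannot be parsed"; return 1; }

  # 2. Key size: the "Public-Key: (N bit)" line of the -text output (RSA keys).
  bits=$(printf '%s\n' "$text" \
         | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
    echo "ok    public key is $bits bits"
  else
    echo "FAIL  public key is ${bits:-?} bits, need at least 2048"; status=1
  fi

  # 3. Signature digest: refuse requests signed with MD5 or SHA-1.
  case $text in
    *md5With*|*sha1With*) echo "FAIL  weak signature digest"; status=1 ;;
    *)                    echo "ok    signature digest acceptable" ;;
  esac

  # 4. The subject must at least carry a common name.
  subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null)
  case $subject in
    *CN=*) echo "ok    $subject" ;;
    *)     echo "FAIL  subject has no CN ($subject)"; status=1 ;;
  esac

  return $status
}

# Constructed helper: build a request with a chosen RSA key size for testing.
# A minimal config is written so req does not depend on the system openssl.cnf.
make_test_csr() {  # $1 = output directory, $2 = RSA bits; prints the CSR path
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' \
      > "$1/min.cnf"
  openssl req -new -newkey "rsa:$2" -nodes -batch -config "$1/min.cnf" \
      -subj "/O=Constructed Org/CN=www.example.test" \
      -keyout "$1/k$2.pem" -out "$1/r$2.csr" 2>/dev/null
  echo "$1/r$2.csr"
}

work=$(mktemp -d)
check_csr "$(make_test_csr "$work" 2048)"
check_csr "$(make_test_csr "$work" 1024)" || echo "(1024-bit request rejected, as intended)"
rm -rf "$work"
```

The key-size check reads the -text output the page shows in (4); the signature check wraps the -verify call shown in (5). Running the script prints a passing report for the 2048-bit request and a failing one for the 1024-bit request.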

4. Summary of the steps to generate a certificate

Step 1. Create the key (optionally password protected)

The code is as follows:
openssl genrsa -out prvtkey.pem 2048 (not password protected)

The code is as follows:

openssl genrsa -des3 -out prvtkey.pem 2048 (password protected)

This command generates a 1024- or 2048-bit key, depending on the number given as the last argument.
Step 2. Create the certificate request

The code is as follows:
openssl req -new -key prvtkey.pem -out cert.csr
openssl req -new -nodes -key prvtkey.pem -out cert.csr

This command generates a certificate request using the previously generated key file prvtkey.pem.
It produces a new file, cert.csr, the certificate request file. You can take this file to a digital certification authority (CA) to request a digital certificate. The CA will give you back a new file, cacert.pem, which is your digital certificate.
Step 3: send the certificate request to the certification authority (CA)
If you are only doing your own testing, the applicant and the issuer of the certificate are the same party. You can generate the certificate with the following command:

The code is as follows:
openssl req -new -x509 -key prvtkey.pem -out cacert.pem -days 1095

This command generates the digital certificate cacert.pem using the key prvtkey.pem generated above.
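The three client steps of section 1 and the summary above both stop at the point where the request is handed to the CA. The script below, an added example that is not part of the original tutorial, carries the flow through the CA side: the CA self-signs its own certificate with req -x509, checks the client's request, issues the client certificate with openssl x509 -req, and a relying party then verifies the result with openssl verify against the CA it trusts, and sees it fail against a CA it does not. The config file ext.cnf, the key and certificate file names, the CA names and the host name www.example.test are constructed; the openssl CLI and a POSIX shell are assumed. -nodes is used so the demonstration needs no pass phrase; for real keys use -passout (and avoid the pass: form on the command line, which is visible to other users in the process list).

```shell
#!/bin/sh
# Added example: key -> request -> CA-issued certificate -> chain verification.
set -eu

# Constructed config: a minimal [ req ] section plus the extension sections
# used for the CA certificate and for the issued client certificate.
write_ext_config() {  # $1 = config path
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.test
EOF
}

# A self-signed CA certificate: the role of the root a browser has built in.
make_ca() {  # $1 = dir, $2 = CA name
  openssl req -x509 -new -newkey rsa:2048 -nodes -batch -days 365 \
      -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=Constructed $2" \
      -config "$1/ext.cnf" -extensions v3_ca 2>/dev/null
}

# Client side, steps 1 and 2: key pair and certificate request.
make_client_csr() {  # $1 = dir
  openssl req -new -newkey rsa:2048 -nodes -batch \
      -keyout "$1/client.key" -out "$1/client.csr" \
      -subj "/C=AU/O=Internet Widgits Pty Ltd/CN=www.example.test" \
      -config "$1/ext.cnf" 2>/dev/null
}

# CA side, step 3: verify the request's self-signature, then sign it with the
# CA key, adding the leaf extensions from the config instead of copying any
# extensions the requester may have asked for.
issue_client_cert() {  # $1 = dir, $2 = CA name
  result=$(openssl req -verify -noout -in "$1/client.csr" 2>&1) || true
  case $result in *"verify OK"*) ;; *) return 1 ;; esac
  openssl x509 -req -days 365 -in "$1/client.csr" \
      -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
      -extfile "$1/ext.cnf" -extensions v3_leaf \
      -out "$1/client.crt" 2>/dev/null
}

# Relying-party check: does the certificate chain to the CA we trust?
chains_to() {  # $1 = trusted CA certificate, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if issuance works and a certificate from an untrusted CA is rejected.
run_demo() {
  work=$(mktemp -d)
  write_ext_config "$work/ext.cnf"
  make_ca "$work" ca
  make_ca "$work" other_ca
  make_client_csr "$work"
  issue_client_cert "$work" ca || { rm -rf "$work"; return 1; }
  chains_to "$work/ca.crt" "$work/client.crt" || { rm -rf "$work"; return 1; }
  # The same certificate must not verify against a CA that did not issue it.
  if chains_to "$work/other_ca.crt" "$work/client.crt"; then rm -rf "$work"; return 1; fi
  rm -rf "$work"
}

run_demo && echo "client.crt issued by ca.crt and verified against it"
```

The failing check against other_ca.crt is the situation described in section 1 for the browser: a certificate signed by a CA that is not among the trusted ones does not verify, no matter how well-formed it is. Note that openssl x509 -req takes its extensions from -extfile, so the CA stays in control of what the issued certificate asserts.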
