Use OpenSSL in RHEL6.3 to generate CA certificates and issue certificate instance resolution

Source: Internet
Author: User
1. Configure OPENSSL [root @ test1/] # rpm-qa | grepopensslopenssl-1.0.0-20.el6_2.5.i686 [root @ test1/] # cd/etc/pki/tls [root @ test1tls] # lscert. pemcertsmiscopen

1. Configure OPENSSL
[Root @ test1/] # rpm-qa | grep openssl
Openssl-1.0.0-20.el6_2.5.i686
[Root @ test1/] # cd/etc/pki/tls
[Root @ test1 tls] # ls
Cert. pem certs misc openssl. cnf private
[Root @ test1 tls] # vim openssl. cnf
######################################## ############################
[CA_default]
 
Dir =/etc/pki/CA # Where everything is kept (CA center Directory)
Certs = $ dir/certs # Where the issued certs are kept (certificate storage directory)
Crl_dir = $ dir/crl # Where the issued crl are kept (directory of the revoked certificate)
Database = $ dir/index.txt # database index file. (certificate index file)
# Unique_subject = no # Set to 'no' to allow creation
# Several ctificates with same subject.
New_certs_dir = $ dir/newcerts # default place for new certs. (certificate Backup Directory signed by the CA)
 
Certificate = $ dir/my-ca.crt # The CA certificate (CA's public key file name)
Serial = $ dir/serial # The current serial number (certificate serial number issued by The CA)
Crlnumber = $ dir/crlnumber # the current crl number (certificate serial number revoked)
# Must be commented out to leave a V1 CRL
Crl = $ dir/my-ca.crl # The current CRL (Certificate Revocation List)
Private_key = $ dir/private/my-ca.key # The private key (CA private key file)
RANDFILE = $ dir/private/. rand # private random number file
 
X509_extensions = usr_cert # The extentions to add to the cert
 
Default_days = 365 # how long to certid for (certificate validity period)
Default_crl_days = 30 # how long before next CRL
Default_md = default # use public key default MD
Preserve = no # keep passed DN ordering
 
[Policy_match] # This section is the certificate-related information option. match specifies the item and requires that the signed certificate must be consistent with the corresponding item of the CA.
CountryName = match
StateOrProvinceName = match
OrganizationName = match
OrganizationalUnitName = optional
CommonName = supplied
EmailAddress = optional
 
#
[Req_distinguished_name]
CountryName = Country Name (2 letter code)
CountryName_default = CN (country code needs to be modified by yourself)
CountryName_min = 2
CountryName_max = 2
 
StateOrProvinceName = State or Province Name (full name)
StateOrProvinceName_default = Hebei (the State or province name must be modified by yourself)
 
LocalityName = Locality Name (eg, city)
LocalityName_default = Beijing (the location name must be modified by yourself)
 
0. organizationName = Organization Name (eg, company)
0. organizationName_default = Tianli Company (the organization or Company name must be modified by yourself)
 

[Root @ test1 tls] # cd ../CA/
[Root @ test1 CA] # ls
Certs crl newcerts private
Note: You need to create these directories if they do not exist.
[Root @ test1 CA] # touch index.txt
[Root @ test1 CA] # echo "00"> serial
[Root @ test1 CA] # ls
Certs crl index.txt newcerts private serial
 
II. Key creation process
Create Private Key
[Root @ test1 CA] # (umask 077; openssl genrsa-out private/my-ca.key-des3 2048)
Generating RSA private key, 2048 bit long modulus
........................................ .................... ++
... + +
E is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying-Enter pass phrase for private/my-ca.key:
 
Generate a public key from the private key
[Root @ test1 CA] # openssl req-new-x509-key private/my-ca.key-days 365> my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be ininitialized
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: CN
State or Province Name (full name) []: Hebei
Locality Name (eg, city) [Beijing]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: test1
Email Address []:
[Root @ test1 CA] # ls
Certs crl index.txt my-ca.crt newcerts private serial

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.