Use OpenSSL to generate certificates in Windows and Linux

Source: Internet
Author: User

To generate a certificate in OpenSSL, follow these steps:
1. generate an RSA private key file and generate a certificate application for this private key file.
First, you must enter a password to encrypt the RSA private key file and ask the user to confirm the password. Then, the user is required to enter the user's information for the certificate application file, such as the country, region, city, and name of the user (the remaining information is optional, these are related to ca policies ). Here, you must enter the information truthfully. This information will be used for information verification and compared with the CA root certificate to check whether the content matches.
2. Use the CA command to review and issue the certificate application in the CA.
First, the certificate information will be verified. After the verification is completed, the certificate information will be displayed and asked the Administrator to confirm. Once confirmed by the Administrator, the certificate will be issued. The issued certificate will be saved in the CA's newcert directory, and the file name will be named by the certificate serial number.
The following is a detailed example of certificate generation.
Use OpenSSL to generate certificates in Linux
1. First, we need to create a basic ca directory structure.
Create the newcerts, cert, private, and CRL directories under the CA directory specified in the OpenSSL. CNF file. (The CA root directory specified here is/etc/SSL/democa)
$ Sudo mkdir certs
$ Sudo mkdir private
$ Sudo mkdir CRL
$ Sudo mkdir newcerts
Create an empty file index.txt in the directory specified in the openssl.cnf file.
$ Sudo VI index.txt save directly
The serial file is created under the CA directory specified in the OpenSSL. CNF file, and the value 01 is written to the file using vi.
$ Sudo VI serial and write the value "01", then save and exit.

You can also use the ca. pl script to automatically create the required directory.

Copy the ca. pl file under the apps directory to the directory where you want to place the CA directory structure, and run Perl ca. pl-newca.

2. configuration of CA mechanism under OpenSSL in Linux
The CA mechanism configuration in OpenSSL mainly depends on the OpenSSL. CNF file in the root directory. It specifies the main rules for Ca generation, issuance, and revocation of certificates. In addition, the CA commands of OpenSSL must be properly configured with OpenSSL. the CNF file configuration can be correctly run (the CA command does not necessarily depend entirely on OpenSSL. the configuration in the CNF file can run normally. In fact, there is another mechanism in the CA command, you can specify the corresponding configuration information in the command line, but this method is too cumbersome to use, is not recommended ). Therefore, you must first specify a correct configuration file for the OpenSSL ca. The following lists the important fields in the file.
[Ca]
Default_ca = ca_default
This part is very simple and contains only one key value default_ca. Its value is the name of the segment that saves the default configuration of CA. Here it is ca_default. This means that when OpenSSL generates a certificate, it will go to the ca_default field to find the corresponding configuration information.
The OpenSSL command allows multiple CA configurations in a configuration file.
[Ca_default]
This section contains the CA configuration information, which mainly includes the root directory structure of the specified Ca, and tells OpenSSL to go there to find the file he needs to issue the certificate, and the storage location of the file to be generated.
[Ca_default]
Dir =/etc/SSL/democa # specifies the root directory of the CA.
Certs = $ DIR/certs # storage directory of the issued certificate
Crl_dir = $ DIR/CRL # directory for storing the Certificate Revocation List
Database = $ DIR/index.txt # database index file, used to store certificate issuing information.
# Unique_subject = No # setting it to 'no' indicates that multiple certificates with the same subject can be created simultaneously.
New_certs_dir = $ DIR/newcerts # Set the default location for storing newly issued certificates
Certificate = $ DIR/cacert. pem # specify the CA certificate
Serial = $ DIR/serial # specify the file to store the current serial number
CRL = $ DIR/CRl. pem # current CRL
Private_key = $ DIR/private/cakey. pem # private key of CA
Randfile = $ DIR/private/. Rand # specifies a seed file used for reading and writing the random key.
When we need to use the req command in the command line to generate a certificate request file, we must provide necessary information for the req command, and provide the same segment as the name in the command line, to configure necessary information.
[Req_distinguished_name]
Req_distinguished_name the key value of this extended region is the information we want to be filled in when using the req command to generate a certificate request file.
3. Generate the CA certificate and user certificate.
(1) $ sudo OpenSSL req-X509-newkey RSA: 1024-out cacert. pem-outform PEM
This step is used to generate a 1024-bit RSA private key "privkey. PEM, and use it to issue a certificate "cacert. PEM ", this certificate will be used as a CA root certificate in the future (here the user is required to fill in the corresponding information, the first is privkey. PEM encryption password, which is the corresponding information of the CA root certificate ).
(2) $ sudo CP privkey. PEM/etc/SSL/democa/private/cakey. pem
Copy the private key privkey. pem of CA to/etc/SSL/democa/private and change it to Cakey. pem. The CA will find the cakey. pem file in this directory when issuing the certificate.
(3) $ sudo CP cacert. PEM/etc/SSL/democa
Copy cacert. pem to the/etc/SSL/democa folder. The CA will find the cacert. pem file in this directory when issuing the certificate.
(4) $ sudo OpenSSL req-newkey RSA: 1024-keyout testkey. pem-keyform PEM-out testreq. pem-outform PEM
Generate a User Key and generate a certificate application for this User Key (here the user is required to enter personal information, first the private key file testkey. PEM encryption password, which is the certificate application file testreq. PEM user information ). This certificate application will be used for information verification when you apply to issue a certificate at the CA center.
(5) $ sudo OpenSSL ca-In testreq. pem-out testres. pem-config OpenSSL. CNF
The CA command is a simulated CA server program that implements the basic functions of the CA server. Here, the information in the certificate application will be verified. If it is correct, the user will be prompted whether to issue the certificate. If you select Yes, CA will apply to issue the certificate testres. pem.
(6) $ sudo cat testkey. pem testres. pem> test. pem
Combine the key file testkey. PEM and the certificate file testres. pem issued by CA into test. pem. This certificate file will be used during the omniorb authentication process (the part of the Certificate file that can be read by users can be deleted, and this part will not be used during the authentication process ).
(Cacert. PEM is the CA certificate file, and testkey. PEM is the user's private key. Privkey. PEM is the private key of the CA certificate, and testreq. PEM is the certificate request file. Testres. PEM is a certificate applied.
Combine the key file testkey. PEM and the issued certificate file testres. pem into test. pem .)
Use OpenSSL to generate certificates in Windows
1. First, we need to create a basic ca directory structure.
Create the newcerts, cert, private, and CRL directories under the CA directory specified in the OpenSSL. CNF file.
Create an empty file index.txt in the directory specified in the openssl.cnf file.
The serial file is created under the CA directory specified in the OpenSSL. CNF file, and the value 01 is written to the file using vi.
You can also use the ca. pl script to automatically create the required directory.
Copy the ca. pl file under the apps directory to the directory where you want to place the CA directory structure, and run Perl ca. pl-newca.

2. Set the OpenSSL environment variable:
Add C: & #92; openssl-0.9.8e/out32dll under system variable path
Set the environment variable openssl_conf = C: & #92; openssl-0.9.8e & #92; apps & #92; OpenSSL. CNF

3. Modify the OpenSSL installation directory/apps/OpenSSL. CNF file under the OpenSSL installation directory (note that the file type in Windows is "quick dialing". I don't know what's going on)
Make the following changes:
[Ca_default]
Dir = C: & #92; & #92; openssl-0.9.8e & #92; & #92; apps & #92; & #92; democa # where everything is kept
Certs = $ dir & #92; & #92; certs # Where the issued certs are kept
Crl_dir = $ dir & #92; & #92; CRL # Where the issued CRL are kept
Database = nvidir&%92;&%92;index.txt # database index file.
# Unique_subject = No # Set to 'no' to allow creation
# Several ctificates with same subject.
New_certs_dir = $ dir & #92; & #92; newcerts # default place for new certs.
Certificate = $ dir & #92; & #92; cacert. pem # the CA certificate
Serial = $ dir & #92; & #92; serial # The current serial number
Crlnumber = $ dir & #92; & #92; crlnumber # The current CRL number
# Must be commented out to leave a V1 CRL
CRL = $ dir & #92; & #92; CRL. pem # The current CRL
Private_key = $ dir & #92; & #92; Private & #92; & #92; cakey. pem # the Private Key
Randfile = $ dir & #92; & #92; Private & #92; & #92;. Rand # private random number File
X509_extensions = usr_cert # The Extentions to add to the CERT

4. Generate the CA certificate and user certificate.
(1) OpenSSL req-X509-newkey RSA: 1024-out cacert. pem-outform PEM
This step is used to generate a 1024-bit RSA private key "privkey. PEM, and use it to issue a certificate "cacert. PEM ", this certificate will be used as a CA root certificate in the future (here the user is required to fill in the corresponding information, the first is privkey. PEM encryption password, which is the corresponding information of the CA root certificate ).
(2) copy the private key privkey. pem of CA to/democa/private and change it to Cakey. pem. The CA will find the cakey. pem file in this directory when issuing the certificate.
(3) Copy cacert. pem to the democa folder. The CA will find the cacert. pem file in this directory when issuing the certificate.
(4) OpenSSL req-newkey RSA: 1024-keyout testkey. pem-keyform PEM-out testreq. pem-outform PEM
Generate a User Key and generate a certificate application for this User Key (here the user is required to enter personal information, first the private key file testkey. PEM encryption password, which is the certificate application file testreq. PEM user information ). This certificate application will be used for information verification when you apply to issue a certificate at the CA center.
(5) OpenSSL ca-In testreq. pem-out testres. pem
The CA command is a simulated CA server program that implements the basic functions of the CA server. Here, the information in the certificate application will be verified. If it is correct, the user will be prompted whether to issue the certificate. If you select Yes, CA will apply to issue the certificate testres. pem.
(6) Cat testkey. pem testres. pem> test. pem
Combine the key file testkey. PEM and the certificate file testres. pem issued by CA into test. pem. This certificate file will be used during the omniorb authentication process (the part of the Certificate file that can be read by users can be deleted, and this part will not be used during the authentication process ).
(Cacert. PEM is the CA certificate file, and testkey. PEM is the user's private key. Privkey. PEM is the private key of the CA certificate, and testreq. PEM is the certificate request file. Testres. PEM is a certificate applied.
Combine the key file testkey. PEM and the issued certificate file testres. pem into test. pem. This file will be used in Omni .)

Note: You can specify some default options for certificate generation in the configuration file.
For example, the start time and end time can be written in the configuration file:
Default_startdate = 010000000z # Not before: Jan 1 00:00:00 2001 GMT
Default_enddate = 15010000000z # Not after: Jan 1 00:00:00 2015 GMT
The time format is yymmddhhmmssz.

Appendix: Ca command usage
OpenSSL Ca [-verbose] [-config filename] [-name section] [-gencrl]
[-Revoke file] [-crldays days] [-crlhours hours] [-crlexts section]
[-Startdate date] [-enddate date] [-days Arg] [-MD Arg] [-policy Arg]
[-Keyfile Arg] [-key Arg] [-passin Arg] [-cert file] [-in file]
[-Out file] [-notext] [-outdir dir] [-infiles] [-spkac file]
[-Ss_cert file] [-preservedn] [-Batch] [-msie_hack] [-extensions section]
It seems that the CA command is very complicated, but it is actually very simple to use. There are not many parameters needed here. The following lists the parameters for reference.
-Config filename
Specifies the name of the configuration file to be used.
-Verbose
Display more information than usual.
-Name Section
Specifies that the configuration file contains the default ca configuration fields.
-In filename
Specifies the name of the request file to be issued by the ca. A certificate is generated here.
-Ss_cert filename
Specifies the name of the Self-issued certificate to be issued by the CA.
-Spkac filename
Specify a file name that contains the public key information issued by Netscape and challenge information.
-Infiles
If this option is used, it must be placed at the end of the command line. Each parameter specified by this option is considered to be a file containing the certificate application, then, a certificate is issued for each certificate request.
-Out filename
Specifies the file name of the file to be written into the certificate information. The default file name is written in stdout. If the gencrl option is used before, the specified file information will be written to the Certificate Revocation List.
-Outdir directory
Specifies the folder to be written to the certificate. The file name of each written file consists of a two-digit hexadecimal serial number and A. pem extension.
-Cert filename
Specifies the file that contains the CA certificate.
-Keyfile filename
Specifies the file containing the private key of the CA.
-Key Password
Specifies the password used to decrypt the CA private key file. This option is not recommended and should be replaced by-passin password.
-Passin Password
Specifies the password or password used to decrypt the CA private key file.
-Notext
Generated files that should be excluded from the output file.
-Startdate date
Specifies the certificate issuance time or certificate validity period.
-Enddate date
The certificate expiration time is specified.
-Days number
Specifies the number of days for a valid certificate to be issued.
-MD Digest
Specifies the information digest algorithm to be used.
-Policy Section
Specifies the part in the configuration file that will be used to specify the policy configuration.
-Msie_hack
If you need to use a very old version "certenr3" in the IE certificate registration control, use this option.
-Extensions Section
Specify the part of the configuration file that will be used to specify the configuration of the extensions segment.
-Gencrl
To generate a Certificate Revocation List.
-Crldays number
Specifies the date on which the certificate revocation list is refreshed (the number of days between which the next Certificate Revocation List is generated ).
-Crlhours number
Specifies the hour when the certificate revocation list is refreshed (the hour at which the next Certificate Revocation List is generated ).
-Revoke filename
Specifies a file containing the certificate to be revoked.
-Crlexts Section
Specifies the configuration of the crlexts segment in the configuration file.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.