Use OpenSSL to issue a certificate

Source: Internet
Author: User
Tags: openssl, commands


1.1 Using OpenSSL commands to issue second-level and third-level digital certificates (two-tier and three-tier chains)
The following uses Linux as an example.

1.1.1 Configuring the CA mechanism of OpenSSL on Linux
The CA mechanism of OpenSSL is driven by the openssl.cnf file in OpenSSL's configuration directory (typically /etc/ssl/openssl.cnf or /etc/pki/tls/openssl.cnf). It lays down the rules the CA follows when generating, issuing and revoking certificates, and the openssl ca command only runs correctly against a correctly written openssl.cnf. The command does not depend on the file for everything: the CA certificate, private key, output directory, validity period, digest and policy can all be given as command-line options instead, but the certificate database and serial file cannot, and passing everything on the command line is cumbersome and not recommended. So the first task is to point openssl ca at a correct configuration file (-config). The important fields of that file are listed below.


[ ca ]
default_ca = CA_default

This section is very simple and contains a single key, default_ca. Its value is the name of the section that holds the CA's default configuration, here CA_default: when openssl ca issues a certificate it looks in the CA_default section for its settings.

A configuration file may contain several CA sections; default_ca selects the one used unless openssl ca -name <section> picks another.


[ CA_default ]

This section holds the CA configuration proper: above all the root directory of the CA's file tree, which tells OpenSSL where to find the files it needs to issue a certificate and where to write the files it generates.


dir             = /etc/ssl/demoCA            # root directory of the CA's file tree
certs           = $dir/certs                 # where issued certificates are kept
crl_dir         = $dir/crl                   # where certificate revocation lists are kept
database        = $dir/index.txt             # text database recording every certificate issued
#unique_subject = no                         # 'no' allows several valid certificates with the same subject at once
new_certs_dir   = $dir/newcerts              # default location for newly issued certificates, one file per serial number
certificate     = $dir/cacert.pem            # the CA certificate
serial          = $dir/serial                # file holding the next serial number (hexadecimal)
crl             = $dir/crl.pem               # the current CRL
private_key     = $dir/private/cakey.pem     # the CA private key
RANDFILE        = $dir/private/.rand         # file used to seed, and to save the state of, the random number generator

Two things this fragment does not do for you: the directories must exist, index.txt must exist (empty at first) and serial must contain an initial number such as 01 before openssl ca is run for the first time, and the private directory and cakey.pem should be readable only by the account that operates the CA (chmod 700 and 600). Key names are case sensitive, so they must be spelled exactly as above.

The req command, which generates a certificate request, also takes its settings from openssl.cnf, from a section named after the command, [ req ]. Its distinguished_name key names the section that describes the subject fields the user is asked for:

[ req ]
distinguished_name = req_distinguished_name

The keys of the req_distinguished_name section are the fields (country, organization, common name and so on) to be filled in when openssl req builds the certificate request; each field can carry a prompt text, a default value and length limits (for example countryName_default = CN).

1.1.2 Generating the CA certificate and user certificates

Issuing a second-level (two-tier) digital certificate

(1) $ sudo openssl req -x509 -newkey rsa:1024 -out cacert.pem -outform PEM

This step generates a 1024-bit RSA private key, written to privkey.pem (the default when -keyout is not given), and uses it to create the self-signed certificate cacert.pem, which will serve as the CA root certificate from now on. You are prompted first for a pass phrase to encrypt privkey.pem and then for the subject information of the root certificate. Two caveats: -x509 without -days yields a certificate valid for only 30 days, so add -days for a real root; and 1024-bit RSA is kept here as in the original but is far too weak today, so use rsa:2048 or larger and -sha256 outside a lab.

(2) $ sudo cp privkey.pem /etc/pki/demoCA/private/cakey.pem

Copy the CA private key privkey.pem to /etc/pki/demoCA/private under the name cakey.pem, which is the private_key path the CA reads when issuing a certificate. The directory must be the one set as dir in openssl.cnf (the fragment above uses /etc/ssl/demoCA; adjust one or the other so they agree), and the copied key should be readable only by root (chmod 600).

(3) $ sudo cp cacert.pem /etc/pki/demoCA

Copy cacert.pem into /etc/pki/demoCA; this is the certificate path the CA reads when issuing a certificate.

(4) $ sudo openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM

Generate a user key testkey.pem and a certificate signing request (CSR) testreq.pem for it. You are prompted for a pass phrase to protect testkey.pem and then for the subject information that goes into testreq.pem. The CSR is what the user submits to the CA; the CA checks it before issuing the certificate.

(5) $ sudo openssl ca -in testreq.pem -out testres.pem -config openssl.cnf

openssl ca is a minimal CA that implements the basic functions of a CA server. It verifies the CSR's self-signature, checks the subject against the policy section named in openssl.cnf, shows the certificate about to be issued and asks whether to sign it and whether to commit the result. Answer y to both and the CA writes the signed certificate testres.pem, appends a record to index.txt, advances the serial file and keeps a copy in new_certs_dir.

Note: the preceding command may fail with an error of this form:

variable lookup failed for CA_default::certificate

7436:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=certificate

Solution: configuration keys are case sensitive. The key in [ CA_default ] had been written as Certificate; it must be spelled certificate, all lowercase. The same applies to every other key in the file.

The preceding command can also be written as follows:

openssl ca -in testreq.pem -out testres.pem -cert cacert.pem -keyfile privkey.pem -config openssl.cnf

The difference is that the first form uses the CA certificate and private key configured in openssl.cnf (certificate and private_key under [ CA_default ]), while the second overrides them with -cert and -keyfile. The database, serial file and output directory still come from the configuration file in both cases.

Issuing a third-level (three-tier) digital certificate
(1) Generating the CA private key and root certificate is the same as for the second-level certificate above; refer to those steps.

(2) Issuing the intermediate CA certificate:

openssl ca -extensions v3_ca -out ca2008.crt -in testreq.pem -config openssl.cnf

Note: -extensions v3_ca is required when issuing an intermediate CA certificate and is not used for user certificates. The v3_ca section of openssl.cnf sets basicConstraints = CA:TRUE (optionally also keyUsage = keyCertSign, cRLSign); without it the default user-certificate extensions (CA:FALSE) are applied, and verifiers will reject anything the intermediate signs. testreq.pem here is a request generated as in step (4) above, so its key testkey.pem becomes the intermediate CA's private key.

(3) Issuing the third-level (user) certificate with the intermediate CA:

openssl ca -in 3testreq.pem -out 3testres_3.pem -cert ca2008.crt -keyfile testkey.pem -config openssl.cnf

3testreq.pem is a new user request generated with a fresh key, again as in step (4); -cert and -keyfile make the intermediate's certificate and key do the signing. Because -config still names the root CA's openssl.cnf, the intermediate shares the root's index.txt and serial file; for anything beyond a test, give the intermediate its own directory tree and configuration so that each CA keeps its own database and serial numbers. The resulting certificate verifies only with the full chain, for example openssl verify -CAfile cacert.pem -untrusted ca2008.crt 3testres_3.pem.
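The configuration of 1.1.1, the second-level issuance and the third-level issuance above, as one script that can be run end to end. This is an added example, not code from the original article: the openssl.cnf it writes, the directory layout, the subject names and the 2048-bit key size are its own assumptions (the article's rsa:1024 is not used), and it expects an openssl binary (1.1.1 or 3.x) on PATH. It gives the intermediate its own directory tree and configuration, signs the intermediate's request once with -extensions v3_ca and once without to show that only the former yields a CA certificate, and finishes with openssl verify over the full chain.

```shell
#!/usr/bin/env bash
# Added example, not from the article: root -> intermediate -> user certificate
# with "openssl ca" in a scratch directory. Assumed: openssl 1.1.1 or 3.x on PATH;
# the subject names, file layout and 2048-bit RSA keys are chosen here.
set -eu

# Minimal openssl.cnf for a CA whose tree lives in $1. Keys in [ CA_default ] are
# looked up case-sensitively: "Certificate = ..." would fail the lookup.
write_ca_cnf() {
  local dir="$1"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_cn_only
x509_extensions = usr_cert
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
[ req_distinguished_name ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Tree openssl ca expects: output directory, empty database, initial serial.
init_ca_tree() {
  local dir="$1"
  mkdir -p "$dir/newcerts" "$dir/private"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  write_ca_cnf "$dir"
}

# Self-signed root, written to the paths [ CA_default ] points at.
make_root_ca() {
  local dir="$1" cn="$2"
  init_ca_tree "$dir"
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/private/cakey.pem" -subj "/CN=$cn" -days 3650 \
    -extensions v3_ca -config "$dir/openssl.cnf" -out "$dir/cacert.pem"
}

# Key plus certificate signing request for an intermediate or an end entity.
make_csr() {
  local key="$1" csr="$2" cn="$3" cnf="$4"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -subj "/CN=$cn" -config "$cnf" -out "$csr"
}

# Sign a CSR with the CA in $1 using extension section $4 (v3_ca or usr_cert).
issue() {
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$4" \
    -in "$2" -out "$3" 2>/dev/null
}

is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# verify_chain ROOT INTERMEDIATE LEAF: succeeds only if the whole chain is valid.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null; }

build_chain() {
  make_root_ca "$1/root" "Example Root CA"
  # Intermediate with its own tree (own index.txt and serial); the root signs
  # its request with -extensions v3_ca.
  init_ca_tree "$1/intermediate"
  make_csr "$1/intermediate/private/cakey.pem" "$1/intermediate/request.pem" \
    "Example Intermediate CA" "$1/intermediate/openssl.cnf"
  issue "$1/root" "$1/intermediate/request.pem" "$1/intermediate/cacert.pem" v3_ca
  # Same request signed without v3_ca: CA:FALSE, so it cannot act as a CA.
  issue "$1/root" "$1/intermediate/request.pem" "$1/not_a_ca.pem" usr_cert
  # Third-level (user) certificate issued by the intermediate.
  mkdir -p "$1/leaf"
  make_csr "$1/leaf/key.pem" "$1/leaf/request.pem" "www.example.test" "$1/root/openssl.cnf"
  issue "$1/intermediate" "$1/leaf/request.pem" "$1/leaf/cert.pem" usr_cert
}

DEMO_DIR=$(mktemp -d)
build_chain "$DEMO_DIR"
verify_chain "$DEMO_DIR/root/cacert.pem" "$DEMO_DIR/intermediate/cacert.pem" \
  "$DEMO_DIR/leaf/cert.pem" && echo "chain verifies, files under $DEMO_DIR"
```

Run it with bash; it leaves every key, request, certificate, index.txt and serial file in a fresh mktemp directory and prints the path. Every openssl ca call uses -batch, so the y/n prompts of the interactive run in the article do not appear; remove the 2>/dev/null in issue to watch the CA verify the request and update its database. not_a_ca.pem is the same intermediate request signed with the user-certificate extensions: openssl x509 -text shows CA:FALSE for it, and a chain built through it fails verification, which is exactly why -extensions v3_ca is mandatory for an intermediate.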

