Use OpenSSL to generate a certificate

Source: Internet
Author: User
Tags openssl x509

Use OpenSSL to generate a certificate

Step 1. Create key (password protected)

Openssl genrsa-out prvtkey. pem 1024/2038 (with out password protected)

Openssl genrsa-des3-out prvtkey. pem1024/2048 (password protected)

The command generates a 1024/2048-bit key.

Step 2. Create certification request

Openssl req-new-key prvtkey. pem-out cert. csr

Openssl req-new-nodes-key prvtkey. pem-out cert. csr

This command will generate a certificate request, of course, with the previous generated key prvtkey. pem File
Here a new file cert. csr is generated, that is, a certificate request file. You can use this file to apply for a digital certificate from a digital certificate authority (CA. CA will give you a new file cacert. pem, which is your digital certificate.

Step 3: Send certificate request to Certification Authority (CA)

If you perform the test on your own, the certificate applicant and the issuing authority are both on your own. You can use the following command to generate a certificate:
Openssl req-new-x509-key prvtkey. pem-out cacert. pem-days 1095
This command uses the private key. pem generated above to generate a digital certificate cacert. pem

For the cacert. pem generation process, see "create your own CA through OpenSSL"

With the privkey. pem and cacert. pem files, you can use them in your own program, such as a server that implements encrypted communication.


Establish your own CA using OpenSSL

(1) Prepare the environment

First, you need to prepare a directory for storing the CA file, including the issued Certificate and CRL (Certificate Revoke List ).
Here we select the directory/var/MyCA.

Then we create two directories under/var/MyCA. certs is used to save copies of all the certificates issued by our CA, and private is used to save the private key of the CA certificate.

In addition to generating keys, we also need to create three files in our CA system. The first file is used to track the serial number of the last issued certificate. we name it serial and initialize it to 01. The second file is a Sort database used to track issued certificates. We named "index.txt" and the file content is empty.

$ Mkdir/var/MyCA
$ Cd/var/MyCA
$ Mkdir certs private
$ Chmod g-rwx, o-rwx private
$ Echo "01"> serial
$ Touch index.txt

The third file is the OpenSSL configuration file, which is difficult to create. Example:

$ Touch openssl. cnf

The file content is as follows:

Default_ca = myca

Dir =/var/MyCA
Certificate = $ dir/cacert. pem
Database = $ dir/index.txt
New_certs_dir = $ dir/certs
Private_key = $ dir/private/cakey. pem
Serial = $ dir/serial

Default_crl_days = 7
Default_days = 365
Default_md = md5

Policy = myca_policy
X509_extensions = certificate_extensions

CommonName = supplied
StateOrProvinceName = supplied
CountryName = supplied
EmailAddress = supplied
OrganizationName = supplied
OrganizationalUnitName = optional

BasicConstraints = CA: false

We need to inform the path of the OpenSSL configuration file. There are two ways to achieve this: using the config Command Option and using the environment variable OPENSSL_CONF. Here we select the environment variable method.

$ OPENSSL_CONF =/var/MyCA/openssl. cnf"

(2) generate a Root Certificate (Root Certificate)

We need a certificate to sign the certificate issued by ourselves. This certificate can be obtained from other cas or self-Signed root certificates. Here we generate a self-Signed root certificate.

First, we need to add some information to the configuration file, as shown below. The section name is the same as the command req of the command line tool. We write all the necessary information into the configuration, instead of entering it in the command line. This is the only way to specify the X.509v3 extension and gives us a clear grasp of how to create a root certificate.

Default_bit = 2048
Default_keyfile =/var/MyCA/private/cakey. pem
Default_md = md5
Prompt = no
Distinguished_name = root_ca_distinguished_name
X509_extensions = root_ca_extensions
CommonName = My Test CA
StateOrProvinceName = HZ
CountryName = CN
EmailAddress =
OrganizationName = Root Certification Authority
BasicConstraints = CA: true

Everything is ready. We can generate the root certificate. Note that the environment variable OPENSSL_CONF is set.

$ Openssl req-x509-newkey rsa-out cacert. pem-outform PEM-days 356

Note: "-days 356" controls the validity period to 365 days. The default value is 30 days.

Verify the generated file.

$ Openssl x509-in cacert. pem-text-noout

(3) issue a certificate to the customer

Before issuing a certificate to a customer, the customer must provide the basic information of the certificate. We also open a terminal window and use the default OpenSSL configuration file (do not let the previous OPENSSL_CONF interfere with us, that configuration is specifically used to generate the root certificate ).

The command is similar to the one used to generate the root certificate. It is req, but some additional information is required. As follows:

$ Openssl req-newkey rsa: 1024-keyout testkey. pem-keyform PEM-out testreq. pem-outform PEM

The first password is used to encrypt the private key testkey. pem. The second password is generally ignored by OpenSSL.
Two files are generated: testkey. pem, private key, testreq. pem, and request information, including the public key.

Let's see what information testreq. pem has?

$ Openssl req-in testreq. pem-text-noout

Now, we can submit testreq. pem to our CA to generate the certificate.
For convenience, we assume that testreq. pem is in // var/MyCA/private.

$ Openssl ca-in testreq. pem

There are three prompts, one is to ask your CA's private key password, two is to confirm, the output is the certificate issued to the customer.
You can use the batch option to cancel the command prompt. You can use the notext option to cancel the certificate output display.
In addition, you can issue certificates to multiple customers at a time by replacing the in option with the infiles option, but this option must be placed at the end, because any subsequent characters are processed as the file name list.

The generated certificate is stored in the certsdirectory. At the same time, the content of index.txt and serial has changed.

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to sign multi-domain certificates

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.