Step 1. Create a key (with or without password protection)
$ openssl genrsa -out prvtkey.pem 1024   (or 2048; not password protected)
$ openssl genrsa -des3 -out prvtkey.pem 1024   (or 2048; password protected)
Either command generates a 1024- or 2048-bit RSA key.
Step 2. Create a certificate request
$ openssl req -new -key prvtkey.pem -out cert.csr
$ openssl req -new -nodes -key prvtkey.pem -out cert.csr
This command generates a certificate request using the key prvtkey.pem created in step 1.
The new file cert.csr is the certificate signing request. You can send this file to a certificate authority (CA) to apply for a digital certificate; the CA returns a new file, cacert.pem, which is your digital certificate.
Step 3. Send the certificate request to a certificate authority (CA)
If you are only testing, the applicant and the issuing authority are both you, and you can generate the certificate yourself with the following command:
$ openssl req -new -x509 -key prvtkey.pem -out cacert.pem -days 1095
This command uses the private key prvtkey.pem generated above to produce a self-signed digital certificate, cacert.pem, valid for 1095 days.
For how cacert.pem is produced by a real CA, see "Create your own CA with OpenSSL" below.
With prvtkey.pem and cacert.pem in hand you can use them in your own programs, for example a server that implements encrypted communication.
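The three steps above, run end to end as an added example (this is not code from the original page): the script generates the key, the request and the self-signed certificate, then performs the checks worth doing before the files are deployed. It assumes a POSIX shell and an openssl binary (1.1 or 3.x); the subject name and the 2048-bit size are constructed sample values, and sha256 is used rather than the MD5 the page's later configuration lists, because current OpenSSL builds reject MD5 signatures.

```shell
#!/bin/sh
# Added example, not from the original page: the three steps above run end
# to end, with the checks worth doing before using the files. Assumptions:
# POSIX sh and openssl 1.1 or 3.x; the subject and the 2048-bit size are
# constructed sample values. sha256 replaces the MD5 default the page's
# config later suggests, because current OpenSSL builds reject MD5 signatures.
set -eu

# key_matches_cert KEY CERT: true when CERT carries exactly the public key
# derived from KEY (the usual cause of "wrong certificate" deployment errors).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# make_selfsigned_cert DIR [BITS]: writes DIR/prvtkey.pem, DIR/cert.csr and
# DIR/cacert.pem, then verifies them.
make_selfsigned_cert() {
    dir=$1
    bits=${2:-2048}
    subj="/C=CN/ST=Hz/O=Example Test/CN=test.example.invalid"   # constructed

    # Step 1: private key. Add -des3 (as on the page) or -aes256 to protect
    # it with a passphrase; it is left unencrypted here so nothing prompts.
    openssl genrsa -out "$dir/prvtkey.pem" "$bits" 2>/dev/null

    # Step 2: certificate signing request for that key.
    openssl req -new -key "$dir/prvtkey.pem" -out "$dir/cert.csr" -subj "$subj"

    # Step 3, self-signed variant: sign with the same key, valid 1095 days.
    openssl req -new -x509 -sha256 -key "$dir/prvtkey.pem" \
        -out "$dir/cacert.pem" -days 1095 -subj "$subj"

    # Checks: the CSR's own signature, key/certificate agreement, and that
    # the certificate verifies with itself as the trust anchor.
    openssl req -in "$dir/cert.csr" -noout -verify >/dev/null 2>&1
    key_matches_cert "$dir/prvtkey.pem" "$dir/cacert.pem"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cacert.pem" >/dev/null
    echo "key, CSR and certificate written to $dir"
}

# Run stand-alone against a scratch directory when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned_cert "$(mktemp -d)"
fi
```

The key/certificate comparison is the check to keep: a certificate that verifies fine on its own but was issued for a different key is the most common reason a server refuses to start after a certificate renewal.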
-------------
OpenSSL: Create your own CA
(1) Prepare the environment
First, prepare a directory to hold the CA's files, including the certificates it issues and the CRL (certificate revocation list).
Here we use the directory /var/myca.
Then create two directories under /var/myca: certs holds copies of all certificates issued by our CA, and private holds the private key of the CA certificate.
Besides generating keys, the CA also needs three files. The first tracks the serial number of the last issued certificate; we name it serial and initialize it to 01. The second is a text database of issued certificates; we name it index.txt and leave it empty.
$ mkdir /var/myca
$ cd /var/myca
$ mkdir certs private
$ chmod g-rwx,o-rwx private
$ echo "01" > serial
$ touch index.txt
The third file is the OpenSSL configuration file, which takes more work to create. Example:
$ touch openssl.cnf
The file content is as follows:
[ ca ]
default_ca = myca

[ myca ]
dir = /var/myca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = md5
policy = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false
We need to tell OpenSSL where the configuration file is. There are two ways: the -config command-line option, or the OPENSSL_CONF environment variable. Here we use the environment variable.
$ OPENSSL_CONF=/var/myca/openssl.cnf
$ export OPENSSL_CONF
(2) Generate a root certificate
We need a certificate with which to sign the certificates we issue. It can be obtained from another CA, or it can be a self-signed root certificate. Here we generate a self-signed root certificate.
First, add some information to the configuration file, as shown below. The section name, req, is the same as the req command of the command-line tool. We put all the required information into the configuration instead of entering it on the command line; this is the only way to specify X.509v3 extensions, and it gives a clear view of how the root certificate is created.
[ req ]
default_bits = 2048
default_keyfile = /var/myca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = my test ca
stateOrProvinceName = Hz
countryName = CN
emailAddress = [email protected]
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:true
Everything is ready and we can generate the root certificate. Make sure the environment variable OPENSSL_CONF is set.
$ openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365
Note: "-days 365" sets the validity period to 365 days; the default is 30 days.
Verify the generated file:
$ openssl x509 -in cacert.pem -text -noout
(3) Issue a certificate to a customer
Before a certificate can be issued, the customer must provide the basic information for it. Open another terminal window and use the default OpenSSL configuration file there (so that the OPENSSL_CONF set above does not interfere; that configuration is meant only for generating the root certificate).
The command is similar to the one that generated the root certificate (again req), but it needs some extra options:
$ openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
The first password prompt is for encrypting the private key testkey.pem; the second (the challenge password) is generally ignored by OpenSSL.
Two files are generated: testkey.pem, the private key, and testreq.pem, the request, which includes the public key.
Let's look at what testreq.pem contains:
$ openssl req -in testreq.pem -text -noout
Now we can submit testreq.pem to our CA (in the terminal where OPENSSL_CONF is set) to generate the certificate.
For convenience, assume testreq.pem is in /var/myca/private.
$ openssl ca -in testreq.pem
There are three prompts: one asks for the CA private key password and two ask for confirmation. The output is the certificate issued to the customer.
The -batch option suppresses the prompts, and the -notext option suppresses the text dump of the certificate in the output.
You can also issue certificates to several customers at once by replacing -in with -infiles; this option must come last, because everything after it is treated as the list of file names.
The generated certificate is stored in the certs directory, and the contents of index.txt and serial have changed accordingly.
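The whole CA procedure of sections (1) to (3), as an added example script that is not part of the original page. It writes the directory layout, serial, index.txt and openssl.cnf with the same sections the page lists, creates the root certificate, builds a customer request with the default configuration, signs it with openssl ca -batch -notext, and finally checks what the page says should happen: the issued certificate chains to the root, a copy lands in certs/, serial advances and index.txt gains an entry. It assumes a POSIX shell and openssl 1.1 or 3.x; the CA lives under a directory passed as an argument instead of /var/myca, the distinguished names and e-mail addresses are constructed sample values, and sha256 with 2048-bit keys replaces the page's md5 and 1024-bit settings because current OpenSSL builds reject MD5 signatures.

```shell
#!/bin/sh
# Added example, not from the original page: the CA procedure above as one
# script. Assumptions: POSIX sh and openssl 1.1 or 3.x; the CA lives under the
# directory passed in instead of /var/myca; DNs and addresses are constructed
# sample values; sha256 and 2048-bit keys replace the page's md5 / 1024-bit
# settings because current OpenSSL builds reject MD5 signatures.
set -eu

# setup_ca_dir CADIR: directory layout, serial, index.txt and openssl.cnf.
setup_ca_dir() {
    cadir=$1
    mkdir -p "$cadir/certs" "$cadir/private"
    chmod g-rwx,o-rwx "$cadir/private"   # only the CA operator may read the key
    echo "01" > "$cadir/serial"
    : > "$cadir/index.txt"
    # $cadir is expanded by the shell here; \$dir is left for OpenSSL to expand.
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = myca

[ myca ]
dir = $cadir
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:FALSE

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = my test ca
stateOrProvinceName = Hz
countryName = CN
emailAddress = ca@example.invalid
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:TRUE
EOF
}

# make_root_cert CADIR: self-signed root from [req]; -nodes leaves the CA key
# unencrypted so nothing prompts (drop it to get the passphrase prompt).
make_root_cert() {
    openssl req -config "$1/openssl.cnf" -x509 -newkey rsa -nodes \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" -days 365 2>/dev/null
}

# make_customer_request OUTDIR: customer key and request, made with the default
# OpenSSL config (not the CA's) and carrying every field the CA policy requires.
make_customer_request() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/testkey.pem" \
        -out "$1/testreq.pem" -outform PEM \
        -subj "/C=CN/ST=Hz/O=Test Customer/CN=test.example.invalid/emailAddress=test@example.invalid" \
        2>/dev/null
}

# issue_cert CADIR CSR OUT: sign with the CA. -batch skips the confirmation
# prompts; -notext keeps the human-readable dump out of OUT.
issue_cert() {
    openssl ca -config "$1/openssl.cnf" -batch -notext -in "$2" -out "$3"
}

# demo_ca WORKDIR: run the whole flow, then check the chain and CA bookkeeping.
demo_ca() {
    cadir="$1/ca"
    setup_ca_dir "$cadir"
    make_root_cert "$cadir"
    make_customer_request "$1"
    issue_cert "$cadir" "$1/testreq.pem" "$1/testcert.pem"
    openssl verify -CAfile "$cadir/cacert.pem" "$1/testcert.pem" >/dev/null
    [ -f "$cadir/certs/01.pem" ] || return 1          # copy kept by the CA
    [ "$(cat "$cadir/serial")" = "02" ] || return 1    # next serial advanced
    grep -q '^V' "$cadir/index.txt" || return 1        # one valid entry logged
    echo "issued $1/testcert.pem; CA state in $cadir"
}

if command -v openssl >/dev/null 2>&1; then
    demo_ca "$(mktemp -d)"
fi
```

The script passes -config explicitly instead of exporting OPENSSL_CONF, so the customer request in make_customer_request really does use the default configuration as the page advises while the ca and root req commands use the CA's own file. Keeping private/ unreadable to group and others and tracking serial and index.txt are what make the CA auditable: every issued certificate has a copy in certs/ and a line in index.txt that openssl ca can later mark revoked.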