From: http://blog.chinaunix.net/uid-311680-id-2973653.html
1.1 Using OpenSSL commands to issue level 2 and level 3 digital certificates
The following uses Linux as the example platform.
1.1.1 Configuring the CA mechanism of OpenSSL on Linux
The CA mechanism of OpenSSL is configured mainly through the openssl.cnf file, which specifies the rules the CA follows when generating, issuing and revoking certificates. The openssl ca command needs a correctly written openssl.cnf to run. (Strictly speaking, the ca command does not depend entirely on openssl.cnf: every setting can also be supplied on the command line, but that is too cumbersome for regular use and is not recommended.) So the first step is to point openssl ca at a correct configuration file. The important fields of that file are listed below.
[ ca ]
default_ca = CA_default
This section is very simple: it holds a single key, default_ca, whose value is the name of the section containing the default CA configuration, here CA_default. When OpenSSL issues a certificate it looks in the CA_default section for the corresponding settings.
One configuration file may hold several CA configurations; default_ca selects the one in use.
[ CA_default ]
This section holds the CA configuration proper. It mainly describes the CA's root directory structure, which tells OpenSSL where to find the files it needs when issuing a certificate and where to store the files it generates.
[ CA_default ]
dir            = /etc/ssl/demoCA          # root directory of the CA
certs          = $dir/certs               # where issued certificates are stored
crl_dir        = $dir/crl                 # where certificate revocation lists are stored
database       = $dir/index.txt           # database index file recording every issued certificate
#unique_subject = no                      # 'no' allows several certificates with the same subject to exist at once
new_certs_dir  = $dir/newcerts            # default location for newly issued certificates
certificate    = $dir/cacert.pem          # the CA certificate
serial         = $dir/serial              # file holding the current serial number
crl            = $dir/crl.pem             # the current CRL
private_key    = $dir/private/cakey.pem   # the CA private key
RANDFILE       = $dir/private/.rand       # seed file read and written by the random number generator
Note that key names such as certificate and private_key are case-sensitive, and $dir refers back to the dir entry of the same section.
When the req command is used on the command line to generate a certificate request, it must be given the subject information for the request; a section with the name that the req configuration refers to supplies that information.
[ req_distinguished_name ]
The keys of this section are the subject fields you are asked to fill in when the req command builds a certificate request.
1.1.2 Generating the CA certificate and user certificate
1.1.2.1 Issuing a level 2 digital certificate
(1) $ sudo openssl req -x509 -newkey rsa:1024 -out cacert.pem -outform PEM
This step generates a 1024-bit RSA private key, privkey.pem, and uses it to issue the self-signed certificate cacert.pem, which serves as the CA root certificate from now on. You are prompted first for the passphrase protecting privkey.pem and then for the subject information of the CA root certificate.
(2) $ sudo cp privkey.pem /etc/pki/demoCA/private/cakey.pem
Copy the CA private key privkey.pem to /etc/pki/demoCA/private under the name cakey.pem. The CA looks for cakey.pem in this directory when it issues a certificate.
(3) $ sudo cp cacert.pem /etc/pki/demoCA
Copy cacert.pem into the /etc/pki/demoCA directory. The CA looks for cacert.pem in this directory when it issues a certificate.
(4) $ sudo openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
Generate a user key and a certificate request for it. You are prompted first for the passphrase protecting the private key file testkey.pem and then for the user information that goes into the request file testreq.pem. The CA verifies the information in this request when the user applies for a certificate.
(5) $ sudo openssl ca -in testreq.pem -out testres.pem -config openssl.cnf
The ca command is a simulated CA server that implements the basic functions of a CA. It verifies the information in the certificate request and, if it is correct, asks whether to issue the certificate. Answer yes and the CA issues the certificate testres.pem.
Note: the command above may fail with the error
variable lookup failed for CA_default::certificate
7436:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=certificate
Solution: the key in openssl.cnf must be spelled certificate, but it was written as Certificate; key names are case-sensitive.
The command above can also be written as:
openssl ca -in testreq.pem -out testres.pem -cert cacert.pem -keyfile privkey.pem -config openssl.cnf
The difference is that the first form uses the default root certificate and private key from the CA directory, while the second names the root certificate and private key explicitly with -cert and -keyfile.
1.1.2.2 Issuing a level 3 digital certificate
(1) The private key and root certificate are generated exactly as for the level 2 certificate above; refer to that section.
(2) Issuing the intermediate certificate:
openssl ca -extensions v3_ca -out ca2008.crt -in testreq.pem -config openssl.cnf
Note: the -extensions v3_ca parameter is required when issuing an intermediate certificate, because it adds the CA extensions that allow the certificate to sign further certificates; it is not needed for user certificates.
(3) Issuing the level 3 certificate:
openssl ca -in 3testreq.pem -out 3testres_3.pem -cert ca2008.crt -keyfile testkey.pem -config openssl.cnf
Here -cert and -keyfile point at the intermediate certificate and its private key (testkey.pem, the key whose request was signed in step (2)), so the level 3 certificate is signed by the intermediate rather than by the root.
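The directory layout and configuration from 1.1.1 together with the two-level and three-level issuance steps from 1.1.2, as one added shell example that is not part of the original post. It works in a throwaway directory with a minimal openssl.cnf of its own, uses 2048-bit keys and SHA-256 instead of the post's 1024-bit keys, leaves the CA keys unencrypted (-nodes) so it runs without prompts, and uses made-up subject names; the section names v3_ca and usr_cert, the function names and all paths are assumptions of this example. The intermediate is given its own database and serial file rather than sharing the root's, which is the cleaner alternative to the -cert/-keyfile form of step (3).

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway
# root -> intermediate -> leaf chain with a self-contained openssl.cnf and
# verify it.  Needs the openssl CLI; every path, section name and subject
# below is constructed for this example.
set -eu

# Create the layout [CA_default] refers to and write a minimal openssl.cnf
# into it.  $1 = CA root directory.  Key names are case-sensitive
# ("certificate", not "Certificate"): that is the lookup error the post hits.
make_ca_dir() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"        # empty certificate database
    echo 1000 > "$dir/serial"   # next serial number, in hex
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $dir
certs          = \$dir/certs
crl_dir        = \$dir/crl
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
unique_subject = no
policy         = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Step (1): self-signed root certificate and key, written straight into the
# slots [CA_default] names (the post copies privkey.pem and cacert.pem there).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Step (4): key plus certificate request.  $1 = CA dir, $2 = key file,
# $3 = request file, $4 = common name.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$4" -keyout "$2" -out "$3" 2>/dev/null
}

# Step (5): sign request $2 into $3 with the CA rooted at $1.  $4 is the
# extension section: v3_ca for an intermediate, usr_cert for an end entity.
sign_request() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$4" \
        -in "$2" -out "$3" 2>/dev/null
}

# True when the certificate carries basicConstraints CA:TRUE, i.e. it was
# issued with -extensions v3_ca and may sign further certificates.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Chain check: $1 trusted root, $2 intermediate, $3 leaf.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Issue the whole three-level chain under $1 and verify it.
build_chain() {
    root="$1/root"; inter="$1/intermediate"
    make_ca_dir "$root"
    make_root "$root"
    make_request "$root" "$1/inter.key" "$1/inter.csr" "Example Intermediate CA"
    sign_request "$root" "$1/inter.csr" "$1/inter.crt" v3_ca
    # The intermediate gets its own database and serial file; its certificate
    # and key take the cacert.pem / cakey.pem slots of that directory.
    make_ca_dir "$inter"
    cp "$1/inter.crt" "$inter/cacert.pem"
    cp "$1/inter.key" "$inter/private/cakey.pem"
    make_request "$inter" "$1/leaf.key" "$1/leaf.csr" "server.example.test"
    sign_request "$inter" "$1/leaf.csr" "$1/leaf.crt" usr_cert
    verify_chain "$root/cacert.pem" "$1/inter.crt" "$1/leaf.crt"
}

# Stand-alone run: sh ca_chain.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    build_chain "$work" && echo "chain verified under $work"
fi
```

Run it as sh ca_chain.sh run. The is_ca_cert check makes the note about -extensions v3_ca concrete: the intermediate signed with v3_ca carries CA:TRUE, the leaf signed with usr_cert does not, and only the former is accepted by openssl verify as a signer of further certificates.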