Many people probably share the same painful experience I had: using the OpenSSL library to write an encrypted communication program, the code itself is easy to write, but the whole job took several days. Besides getting the program to compile (it compiles fine even without certificate files, but then it won't run, and compiling successfully does not mean it works properly, so ......), you also have to generate the certificates and private key files both parties need in order to verify each other.
I went through a good many documents, many of them vague, and I could not face reading many more in English (I don't know whether they are any clearer to foreign readers; needless to say, too clear?). By chance I found the articles written by yawl (yawl@nsfocus.com), a rare find in Chinese (haha). They cover certificate generation, but are a bit unclear about what happens after the Certificate Signing Request (CSR) file is generated. The self-signed certificate generated afterwards can be found in many places. For signing, yawl says mod_ssl has a good script, but I cannot find it at the moment; using OpenSSL's ca command is not very troublesome either.
A word about my working environment: a diskless workstation (permissions make it inconvenient to use). My working directory is OpenSSL/bin (I cannot change environment variables; if I could, I would not need to work in this directory). To make things easier for myself I also copied openssl.cnf from the OpenSSL apps directory into this directory. The file names are all my own choices:
1. First generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
You will be prompted for a password while this runs. The password encrypts the key file (the -des3 parameter names the encryption algorithm; you can of course choose another algorithm you consider safe). From then on, whenever this file is read (through the OpenSSL commands or API), the password must be entered. If that is inconvenient you can remove the password, but then you must protect the file by other means (restrictive file permissions at the very least)! Note also that 1024-bit RSA is no longer considered adequate; for anything new, use 2048 bits or more.
Command to remove the password from the key file:
openssl rsa -in server.key -out server.key
2. openssl req -new -key server.key -out server.csr -config openssl.cnf
This generates a Certificate Signing Request (CSR). The CSR is handed to a CA for signing, and the result is the server's certificate. Prompts appear on screen; follow them and enter the requested identity information step by step.
3. Run the same commands on the client to generate its key and CSR:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4. A CSR must be signed by a CA before it becomes a certificate. You could send the file to VeriSign or a similar company for signing, but that costs a fair amount of money. Why not be your own CA?
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
(The -x509 option makes req emit a self-signed certificate instead of a CSR, so this one command produces both the CA's private key and its certificate.)
5. Use the CA certificate just generated to sign server.csr and client.csr:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Note that openssl ca only works if the [ ca ] section of openssl.cnf points at an existing database file (index.txt, created empty), a serial file (containing a starting number such as 01) and a new_certs_dir directory; with the stock openssl.cnf these live under ./demoCA. It records every issued certificate there and refuses to run if they are missing.
Now all the files we need have been generated.
In addition:
The client needs ca.crt, client.crt and client.key.
The server needs ca.crt, server.crt and server.key.
The .crt file and the .key file can be merged into one file; I merged the two into a single .pem file (simply concatenating them).
Merging the private key and CER certificate into PKCS#12 (p12) format
1) Generate the PKCS#12 file without the CA certificate:
openssl pkcs12 -export -inkey ocspserverkey.pem -in ocspservercert.pem -out ocspserverpkcs12.pfx
2) Generate the PKCS#12 file including the CA certificate:
openssl pkcs12 -export -inkey server.key -in server.crt -cafile ca.crt -chain -out server.pfx
(-chain makes pkcs12 look up and include the whole certificate chain, using the certificates given with -cafile plus the standard CA store, and the export fails if the chain cannot be completed. If you only want a known set of extra certificates added, -certfile ca.crt does that without any lookup.)
3) Split the contents of the PKCS#12 file out into a PEM file (key and certificates together; you are asked for the export password, and for a new PEM pass phrase unless -nodes is given):
openssl pkcs12 -in ocsp1.pfx -out certandkey.pem
4) Display the PKCS#12 file's contents:
openssl pkcs12 -in ocsp1.pfx -info
------------------------------------
Appendix: 1. Convert cert1.pem to .p12 format
openssl pkcs12 -export -in cert1.pem -inkey cert1.key -certfile ca.pem -out cert1.p12
2. Convert cert1.pem to .cer format: you only need to change the extension to .cer. (Windows accepts a PEM-encoded .cer file as-is; if a DER-encoded .cer is required, re-encode it with openssl x509 and -outform DER rather than just renaming.)
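The five steps above, the PKCS#12 packing and the appendix conversion, run end to end as one script. This is an added example, not code from the original post: it writes a minimal openssl.cnf on the fly (with the index.txt, serial and newcerts files that openssl ca insists on), goes a little beyond the post by giving the server and client certificates distinct serverAuth/clientAuth extensions so that openssl verify can check each one against its role, and rounds-trips the server identity through a .pfx. The CA name "Example Test CA", the host name server.example, the client name alice and the passphrases are assumptions; it needs the openssl command line tool in PATH and uses 2048-bit keys instead of the post's 1024.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, signed server/client
# certs via `openssl ca`, PKCS#12 export and re-import, with a verify step.
# Assumed names: "Example Test CA", server.example, alice, and the passphrases.
set -eu

build_pki() {                       # build_pki DIR: CA + signed server/client certs
    work=$1
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"           # `openssl ca` refuses to run without its
    echo 01 > "$work/serial"        # database and serial files
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
database       = $work/index.txt
new_certs_dir  = $work/newcerts
serial         = $work/serial
certificate    = $work/ca.crt
private_key    = $work/ca.key
default_md     = sha256
default_days   = 365
policy         = policy_cn
unique_subject = no
[ policy_cn ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:server.example
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    cnf=$work/openssl.cnf
    # step 4: self-signed CA; -extensions v3_ca marks it CA:TRUE
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca \
        -keyout "$work/ca.key" -out "$work/ca.crt" -subj "/CN=Example Test CA" \
        -config "$cnf" 2>/dev/null
    # steps 1-2: server key (left unencrypted, as the post allows) and CSR
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl req -new -key "$work/server.key" -out "$work/server.csr" \
        -subj "/CN=server.example" -config "$cnf"
    # step 3: client key, this time passphrase-protected, and CSR
    openssl genrsa -aes256 -passout pass:clientpw -out "$work/client.key" 2048 2>/dev/null
    openssl req -new -key "$work/client.key" -passin pass:clientpw \
        -out "$work/client.csr" -subj "/CN=alice" -config "$cnf"
    # step 5: sign with the CA; -extensions selects serverAuth vs clientAuth
    openssl ca -batch -notext -config "$cnf" -extensions v3_server \
        -in "$work/server.csr" -out "$work/server.crt" 2>/dev/null
    openssl ca -batch -notext -config "$cnf" -extensions v3_client \
        -in "$work/client.csr" -out "$work/client.crt" 2>/dev/null
}

pack_pkcs12() {                     # pack_pkcs12 DIR: server key+cert+CA into .pfx, then back to PEM
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -certfile "$1/ca.crt" -passout pass:exportpw -out "$1/server.pfx"
    openssl pkcs12 -in "$1/server.pfx" -passin pass:exportpw -nodes \
        -out "$1/certandkey.pem"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }   # certificates in a PEM file

purpose_ok() {                      # purpose_ok DIR CERT PURPOSE: chain + key usage/EKU check
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

verify_pki() {                      # each cert must chain to ca.crt and fit its role
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname server.example "$1/server.crt"
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt"
}

demo=$(mktemp -d)
build_pki "$demo"
pack_pkcs12 "$demo"
verify_pki "$demo"
echo "certandkey.pem holds $(count_certs "$demo/certandkey.pem") certificates (server + CA)"
```

Two checks worth keeping from this: openssl verify with -purpose rejects the server certificate when asked to treat it as a client certificate (and vice versa), which is exactly the mistake a single shared extension section lets through, and the re-imported certandkey.pem contains both the server and the CA certificate, confirming the .pfx really carried the chain.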