Use openssl on Linux to generate CSR/CRT certificate files

Source: Internet
Author: User
Tags: openssl rsa

This article mainly draws on the content of the following two addresses; the commands were then tested on a local machine and the results are recorded below.


Create the test directory:
mkdir -p /tmp/create_key/ca
cd /tmp/create_key/
Certificate file generation:
I. Server side
1. Generate the server-side private key (key file):
openssl genrsa -des3 -out server.key 1024
You are prompted for a password during this step. The password encrypts the key file (the des3 parameter selects the encryption algorithm; other algorithms can be used), and from then on, whenever the file is read (through openssl commands or APIs), the password must be entered. If you do not want a password, strip it with:
openssl rsa -in server.key -out server.key

2. Generate the server certificate signing request file (csr file):
openssl req -new -key server.key -out server.csr
This generates a Certificate Signing Request (CSR). The csr file is submitted to the CA for signing, which produces the server certificate. You are prompted on screen for the required identity information (Country, Province, City, Company, etc.); enter it as requested.

II. Client side
1. Generate the client private key (key file):
openssl genrsa -des3 -out client.key 1024
2. Generate the client certificate signing request file (csr file):
openssl req -new -key client.key -out client.csr

cd /tmp/create_key/ca
III. Generate the CA certificate file
# server.csr and client.csr must be signed by a CA to become certificates.
1. First generate the CA's key file:
openssl genrsa -des3 -out ca.key 1024
2. Generate the CA self-signed certificate:
openssl req -new -x509 -key ca.key -out ca.crt
You can add the certificate validity option "-days 365".

IV. Sign with the CA certificate
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
openssl.cnf reports an error here, but it does not matter: we use the default /etc/pki/tls/openssl.cnf. However, with the default configuration you must first create the CA database and serial file with the following two lines:
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial

Error case analysis follows.
Generate the server.crt file from server.csr using ca.crt and ca.key:
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140423531685704:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/index.txt','r')
140423531685704:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
[root@monitor ca]# touch /etc/pki/CA/index.txt # create the index file because it does not exist
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139949960836936:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/serial','r')
139949960836936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
[root@monitor ca]# echo 00 > /etc/pki/CA/serial # create the serial file
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature OK
The organizationName field needed to be the same in the
CA certificate (homelink-ca) and the request (homelink)
# The error is reported because ca.crt was created with Organization Name "homelink-ca", while server.csr was created with Organization Name "homelink"; the default openssl.cnf policy requires these fields to match, so signing fails. ca.crt is re-created below.
[root@monitor ca]# openssl req -new -x509 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: bj
Locality Name (eg, city) [Default City]: bj
Organization Name (eg, company) [Default Company Ltd]: homelink
Organizational Unit Name (eg, section) []: homelink-lft
Common Name (eg, your name or your server's hostname) []: lft
Email Address []:
[root@monitor ca]# ls -lrt
total 8
-rw-r--r-- 1 root root 963 May 22 ca.key
-rw-r--r-- 1 root root 944 May 22 ca.crt
# ca.crt has been re-created; re-run the signing command, which now succeeds
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature OK
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: May 22 08:16:25 2015 GMT
Not After: May 21 08:16:25 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = bj
organizationName = homelink
organizationalUnitName = homelink-lft
commonName = lft
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
00:2C:34:0A:73:5C:1A:E6:39:48:28:6F:8F:02:F6:BC:58:6F:25:55
X509v3 Authority Key Identifier:
keyid:83:70:9D:4E:3F:39:01:3E:7A:CE:B9:2B:0E:1A:FB:00:2A:C3:11:D9

Certificate is to be certified until May 21 08:16:25 2016 GMT (365 days)
Sign the certificate? [y/n]: y


1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
[root@monitor ca]# ls -lrt
total 8
-rw-r--r-- 1 root root 963 May 22 ca.key
-rw-r--r-- 1 root root 944 May 22 ca.crt
[root@monitor ca]# ls -lrt ..
total 28
-rw-r--r-- 1 root root 963 May 22 13:51 server.key
-rw-r--r-- 1 root root 672 May 22 server.csr
-rw-r--r-- 1 root root 963 May 22 client.key
-rw-r--r-- 1 root root 672 May 22 client.csr
drwxr-xr-x 2 root root 4096 May 22 ca
-rw-r--r-- 1 root root 238 May 22 :07 readme.txt
-rw-r--r-- 1 root root 3036 May 22 server.crt
# Then generate the client.crt file the same way:
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key
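The following script is an added example, not the article's own commands: it runs the same key/CSR/CA/sign steps non-interactively against a private CA directory under a temporary path instead of /etc/pki/CA (so the index.txt and serial errors cannot occur), uses a policy_match section that reproduces the organizationName check the error analysis above ran into, and confirms each issued certificate with openssl verify. It assumes openssl is on PATH; the directory layout, section names, subject values and the 2048-bit unencrypted keys (in place of the article's 1024-bit -des3 keys) are choices made for this example.

```shell
# Added example, not from the original article: the same procedure run non-
# interactively with a private CA directory, so openssl ca does not depend on
# /etc/pki/CA/index.txt and /etc/pki/CA/serial. Assumes openssl is on PATH.
# Build $1/ca (index, serial, openssl.cnf) and the CA key and certificate;
# policy_match is the rule that rejected the mismatched organizationName above.
setup_ca() {
  work=$1
  mkdir -p "$work/ca/newcerts"
  touch "$work/ca/index.txt"   # the database openssl ca updates (was missing)
  echo 01 > "$work/ca/serial"  # next serial number (was missing)
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$work/ca/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$work/ca.cnf" -extensions v3_ca -days 365 \
    -key "$work/ca/ca.key" -subj "/C=CN/ST=bj/O=homelink/CN=demo-ca" -out "$work/ca/ca.crt"
}
# Key + CSR named $2 with O=$3, then sign with the CA. Returns 0 only if a cert
# chaining to ca.crt was written; a policy mismatch (O differs) writes none.
issue_cert() {
  work=$1 name=$2 org=$3
  openssl genrsa -out "$work/$name.key" 2048 2>/dev/null
  openssl req -new -config "$work/ca.cnf" -key "$work/$name.key" -subj "/C=CN/ST=bj/O=$org/CN=$name" -out "$work/$name.csr"
  openssl ca -batch -days 365 -config "$work/ca.cnf" -in "$work/$name.csr" \
    -out "$work/$name.crt" 2>/dev/null || true
  openssl verify -CAfile "$work/ca/ca.crt" "$work/$name.crt" >/dev/null 2>&1
}
```

Call `setup_ca /some/dir` once, then `issue_cert /some/dir server homelink`; a request whose O= does not match the CA's is rejected by policy_match exactly as in the session above.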
