1. Create a ca directory. The remaining steps are run from inside it; the configuration in step 2 also expects private and newcerts subdirectories there.
mkdir ca
2. Create an openssl.cnf file. The content is as follows:

dir = .

[ req ]
default_bits = 1024                         # size of keys
default_keyfile = key.pem                   # name of generated keys
default_md = md5                            # message digest algorithm
string_mask = nombstr                       # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# variable name                 prompt string
#--------------------------------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# variable name                 value
#------------------------------------------------------------
0.organizationName_default = EB Company
localityName_default = Shen Zhen
stateOrProvinceName_default = Guan Dong
countryName_default = CN

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = ca_default

[ ca_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
3. Create an empty index.txt file.
touch index.txt
4. Create a file named serial. Enter a number in the file as the serial number of the next issued certificate; the serial numbers of issued certificates start from the number you entered.
echo 01 > serial
5. Generate a public/private key pair for the CA.
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
This generates:
1. private/cakey.pem: the CA private key
2. cacert.pem: the CA public key, that is, the CA certificate. It is distributed to servers and clients.
6. Generate a certificate request, i.e. a Certificate Signing Request (CSR).
openssl req -new -nodes -out req.pem -config ./openssl.cnf
This generates:
1. key.pem: the private key
2. req.pem: the public key and subject information from which the certificate is generated
7. Generate a certificate: use the CA private key to sign req.pem.
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
Remove the human-readable text that precedes the PEM block:
mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
This generates:
1. cert.pem: the final user certificate
8. Obtain the certificate files.
1. Server-side files:
server.pem (cat key.pem cert.pem > server.pem)
cacert.pem
2. Client-side file:
cacert.pem
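The eight steps above, collected into one non-interactive script as an added example (this is not the tutorial author's code). It keeps the same file layout (openssl.cnf, index.txt, serial, private/cakey.pem, cacert.pem, key.pem, req.pem, cert.pem, server.pem) but goes beyond the text in four ways: the md5 and 1024-bit settings are replaced by sha256 and 2048-bit keys (MD5 signatures and 1024-bit RSA are rejected by current clients), the CA private key is encrypted with a passphrase read from the environment, the server certificate gets a subjectAltName plus key-usage extensions via openssl ca -extfile, and a final function verifies the issued certificate the way a client would. Assumptions: openssl is in PATH; the passphrase, the DN values (taken from the tutorial's defaults) and the hostname www.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial: steps 1-8 as one script with
# sha256 / 2048-bit keys, an encrypted CA key and a SAN on the server cert.
# Assumptions: openssl in PATH; passphrase, DN values and hostname are placeholders.
set -eu

CA_PASS="${CA_PASS:-change-me-example-passphrase}"   # placeholder; real ones come from a secret store
export CA_PASS
SUBJ_BASE="/C=CN/ST=Guan Dong/L=Shen Zhen/O=EB Company"  # must satisfy policy_match below

# Step 2, hardened: same layout as the tutorial's openssl.cnf, stronger defaults.
write_ca_config() {
  cat > "$1/openssl.cnf" <<'EOF'
dir = .

[ req ]
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, district)
0.organizationName = Organization Name (company)
commonName = Common Name (hostname, IP, or your name)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

[ ca ]
default_ca = ca_default

[ ca_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
commonName = supplied
EOF
}

# Steps 1-5: directory layout, index.txt, serial, self-signed CA certificate.
setup_ca() {
  mkdir -p "$1/private" "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  write_ca_config "$1"
  (cd "$1" && openssl req -new -x509 -extensions v3_ca -days 3650 \
      -keyout private/cakey.pem -passout env:CA_PASS -out cacert.pem \
      -subj "$SUBJ_BASE/CN=Example Root CA" -config ./openssl.cnf)
}

# Steps 6-8: CSR, signing with the CA key (-batch replaces the prompts),
# stripping the text dump, and the server.pem bundle. $2 is the hostname.
issue_server_cert() {
  cat > "$1/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2
EOF
  (cd "$1" \
    && openssl req -new -nodes -keyout key.pem -out req.pem \
         -subj "$SUBJ_BASE/CN=$2" -config ./openssl.cnf \
    && openssl ca -batch -config ./openssl.cnf -passin env:CA_PASS \
         -extfile server_ext.cnf -in req.pem -out tmp.pem \
    && openssl x509 -in tmp.pem -out cert.pem \
    && cat key.pem cert.pem > server.pem)
}

# What a client checks: cert.pem chains to cacert.pem, is SHA-256 signed,
# is not itself a CA, and names the host in its SAN. Non-zero on any failure.
verify_issued_cert() {
  (cd "$1" \
    && openssl verify -CAfile cacert.pem cert.pem >/dev/null \
    && openssl x509 -in cert.pem -noout -text > cert.txt \
    && grep -q 'Signature Algorithm: sha256WithRSAEncryption' cert.txt \
    && grep -q 'CA:FALSE' cert.txt \
    && grep -q "DNS:$2" cert.txt)
}

WORK="$(mktemp -d)"
setup_ca "$WORK"
issue_server_cert "$WORK" www.example.com
verify_issued_cert "$WORK" www.example.com
echo "issued certificate verified in $WORK"
```

Because openssl ca deletes any DN component not listed in the policy section, the hardened policy lists localityName as optional so that the L= value from the request survives into the certificate; the tutorial's policy_match drops it silently.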