The public key and the private key are usually paired. When the public key is used, the corresponding private key exists. Generally, OpenSSL and the Public Key are easily obtained from the private key, therefore, to create a certificate, you must first create a private key.
1. Use OpenSSL to generate a private key
Common generation algorithms include RSA and DSA. The private key generated by RSA can be used for encryption and signature, while the private key generated by DSA can only be used for signature.
1.1). Example of key generation using the RSA Algorithm
OpenSSL genrsa-des3-out privkey. pem 2048
Genrsa: specifies that the generated algorithm uses RSA
-Desc: indicates that the generated key is password-protected, otherwise, other people will require a password each time they send a request)
-Out: The following parameter indicates the input file of the generated key.
2048: indicates the size of the generated key, in bytes (BITs)
1.2) Example of generating a key using the DSA Algorithm
Two steps are required to generate a key based on the DSA algorithm:
1.2.1). The first step is to generate the parameters used to generate the key:
OpenSSL dsaparam-out dsaparam. pem 2048
1.2.2). Generate a key based on the generated parameters:
OpenSSL gendsa-des3-out privkey. pem dsaparam. pem
2. Use OpenSSL to create a certificate application and a self-signed certificate
In step 2, we have already created the private key. In this case, we can use the created private. pem to create the certificate application and self-signed certificate.
2.1) create a Certificate Application
OpenSSL req-New-key privkey. pem-out cert. CSR
Using the above command, a certificate application will be created. Here, we need to enter Country, Organization, name, and other information, but not the number of days in which the certificate is valid, because the valid days of the certificate are given to us by the CA Certification Center, we will then generate this generated cert. CSR (Certificate Signing Request (CSR): Certificate Signature Application) is sent to the CA Certification Center.
After the CA passes the authentication center, it will return the authentication information (usually via email) and then import it.
For information on exporting CSR and importing CA authentication information, see: http://docs.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
2.2) create a self-signed certificate
OpenSSL req-New-X509-key privkey. pem-out cacert. pem-days 1095
If you do not need third-party authorization or create an authorization for testing, we can do this. The following parameter "-days 1095" indicates that the number of authorization days is 1095 days.