Using OpenSSL to generate CSR CRT CA certificates under Linux

Source: Internet
Author: User
Tags generate csr openssl rsa

This article mainly draws on and references the following 2 address content, then carries on the test and the execution on own machine, and has made the following record.

Ref

Http://blog.chinaunix.net/uid-26760055-id-3128132.htmlhttp://www.111cn.net/sys/linux/61591.htm



Create a Test CatalogMkdir/tmp/create_key/caCD /tmp/create_key/
certificate file generation:
one. Server-side
1. Generate the server-side private key (key file);
OpenSSL genrsa-des3-out server.key 1024x768
The runtime prompts for a password, which is used to encrypt the key file (the parameter des3 is an encryption algorithm or other secure algorithm), and you will need to enter the password every time you need to read the file (via the command or API provided by OpenSSL). If you do not have a password, remove the password: OpenSSL rsa-in server.key-out server.key

2. Generate server-side certificate signing request file (CSR file);
OpenSSL req-new-key server.key-out SERVER.CSR
generate the Certificate Signing request (CSR), and the resulting CSR file is handed to the CA to form its own certificate on the server. The screen will prompt you to enter the required personal information in step-by-steps (for example: country,province , City,company, etc.).

Two. Client
1. Generate The client private key (key file);
OpenSSL genrsa-des3-out client.key 1024x7682. Generate Client certificate signing request file (CSR file);
OpenSSL req-new-key client.key-out CLIENT.CSR

CD /tmp/create_key/ca
three. Generate the CA certificate file
#server. CSR and CLIENT.CSR files must be signed by a CA to form a certificate.
1. First generate the CA's key file:
OpenSSL genrsa-des3-out ca.key 1024x768
2. Generate the CA self-signed certificate:
OpenSSL req-new-x509-key ca.key-out ca.crt
You can add the certificate Expiration Time option "-days 365".

Four. Signing with a CA certificate
OpenSSL ca-in. /server.csr-out. /server.crt-cert ca.crt-keyfile Ca.keyOpenSSL ca-in. /client.csr-out. /client.crt-cert ca.crt-keyfile Ca.keythese two execution time because did not specify OPENSSL.CNF will error, but does not matter, we use the default /etc/pki/tls/openssl.cnf to be able. However, the default is to perform the following two lines first:Touch/etc/pki/ca/index.txt
echo >/etc/pki/ca/serial

There are error case studies below############################################################# generate SERVER.CRT files from the ca.crt Ca.key of the CA according to SERVER.CSROpenSSL ca-in. /server.csr-out. /server.crt-cert ca.crt-keyfile Ca.key
Using Configuration From/etc/pki/tls/openssl.cnf
Enter Pass phrase for Ca.key:
/etc/pki/ca/index.txt:no such file or directory
Unable to open '/etc/pki/ca/index.txt '
140423531685704:error:02001002:system library:fopen:No such file or Directory:bss_file.c:355:fopen ('/etc/pki/ca/ Index.txt ', ' R ')
140423531685704:error:20074002:bio Routines:FILE_CTRL:system lib:bss_file.c:357:
[[email protected]ca]#Touch/etc/pki/ca/index.txt #创建index文件, because there is no
[[email protected]ca]#OpenSSL ca-in. /server.csr-out. /server.crt-cert ca.crt-keyfile Ca.key
Using Configuration From/etc/pki/tls/openssl.cnf
Enter Pass phrase for Ca.key:
/etc/pki/ca/serial:no such file or directory
Error while loading serial number
139949960836936:error:02001002:system library:fopen:No such file or Directory:bss_file.c:355:fopen ('/etc/pki/ca/ Serial ', ' R ')
139949960836936:error:20074002:bio Routines:FILE_CTRL:system lib:bss_file.c:357:
[[email protected]ca]#echo >/etc/pki/ca/serial #创建serial号文件
[[email protected]ca]#OpenSSL ca-in. /server.csr-out. /server.crt-cert ca.crt-keyfile Ca.key
Using Configuration From/etc/pki/tls/openssl.cnf
Enter Pass phrase for Ca.key:
Check that the request matches the signature
Signature OK
The OrganizationName field needed to being the same in the
CA Certificate (HOMELINK-CA) and the request (Homelink)#此处报错是因为创建CA的ca.crt time and SERVER.CSR when creating the server#Organization Name (eg, company) [Default company Ltd]:homelink-ca and #Organization Name (eg, company) [Default company Ltd]:homelink #配置的不再一个域, so no, the following reconstruction Ca.crt
[[email protected]ca]#OpenSSL req-new-x509-key ca.key-out ca.crt
Enter Pass phrase for Ca.key:
You is about-to is asked to-enter information that'll be incorporated
into your certificate request.
What's about-to-enter is called a distinguished Name or a DN.
There is quite a few fields but can leave some blank
For some fields there would be a default value,
If you enter '. ', the field would be a left blank.
-----
Country Name (2 letter code) [XX]:CN
State or province name (full name) []:BJ
Locality Name (eg, city) [Default CITY]:BJ
Organization Name (eg, company) [Default company Ltd]:homelink
Organizational Unit Name (eg, section) []:homelink-lft
Common name (eg, your name or your server ' s hostname) []:lft
Email Address []:
[[email protected]ca]#LS-LRT
Total 8
-rw-r--r--1 root root 963 may 14:39 Ca.key
-rw-r--r--1 root root 944 may 16:16 ca.crt#重新创建ca. CRT after re-execution, build succeeded
[[email protected]ca]#OpenSSL ca-in. /server.csr-out. /server.crt-cert ca.crt-keyfile Ca.key
Using Configuration From/etc/pki/tls/openssl.cnf
Enter Pass phrase for Ca.key:
Check that the request matches the signature
Signature OK
Certificate Details:
Serial number:0 (0x0)
Validity
Not Before:may 08:16:25 GMT
Not After:may 08:16:25 GMT
Subject:
CountryName = CN
Stateorprovincename = BJ
OrganizationName = Homelink
Organizationalunitname = Homelink-lft
CommonName = LfT
X509v3 Extensions:
X509v3 Basic Constraints:
Ca:false
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
00:2c:34:0a:73:5c:1a:e6:39:48:28:6f:8f:02:f6:bc:58:6f:25:55
X509v3 Authority Key Identifier:
Keyid:83:70:9d:4e:3f:39:01:3e:7a:ce:b9:2b:0e:1a:fb:00:2a:c3:11:d9

Certificate is to be certified until-08:16:25 GMT (365 days)
Sign the certificate? [Y/n]:y


1 out of 1 certificate requests certified, commit? [Y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected]ca]# LS-LRT
Total 8
-rw-r--r--1 root root 963 may 14:39 Ca.key
-rw-r--r--1 root root 944 may 16:16 ca.crt
[[email protected]ca]# LS-LRT.
Total 28
-rw-r--r--1 root root 963 may 13:51 Server.key
-rw-r--r--1 root root 672 may 13:52 SERVER.CSR
-rw-r--r--1 root root 963 may 14:36 Client.key
-rw-r--r--1 root root 672 may 14:37 CLIENT.CSR
Drwxr-xr-x 2 root root 4096 may 14:40 CA
-rw-r--r--1 root root 238 may 15:07 Readme.txt
-rw-r--r--1 root root 3036 may 16:16 server.crt#然后生成客户端的client.crt fileOpenSSL ca-in. /client.csr-out. /client.crt-cert ca.crt-keyfile Ca.key

Using OpenSSL to generate CSR CRT CA certificates under Linux

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.