Using OpenSSL to generate certificates under Windows

Source: Internet
Author: User

One: Download

The version used here is 0.9.8.

1: Download the OpenSSL source from http://www.openssl.org/source/

2: Install Visual Studio 2010 (Visual C++ supplies the compiler and nmake).

3: Download ActivePerl from http://www.activestate.com/activeperl and install it.

Two: Install OpenSSL

1: Unzip the source to the root of the C drive, giving C:\openssl-0.9.8v

2: Configure for WIN32

Open a cmd command prompt, change to the C:\openssl-0.9.8v directory and run:

perl Configure VC-WIN32

The target name is case-sensitive: it must be written exactly as VC-WIN32.

3: Set up the VC environment variables

Change to the VC\bin directory under the Visual Studio installation path and run:

vcvars32.bat

This sets the compiler and nmake environment variables for the current command prompt.

4: Return to the OpenSSL directory and create the makefiles

ms\do_ms

do_ms builds without any assembly-language code. If it reports an error at the end, try ms\do_masm (MASM assembler), ms\do_nasm (NASM assembler), ms\do_nt and so on; these batch files generate makefiles for different build configurations.

5: In the OpenSSL directory, run the build

nmake -f ms\ntdll.mak

When the dynamic-library build finishes, the output is in the out32dll directory: the executables, two DLLs and two import libraries (libeay32.dll, libeay32.lib, ssleay32.dll, ssleay32.lib). For programming against OpenSSL from VS/VC, use those files. To use the openssl command itself, also add C:\openssl-0.9.8v\out32dll to the PATH environment variable, since openssl.exe is in that directory; after that the openssl command can be run directly from the command line.

Three: Generate certificate

1. Set the OPENSSL_CONF environment variable to point at the configuration file (openssl.cnf). A template can be copied from the apps directory of the unpacked OpenSSL tree and then edited. Alternatively, pass the file on each command line with -config.

My configuration file:

#
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE = .rnd

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = C:\\ca # Where everything is kept
certs = $dir\\certs # Where the issued certs are kept
crl_dir = $dir\\crl # Where the issued CRLs are kept
database = $dir\\index.txt # database index file
new_certs_dir = $dir\\newcerts # default place for new certs

certificate = $dir\\cacert.pem # The CA certificate
serial = $dir\\serial # The current serial number
crl = $dir\\crl.pem # The current CRL
private_key = $dir\\private\\cakey.pem # The private key
RANDFILE = $dir\\private\\private.rnd # private random number file

x509_extensions = x509v3_extensions # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL (blank on the original page; 30 is the stock template value)
default_md = sha256 # which md to use (the original page had md5, which is collision-broken and unsafe for certificate signatures)
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048 # the original page used 1024, which is below current minimums
default_keyfile = privkey.pem
default_md = sha256 # added here; without it old releases sign requests and self-signed certificates with md5
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

localityName = Locality Name (eg, city)

0.organizationName = Organization Name (eg, company)

organizationalUnitName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, your website domain name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ x509v3_extensions ]
# Left empty on the original page, so the certificates issued by openssl ca carry no extensions.

Create the directories and files that the configuration refers to under $dir (C:\ca); openssl ca does not create them itself:

C:\ca\certs (issued certificates)
C:\ca\crl (issued CRLs)
C:\ca\newcerts (a copy of every certificate the CA signs, named by serial number)
C:\ca\private (the CA private key)
C:\ca\index.txt (the certificate database; create it empty)
C:\ca\serial (the next serial number in hex; create it containing 01)

You can now use the openssl command to generate the certificates:

1. First generate the server-side private key (key file):
openssl genrsa -des3 -out server.key 2048
The command prompts for a passphrase, which is used to encrypt the key file (-des3 selects the encryption algorithm; another algorithm OpenSSL offers, such as -aes256, can be chosen instead). The passphrase must be entered whenever the file is read, whether through the openssl command or the API. The original page used 1024-bit keys; 1024-bit RSA is below current minimums, so 2048 is used here. If the prompt is inconvenient the passphrase can be removed, but then the file must be protected by other means (restrictive file permissions at the very least):
openssl rsa -in server.key -out server.key
(The plaintext key overwrites the encrypted one in place; write to a different file name if the encrypted copy should be kept.)

2. Generate the certificate signing request (CSR); the CSR is what is handed to a CA to be turned into a certificate. The command prompts step by step for the subject fields defined in [req_distinguished_name]:
openssl req -new -key server.key -out server.csr -config openssl.cnf

3. Generate the client key and CSR with the same commands:
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr -config openssl.cnf

4. A CSR must be signed by a CA to become a certificate. It could be sent to a commercial CA such as VeriSign for a fee; here we make our own CA instead. The self-signed CA certificate is produced directly from a freshly generated key with -x509 (the key is written encrypted, so a passphrase is requested). Without -days, the certificate produced by req -x509 is valid for only 30 days:
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config openssl.cnf

5. Sign the server.csr and client.csr generated above with the CA certificate and key:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Two things commonly go wrong here. The policy_match policy in openssl.cnf requires countryName, stateOrProvinceName and organizationName in the CSR to match the CA certificate exactly, otherwise the request is rejected. And openssl ca records every issued certificate in index.txt and increments serial, so both files must exist (see above) and the same pair must be used for every certificate the CA issues.

The files used by the client are: ca.crt, client.crt, client.key
The files used by the server are: ca.crt, server.crt, server.key
The .crt and .key files can be combined into a single file; here the two files were concatenated into one .pem file (plain copy and paste). The combined file contains the private key, so it needs the same protection as the key file.
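The whole procedure of this section, as an added example that is not part of the original page: a PowerShell script that creates the C:\ca layout required by [CA_default], runs the key, CSR, CA and signing commands above without interactive prompts, and checks the result before the files are deployed. It assumes openssl.exe is on PATH and that the configuration file shown above is saved as C:\ca\openssl.cnf (with dir = C:\\ca); the passphrase, subject names and the 2048-bit key size are example choices to be replaced.

```powershell
# Added example, not from the original page. Assumes openssl.exe is on PATH and
# that the openssl.cnf shown above is saved as C:\ca\openssl.cnf. The passphrase
# and subject names below are placeholders.
$CaDir = 'C:\ca'
$Conf  = Join-Path $CaDir 'openssl.cnf'
$Pass  = 'pass:ChangeMe-example-passphrase'   # example only; keep real secrets out of scripts

function Invoke-OpenSsl {
    # Run openssl.exe and stop the script on any non-zero exit code, so a
    # rejected CSR (for example a policy_match mismatch) is not silently skipped.
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed (exit $LASTEXITCODE)" }
}

# 1. Directory layout and bookkeeping files that [CA_default] refers to.
foreach ($d in 'certs', 'crl', 'newcerts', 'private') {
    New-Item -ItemType Directory -Force -Path (Join-Path $CaDir $d) | Out-Null
}
Set-Content -Path (Join-Path $CaDir 'index.txt') -Value '' -NoNewline   # empty database
Set-Content -Path (Join-Path $CaDir 'serial')    -Value '01'            # first serial number, hex
Set-Location $CaDir

# 2. Self-signed CA certificate and encrypted CA key.
#    Without -days, req -x509 issues a certificate valid for only 30 days.
Invoke-OpenSsl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 `
    -subj '/C=CN/ST=Zhejiang/O=Example Corp/CN=Example Root CA' `
    -passout $Pass -keyout ca.key -out ca.crt -config $Conf

# 3. Server and client keys and CSRs. policy_match makes openssl ca reject any
#    CSR whose C, ST or O differ from the CA certificate, so they are kept equal.
$Subjects = @{
    server = '/C=CN/ST=Zhejiang/O=Example Corp/CN=www.example.com'
    client = '/C=CN/ST=Zhejiang/O=Example Corp/CN=alice@example.com'
}
foreach ($Name in $Subjects.Keys) {
    Invoke-OpenSsl genrsa -des3 -passout $Pass -out "$Name.key" 2048
    Invoke-OpenSsl req -new -key "$Name.key" -passin $Pass -subj $Subjects[$Name] `
        -out "$Name.csr" -config $Conf
}

# 4. Sign both CSRs with the CA. -batch answers the "Sign the certificate?" prompts.
foreach ($Name in $Subjects.Keys) {
    Invoke-OpenSsl ca -batch -in "$Name.csr" -out "$Name.crt" -cert ca.crt `
        -keyfile ca.key -passin $Pass -config $Conf
}

# 5. Checks before deployment: the chain verifies against ca.crt, the signature
#    digest is not MD5, and the key really is 2048 bits.
foreach ($Name in $Subjects.Keys) {
    Invoke-OpenSsl verify -CAfile ca.crt "$Name.crt"
    $Text = (& openssl x509 -in "$Name.crt" -noout -text) -join "`n"
    if ($Text -match 'md5WithRSAEncryption') { throw "$Name.crt is signed with MD5" }
    if ($Text -notmatch '\(2048 bit\)')     { throw "$Name.crt does not carry a 2048-bit key" }
}

# 6. Combined .pem (certificate followed by key) per side, as described on the page.
#    The combined file contains the private key, so protect it like the key file.
foreach ($Name in $Subjects.Keys) {
    Get-Content "$Name.crt", "$Name.key" | Set-Content "$Name.pem"
}
```

The script is single-shot: openssl ca refuses to issue a second certificate for a subject that is already in index.txt, so re-running it requires a fresh index.txt and serial (or a different set of subjects). Invoke-OpenSsl is a plain function that forwards $args unchanged, which is what lets option-looking tokens such as -x509 or -CAfile reach openssl.exe instead of being parsed as PowerShell parameters.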

openssl req command parameters:

openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-batch] [-verbose] [-engine id]
