Using OpenSSL under Linux for certificate issuance (detailed steps)--Reprint and modification

Source: Internet
Author: User
Tags: base64, install, openssl, x509, pkcs12

Original address: http://www.cnblogs.com/firtree/p/4028354.html (Linux: using OpenSSL for certificate issuance, detailed steps)

1. First install OpenSSL, an open-source implementation of encryption, decryption and certificate handling. On CentOS it can be installed with yum.

2. OpenSSL's configuration file is openssl.cnf; the default configuration is usually sufficient. If the certificates have special requirements, the configuration can be modified to suit them. The relevant files must then be placed in the directories that the configuration file specifies.

3. First use OpenSSL to generate the root certificate; the server and client certificates issued later will all be signed by it. Several root certificates can be created, for example one per company.

# Generate the private key for the root certificate

openssl genrsa -out /home/lengshan/ca.key

# Use the private key to generate a certificate request for the root certificate. The usual request format is a CSR, so the private key and the CSR generally both need to be kept.

openssl req -new -key /home/lengshan/ca.key -out /home/lengshan/ca.csr

# Self-sign the request we just created; the generated certificate is ca.crt

openssl x509 -req -days 3650 -in /home/lengshan/ca.csr -signkey /home/lengshan/ca.key -out /home/lengshan/ca.crt

# Create the first serial number for our certificates, usually 4 hex characters; its value does not affect subsequent issuance or other operations

echo FACE > /home/lengshan/serial

# Create the CA's certificate database; it does not affect subsequent operations, and the default configuration file also specifies where it is stored

touch /home/lengshan/index.txt

# Create the certificate revocation list, which holds the certificates that have been invalidated

openssl ca -gencrl -out /home/lengshan/ca.crl -crldays 7

This completes the work on the root certificate; the next step is to issue certificates.

4. Generate and issue a server authentication certificate. Note that because the root is self-signed, browsers will warn that the certificate is untrusted.

# Create the private key for the server authentication certificate

openssl genrsa -out /home/lengshan/server.key

# Generate the certificate request file

openssl req -new -key /home/lengshan/server.key -out /home/lengshan/server.csr

# Use the root certificate to sign the server authentication certificate

openssl ca -in /home/lengshan/server.csr -cert /home/lengshan/ca.crt -keyfile /home/lengshan/ca.key -out /home/lengshan/server.crt

At this point the server-side authentication certificate is complete. The certificate and private key can be packaged into a PFX-format certificate for Microsoft software with the following command:

openssl pkcs12 -export -clcerts -in /home/lengshan/server.crt -inkey /home/lengshan/server.key -out /home/lengshan/server.p12

5. Issue a client authentication certificate

# Generate the private key (-des3 encrypts it with a passphrase)

openssl genrsa -des3 -out /home/lengshan/users/1/1.key 1024

# Generate the certificate request file

openssl req -new -key /home/lengshan/users/1/1.key -out /home/lengshan/users/1/1.csr

# Issue the certificate

openssl ca -in /home/lengshan/users/1/1.csr -cert /home/lengshan/ca.crt -keyfile /home/lengshan/ca.key -out /home/lengshan/users/1/1.crt

# Generate the PFX format

openssl pkcs12 -export -clcerts -in /home/lengshan/users/1/1.crt -inkey /home/lengshan/users/1/1.key -out /home/lengshan/users/1/1.p12

The client certificate is complete. Note: if the client certificate is to be used with a web server, the web server must be given the root certificate in order to authenticate the client. Remember this!
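The three procedures above (root CA, server certificate, client certificate) run end to end in the following script, an added example that is not part of the original post. It writes its own minimal openssl.cnf so that openssl ca does not depend on the system configuration, adds the v3 extensions the post's commands leave out (CA:TRUE on the root, serverAuth and clientAuth on the leaves), uses 2048-bit keys, and finishes by revoking the client certificate and checking both certificates against the CRL. The directory layout, the common names, the hostname server.example.test and the profile names server_cert and client_cert are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's commands: a self-contained CA built in
# one directory. Paths, names and the hostname are constructed for this example.
set -eu

# Minimal openssl.cnf whose [ca] section points at DIR, so that 'openssl ca'
# and 'openssl req' do not depend on the system-wide configuration file.
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = demo_policy
unique_subject   = no
# never copy extensions straight from a CSR: a requester could ask for CA:TRUE
copy_extensions  = none

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.example.test
authorityKeyIdentifier = keyid:always

[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid:always
EOF
}

# Root CA: key, CSR, self-signed v3 CA certificate, serial file, empty database.
init_ca() {
    mkdir -p "$1/newcerts"
    write_config "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/ca.key" -subj "/CN=Demo Root CA" -out "$1/ca.csr"
    openssl x509 -req -days 3650 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/ca.crt" 2>/dev/null
    echo 1000 > "$1/serial"   # next serial number: hex, even number of digits
    : > "$1/index.txt"        # empty certificate database
}

# Issue an end-entity certificate: DIR NAME COMMON_NAME PROFILE (server_cert|client_cert)
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$4" \
        -cert "$1/ca.crt" -keyfile "$1/ca.key" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Revoke DIR/NAME.crt and regenerate the CRL: -gencrl must be rerun after every
# revocation, otherwise relying parties never learn about it.
revoke_cert() {
    openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -gencrl -crldays 7 -out "$1/ca.crl" 2>/dev/null
}

# Chain check against the root; returns 0 only if DIR/NAME.crt is trusted.
verify_cert() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Same check, also consulting the CRL; returns 0 only if trusted and not revoked.
verify_cert_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" >/dev/null 2>&1
}

main() {
    init_ca "$1"
    issue_cert "$1" server server.example.test server_cert
    issue_cert "$1" client alice client_cert
    verify_cert "$1" server && echo "server.crt: trusted"
    revoke_cert "$1" client
    verify_cert_with_crl "$1" client || echo "client.crt: rejected by CRL check, as intended"
}

if [ $# -eq 1 ]; then main "$1"; fi   # usage: sh ca_demo.sh /path/to/empty/workdir
```

Run it as sh ca_demo.sh /tmp/demo-pki. Two points differ from the post's sequence: the root is given basicConstraints CA:TRUE and keyCertSign/cRLSign explicitly, so that openssl verify accepts it as an issuer regardless of OpenSSL version, and the CRL is regenerated after the revocation, because a CRL generated once at setup (as in step 3) never lists anything revoked later.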

Notes: 1. The differences between the certificate formats:

2. During the operations above, create the folders and files that the error messages ask for, and move files to the directories they specify.

3.

Digital certificate files: the difference between CER and PFX

A certificate stored as a file typically takes one of these forms:

  1. Certificate with private key

Defined by the Public Key Cryptography Standards #12 (PKCS#12): a binary-format file that contains the certificate (public key) together with its private key, with PFX as the file extension.

  2. Binary-encoded certificate

Contains no private key: the certificate is DER-encoded in binary format, with CER as the file extension.

  3. BASE64-encoded certificate

Contains no private key: the certificate is in BASE64-encoded (PEM) format, with CER as the file extension.

As the definitions show, only a certificate in PFX format contains the private key; a certificate in CER format holds only the public key and no private key.

One option in the PFX certificate import process is "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." It is usually left unchecked; if it is selected, someone else will have the opportunity to back up your key. If unchecked, the key is still imported but can never be exported again, which protects the key.

If this option was not selected during import, the "Export private key" item is grayed out when exporting and cannot be selected for a certificate backup; only the public key, in CER format, can be exported. If the option was selected on import, the "Export private key" item is available on export.

If you export the private key (PFX), you must enter a password, which is used to re-encrypt the private key. This protects the private key: even someone who obtains the certificate backup (PFX) cannot import it without knowing the password that encrypts the private key. Conversely, exporting a certificate in CER format does not prompt for a password, because the public key is public and is not encrypted.
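As an added example (not from the original post), the following script produces the three forms described above from one throwaway certificate, a PEM CER, a DER CER and a PFX, and then checks which of them yields a private key and whether the PFX password is needed to read it. It also shows the pkcs12 export step from sections 4 and 5 with an explicit password. The demo certificate, the file names and the password changeit are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: what a CER (PEM or DER) contains
# compared with a PFX/P12. Certificate, key and password are constructed here.
set -eu

# Throwaway self-signed certificate and key (constructed input for the demo).
make_demo_cert() {
    printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n[ req_dn ]\n' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" -keyout "$1/demo.key" -out "$1/demo.cer" 2>/dev/null
}

# BASE64 (PEM) .cer <-> binary DER .cer. Both carry only the public certificate.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# Certificate + private key -> PFX. PASSWORD encrypts the private key inside the file.
make_pfx() { openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"; }

# SHA-256 fingerprint of the certificate in FILE (FORM = PEM or DER); the same
# certificate gives the same fingerprint whichever encoding it is stored in.
fingerprint() { openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2; }

# Returns 0 if FILE yields a readable private key. For a PFX the password is
# required even to look inside; a wrong password means "no key readable".
has_private_key() {
    case $1 in
        *.pfx|*.p12)
            openssl pkcs12 -in "$1" -passin "pass:${2:-}" -nocerts -nodes 2>/dev/null \
                | grep -q 'PRIVATE KEY' ;;
        *)  grep -q 'PRIVATE KEY' "$1" ;;
    esac
}

main() {
    make_demo_cert "$1"
    pem_to_der "$1/demo.cer" "$1/demo-der.cer"
    make_pfx "$1/demo.cer" "$1/demo.key" "$1/demo.pfx" changeit
    echo "fingerprint (PEM): $(fingerprint "$1/demo.cer")"
    echo "fingerprint (DER): $(fingerprint "$1/demo-der.cer" DER)"
    for f in demo.cer demo-der.cer demo.pfx; do
        if has_private_key "$1/$f" changeit; then echo "$f: contains a private key"
        else echo "$f: public certificate only (or password rejected)"; fi
    done
}

if [ $# -eq 1 ]; then main "$1"; fi   # usage: sh cer_vs_pfx.sh /path/to/empty/workdir
```

Run it as sh cer_vs_pfx.sh /tmp/cer-demo. The PEM and DER files print the same fingerprint because they are the same certificate in two encodings, and only the PFX reports a private key, and only when the export password is supplied, which is the property the paragraphs above describe for the Windows import and export dialogs.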
