Installing OpenSSL on Windows 7 and generating an electronic certificate

Source: Internet
Author: User

Installation environment: Win7 64-bit, VS2013

Pre-installation: First go to http://www.openssl.org/source/ and download the latest version, openssl-1.0.2.tar.gz, then extract it to C:\openssl-1.0.2.
Download ActivePerl from http://www.activestate.com/ActivePerl, install it to the C drive, and then run example.pl in the directory C:\Perl64\eg from the command line.
If the result shows "Hello from ActivePerl!", the Perl installation succeeded and you can use the Perl commands needed to build OpenSSL. The preparation is done.
Open the VS2013 Command Prompt window with administrator privileges, change to the OpenSSL directory, and follow these steps to compile:

Execute "perl Configure VC-WIN32 no-asm -DOPENSSL_USE_IPV6=0". no-asm means the assembly code is not compiled (NASM is not needed), and -DOPENSSL_USE_IPV6=0 disables IPv6, which avoids the "nmake: fatal error U1077: 'cl': return code '0x2'" error;

Execute "nmake -f ms\ntdll.mak";

Check for success by executing the command "nmake -f ms\ntdll.mak test", or "> cd out32dll

When the compilation is complete, the library files, the dynamic link library files, the OpenSSL executable, and the test programs (openssl.exe, libeay32.dll, ssleay32.dll) are generated in the \out32dll directory.

Create the folder c:/usr/local/ssl and copy the openssl.cnf file from openssl\apps to the out32dll directory; you can then use OpenSSL.

Generate key pair (public-private key pair)

First you need to generate an RSA key pair (public-private key pair) with the command "openssl genrsa [-des|-des3|-idea] -out <private key file> <size>":

openssl genrsa -des3 -out www.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for www.example.com.key: <Don't show my passphrase>
Verifying - Enter pass phrase for www.example.com.key: <Don't show my passphrase>

The last parameter in the command is the size of the key pair to generate; 2048 bits is recommended as secure enough given the performance of current computers. In addition, because the command includes the -des3 option, the resulting private key is encrypted with Triple DES to enhance its security. You can also use -des or -idea instead of -des3 to encrypt the private key with DES or IDEA. (Of course, the DES encryption algorithm is weak and should never be used.) An encrypted private key has to be decrypted with the passphrase every time it is used, which is more secure. If your e-cert is used in a server such as Apache httpd, you have to enter the passphrase once each time you start the server. Many people choose to omit the -des3 option and generate an unencrypted private key (that is, you will not be asked to enter a passphrase, and the private key will not be encrypted):

openssl genrsa -out www.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..............................................................................+++
e is 65537 (0x10001)

This command is almost the same as the one above, but this time you will not be asked to enter a passphrase. This approach of course saves the trouble of entering the passphrase every time, but anyone who simply copies the private key file can steal the electronic certificate much more easily, which is very dangerous.

Upon completion, the new key is recorded in PKCS#1 PEM format in the key file www.example.com.key (although the header reads RSA PRIVATE KEY, the content also contains the corresponding public key's information):

-----BEGIN RSA PRIVATE KEY-----
(key data omitted)
-----END RSA PRIVATE KEY-----

The above key is not encrypted. An encrypted key carries the header "Proc-Type: 4,ENCRYPTED":

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B

(encrypted key data omitted)
-----END RSA PRIVATE KEY-----
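
The header difference described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it audits PEM text and reports, for each private key block, whether it carries "Proc-Type: 4,ENCRYPTED" and which DEK-Info cipher protects it. The function name, status labels and sample input are assumptions made for illustration (the key bodies are placeholders, not key material), and it also recognizes the PKCS#8 "ENCRYPTED PRIVATE KEY" label, which goes beyond the PKCS#1 case shown here.

```python
import re

WEAK_DEK_CIPHERS = {"DES-CBC"}  # single DES, which the article says never to use
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def classify_private_keys(text):
    """Return (label, status, cipher) for every private-key PEM block in text."""
    findings = []
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        if not label.endswith("PRIVATE KEY"):
            continue  # CSRs, certificates and public keys are not secrets
        head, blank, _ = body.partition("\n\n")  # headers end at first blank line
        headers = {}
        for line in head.splitlines() if blank else []:
            name, colon, value = line.partition(":")
            if colon:
                headers[name.strip().lower()] = value.strip()
        cipher = headers.get("dek-info", "").split(",")[0].upper() or None
        proc = headers.get("proc-type", "").replace(" ", "").upper()
        if label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted"  # PKCS#8: parameters live inside the DER body
        elif proc == "4,ENCRYPTED":
            status = "weak-encryption" if cipher in WEAK_DEK_CIPHERS else "encrypted"
        else:
            status = "UNENCRYPTED"
        findings.append((label, status, cipher))
    return findings

# Constructed sample: header lines as in the article, bodies are placeholders.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
constructed-placeholder-not-key-material
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B5400D0F10CAF72B

constructed-placeholder-not-key-material
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0011223344556677

constructed-placeholder-not-key-material
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
constructed-placeholder-not-a-request
-----END CERTIFICATE REQUEST-----
"""
print(classify_private_keys(SAMPLE))
```

Run over the contents of a key directory, the "UNENCRYPTED" and "weak-encryption" results identify the files that need a passphrase added or a stronger cipher.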

Generate Certificate Signing Request (CSR)

After generating the key pair, you need the public key to be trusted by everyone. To achieve that, you generate a Certificate Signing Request (CSR) for this public key and have it signed by a Certificate Authority (CA) before it can be used. To generate a CSR, you can use the command "openssl req -new -key <key file> > <CSR file>":

openssl req -new -key www.example.com.key > www.example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:HKSAR
Locality Name (eg, city) []:Hong Kong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.
Organizational Unit Name (eg, section) []:Web Team
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123
An optional company name []:Example Ltd.

The above command asks for the information needed to generate the electronic certificate, extracts the public key from the key file, and generates a CSR. The Common Name must be filled in with the fully qualified domain name (FQDN) of the website that will use this e-cert; filling it in wrong and sending the request to the CA is a waste of money.

The resulting CSR will be placed in www.example.com.csr:

-----BEGIN CERTIFICATE REQUEST-----
(request data omitted)
-----END CERTIFICATE REQUEST-----

Simply submit this CSR file to the CA, and the CA will sign it and issue your e-cert after verifying your information.
