Windows7 installation of OpenSSL generates electronic certificates

Installation environment: Win7 64-bit, VS2013

Pre-installation: First download to http://www.openssl.org/source/ Download the latest version of openssl-1.0.2.tar.gz, extract to C: \ openssl-1.0.2

http://www.activestate.com/ActivePerl Download ActivePerl, click Install to C drive, and then execute the example.pl under directory C:\Perl64\eg on the command line,
If the results show "Hello from activeperl!", then the Perl installation is successful, you can start to use the relevant Perl commands to install OpenSSL, the preparation is done.

Use administrator privileges to open the VS2013 Command Prompt window, then enter the OpenSSL directory and follow these steps to compile:

Execute "perl Configure vc-win32 no-asm-dopenssl_use_ipv6=0" no-asm means no NASM compilation, dopenssl_use_ipv6=0 disable IPV6, avoid nmake:fatal Error U1077: ' CL ':
Return code ' 0x2 ' error;

Execute nmake-f Ms\ntdll.mak;

Check for Success, execute command: "nmake-f ms\ntdll.mak test". or "> CD Out32dll

When the compilation is complete, the library files, the dynamic link library files, the OpenSSL execution files, and the test program Openssl.exe Libeay32.dll Ssleay32.dll are generated in the \out32dll directory.

Build files [c:/usr/local/ssl, copy Openssl\apps under the OPENSSL.CNF document to the Out32dll directory, you can use OpenSSL.

Generate key pair (public-private key pair)

First you need to generate a pair of RSA key pairs (public-private key pair) that enables the command " openssl -out 私钥档案 genrsa [-des|des3|-idea] 大小 ":

Www.example.com.key -des3 2048

Generating RSA private key, 2048 bit long modulus

........................+++

..............................................................................+++

E is 65537 (0x10001)

Www.example.com.key Don ' t show my passphrase

Www.example.com.key Don ' t show my passphrase

The last parameter in the command indicates the size of the key pair to be generated, and it is recommended to use a 2048-bit security for the current computer's performance. In addition, the resulting key pair will be trides encrypted to enhance the security of the private key as a result of the join option-des3 in the command. You can also use-des or-idea instead of-DES3 to encrypt the private key instead of des or idea. (Of course, the DES encryption algorithm is weak, should never be used) the encrypted private key will be used in the times when the password will be decrypted to use, it will be more secure. If your e-cert is used in a server such as Apache htttd, enter the password once each time you start the server. Many people choose to omit the option-des3 to generate an unencrypted private key (that is, you will not be asked to enter a password, nor will the private key be encrypted):

Www.example.com.key 2048

Generating RSA private key, 2048 bit long modulus

........................+++

..............................................................................+++

E is 65537 (0x10001)

This command is almost no different from the above, but this time will not ask you to enter a password. This method of course, but every time to enter the password trouble, but if others just copy away with a private key file can be more easily to steal electronic certificates, very dangerous.

Upon completion, the new key is recorded in the Pkcs#1 PEM format in the key file Www.example.com.key (although the key header is RSA private key, which means the RSA private key, but the content contains the corresponding public key 's information):

-----BEGIN RSA PRIVATE KEY-----

Miiepaibaakcaqea5xcy3jvptzucvbqi2tzk9hkq7pvhdqf4x8did9k2z6a5w4uc

/nbywoq80egsetm/hzxj/jipwoooslv2dzx423wtm8xfv9/7nkdie1fwbvoztprn

L1kghy9rvcaknfcluu1xytclrwatrakq4yu8tir7yuvsny0cxsznx7zjszux8aoq

Sbktr3ckhjvedxpggu96tebe146mrufo1lnz42ajvvxf0u5rqntzdrjjxwjgmnq5

1xevb4inkw2zgy/bjdywcuqcgvswh+43eeou/eolpezdp8j2vzjlk/mdcdatedfq

Ayd8t3cg+ysdyj/jlsec17zd0r5kszrwyra26qidaqabaoibaqdfterib6icy4d1

Icraswv3zbb3ajmodarqch9ygrsrb5jdbahzppyho3oljocc/jgbat4w7zb5afe7

Fm+jixylibeqcnjmueuskwny/sto6lqgz4fnynhbd/21ggand3ri1puvwhelbuab

Xmyanl1scmbx8vyc6gr5bj7rdtwz6fiypovobmzv920r3znusci4kwwxz6dzwlp3

Wzfvqozd8ripdp5mwemextdepronepqua0d0ydqg+owanruuhavndu1fvj5vdwqv

K9hghj1pswjesire9pkdmcfrjyldgf36pl61ctogmyhwj7lq9zt3sqxodtxe4hsp

wfhkkby9aogbapbpkuaikdechwte5zkvyqg7w9u6h4ipyowlomfnntp5+arhq5cl

/cjnzied55tgiwgjcjtptg1qodju52kfl0rr4z1ce9drpsmy2z7hepl1pkmerooo

Wr8+frxhakonq3kro0ch5qmkbekwxxfj+zq29o+3emlar69ihpni4lwjaogbao+y

Mrieh43qb985ps23yndfl6fl69beskcniumydc6gfbng9j4hzvrppijjvdvhsqnc

Rhiuo6mvxot9atxayyx6/h00cvou5mxbee4mebpvivqaosw64eakqdsj2hinkg9u

Ltezgpzwlek9edgtmvz7lfeobgrxnsuekxjpfludaogaarkiwhd/t81whkrz0bwi

Ctnoaozimkysrt8f4dyy6n3chlt8/b7kkdec9y2x52npfg+9gcizx92kswc8anew

0197ylqlfbwcug1litaubfwzwr3lw2xsi92qfjmvc+28b8ds/u6eacc8+/sxp+ys

Bbgrhc991nh5n/qyhrfdnaccgybmh1nm1vkf+5ns/2st5qogajco1hvq9ghpipml

5r1/kkkesib5pz1dlvzzpdwzhaey2yhjeoktyhax9+hwncdvrrormwpw+mqbi8l9

33zakj/aozv0bovjzbuxzz9im5cuatdmuswr4zhy4phqa/k+oxq1h4nyxqrp1lxr

Kxajjqkbgqdvlfolgh6sn+i1f4b3/n6pogjiosqd1c1k6nyjd3e8lnl5w/wi0cfp

Sk80zkuwalrgfmpl9k/qyswc0ejaswvqgtcra0v0dvzfz4dhcoyc3shagv3lswzd

vqag4iwwf61wnbvuxbkl6xbiizu1joqb+in+ij3mp4u0y9if3vv+/w==

-----END RSA PRIVATE KEY-----

The above key is not encrypted. The encrypted key will have " Proc-Type: 4,ENCRYPTED "

-----BEGIN RSA PRIVATE KEY-----

proc-type:4,encrypted

dek-info:des-ede3-cbc,b5400d0f10caf72b

Gkxpb1n8m3cqbh3j/l5zzle9gyye+nv9+2fk7jsjzm0w+ek/aeqyne37oagrabrd

1hck0j5boh8xa5hlwxphm48cjblsfmumlvag1ftdtpozxnrblhcnwufwq9qqoa6k

Iy/efrkztx5wfxmidrokupaa1ktxnjpsajo0klo/sqws57btmkb4cwxu21p3crcy

Z1bbuphardunk2q/gj05no0arx0vsckbr/sy9tt/d/vih89zwbakmgvr3+rqlup0

lx9vhkk2s+ut+gvwypzitgrle1txhywe9plj/lzjezsbvm7m4hmnq1yoeoy95jo+

P974utg9merls84wy5t4nenn2lamwcofgotiofnfpvkan4ktew5okvhcwq+/phct

Wdionmztmaexj4xhbtutumvzvjsnhr3zzuz62kqnkwluynhtgckwzyc+5jj5dwmu

Dzyxhqj+qco4utfomkt1hxoyzuwhh6v2kes0naullxujq5d4gzkial3zb/4u83kk

0siqoidd/97s5pnskfsrztf8zzhxrfl8cgqp6iht+ti68m9t1wonsq38nxzdzlwu

Ta6vx78229dos+hiqzwryaypvc541re9zquj49avwcu1oi8jcdvxlbv7cxl/z6jb

J6pl481firicsbw4wxmfnldrlnrxa7nulmwam9dyfene0zmwjamfmntaqatz3bhq

P4rtrg9sdibnvf3hpmpy/crfwfwfe/kiw4yhodrmj6igrb+vwk7es7urafwhclzk

wsvvqnaen/22rlyhvkpn9bmuxquibpmpsp51tnxsy0sbbge1bupoxkig3ebq4w5z

Apvki2aa8gjq5uerv1ob4m3nkyejjeuwo4qv5pyqnalaeiqtckkufa4idhxoealb

Pis5bskmzwsbfrwgyy15w7lnhbhodvhhayw3bgoz0hwodakoaaxgvn1k1fo/tqna

Dctcm1ofduzqvu1cs2n/htxaoptd0xlbwqkuuq7hx2bvbifsjahnyikzxq2ylafv

Mrxpfryth1frzkuyykq6c9m0vkhl0vqbygebuqlk6mmap09uoggjkllg86roavn9

5zglc5twqnlmdqusfdvuogjvfptgdi7afyn9ags2ndgt16pgdnugqwpmzx2tp0pm

iafdi8jkqjwlydsvinfl19qytowm2sawegsgt2fg+khvtqyuubobx+fmkaxckl4r

3op6nfyfghjgitrknthrwdpzxynoyl38s6rv6cma1oq6od1o0w9qf1l4ohp1akty

Imtml39uepvtvg88b/mn8sk3lscfz5b7flnljnrgiyei8rbi9bj+tuee/wfyufqp

jm6u0fwun/rpyxambtfzgpbuk7if9lspvj/36ivyxn5occgtncuk8je8+hxeov7j

Ind+cala/rqhxghrxuqmbjpkhhbmmfph8owttexlrezo+vlxhqaxpuyfm9xamyql

Kbzzupmvi9tkezvd00oh6j1j7tr8fdcvk/ooifqqvz1sbk+jjpeiwplsu/gpnywq

Edrurysrjhocowtym4+bvq6bed4qxeiqjbyv4t3noqywxnzkotj46odacpoa5aaa

-----END RSA PRIVATE KEY-----

Generate Certificate Signing Request (CSR)

After generating the key pair, you will need to have the public key (public key) for all of the people who have the trust plus. So you need to generate this public key for the Certificate Signing Request (CSR) to be signed by a Certificate authority (CA) before it can be used. To generate a CSR, you can use the command " openssl req -new -key 金钥档案 > CSR 档案 ":

OpenSSL Req-new-key www.example.com.key > WWW.EXAMPLE.COM.CSR

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [AU]:HK

State or province name (full name) [Some-state]:HKSAR

Locality Name (eg, city) []:Hong Kong

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd.

Organizational Unit Name (eg, section) []:Web Team

Common name (e.g. server FQDN or YOUR Name) []:www.example.com

Email Address []:[email protected]

Please enter the following ' extra ' attributes

To is sent with your certificate request

A Challenge Password []:abc123

An optional company name []:Example Ltd.

The above command asks for information to generate an electronic certificate and extracts the public key from the key file and generates a CSR. The Common name must be filled in with the full name of the website that will be used for this e-cert (FQDN, qualified Domain name), and it will be a waste of money to fill in the wrong and send the CA.

The resulting CSR will be placed in the WWW.EXAMPLE.COM.CSR:

-----BEGIN CERTIFICATE REQUEST-----

Miicedccaxkcaqawgzsxczajbgnvbaytaknomq4wdaydvqqiewvis1nbujesmbag

A1uebxmjsg9uzyblb25nmruwewydvqqkewxfegftcgxliex0zc4xetapbgnvbast

cfdlyibuzwftmrgwfgydvqqdew93d3cuzxhhbxbszs5jb20xjdaibgkqhkig9w0b

Cqewfxdlym1hc3rlckblegftcgxllmnvbtcbnzanbgkqhkig9w0baqefaaobjqaw

gykcgyeaucc/gxdd1v/5kgmlr6ooqn3bhfsfuaanruzs4/jitgaw7fhkwoyzux04

auqtjeyvtfh6ttx1a0gwiswfkkqxng4jx9loqiecmnjkh/fzbvcze1inhz1mtkph

Pxwv9k6keuf6nulxfu/nswd9ey/vwuqx0pudmjynrvyi29zl1smcaweaaaa0mbug

Csqgsib3dqejbzeiewzhymmxmjmwgwyjkozihvcnaqkcmq4tdev4yw1wbgugthrk

Ljanbgkqhkig9w0baqqfaaobgqaxdevq9kuhhuf+xyhrds04+yhessmg2muc65mq

Whn9iimqzicwlcm5wtzzlamdnsxui8utyh15u0cjdeio8jebht+ddfc3bxc5luav

1tjbieb5gam+ocnjfi3stc77ldwowcqgrbaqtpo3mx84m1gunjggpky/shr3dwfn

drzq2a==

-----END CERTIFICATE REQUEST-----

Simply submit this CSR file to the CA and the CA will sign and generate your e-CERT after verifying your information.

Install OpenSSL under Windows7 to generate an electronic certificate