1. First, generate the server-side private key (key file):
Command: openssl genrsa -des3 -out server.key 1024
The command prompts for a password, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can of course choose another algorithm that you consider safe). You need to enter this password whenever the file is read (via the command or API provided by OpenSSL).
2. Generate the CSR and key on the server
Command: openssl req -new -key server.key -out server.cs
Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/
From: http://www.sinoprise.com/read.php? Tid-662-page-e-fpage-1.html (unfortunately this link has not been opened). I basically did not change it, apart from some typesetting and tidying.
References: http://www.fsf.org/licensing/licenses/
There are many open-source licenses today, and there are currently 58 open-source licenses approved by the Open Source Initiative (http://www.opensource.org/licenses/alphabetical). Common open-source
-signed certificate. The -days 365 option specifies that the certificate is valid for 365 days. A temporary CSR is generated to gather the information to associate with the certificate.
After the certificate is generated, copy the contents of domain.key and domain.crt into cert.pem, with the private key and the certificate section below.
3. Adjust the system time to the present time.
4. Check whether the certificate start and expiration times are what you expect:
openssl x509 -startdate -noout -in key.pem
How t
I learned how to use OpenSSL in Linux over the past two days. OpenSSL is an open-source encryption tool. In Linux, we can use it to build a CA to issue certificates, and as an encryption tool that can be used within an enterprise. Before introducing OpenSSL, I will first describe how to implement "Identity Authentication + Data Encryption".
For how to implement "Authentication +
Create a CA (Certificate Authority)
There are 2 main storage formats for CA certificates: X509 and PKCS12.
X509 is currently the most mainstream storage format. A certificate in X509 format mainly stores:
- The certificate's public key and validity period
- The legal owner of the certificate
- How the certificate is to be used
- Information about the CA
- The checksum of the CA signature
By default, neither the TCP/IP model nor the OSI model implements data encryption; achieving data encryption requires the use
-out ca.crt -days 3650
The generated ca.crt file is used to sign the server.csr file below.
3. How the CSR is generated
openssl req -new -key server.key -out server.csr
You need to enter the country, region, organization and email in turn. The most important field is the Common Name, where you can enter your name or a domain name. If the request is for HTTPS, this must match the domain name, otherwise it will cause browser alerts. The generated CSR file is handed to the CA to form its own certificate after the server i
. Generate the CRT for the CA
openssl req -new -x509 -key server.key -out ca.crt -days 3650
The generated ca.crt file is used to sign the server.csr file below.
3. How the CSR is generated
openssl req -new -key server.key -out server.csr
You need to enter the country, region, organization and email in turn. The most important field is the Common Name, where you can enter your name or a domain name. If the request is for HTTPS, this must match the domain name,
1. First, generate the server-side private key (key file):
openssl genrsa -des3 -out server.key 1024
2. Command to remove the key file password:
openssl rsa -in server.key -out server.key
3. Generate a server-side certificate request:
openssl req -new -key server.key -out server.csr -config /etc/ssl/openssl.cnf
4. Use the same commands to generate the key and CSR files for the client:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config /etc/ssl/openssl.cnf
5. CSR files must be
: country, province, city, company, etc.).
II. The client
1. The client uses the same commands to generate its key and CSR files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
III. Generating CA certificate files
The server.csr and client.csr files must be signed by a CA to form a certificate.
1. First generate the CA's key file:
openssl genrsa -des3 -out ca.key 1024
2. Generate the CA self-signed certificate:
openssl req -new -x509 -key ca.key -out ca.crt
You can add the certificate expiration time option "-days 3
certificate
# To prevent errors, some preparation is needed beforehand
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ../openssl.cnf
# The following prompts will then appear
Sign the certificate? [y/n]:y
# choose y
1 out of 1 certificate requests certified, commit? [y/n]y
# choose y
8. At this point you will have ca.crt, ca.key, server.crt, server.csr and server.key.
9. Send ca.crt, server.crt and server.key to the Apache configuration directory. Mine is /usr/local/apache/conf/ssl/.
10. Hey Apache's vhost directo
You can learn different Linux basics through Linux certificates. Nearly 300 IT courses are free of charge - Linux general technology - Linux technology and application information. For more information, see the following. Obtaining a Linux certificate can both learn and help with empl
Certificate
X509v3 Subject Key Identifier:
00:2c:34:0a:73:5c:1a:e6:39:48:28:6f:8f:02:f6:bc:58:6f:25:55
X509v3 Authority Key Identifier:
keyid:83:70:9d:4e:3f:39:01:3e:7a:ce:b9:2b:0e:1a:fb:00:2a:c3:11:d9
Certificate is to be certified until-08:16:25 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ca]# ls -lrt
total 8
-rw-r--r-- 1 root root 963 may 14:39 ca.key
-rw-r--r-- 1 root root 94
. The screen will prompt you step by step to enter the required personal information, such as: country, province, city, company, etc.).
II. The client
1. The client uses the same commands to generate its key and CSR files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
III. Generating CA certificate files
The server.csr and client.csr files must be signed by a CA to form a certificate.
1. First generate the CA's key file:
openssl genrsa -des3 -out ca.key 1024
2
I. Commands to configure a private CA
1. Edit the configuration file /etc/pki/tls/openssl.cnf
Change dir from "../../CA" to "/etc/pki/CA"
You can also change the default country, province and city
mkdir certs newcerts crl
touch index.txt
touch serial
echo >serial
2. Create a private key (the public key is generated from it)
In the /etc/pki/CA directory:
(umask 077; openssl genrsa 2048 > private/cakey.pem)
or
(umask 077; openssl genrsa -out private/cakey.pem 2048)
Note: The -out option needs to follow genrsa O
Here's how to generate certificates on a Linux system with the openssl command.
First, execute the following command to generate a 4,096-bit key.
The code is as follows:
openssl genrsa -des3 -out hupohost.key 4096
It will then ask you to enter a password for this key file. Entering one is not recommended, because the key will later be used for nginx. Every time reload Nginx