Building OpenSSL produces a library and a command-line program; the program bundles the cipher algorithm tests, the general-purpose openssl commands, and the ca command. With openssl and ca you can produce the certificate files for a client/server (C/S) setup and the CA files that sign them.
Steps to generate the certificate files:
First, the server
1. Generate the server-side private key (key file):
openssl genrsa -des3 -out server.key 1024
The passphrase you are prompted for encrypts the key file (the -des3 parameter selects the encryption cipher; another cipher such as AES via the -aes256 option can be used instead). Every later read of this file, whether through an openssl command or through the API, asks for the same passphrase. If you do not want one, strip it with:
openssl rsa -in server.key -out server.key
Two caveats: 1024-bit RSA is too short for any current deployment and 3DES is a legacy cipher, so outside a lab exercise use at least 2048 bits and a modern cipher; and a key file without a passphrase must be protected by file permissions so that only the service account can read it.
2. Generate the server-side certificate signing request (csr file):
openssl req -new -key server.key -out server.csr
This produces the Certificate Signing Request (CSR). The csr file is sent to the CA for signing, and the signed result is the server's own certificate. The command prompts step by step for the subject information (Country, State/Province, City, Organization, Common Name and so on); the Common Name must be the host name that clients will connect to, because that is what TLS clients check.
Second, the client
1. Generate the client key and csr file with the same commands (the client certificate is what the server verifies when it requires client authentication):
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
Third, generate the CA certificate file
The server.csr and client.csr files only become certificates once a CA has signed them, so a CA key and CA certificate are needed first.
1. Generate the CA key file:
openssl genrsa -des3 -out ca.key 1024
Keep the passphrase on this key: anyone who can read ca.key can issue certificates that every client and server trusting ca.crt will accept.
2. Generate the CA self-signed certificate:
openssl req -new -x509 -key ca.key -out ca.crt
You can set the certificate lifetime with the "-days 365" option; without it, openssl req -x509 issues a certificate valid for only 30 days.
Fourth, signing with the CA certificate
Sign server.csr and client.csr with the CA generated above. The CA.pl script shipped with openssl (in the apps directory) can set up the working directory that the openssl ca command expects.
1. Run CA.pl -newca. When it prompts for an existing CA certificate file, enter the ca.crt certificate file generated above:
CA.pl -newca
Note that the CA.pl versions that accept an existing file copy both the PRIVATE KEY and the CERTIFICATE blocks out of it into demoCA/private/cakey.pem and demoCA/cacert.pem, so it expects a file containing both; ca.crt alone supplies only the certificate. This does not matter for the commands below, which pass -cert and -keyfile explicitly. What the ca command really needs from this step is the demoCA directory layout: an empty database file demoCA/index.txt, a serial-number file demoCA/serial, and the demoCA/newcerts directory where a copy of every issued certificate is stored. These can also be created by hand.
2. Generate the server certificate file:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
3. Generate the client certificate file:
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl.cnf must be in the current directory, because openssl ca reads its [ ca ] section (default_ca, database, serial and policy settings) from it; the file can be found in the apps directory. With the stock configuration the default policy is policy_match, which requires the Country, State/Province and Organization fields of each CSR to match those of the CA certificate; a CSR whose fields differ is rejected until either the CSR is regenerated or the policy is changed.
Fifth, possible errors
Error 1:
Error loading the config file 'openssl.cnf'
Solution: locate the configuration file and copy it into the working directory:
find . -name "openssl.c*"
cp /usr/local/ssl/openssl.cnf ./
Error 2:
Solution (the serial-number file that openssl ca keeps under demoCA is missing):
touch demoCA/serial
echo "00" > demoCA/serial
The serial file holds the hexadecimal serial number of the next certificate; openssl ca increments it after each signing. The empty database file demoCA/index.txt and the demoCA/newcerts directory must exist as well, for the same reason.
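The whole procedure above (First through Fourth) run end to end without interactive prompts, together with the demoCA files whose absence causes Error 2. This is an added example, not a script from the original page or from the OpenSSL project: the subject names, host names, passphrase, 2048-bit key size and the minimal openssl.cnf it writes are assumptions made for the demonstration, and it works in a fresh temporary directory so nothing on the page's layout is overwritten.

```shell
#!/bin/sh
# Added example (not from the original page): CA, server and client
# certificates issued non-interactively with openssl genrsa / req / ca.
# Assumptions: the subjects, host names, passphrase and 2048-bit keys.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'openssl not installed; nothing to do' >&2; exit 0; }

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# Minimal openssl.cnf. The [ ca ] part is the subset of apps/openssl.cnf that
# openssl ca needs; the [ req ] part lets openssl req run without a system
# config. Subject fields come from -subj, so nothing is prompted for.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = end_entity
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ end_entity ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

CA_PASS='pass:ca-key-passphrase-example'   # assumption: demo passphrase only

# The directory layout CA.pl -newca would create. index.txt and serial are
# the files behind "Error 2"; newcerts receives a copy of every issued cert.
setup_ca_dir() {
    mkdir -p demoCA/newcerts demoCA/private
    : > demoCA/index.txt
    echo 01 > demoCA/serial
}

# Third: encrypted CA key and a self-signed CA certificate marked CA:TRUE.
make_ca() {
    openssl genrsa -aes256 -passout "$CA_PASS" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -passin "$CA_PASS" -days 365 \
        -config openssl.cnf -extensions v3_ca \
        -subj "/C=US/ST=CA/O=Example Lab/CN=Example Lab Root CA" -out ca.crt
}

# First / Second: unencrypted key plus CSR for one end entity.
# $1 = file base name, $2 = Common Name. C/ST/O match the CA so that
# policy_match accepts the request.
make_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    chmod 600 "$1.key"
    openssl req -new -key "$1.key" -config openssl.cnf \
        -subj "/C=US/ST=CA/O=Example Lab/CN=$2" -out "$1.csr"
}

# Fourth, 2./3.: sign a CSR with the CA. -batch answers the y/n prompts.
sign_csr() {
    openssl ca -batch -notext -config openssl.cnf -cert ca.crt -keyfile ca.key \
        -passin "$CA_PASS" -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# Returns 0 only if $1.crt chains to ca.crt (what a peer will check).
verify_cert() {
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
}

# Subject Common Name of an issued certificate (works with both the
# "CN = x" and the "/CN=x" subject formats openssl prints).
cert_cn() {
    openssl x509 -in "$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

setup_ca_dir
make_ca
make_csr server server.example.test
make_csr client client01
sign_csr server
sign_csr client
verify_cert server && verify_cert client \
    && echo "issued in $WORKDIR: $(cert_cn server), $(cert_cn client)"
```

After it runs, demoCA/index.txt lists both issued certificates and demoCA/serial has advanced to 03; changing the client's O= field to something other than "Example Lab" makes sign_csr fail with a policy_match error, which is the quickest way to see why the page insists on openssl.cnf being present.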