1. openssl genrsa -out key.pem 1024
2. openssl req -new -key key.pem -config /etc/ssl/openssl.cnf -out request.pem
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.test.com
Organizational Unit Name (eg, section) []:test.cn
Common Name (eg, YOUR name) []:zhangsan
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test2011
An optional company name []:test_company
3. openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
   (signs the request with its own key, i.e. a self-signed certificate; 9999 days is fine for a local test but not for anything deployed)
4. openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
   (-nocrypt writes the PKCS#8 key unencrypted; restrict the file's permissions or drop -nocrypt to be prompted for a pass phrase)
Note: the 1024-bit RSA keys used throughout these notes are below current minimums; use 2048 bits or more for anything other than a throwaway test.
======================================================================
mutual CA authentication steps (main certificate and key creation procedure)
1. Creating the CA Key and Certificate
The general process for creating a certificate includes:
1.1 Creating a private key
openssl genrsa -out CA.key 1024
1.2 Creating a certificate request
openssl req -new -key CA.key -out CA.csr -config ..\openssl.cnf
Loading 'screen' into random state - done
(CA.key was generated without -aes128/-des3, so openssl req does not ask for a pass phrase at this step.)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn
1.3 Creating and signing a certificate from the certificate request
openssl x509 -req -days 3650 -in CA.csr -out CA.crt -signkey CA.key
Caveat: openssl x509 -req adds no extensions unless you pass -extfile (and -extensions), so CA.crt comes out as a version 1 certificate with neither basicConstraints CA:TRUE nor a Subject Key Identifier. OpenSSL still accepts a self-signed v1 certificate as a trust anchor, which is why the steps below work, but other TLS stacks may reject it, and the Authority Key Identifier of the server certificate in step 3.3 falls back to DirName + serial precisely because the CA certificate has no key identifier to point at. For a CA you intend to deploy, either sign with -extfile pointing at a section that sets basicConstraints = critical, CA:TRUE and keyUsage = keyCertSign, cRLSign, or skip the CSR round-trip and create the CA certificate in one step with the -x509 option of openssl req together with such an extensions section (the stock openssl.cnf ships one named v3_ca).
2. Verifying the CA certificate contents (optional)
At this point we have our self-signed CA certificate and our CA key, which will be
used to sign the web server and client certificates that we create. To verify the
certificate contents, use the following command:
openssl x509 -in CA.crt -text
3. Creating a Web Server Certificate
3.1 The procedure for creating a web server certificate is
similar to that for creating the CA certificate except
that the web server certificate will be signed using
the CA key rather than self-signing with a web
server-specific key.
Command:
openssl genrsa -aes128 -out Server.key 1024
and enter a pass phrase when prompted (-aes128 encrypts the key file with that pass phrase, which is why the following steps ask for it again)
3.2 Next, create the web server certificate request for the private key.
When prompted for the pass phrase for the keys, enter the pass
phrase that you used for the private key.
Command:
openssl req -new -key Server.key -out Server.csr -config ..\openssl.cnf
Enter pass phrase for Server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn
3.3 Then, sign the web server certificate with the CA key
Command:
openssl ca -days 3650 -in Server.csr -cert CA.crt -keyfile CA.key -out Server.crt -config ..\openssl.cnf
notes:
openssl ca keeps a small database on disk, so the directory layout named in the [ CA_default ] section of openssl.cnf has to exist before the command is run.
First, edit conf/openssl.cnf and set dir = ../DemoCA, because the command above is run from conf/ssl.
Then create the DemoCA directory under conf, and inside DemoCA create the certs, crl and newcerts directories.
Finally create an empty index.txt file and a serial file containing 01 in DemoCA (openssl ca increments the serial file after each certificate it signs).
Using configuration from ..\openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Dec 30 07:26:14 2011 GMT
        Not After : Dec 27 07:26:14 2021 GMT
    Subject:
        countryName            = CN
        stateOrProvinceName    = Beijing
        organizationName       = yuvad
        organizationalUnitName = yuvadbj
        commonName             = yuv
        emailAddress           = [email protected]
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            F8:7E:C4:9B:2E:8E:B4:DB:48:97:00:97:66:9A:D9:10:93:2A:B8:2B
        X509v3 Authority Key Identifier:
            DirName:/C=CN/ST=Beijing/L=Beijing/O=yuvad/OU=yuvadbj/CN=yuv/ema
            [email protected]
            serial:B4:EE:50:3B:C9:D1:7A:9C
Certificate is to be certified until Dec 27 07:26:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3.4 To verify the web server certificate contents, use the following command (optional)
openssl x509 -in Server.crt -text
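The whole procedure on this page, from the four commands at the top through step 3.4, as one non-interactive script. This is an added example, not code from the original notes: it writes its own minimal openssl.cnf (so the dir / index.txt / serial / newcerts setup from the notes in 3.3 is done by the script), creates the CA in one step with CA:TRUE and a Subject Key Identifier, issues a CA-signed server certificate and, for the other side of mutual authentication, a client certificate, exports the server key as unencrypted PKCS#8 DER as in step 4 of the first section, and checks both leaves against the CA with openssl verify. The CA subject, the subjectAltName www.test.com, the pass phrase hello for the server key and the 2048-bit key size are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original notes: the procedure above (CA,
# CA-signed server cert, PKCS#8 export, plus the client cert mutual auth needs)
# as a non-interactive script with its own openssl.cnf. Assumed values that are
# not on the page: the CA subject, SAN www.test.com, pass phrase "hello" for the
# server key, and 2048-bit keys instead of 1024.
set -e

write_config() {   # $1 = work dir; "dir" is set to it, like dir = ../DemoCA above
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
default_md    = sha256
policy        = policy_loose
[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = unused
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.test.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

build_pki() {      # $1 = work dir (created if missing)
  dir=$1
  mkdir -p "$dir/newcerts" "$dir/certs" "$dir/crl"
  : > "$dir/index.txt"          # empty database, as the notes require
  echo 01 > "$dir/serial"       # first serial number
  write_config "$dir"
  # Step 1: CA key and self-signed CA cert. "req -x509 -extensions v3_ca" replaces
  # the CSR + "x509 -req -signkey" round-trip so the root gets CA:TRUE and an SKID.
  openssl genrsa -out "$dir/CA.key" 2048
  openssl req -new -x509 -key "$dir/CA.key" -days 3650 -config "$dir/openssl.cnf" \
    -extensions v3_ca -subj "/C=CN/O=yuvad/CN=yuvad test CA" -out "$dir/CA.crt"
  # Step 3: pass-phrase protected server key, CSR, certificate signed by the CA.
  openssl genrsa -aes128 -passout pass:hello -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -passin pass:hello -config "$dir/openssl.cnf" \
    -subj "/C=CN/O=yuvad/CN=www.test.com" -out "$dir/server.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions server_cert -days 365 \
    -cert "$dir/CA.crt" -keyfile "$dir/CA.key" -in "$dir/server.csr" -out "$dir/server.crt"
  # First section, step 4: unencrypted PKCS#8 DER copy of the server key (-nocrypt).
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -passin pass:hello \
    -in "$dir/server.key" -out "$dir/server.pk8"
  # Client certificate: the other half of mutual authentication.
  openssl genrsa -out "$dir/client.key" 2048
  openssl req -new -key "$dir/client.key" -config "$dir/openssl.cnf" \
    -subj "/C=CN/O=yuvad/CN=zhangsan" -out "$dir/client.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -extensions client_cert -days 365 \
    -cert "$dir/CA.crt" -keyfile "$dir/CA.key" -in "$dir/client.csr" -out "$dir/client.crt"
}

ca_flag() {        # $1 = certificate; prints the Basic Constraints value CA:TRUE/CA:FALSE
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *\(CA:[A-Z]*\).*/\1/p'
}

verify_leaf() {    # $1 = work dir, $2 = server|client, $3 = sslserver|sslclient
  openssl verify -CAfile "$1/CA.crt" -purpose "$3" "$1/$2.crt"
}

# Usage: sh make_pki.sh /path/to/workdir
if [ $# -gt 0 ]; then
  build_pki "$1"
  ca_flag "$1/CA.crt"                 # expect CA:TRUE
  verify_leaf "$1" server sslserver   # expect server.crt: OK
  verify_leaf "$1" client sslclient   # expect client.crt: OK
fi
```

Run it as sh make_pki.sh ./demo. The -purpose checks matter for mutual authentication: the client certificate carries only the clientAuth extended key usage, so openssl verify -purpose sslserver rejects it, which is the behaviour you want when the same CA issues both kinds of certificate. To exercise the result end to end, start openssl s_server -accept 4433 -cert demo/server.crt -key demo/server.key -pass pass:hello -CAfile demo/CA.crt -Verify 1 and connect with openssl s_client -connect localhost:4433 -cert demo/client.crt -key demo/client.key -CAfile demo/CA.crt; with -Verify (capital V) the server refuses any client that does not present a certificate chaining to CA.crt.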