How to generate CA certificate
In general, if you already have a usable certificate you can use it directly. The browser will warn that the certificate is invalid when some of its fields are wrong or do not match the host it is deployed on, but that does not stop it from working.

You need to generate certificates yourself when:

No usable certificate can be found.

Two-way (mutual) SSL must be configured but the client certificate is missing.

The certificate must be customized in some special way.

Whichever you use, Linux or Cygwin under Windows, first confirm that the OpenSSL package is installed before running the steps below.

1. Create the root certificate key file root.key (this is your own CA):

openssl genrsa -des3 -out root.key

Without an explicit key size, older OpenSSL releases fall back to a 512-bit modulus, as the output below shows; pass a size of at least 2048 as the last argument (step 4 does so for the server key).

The output is:

[Lenin@archer ~]$ openssl genrsa -des3 -out root.key

Generating RSA private key, 512 bit long modulus

...............++++++++++++

..++++++++++++

e is 65537 (0x10001)

Enter pass phrase for root.key: ← enter a new passphrase

Verifying - Enter pass phrase for root.key: ← enter the passphrase again

2. Create the certificate signing request root.csr for the root certificate:

openssl req -new -key root.key -out root.csr

The output is:

[Lenin@archer ~]$ openssl req -new -key root.key -out root.csr

Enter pass phrase for root.key: ← enter the passphrase created in step 1

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN ← country code; CN for China

State or Province Name (full name) [Some-State]:BeiJing ← province, full name in pinyin

Locality Name (eg, city) []:BeiJing ← city, full name in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Corp. ← your company's English name

Organizational Unit Name (eg, section) []: ← optional

Common Name (eg, YOUR name) []: ← leave empty for the root certificate

Email Address []:admin@mycompany.com ← any e-mail address

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← can be left blank

An optional company name []: ← can be left blank

3. Create the root certificate root.crt, valid for ten years from today:

openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt

Two caveats for this command. openssl x509 only reads extension sections from a file given with -extfile, so -extensions v3_ca on its own is silently ignored and root.crt is issued without the basicConstraints CA:TRUE extension that many TLS stacks require before they accept a certificate as a CA; pass -extfile with a section that defines it (or create the root with openssl req -x509 and a config file). SHA-1 signatures are deprecated; use -sha256 instead of -sha1.

The output is:

[Lenin@archer ~]$ openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt

Signature ok

subject=/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./emailAddress=admin@mycompany.com

Getting Private key

Enter pass phrase for root.key: ← enter the passphrase created in step 1

4. Create the server certificate key server.key:

openssl genrsa -des3 -out server.key 2048

The output is:

[Lenin@archer ~]$ openssl genrsa -out server.key 2048

Generating RSA private key, 2048 bit long modulus

....+++

..............................................+++

e is 65537 (0x10001)

While the command runs you are asked for a passphrase, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can choose another one you consider secure, such as -aes256). From then on, every read of this file (through OpenSSL commands or its API) requires the passphrase. If that is inconvenient you can strip the passphrase, but then the file must be protected in some other way, such as strict file permissions on the host.

The command that removes the passphrase from the key file (it overwrites server.key with the unencrypted key):

openssl rsa -in server.key -out server.key

5. Create the certificate signing request server.csr for the server certificate:

openssl req -new -key server.key -out server.csr

The output is:

[Lenin@archer ~]$ openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN ← country code; CN for China

State or Province Name (full name) [Some-State]:BeiJing ← province, full name in pinyin

Locality Name (eg, city) []:BeiJing ← city, full name in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Corp. ← your company's English name

Organizational Unit Name (eg, section) []: ← optional

Common Name (eg, YOUR name) []:www.mycompany.com ← the server host name. If it does not match, the browser reports the certificate as invalid, although the connection still works once the warning is accepted. Current browsers match the host name against the subjectAltName extension rather than the CN, so a certificate that carries only a CN triggers the same warning.

Email Address []:admin@mycompany.com ← any e-mail address

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← can be left blank

An optional company name []: ← can be left blank

6. Create the server certificate server.crt, valid for two years from today:

openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt

As in step 3, -extensions v3_req takes effect only together with -extfile, and -sha256 should replace -sha1.

The output is:

[Lenin@archer ~]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt

Signature ok

subject=/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com

Getting CA Private Key

Enter pass phrase for root.key: ← enter the passphrase created in step 1

7. Create the client certificate key file client.key:

openssl genrsa -des3 -out client.key 2048

The output is:

[Lenin@archer ~]$ openssl genrsa -des3 -out client.key 2048

Generating RSA private key, 2048 bit long modulus

.......................................................................+++

...........................................................................................+++

e is 65537 (0x10001)

Enter pass phrase for client.key: ← enter a new passphrase

Verifying - Enter pass phrase for client.key: ← enter the passphrase again

8. Create the certificate signing request client.csr for the client certificate:

openssl req -new -key client.key -out client.csr

The output is:

[Lenin@archer ~]$ openssl req -new -key client.key -out client.csr

Enter pass phrase for client.key: ← enter the passphrase created in step 7

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN ← country code; CN for China

State or Province Name (full name) [Some-State]:BeiJing ← province, full name in pinyin

Locality Name (eg, city) []:BeiJing ← city, full name in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany Corp. ← your company's English name

Organizational Unit Name (eg, section) []: ← optional

Common Name (eg, YOUR name) []:Lenin ← your name in English; any value is acceptable

Email Address []:admin@mycompany.com ← any e-mail address

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← can be left blank

An optional company name []: ← can be left blank

9. Create the client certificate client.crt, valid for two years from today:

openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt

The caveats of step 6 apply here as well (-extfile is needed for the extensions, -sha256 should replace -sha1).

The output is:

[Lenin@archer ~]$ openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in client.csr -out client.crt

Signature ok

subject=/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./CN=www.mycompany.com/emailAddress=admin@mycompany.com

Getting CA Private Key

Enter pass phrase for root.key: ← enter the passphrase created in step 1

10. Merge the client certificate client.crt and its key client.key into the client installation package client.pfx (PKCS#12):

openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx

The output is:

[Lenin@archer ~]$ openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx

Enter pass phrase for client.key: ← enter the passphrase created in step 7

Enter Export Password: ← enter a new password; it protects the client certificate and is required when the client imports it

Verifying - Enter Export Password: ← confirm the password

11. Keep the generated files for later use: server.crt and server.key are the files used when configuring one-way SSL, client.crt is the file used when configuring two-way SSL, and client.pfx is the file the client installs for two-way SSL.

The .crt and .key files can also be merged into a single .pem file: simply concatenate the two files.

Reference: /s/blog_4fd50c390101891c.html

X.509 certificates generally involve three kinds of files: key, csr and crt.

key is the private key in OpenSSL (PEM) format, usually an RSA key.

csr is the certificate signing request used to apply for a certificate. When the csr is created it is signed with your own private key; the key itself can optionally be protected with a passphrase.

crt is the certificate issued after the CA has verified the request (on Windows it is likewise a crt file); the issuer signs it with its own key.

1. Generating the key

openssl genrsa -des3 -out server.key 2048

This generates an RSA private key in OpenSSL format, encrypted with des3, with a 2048-bit modulus; server.key is the file name. You are asked for a passphrase of at least four characters. A key without a passphrase can be produced as follows:

openssl rsa -in server.key -out server.key

server.key is then the passphrase-free version.

2. Generating the CA's crt

openssl req -new -x509 -key server.key -out ca.crt -days 3650

The generated ca.crt is used to sign the server.csr created below. With the stock openssl.cnf, req -x509 adds the v3_ca extensions (basicConstraints CA:TRUE) to this self-signed certificate. Note that this recipe reuses server.key as the CA key; in practice give the CA its own key, so that a compromised server key does not also allow certificates to be issued.

3. Generating the csr

openssl req -new -key server.key -out server.csr

You are asked for country, region, organization and e-mail. The most important field is the Common Name: write your name or the domain name. For an HTTPS certificate it must match the domain name (and current browsers additionally require the name in the subjectAltName extension), otherwise the browser raises a warning. The csr is handed to the CA for signing, which produces the server's own certificate.

4. Generating the crt

The csr must be signed by a CA to become a certificate. You can send it to Verisign or a similar commercial CA for validation, which costs a lot of money, so why not run your own CA?

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

After the key's passphrase is entered, the certificate is written. -CA names the CA certificate that signs the request, -CAkey the CA's private key, -CAserial the serial number file, and -CAcreateserial creates that file automatically when it does not exist.

The result is the private key server.key and the self-issued SSL certificate server.crt.

Certificate merge:

cat server.key server.crt > server.pem
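As an added example (not the article's own commands and not taken from any project), the following POSIX shell script runs the whole chain of steps 1 to 10 above, and the shorter key/CA/csr/crt recipe just given, non-interactively and with the pieces those recipes leave out: a dedicated CA key, basicConstraints CA:TRUE on the root, a subjectAltName on the server certificate, a clientAuth certificate, and an openssl verify at the end. File names follow the page; the DN values, SAN names, the extension file ext.cnf and the "pass:..." passphrases are constructed for the demo. It assumes an openssl 1.1.x or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example: the root CA -> server -> client chain from the article,
# run non-interactively with the extensions that "openssl x509 -req
# -extensions ..." only applies when an -extfile is given. DN values,
# SAN names and pass: passphrases are constructed demo data.
set -e

# make_pki DIR: builds root.key/root.crt, server.key/server.crt,
# client.key/client.crt/client.pfx inside DIR and verifies both leaf
# certificates against the root. Runs in a subshell so the caller's cwd
# is untouched; returns non-zero if any step or the final verify fails.
make_pki() (
    mkdir -p "$1" && cd "$1"

    # [req] is the minimum "openssl req" needs when the DN comes from -subj;
    # the v3_* sections are what the page's v3_ca / v3_req flags should load.
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mycompany.com, DNS:mycompany.com
authorityKeyIdentifier = keyid

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

    # Steps 1-3: root CA. A dedicated 4096-bit key (never the server key),
    # AES-256 instead of des3, SHA-256 instead of SHA-1, and -extfile so the
    # CA:TRUE constraint really lands in root.crt.
    openssl genrsa -aes256 -passout pass:RootDemoPass -out root.key 4096
    openssl req -new -config ext.cnf -key root.key -passin pass:RootDemoPass \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./CN=mycompany Root CA" \
        -out root.csr
    openssl x509 -req -days 3650 -sha256 -extfile ext.cnf -extensions v3_ca \
        -signkey root.key -passin pass:RootDemoPass -in root.csr -out root.crt

    # Steps 4-6: server key without a passphrase (as after "openssl rsa"),
    # CSR, then signature by the root with a SAN that matches the host name.
    openssl genrsa -out server.key 2048
    openssl req -new -config ext.cnf -key server.key \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./CN=www.mycompany.com" \
        -out server.csr
    openssl x509 -req -days 730 -sha256 -extfile ext.cnf -extensions v3_server \
        -CA root.crt -CAkey root.key -passin pass:RootDemoPass -CAcreateserial \
        -in server.csr -out server.crt

    # Steps 7-10: passphrase-protected client key, CSR, clientAuth certificate,
    # and the PKCS#12 bundle the browser imports (separate export password).
    openssl genrsa -aes256 -passout pass:ClientDemoPass -out client.key 2048
    openssl req -new -config ext.cnf -key client.key -passin pass:ClientDemoPass \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=mycompany Corp./CN=Lenin" \
        -out client.csr
    openssl x509 -req -days 730 -sha256 -extfile ext.cnf -extensions v3_client \
        -CA root.crt -CAkey root.key -passin pass:RootDemoPass -CAcreateserial \
        -in client.csr -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key \
        -passin pass:ClientDemoPass -passout pass:ExportDemoPass -out client.pfx

    # The check the article never runs: chain, purpose and host name.
    openssl verify -CAfile root.crt -purpose sslserver \
        -verify_hostname www.mycompany.com server.crt
    openssl verify -CAfile root.crt -purpose sslclient client.crt
)

# cert_is_ca FILE: exit 0 if FILE carries basicConstraints CA:TRUE, else 1.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# cert_has_san FILE NAME: exit 0 if DNS:NAME is in FILE's subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone use: sh make_pki.sh DIR builds the demo PKI in DIR.
if [ $# -eq 1 ]; then
    make_pki "$1"
fi
```

Run it as sh make_pki.sh demo-pki and inspect the result with openssl x509 -in demo-pki/root.crt -noout -text. The -passin/-passout pass: arguments exist only to make the demo non-interactive; in real use drop them and let openssl prompt, because a literal passphrase on the command line ends up in shell history and is visible to other users in the process list. The two verify calls are the part worth keeping in any certificate-generation procedure: they fail on a root without CA:TRUE, a server certificate without a matching SAN, and a client certificate without clientAuth, which are exactly the defects the page's original commands produce silently.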