Generate OpenSSL certificates in Linux environment

1. Environment: CentOS 7, OpenSSL 1.1.1k.

2. Concept:

Root certificate: the basis for issuing server certificates and client certificates. It is self-signed and acts as the CA certificate.

Server certificate: issued by the root certificate and configured on the server.

Client certificate: issued by the root certificate and configured on the client. It can also be configured on a web server and installed on a browser.

Symmetric encryption: A file is encrypted with a password, and then the same password is used to decrypt it.

Asymmetric encryption: one key is used for encryption and a different key is used for decryption. There are two cases:

When used to encrypt data: public key encryption, private key decryption

When used for file signing: private key signature, public key signature verification

3. Steps:

1. View the openssl configuration file openssl.cnf

vim /etc/pki/tls/openssl.cnf

2. Create the directory and files required for the root certificate CA

cd /etc/pki/CA

# Create the directories and files required by the configuration file
mkdir -pv {certs,crl,newcerts,private}

touch {serial,index.txt}

3. Indicate the starting number of the certificate

echo 01 >> serial

4. Generate root certificate

# Generate CA private key (ca.key)
openssl genrsa -des3 -out ca.key 2048 
# Generate CA certificate signing request (ca.csr)
openssl req -new -key ca.key -out ca.csr
# Generate a self-signed CA certificate (ca.crt)
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

5. Generate server certificate

# Generate server private key (server.key)
openssl genrsa -des3 -out server.key 2048 
# Generate server certificate signing request (server.csr)
openssl req -new -key server.key -out server.csr
# Use the CA certificate to sign the server CSR to generate the server certificate (server.crt)
openssl ca -days 3650 -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

6. Generate client certificate

# Generate client private key (client.key)
openssl genrsa -des3 -out client.key 2048
# Generate client certificate signing request (client.csr)
openssl req -new -key client.key -out client.csr
# Use the CA certificate to sign the client CSR to generate the client certificate (client.crt)
openssl ca -days 3650 -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

7. View the certificate content

openssl x509 -in server.crt -noout -text

8. Convert crt to pem

openssl x509 -in ca.crt -out ca.pem -outform PEM

openssl x509 -in server.crt -out server.pem -outform PEM

openssl x509 -in client.crt -out client.pem -outform PEM

9. Remove the pass phrase from the private keys

openssl rsa -in server.key -out serverkey.pem

openssl rsa -in client.key -out clientkey.pem
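
A non-interactive rehearsal of steps 2 to 9, added here as an example and not part of the original article. It works in a scratch directory with a constructed ca.cnf, subjects and pass phrase, sets basicConstraints CA:TRUE on the root (the article's command does not), and then checks that each certificate chains to the root and matches its stripped key. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: subjects, pass phrase and ca.cnf are constructed for the demo;
# everything happens in a scratch directory, nothing under /etc/pki is touched.
PKI_PASS='pass:demo-only'   # throwaway pass phrase for the demo keys

pki_issue() {  # $1 = file prefix, $2 = commonName (steps 5, 6 and 9)
  openssl genrsa -des3 -passout "$PKI_PASS" -out "$1.key" 2048 &&
  openssl req -new -config ca.cnf -key "$1.key" -passin "$PKI_PASS" \
    -subj "/C=US/O=Demo Org/CN=$2" -out "$1.csr" &&
  openssl ca -batch -config ca.cnf -days 3650 -in "$1.csr" -out "$1.crt" \
    -cert ca.crt -keyfile ca.key -passin "$PKI_PASS" &&
  (umask 077; openssl rsa -in "$1.key" -passin "$PKI_PASS" -out "$1key.pem")
}

pki_build() {  # $1 = empty scratch directory; leaves the shell inside it
  cd "$1" || return 1
  mkdir -p certs crl newcerts private && touch index.txt && echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -des3 -passout "$PKI_PASS" -out ca.key 2048 &&
  openssl req -new -config ca.cnf -key ca.key -passin "$PKI_PASS" \
    -subj '/C=US/O=Demo Org/CN=Demo Root CA' -out ca.csr &&
  openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -passin "$PKI_PASS" \
    -extfile ca.cnf -extensions v3_ca -out ca.crt &&
  pki_issue server server.example.test && pki_issue client demo-client
}

pki_check() {  # $1 = file prefix; run from the scratch directory
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null || return 1   # chain to our root
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1key.pem" -pubout)" ] || return 2       # key matches cert
  ! grep -q ENCRYPTED "$1key.pem"   # step 9 output carries no pass phrase
}
```

Run pki_build "$(mktemp -d)" and then pki_check server and pki_check client. Under policy_match, a CSR whose countryName or organizationName differs from the CA's is refused by openssl ca, and the stripped key files are written with umask 077 because they are no longer protected by a pass phrase.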

The generated certificate list:
