OpenSSL self signed CA certificate and issuing server / client certificate
2022-04-22 06:24:00 【bglmmz】
There are many tutorials for this on the Internet, but I find their procedures complicated, and some of the certificates they produce do not work. This post introduces a simple method. It assumes openssl is installed, you have sudo privileges, and the directory /ope/ca exists; all commands below are run in that directory.
1. Preparation. The certificates we issue are not necessarily used with a domain name, and the server may be deployed at any IP address, so first prepare an extension configuration file for the certificate, named server-ext.cnf. Generate it directly with echo:
echo "subjectAltName=DNS:*.demo.com,IP:0.0.0.0" > server-ext.cnf
The file then contains:
subjectAltName=DNS:platon.com,IP:0.0.0.0
2. Generate the CA private key and self-sign the CA certificate
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=Demo CA ROOT/CN=*.demo.com/[email protected]"
You can inspect the newly generated CA certificate:
openssl x509 -in ca-cert.pem -noout -text
3. Generate the server private key and a certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=MyServer/CN=*.demo.com/[email protected]"
4. Sign the server's CSR with the CA private key to produce the signed server certificate
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
Again, you can view the newly generated server certificate:
openssl x509 -in server-cert.pem -noout -text
If only the client needs to verify the server's certificate (one-way authentication), you are done here: just configure the server certificate on the server.
If the server must also verify the client's certificate, a client certificate has to be generated as well. In this example, all clients share the same certificate.
5. Following the same process as for the server certificate, generate the client private key and a certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=MyApp/CN=*.platon.com/[email protected]"
6. Sign the client's CSR with the CA private key to produce the signed client certificate; the same server-ext.cnf file is used here too
openssl x509 -req -in client-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile server-ext.cnf
Again, you can view the newly generated client certificate:
openssl x509 -in client-cert.pem -noout -text
Summary: you can put the commands above into a shell script, such as gen_certs.sh. Before running it, prepare the server-ext.cnf file first, then open gen_certs.sh and change the subj values to what you need.
#!/bin/sh
# Stop at the first failing command so a later step never signs with a missing key
set -e
# 1. Generate CA's private key and self-signed certificate
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=Demo CA ROOT/CN=*.demo.com/[email protected]"
echo "CA's self-signed certificate"
openssl x509 -in ca-cert.pem -noout -text
# 2. Generate server's private key and certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=MyServer/CN=*.demo.com/[email protected]"
# 3. Use CA's private key to sign server's CSR and get back the signed certificate
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
echo "Server's signed certificate"
openssl x509 -in server-cert.pem -noout -text
# 4. Generate client's private key and certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=Demo, Ltd./OU=MyApp/CN=*.platon.com/[email protected]"
# 5. Use CA's private key to sign client's CSR and get back the signed certificate
openssl x509 -req -in client-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile server-ext.cnf
echo "Client's signed certificate"
openssl x509 -in client-cert.pem -noout -text
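As an added example (not part of the original post), the script below repeats the steps above in a scratch directory and then runs the check a practitioner wants afterwards: openssl verify of both leaf certificates against the CA, and a grep confirming that the subjectAltName from server-ext.cnf ended up in the server certificate. It assumes openssl is on PATH, uses 2048-bit keys and constructed sample subjects for speed and brevity, and, unlike the post, signs the client certificate without the server's SAN file, since a client certificate does not need those names.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the CA / server / client chain
# from the post in a scratch directory and verifies the result with openssl.
# Assumptions: openssl on PATH; 2048-bit keys (the post uses 4096) only for speed;
# subject fields are constructed sample values modelled on the post's.
set -eu

gen_chain() {
    dir=$1
    mkdir -p "$dir"
    echo "subjectAltName=DNS:*.demo.com,IP:0.0.0.0" > "$dir/server-ext.cnf"
    # 1. CA private key and self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "/C=CN/O=Demo, Ltd./OU=Demo CA ROOT/CN=Demo Root CA" 2>/dev/null
    # 2. Server key + CSR, 3. signed by the CA with the SAN extension file
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" \
        -subj "/C=CN/O=Demo, Ltd./OU=MyServer/CN=*.demo.com" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" -extfile "$dir/server-ext.cnf" 2>/dev/null
    # 4. Client key + CSR, 5. signed by the same CA (no server SAN file needed)
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" \
        -subj "/C=CN/O=Demo, Ltd./OU=MyApp/CN=demo-client" 2>/dev/null
    openssl x509 -req -in "$dir/client-req.pem" -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Exit status 0 when the leaf certificate chains to ca-cert.pem.
verify_leaf() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$2" >/dev/null 2>&1
}

# Exit status 0 when server-cert.pem carries the SAN from server-ext.cnf.
has_server_san() {
    openssl x509 -in "$1/server-cert.pem" -noout -text | grep -q 'DNS:\*\.demo\.com'
}

# Run this file with the argument "demo" to build and check a chain in a temp dir.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    gen_chain "$work"
    verify_leaf "$work" server-cert.pem && verify_leaf "$work" client-cert.pem \
        && has_server_san "$work" && echo "chain OK in $work"
fi
```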
Copyright notice
This article was written by [bglmmz]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/04/202204220548530816.html