
Create Security Certificates using OpenSSL

Latest reply: Aug 1, 2022 05:46:24

Hello, everyone!

Today, I want to share with you how to create a security certificate using OpenSSL.


OpenSSL is a third-party command-line tool used to generate keys and manage certificates.

Applying for a Security Certificate Using the CA Center

1. Generating RSA Private Keys.

openssl genrsa -out private-olive.key 2048
  • -out private-olive.key: saves the generated private key to the private-olive.key file.

  • 2048 indicates the length, in bits, of the private key to be generated.

Note: After the command is executed, enter the password for protecting the private key file. Generally, the password contains a maximum of six characters.

2. Request to issue a certificate.

openssl req -new -x509 -days 3650 -key private-olive.key -out public-olive.csr
  • -new: generates a new certificate request.

  • -x509: outputs a self-signed certificate instead of a certificate request.

  • -key: specifies an existing private key file to use for the request. This option is used only with -new.

  • -days: validity period of the certificate, in days (applies when -x509 is given).

  • -out: specifies the output file for the certificate request or self-signed certificate.

Because -x509 is given, public-olive.csr actually contains a self-signed certificate rather than a request; omit -x509 when the output is to be submitted to a CA center as a request.

After the command is executed, you need to enter the certificate information.

  • C = Country

  • ST = State/Province

  • L = Locality

  • O = Organization

  • OU = Organization Unit

  • CN = Common Name

Use the generated request file to apply for a security certificate from the CA center.
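The key-and-request flow of steps 1 and 2, as an added example that is not part of the original post. It runs the same two openssl commands non-interactively (-subj supplies the Distinguished Name instead of the prompts), builds both a request and a self-signed certificate from one key, and shows how to tell the two apart and how a CA checks the request's self-signature. It assumes the openssl CLI is on PATH with its default openssl.cnf installed; the DN values are the ones the post uses later, and the WORK directory is a constructed scratch path.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 and 2 run without prompts.
# Assumes the openssl CLI and its default openssl.cnf are installed.
set -eu

WORK="${WORK:-$(mktemp -d)}"                          # scratch directory (assumption: writable)
DN="/C=CN/ST=shanxi/L=xian/O=Abc/OU=hello/CN=world"   # DN values used later in the post

# Step 1: a 2048-bit RSA key. Without -aes256 the key is written unencrypted
# and no pass phrase is asked for.
make_key() {
    openssl genrsa -out "$WORK/private-olive.key" 2048 2>/dev/null
}

# Step 2 without -x509: a certificate signing request, which is what a CA expects.
make_csr() {
    openssl req -new -key "$WORK/private-olive.key" -subj "$DN" \
        -out "$WORK/public-olive.csr"
}

# Step 2 as written in the post (with -x509): the same command now emits a
# self-signed certificate, not a request.
make_selfsigned() {
    openssl req -new -x509 -days 3650 -key "$WORK/private-olive.key" -subj "$DN" \
        -out "$WORK/self-olive.crt"
}

# The PEM label tells the two apart: "CERTIFICATE REQUEST" vs "CERTIFICATE".
pem_type() {
    head -n 1 "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# A request is signed with the applicant's own key; -verify checks that
# signature (proof of possession), which a CA does before reading the contents.
csr_ok() {
    openssl req -in "$WORK/public-olive.csr" -noout -verify >/dev/null 2>&1
}

# The subject exactly as the CA will read it out of the request.
csr_subject() {
    openssl req -in "$WORK/public-olive.csr" -noout -subject
}

main() {
    make_key
    make_csr
    make_selfsigned
    echo "public-olive.csr holds a $(pem_type "$WORK/public-olive.csr")"
    echo "self-olive.crt holds a $(pem_type "$WORK/self-olive.crt")"
    csr_ok && echo "request signature verifies"
    csr_subject
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` to see both files produced from the same key; the request is the file a CA center expects, while the -x509 output is already a certificate and is only useful where you control the trust store yourself.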

3. Introduction to Third-Party CA Centers

A third-party CA center manages digital certificates, including certificate application, review and approval, update, verification, and query. This section introduces frequently used third-party CA centers.

Table 1 Frequently used third-party CA centers

Name of Third-Party CA Center: VeriSign
Description: Digital certificates of VeriSign are the most complete and support most applications and devices. The supported SSL certificates include Secure Site Pro, Secure Site, Secure Site Pro with EV, and Secure Site with EV.
Link: https://www.verisign.com/

Name of Third-Party CA Center: GeoTrust
Description: Digital certificates of GeoTrust are mainly SSL certificates, including the following three types:
  • The ultrafast SSL series (QuickSSL Premium, RapidSSL, and Power ServerID) that verifies domain name ownership and does not verify the business license.
  • Certificate that requires verification of the business license (True Business ID)
  • Newly launched EV SSL certificate (True Business ID with EV)
Link: https://www.geotrust.com/ssl/

Automatic Authentication Certificate Generation

In the test environment, you can use the following methods to create a CA certificate and issue a certificate. The detailed procedure is as follows:

1. Establish a CA environment.

Assume that user omm has been created and the CA path is test.

Log in to SUSE Linux as user root and switch to user omm.

mkdir test
cd /etc/ssl

Copy the configuration file openssl.cnf to test.

cp openssl.cnf ~/test
cd ~/test

Establish the CA environment under the test folder.
Create the folders ./demoCA, ./demoCA/newcerts and ./demoCA/private.

mkdir ./demoCA ./demoCA/newcerts ./demoCA/private
chmod 777 ./demoCA/private

Note that ./demoCA/private will hold the CA private key; a world-writable mode is not required for the CA to work, and mode 700 owned by user omm is sufficient and keeps the key from other local users.

Create the serial file and write 01 to it.

echo '01'>./demoCA/serial

Create the index.txt file.

touch /home/omm/test/demoCA/index.txt

Modify the following parameters in the [ CA_default ] section of the openssl.cnf configuration file.

dir =/home/omm/test/demoCA
default_md=sha256

2. Generate a root private key.

Generate a CA private key.

openssl genrsa -aes256 -out demoCA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.................+++
..................+++
e is 65537 (0x10001)

Set the protection password of the root private key to at least 4 characters, for example, Gauss@MppDB.

Enter pass phrase for demoCA/private/cakey.pem:

Enter the private key password Gauss@MppDB again.

Verifying - Enter pass phrase for demoCA/private/cakey.pem:


3. Generate a root certificate request file.

Generate a CA root certificate request file, demoCA/careq.pem, from the root private key (this is the file that step 4 signs):

openssl req -config openssl.cnf -new -key demoCA/private/cakey.pem -out demoCA/careq.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Note down the following names and use them when entering information in the generated server certificate and client certificate.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
Organizational Unit Name (eg, section) []:hello
Common Name (eg, YOUR name) []:world
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


4. Generate a self-signed root certificate.

Generate a CA self-signed root certificate. openssl ca applies the usr_cert extensions from openssl.cnf by default, which is why the output below shows CA:FALSE on the root; to produce a root that strict verifiers accept as an issuer (CA:TRUE), add -extensions v3_ca to the command.

openssl ca -config openssl.cnf -out demoCA/cacert.pem -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem
Using configuration from openssl.cnf
Enter pass phrase for demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 28 02:17:11 2017 GMT
            Not After : Feb 28 02:17:11 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxi
            organizationName          = Abc
            organizationalUnitName    = hello
            commonName                = world
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F
            X509v3 Authority Key Identifier: 
                keyid:F9:91:50:B2:42:8C:A8:D3:41:B0:E4:42:CB:C2:BE:8D:B7:8C:17:1F

Certificate is to be certified until Feb 28 02:17:11 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


5. Generate a private key for the server certificate.

Generate a private key file named server.key.

openssl genrsa -aes256 -out server.key 2048
Generating a 2048 bit RSA private key
.......++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


6. Generate a server certificate request file.

Generate a server certificate request file server.req.

openssl req -config openssl.cnf -new -key server.key -out server.req
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Abc
Organizational Unit Name (eg, section) []:hello
Common Name (eg, YOUR name) []:world
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


7. Generate a server certificate.

Set unique_subject = no in demoCA/index.txt.attr. The file was created when the root certificate was committed in step 4; with the default value yes, openssl ca refuses to issue a second certificate whose subject matches the root's.

vi demoCA/index.txt.attr

openssl ca -config openssl.cnf -in server.req -out server.crt -days 3650 -md sha256
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Feb 27 10:11:12 2017 GMT
            Not After : Feb 25 10:11:12 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxi
            organizationName          = Abc
            organizationalUnitName    = hello
            commonName                = world
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                EB:D9:EE:C0:D2:14:48:AD:EB:BB:AD:B6:29:2C:6C:72:96:5C:38:35
            X509v3 Authority Key Identifier: 
                keyid:84:F6:A1:65:16:1F:28:8A:B7:0D:CB:7E:19:76:2A:8B:F5:2B:5C:6A

Certificate is to be certified until Feb 25 10:11:12 2027 GMT (3650 days)

Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Disable password protection for the private key:

Disable the password protection for the server private key. This overwrites server.key with an unencrypted copy, so keep the file readable only by user omm.

openssl rsa -in server.key -out server.key

If the password protection of the server private key is not disabled, you need to use gs_guc to encrypt the password.

source ${BIGDATA_HOME}/mppdb/.mppdbgs_profile
gs_guc encrypt -M server -K Gauss@MppDB -D ./

After the password is encrypted using gs_guc, two private key password protection files server.key.cipher and server.key.rand are generated.


8. Generate the client certificate and private key.

The methods and requirements for generating client certificates and private keys are the same as those for server certificates and private keys.

Generate a client private key.

openssl genrsa -aes256 -out client.key 2048

Generate a certificate request file for a client

openssl req -config openssl.cnf -new -key client.key -out client.req

After the generated client certificate request file is signed and issued, a formal client certificate client.crt is generated.

openssl ca -config openssl.cnf -in client.req -out client.crt -days 3650 -md sha256

Disable password protection for the private key:

Disable the protection for a client private key password.

openssl rsa -in client.key -out client.key

If password protection for a client private key is not removed, you need to use gs_guc to encrypt the password.

gs_guc encrypt -M client -K Gauss@MppDB -D ./

After the password is encrypted using gs_guc, two private key password protection files client.key.cipher and client.key.rand are generated.


9. Generate a CRL

If a CRL is required, generate it by following this procedure:

Create a crlnumber file.

echo '00'>./demoCA/crlnumber

Revoke a server certificate.

openssl ca -config openssl.cnf -revoke server.crt

Generate the CRL sslcrl-file.crl.

openssl ca -config openssl.cnf -gencrl -out sslcrl-file.crl
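The whole procedure of steps 1 to 9, as an added example that is not part of the original post. It is the same demoCA workflow driven by openssl ca, but non-interactive (-batch, -subj, -passin/-passout are standard openssl options) and self-contained: it writes its own minimal openssl.cnf instead of copying /etc/ssl/openssl.cnf, keeps demoCA/private at mode 700, signs the root with the v3_ca extensions so it carries CA:TRUE, issues a server certificate, verifies the chain as a client would, then revokes the certificate, publishes a CRL and shows that a CRL-aware verification now rejects it. It assumes the openssl CLI is on PATH and a writable CA_DIR; the root DN (CN=world-root) is constructed, the server DN and the Gauss@MppDB pass phrase are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 to 9 as one non-interactive
# script with its own minimal openssl.cnf. Assumes the openssl CLI is on PATH
# and that CA_DIR is writable.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
PASS="pass:Gauss@MppDB"                                  # CA key pass phrase from the post
SUBJ_CA="/C=CN/ST=shanxi/O=Abc/OU=hello/CN=world-root"   # constructed root DN
SUBJ_SRV="/C=CN/ST=shanxi/O=Abc/OU=hello/CN=world"       # server DN from the post
# Replaces "modify parameters in openssl.cnf": only the sections openssl ca and req need.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
unique_subject   = no
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# Step 1: CA directory layout. Mode 700, not 777: only the CA user may reach the key.
init_ca_dir() {
    mkdir -p "$CA_DIR/demoCA/newcerts" "$CA_DIR/demoCA/private"
    chmod 700 "$CA_DIR/demoCA/private"
    : > "$CA_DIR/demoCA/index.txt"
    echo 01 > "$CA_DIR/demoCA/serial"
    echo 00 > "$CA_DIR/demoCA/crlnumber"
}
# Steps 2 to 4: encrypted root key, root request, self-signed root carrying CA:TRUE.
build_root() {
    openssl genrsa -aes256 -passout "$PASS" -out "$CA_DIR/demoCA/private/cakey.pem" 2048 2>/dev/null
    openssl req -config "$CA_DIR/openssl.cnf" -new -key "$CA_DIR/demoCA/private/cakey.pem" \
        -passin "$PASS" -subj "$SUBJ_CA" -out "$CA_DIR/demoCA/careq.pem"
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -selfsign -extensions v3_ca -days 3650 \
        -keyfile "$CA_DIR/demoCA/private/cakey.pem" -passin "$PASS" -notext \
        -out "$CA_DIR/demoCA/cacert.pem" -infiles "$CA_DIR/demoCA/careq.pem" 2>/dev/null
}
# Steps 5 to 7: server key (unencrypted, as after "openssl rsa"), request, certificate.
issue_server() {
    openssl genrsa -out "$CA_DIR/server.key" 2048 2>/dev/null
    openssl req -config "$CA_DIR/openssl.cnf" -new -key "$CA_DIR/server.key" \
        -subj "$SUBJ_SRV" -out "$CA_DIR/server.req"
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -passin "$PASS" -days 3650 -md sha256 \
        -notext -in "$CA_DIR/server.req" -out "$CA_DIR/server.crt" 2>/dev/null
}
# True when Basic Constraints say CA:TRUE: the root must, the server certificate must not.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
# The check a client performs: does server.crt chain to cacert.pem?
verify_server() {
    openssl verify -CAfile "$CA_DIR/demoCA/cacert.pem" "$CA_DIR/server.crt" >/dev/null 2>&1
}
# Step 9: revoke the server certificate and publish the CRL.
revoke_server() {
    openssl ca -config "$CA_DIR/openssl.cnf" -passin "$PASS" -revoke "$CA_DIR/server.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -passin "$PASS" -gencrl -out "$CA_DIR/sslcrl-file.crl" 2>/dev/null
}
# Same check with CRL checking on: the revoked certificate must now be rejected.
verify_server_with_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/demoCA/cacert.pem" \
        -CRLfile "$CA_DIR/sslcrl-file.crl" "$CA_DIR/server.crt" >/dev/null 2>&1
}
```

Source the file and call write_config, init_ca_dir, build_root and issue_server in that order; verify_server then succeeds, and after revoke_server the CRL-aware verify_server_with_crl fails, which is the behaviour a client that checks the CRL will show. Setting unique_subject = no in the config does for this script what editing demoCA/index.txt.attr does in step 7.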

That's all, thanks!



Jackson.F
Created Aug 1, 2022 02:34:08

Thanks for your sharing!

olive.zhao
Created Aug 1, 2022 03:34:47

Thanks!

Saqibaz
Created Aug 1, 2022 05:28:38

Thanks for sharing

olive.zhao
Created Aug 2, 2022 00:44:52

NTan33
Created Aug 1, 2022 05:46:24

Good to know such an option is available.

olive.zhao
Created Aug 2, 2022 00:45:05

Thanks!