
OpenSSL generates SSL certificate (supports https)

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

I: Environment and installation instructions

Windows 7 64-bit, Nginx server, OpenSSL Win64. I use the phpStudy integrated development environment with Nginx+PHP, set up to serve browser HTTPS requests.

Nginx download address: nginx.org/en/download.html

openssl download address: slproweb.com/products/Win32OpenSSL.html

Official website address: www.openssl.org/source/

II: Installation and configuration of OpenSSL

1> Double-click to install after downloading. The default installation path is C:\OpenSSL-Win64.

2> Configure the environment variables (not detailed here).

III: Generate SSL Certificates

1> First of all, whether in Linux or Cygwin on Windows, verify that the OpenSSL package is installed before doing the following:

2> Create the root certificate key file myopenssl.key by typing the following command: openssl genrsa -des3 -out myopenssl.key 2048

You will be prompted to enter the password twice. Enter the same password both times.

Enter pass phrase for myopenssl.key: ← Enter a new password

Verifying - Enter pass phrase for myopenssl.key: ← Enter the password again

3> To create the root certificate request file myopenssl.csr, type the following command: openssl req -new -key myopenssl.key -out myopenssl.csr

The following prompts appear:

Enter pass phrase for myopenssl.key: ← Enter the password created earlier

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

--

Country Name (2 letter code) [AU]:CN ← Country code; for China enter CN

State or Province Name (full name) [Some-State]:BeiJing ← Full name of the province, in pinyin

Locality Name (eg, city) []:BeiJing ← Full name of the city, in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← Company name in English

Organizational Unit Name (eg, section) []: ← No input

Common Name (eg, YOUR name) []: ← Not entered at this time

Email Address []: admin@mycompany.com ← Email Address, optional

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← No input

An optional company name []: ← No input

4> To create a root certificate myopenssl.crt valid for ten years from the current date, enter the following command: openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey myopenssl.key -in myopenssl.csr -out myopenssl.crt

The following prompt appears:

Enter pass phrase for myopenssl.key: ← Enter the password created earlier

5> To create a server certificate key server.key, enter the following command: openssl genrsa -des3 -out server.key 2048

When this runs, you are prompted for a password, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can choose another algorithm that you consider secure). The password must then be entered whenever this file is read (through commands or APIs provided by OpenSSL). If that is inconvenient, you can remove the password, but be sure to take other protective measures.

Command to remove key file password:

openssl rsa -in server.key -out server.key

6> To create a server certificate request file server.csr, enter the following command: openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [AU]:CN ← Country code; for China enter CN

State or Province Name (full name) [Some-State]:Beijing ← Municipality name, in pinyin

Locality Name (eg, city) []:BeiJing ← City name, in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← Company name in English

Organizational Unit Name (eg, section) []: ← No input

Common Name (eg, YOUR name) []: www.mycompany.com ← Server host name; if it is filled in incorrectly, the browser reports the certificate as invalid, but this does not affect use

Email Address []: admin@mycompany.com ← Email address; fill in as you like

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← No input

An optional company name []: ← No input

7> To create a server certificate server.crt valid for three years from the current date, enter the following command:

openssl x509 -req -days 1095 -sha256 -extensions v3_req -CA myopenssl.crt -CAkey myopenssl.key -CAserial myopenssl.srl -CAcreateserial -in server.csr -out server.crt

8> Create client certificate key file client.key by typing the following command: openssl genrsa -des3 -out client.key 2048

Enter pass phrase for client.key: ← Enter a new password

Verifying - Enter pass phrase for client.key: ← Enter pass phrase again

9> To create a client certificate request file client.csr, enter the following command: openssl req -new -key client.key -out client.csr

Country Name (2 letter code) [AU]:CN ← Country code; for China enter CN

State or Province Name (full name) [Some-State]:Beijing ← Province name, in pinyin

Locality Name (eg, city) []:BeiJing ← City name, in pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← Company name in English

Organizational Unit Name (eg, section) []: ← Optional

Common Name (eg, YOUR name) []:Lenin ← Your name in English; fill in as you like

Email Address []: admin@mycompany.com ← Email address; fill in as you like

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← Not required

An optional company name []: ← Not required

10> To create a client certificate client.crt valid for three years from the current date, enter the following command:

openssl x509 -req -days 1095 -sha256 -extensions v3_req -CA myopenssl.crt -CAkey myopenssl.key -CAserial myopenssl.srl -CAcreateserial -in client.csr -out client.crt

11> Merge client certificate file client.crt and client certificate key file client.key into client certificate installation package client.pfx. Enter the following command: openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx

Enter pass phrase for client.key: ← Enter the password created above

Enter Export Password: ← Enter a new password to use as a protection password for the client certificate, which is required when installing the certificate on the client

Verifying - Enter Export Password: ← Confirm Password

12> Save the generated files for later use. server.crt and server.key are the certificate files required to configure one-way SSL; client.crt is the certificate file required to configure two-way SSL; client.pfx is the certificate file the client must install when two-way SSL is configured. A .crt file and a .key file can also be combined into a single .pem file (copy the contents of both directly into one file).
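
The script below is an added example, not part of the original article: it runs steps 2 to 10 non-interactively and supplies the certificate extensions through -extfile, because openssl x509 -req takes its -extensions section from that file and adds no extensions when none is given. The file ext.cnf, its section names, the subjectAltName value and the unencrypted demo keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed/assumed: ext.cnf,
# its section names, the SAN value, and keys left unencrypted so the demo
# needs no pass phrase (protect real keys as described in step 5).

sign_with_ca() {  # $1 = name (server|client), $2 = extension section
    openssl x509 -req -days 1095 -sha256 -extfile ext.cnf -extensions "$2" \
        -CA myopenssl.crt -CAkey myopenssl.key -CAserial myopenssl.srl \
        -CAcreateserial -in "$1.csr" -out "$1.crt" 2>/dev/null
}

make_demo_pki() (  # $1 = output directory; subshell body keeps the cd local
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mycompany.com
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    base="/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp."
    for n in myopenssl server client; do
        openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
    done
    openssl req -new -key myopenssl.key -subj "$base" -out myopenssl.csr &&
    openssl req -new -key server.key -subj "$base/CN=www.mycompany.com" -out server.csr &&
    openssl req -new -key client.key -subj "$base/CN=Lenin" -out client.csr &&
    openssl x509 -req -days 3650 -sha256 -extfile ext.cnf -extensions v3_ca \
        -signkey myopenssl.key -in myopenssl.csr -out myopenssl.crt 2>/dev/null &&
    sign_with_ca server server_ext &&
    sign_with_ca client client_ext
)

# Succeeds only if certificate $2 chains to the CA in $1 and its extensions
# permit purpose $3 (sslserver or sslclient).
cert_ok_for() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" &&
    cert_ok_for "$demo_dir/myopenssl.crt" "$demo_dir/server.crt" sslserver &&
    echo "server.crt verifies for sslserver in $demo_dir"
```

Because the client certificate carries only the clientAuth usage, cert_ok_for rejects it for the sslserver purpose, which confirms that the extension sections were actually applied.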
