2025-02-28 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com) 06/01 Report--
This article introduces how to generate certificates with the OpenSSL req command on a Linux client. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful to you.
openssl req is used to generate certificate requests, which a third-party authority (a CA) signs to produce the certificates we need. The req command can also call the x509 command to convert formats and to display information such as the text form or the modulus of a certificate file. If you do not already have a key pair, req can generate the key pair together with the certificate request, and you can choose whether the private key file is encrypted.
1. Key, certificate request, certificate summary description
In the process of applying for and issuing a certificate, the client side involves three concepts: the key, the certificate request and the certificate. Beginners often do not understand the relationship between the three, and some online explanations try to tell them apart by file extension, which is misleading. We use the process of applying for a certificate to explain how the three relate. When a client (as opposed to the CA) applies for a certificate, there are generally three steps:
Step 1: generate the client's key, that is, the client's public and private key pair, and make sure the private key is held only by the client.
Step 2: take the client's key and the client's information (country, organization, domain name, e-mail address, and so on) as input and generate the certificate request file. The client public key and the client information are stored in the certificate request in plain text; the client private key, which is never placed in the request, is used to sign the public key and the information. Then send the certificate request file to the CA.
Step 3: after receiving the certificate request file from the client, the CA first verifies its signature and then examines the client's information. Finally, the CA uses its own private key to sign the content of the request, producing the certificate file, and sends it back to the client. This certificate is the client's ID card: it proves the identity of the user.
At this point the client's certificate application is complete. The process relies on the certificate issuer, the CA, being an absolutely trusted organization. If the client certificate is compared to a user's ID card, then the CA is the authority that issues ID cards. We take https as an example to illustrate how the certificate is used.
For the security of data transmission, more and more websites enable https. In the https handshake phase, the server first sends its own certificate to the user (the browser). The browser looks at the issuing authority named in the certificate, looks for the corresponding CA certificate among the certificates built into the machine (PCs and mobile phones ship with the certificates of the world's well-known CAs), and then uses the public key in that built-in CA certificate to verify the signature on the server's certificate. If the verification fails, the browser warns that there is a problem with the server's certificate and asks the user whether to continue.
For example, the 12306 website uses a self-signed certificate, so the browser reports a certificate error; the 12306 website therefore asks users to download and install its root certificate, and once users have added that root certificate to the built-in certificates on their machine, the browser no longer reports the error. Note, however, that importing a root certificate into your machine is dangerous unless you have a particular reason to trust that organization: whoever holds its private key can then issue certificates your browser will accept for any site.
2. Req instruction description
In the previous section we saw the process of applying for a certificate. We already know how to generate a key pair, so it is time for the req command to generate the certificate request. The synopsis in the req man page reads as follows:
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey alg:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout filename] [-keygen_engine id] [-[digest]] [-config filename] [-subj arg] [-multivalue-rdn] [-x509] [-days n] [-set_serial n] [-asn1-kludge] [-no-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-subj arg] [-batch] [-verbose] [-engine id]
There are many parameters and they look complex, and many of them have not appeared before. In practice, however, the parameters we actually use are very limited, so we learn them by the basic functions of req.
req has two basic functions: generating a certificate request and generating a self-signed certificate. It also has some auxiliary functions, such as verifying and viewing request files, which are explained briefly in the examples. The parameters are described as follows.
[-new / -x509]
With the -new option, req generates a certificate request; with the -x509 option, it generates a self-signed certificate instead.
[-key / -newkey / -keyout]
-key and -newkey are mutually exclusive. -key specifies an existing key file, while -newkey means that a key is generated automatically when the certificate request or self-signed certificate is generated; the file the new key is written to is then given by the -keyout parameter.
When -newkey is used, the argument rsa:bits generates an RSA key whose size is given by bits. The argument dsa:file generates a DSA key, where file is the DSA parameter file (produced by dsaparam) from which the key is generated.
[-in / -out / -inform / -outform / -keyform]
The -in option specifies a certificate request file; it is used when viewing the content of a request or when generating a self-signed certificate from an existing request.
The -out option specifies the name of the output file: the certificate request, the self-signed certificate, the public key (when -pubkey is used), or other output.
-inform, -outform and -keyform specify the file format of the files given with -in, -out and -key respectively. The default is PEM.
[-config]
The parameter file; the default is /etc/ssl/openssl.cnf (on Ubuntu 12.04; the location depends on the system). This file holds the parameters used when generating a request, and whenever a value is not given on the command line, the default from this file is used.
Besides the main parameters above there are many others, which are not described one by one. Interested readers can consult the req man page.
3. Examples of using req instructions
(1) Generate a certificate request using an existing private key
Use the existing RSA key to generate a certificate request file, entering the subject information interactively:
The code is as follows:
$ openssl req -new -key RSA.pem -passin pass:123456 -out client.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]: BJ
Locality Name (eg, city) []: BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]: BJ
Organizational Unit Name (eg, section) []: BJ
Common Name (e.g. Server FQDN or YOUR name) []: BJ
Email Address []: BJ
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 12345
An optional company name []: BJ
...
Use the existing RSA key to generate the certificate request file, specifying the -batch option so that the subject information is read from the configuration file instead of being prompted for:
The code is as follows:
$ openssl req -new -key RSA.pem -passin pass:123456 -out client.pem -batch
Use the existing RSA key to generate the certificate request file, specifying the -batch option, with the subject information given on the command line via -subj:
The code is as follows:
$ openssl req -new -key RSA.pem -passin pass:123456 -out client.pem -subj /C=AU/ST=Some-State/O=Internet
Use the existing RSA key to generate the certificate request file, specifying the -batch option, with the subject information given via -subj, and also output the public key:
The code is as follows:
$ openssl req -new -key RSA.pem -passin pass:123456 -out client.pem -subj /C=AU/ST=Some-State/O=Internet -pubkey
The output file now contains both the public key and the request:
The code is as follows:
$ cat client.pem
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6e+hk0TAsYlPk5XB1tLCtCO8wQ7JMM
YQ9SMy4Q1liPg4TdgSkdfbLB2UXmzzMCp+ZBDk9txwtewqv7PVcvY0MCAwEAAQ==
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBGDCBwwIBADA1MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTER
MA8GA1UECgwISW50ZXJuZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAvp76GTRM
CxiU+TlcHW0sK0I7zBDskwxhD1IzLhDWWI+DhN2BKR19ssHZRebPMwKn5kEOT23H
C17Cq/s9Vy9jQwIDAQABoCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsG
A1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAANBAFBiB0fTUwTSoFeQdTWIr3KXzDHP
BgLy1/nlJ71dYLfGGrR61RKmrXgpf76akURtF+gEXwLMfPO6FQlaIOYEe/c=
-----END CERTIFICATE REQUEST-----
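Everything in that request except the signature is readable by anyone, which is why it can be sent to the CA in the clear and why only the signature ties it to the private key. As an added example (not part of the original article), a minimal DER walker in pure Python decodes the client.pem request shown above and returns its subject, key size, signature algorithm OID and requested extensions without any key or external library:

```python
import base64

# The request printed by "cat client.pem" above, copied from the page.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBGDCBwwIBADA1MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTER
MA8GA1UECgwISW50ZXJuZXQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAvp76GTRM
CxiU+TlcHW0sK0I7zBDskwxhD1IzLhDWWI+DhN2BKR19ssHZRebPMwKn5kEOT23H
C17Cq/s9Vy9jQwIDAQABoCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsG
A1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAANBAFBiB0fTUwTSoFeQdTWIr3KXzDHP
BgLy1/nlJ71dYLfGGrR61RKmrXgpf76akURtF+gEXwLMfPO6FQlaIOYEe/c=
-----END CERTIFICATE REQUEST-----"""
DN = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.3": "CN"}
EXT = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def items(buf, pos=0):                       # values directly inside a constructed value
    if pos >= len(buf): return []
    _, val, nxt = read_tlv(buf, pos)
    return [val] + items(buf, nxt)

def oid(val):                                # first byte packs two arcs, rest base-128
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_csr(pem):
    """Read what a PKCS#10 request exposes in plaintext: no key is needed."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    cri, sig_alg, _sig = items(read_tlv(base64.b64decode("".join(lines)), 0)[1])
    _version, name, spki, attrs = items(cri)           # CertificationRequestInfo
    atvs = [items(atv) for rdn in items(name) for atv in items(rdn)]
    subject = {DN.get(oid(t), oid(t)): v.decode() for t, v in atvs}
    modulus, _exp = items(read_tlv(items(spki)[1], 1)[1])   # skip unused-bits byte
    exts = {}
    for attr in items(attrs):
        attr_oid, values = items(attr)
        if oid(attr_oid) == "1.2.840.113549.1.9.14":      # PKCS#9 extensionRequest
            for ext in items(items(values)[0]):            # SET -> Extensions SEQUENCE
                parts = items(ext)                          # [oid, (critical), value]
                exts[EXT.get(oid(parts[0]), oid(parts[0]))] = parts[-1].hex()
    return {"subject": subject, "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "sig_alg": oid(items(sig_alg)[0]), "extensions": exts}
```

The decoded key is only 512 bits (the RSA.pem used in this section), which no CA should accept today, and the signature OID 1.2.840.113549.1.1.5 is sha1WithRSAEncryption; the extension values come out as raw DER, where 3000 is an empty BasicConstraints (CA:FALSE) and 030205e0 is the KeyUsage bit string for Digital Signature, Non Repudiation and Key Encipherment.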
(2) Automatically generate the key and the certificate request file
Automatically generate a 1024-bit RSA key and a certificate request file:
The code is as follows:
$ openssl req -new -newkey rsa:1024 -out client.pem -keyout RSA.pem -batch
Generating a 1024 bit RSA private key
.. +
.. +
Writing new private key to 'RSA.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
...
Automatically generate a 1024-bit RSA key and a certificate request file, specifying the -nodes option so that the key file is not encrypted (no pass phrase is asked for):
The code is as follows:
$ openssl req -new -newkey rsa:1024 -out client.pem -keyout RSA.pem -batch -nodes
Generating a 1024 bit RSA private key
.. +
. +
Writing new private key to 'RSA.pem'
...
Generate 1024-bit DSA key parameters:
The code is as follows:
$ openssl dsaparam -out DSA.param 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
. +. +.
. +
Automatically generate a 1024-bit DSA key from those parameters and a certificate request file, specifying the -nodes option so that the key file is not encrypted:
The code is as follows:
$ openssl req -new -newkey dsa:DSA.param -out client.pem -keyout DSA.pem -batch -nodes
Generating a 1024 bit DSA private key
Writing new private key to 'DSA.pem'
...
(3) Generate a self-signed certificate
To generate a self-signed certificate, the parameters are the same as for a request; you only need to replace -new with -x509:
The code is as follows:
$ openssl req -x509 -newkey rsa:1024 -out client.cer -keyout RSA.pem -batch -nodes
Generating a 1024 bit RSA private key
. +
.. +
Writing new private key to 'RSA.pem'
...
View the certificate file:
The code is as follows:
$ openssl x509 -in client.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        ...
    Signature Algorithm: sha1WithRSAEncryption
        5b:d7:f5:fd:18:3a:a9:22:2a:d9:f1:fc:00:3a:cf:23:ff:d1:
        82:e5:2d:3f:7e:97:a8:38:32:e6:88:7a:ce:9f:31:cc:ea:60:
        06:d1:96:bb:c8:42:ec:ef:26:73:4e:3b:2d:fa:0f:16:c2:25:
        30:1b:a5:ca:35:bd:9b:dd:4b:41:d4:8b:95:3a:d4:7c:aa:8d:
        0d:2d:e7:f3:95:33:d2:4a:5a:7f:a2:5d:cc:48:60:9f:ca:2d:
        77:d9:ed:e9:09:f3:a1:18:96:1d:91:c6:1c:2b:7a:c1:d6:5d:
        81:87:25:0d:32:6a:55:d2:89:95:c5:32:44:cc:9d:e7:68:6f:
        d8:80
(4) View the content of a certificate request
Generate a certificate request:
The code is as follows:
$ openssl req -new -newkey rsa:1024 -out client.req -keyout RSA.pem -batch -nodes
Generating a 1024 bit RSA private key
... +
.. +
Writing new private key to 'RSA.pem'
...
View the content of the certificate request; -text prints the decoded request and -subject additionally prints the subject on one line:
The code is as follows:
$ openssl req -in client.req -noout -text -subject
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        ...
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
(5) Verify the certificate request file
Specify the -verify option to verify the certificate request file: req extracts the public key from the request and uses it to check the signature over the request:
The code is as follows:
$ openssl req -verify -in client.req -noout
Verify OK
4. Summary of the steps for generating a certificate
Step 1. Create the key
The code is as follows:
openssl genrsa -out prvtkey.pem 1024|2048 (not password protected)
The code is as follows:
openssl genrsa -des3 -out prvtkey.pem 1024|2048 (password protected)
This command generates a key of 1024 or 2048 bits.
Step 2. Create the certificate request
The code is as follows:
openssl req -new -key prvtkey.pem -out cert.csr
openssl req -new -nodes -key prvtkey.pem -out cert.csr
This command generates a certificate request using the key file prvtkey.pem generated in step 1.
It produces a new file, cert.csr, which is the certificate request file. You can take this file to a digital certificate authority (CA) to apply for a digital certificate; the CA returns a new file, cacert.pem, which is your digital certificate.
Step 3. Send the certificate request to the certification authority (CA)
If you are only testing, the applicant and the issuer of the certificate are both yourself, and you can generate the certificate with the following command:
The code is as follows:
openssl req -new -x509 -key prvtkey.pem -out cacert.pem -days 1095
This command generates the digital certificate cacert.pem, valid for 1095 days, using the key prvtkey.pem generated above.
That concludes how to generate certificates with the OpenSSL req command on a Linux client. I hope the content above is helpful and that you have learned something from it. If you think the article is good, please share it so more people can see it.