How to implement Certificate signing in Linux system

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Internet Technology

Shulou(Shulou.com)06/01 Report--

This article walks through how to issue certificates on a Linux system with OpenSSL. Many people are unsure how to do this in practice, so the steps below were collected from various sources and condensed into a simple, repeatable procedure: a root CA, a server certificate, a client certificate, and finally the conversion to a format that Java and Tomcat can use.

Specific content

OpenSSL is already included in the Linux system, but because the certificate generation steps are fairly involved, it is strongly recommended to follow a prepared set of commands; the complete sequence is given below. After all certificates have been generated, they still have to be converted to a format that Java can read before they can be configured in Tomcat. To make downloading the certificates convenient, everything is generated in the directory exported by the FTP server (/srv/ftp). Create a folder to hold all certificates: mkdir -p /srv/ftp/cas

2.1. Issue the root certificate

The certificate generated in this section is the root certificate, so it is saved in the "/srv/ftp/cas" directory.

1. Generate CA key pair:

openssl genrsa -out /srv/ftp/cas/cakey.pem 2048

This generates an RSA key pair and saves it to "/srv/ftp/cas/cakey.pem"; the final argument, 2048, sets the key length.

2. Generate the certificate signing request (CSR) for the root certificate:

openssl req -new -key /srv/ftp/cas/cakey.pem -out /srv/ftp/cas/cacert.csr -subj /CN=cas.com

The certificate must be accessed by domain name (not by IP address), and the domain name should be one you control. For local testing on Windows, map the name to your machine in the hosts file.

3. Self-sign the root certificate from the CSR:

openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey /srv/ftp/cas/cakey.pem -in /srv/ftp/cas/cacert.csr -out /srv/ftp/cas/ca.cer

The validity period of this certificate is 10 years.

2.2. Issue server-side certificates

To keep the server files separate from the root certificate, create a dedicated directory: mkdir -p /srv/ftp/cas/server

1. Generate the server private key:

openssl genrsa -aes256 -out /srv/ftp/cas/server/server-key.pem 2048

Because of -aes256 the server private key is stored encrypted, so you are prompted for a passphrase; in this article it is: mldnjava

2. Generate the certificate signing request for the server certificate; you are asked for the passphrase from the previous step:

openssl req -new -key /srv/ftp/cas/server/server-key.pem -out /srv/ftp/cas/server/server.csr -subj /CN=cas.com

3. Issue the server certificate, signed by the root CA and valid for 10 years:

openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA /srv/ftp/cas/ca.cer -CAkey /srv/ftp/cas/cakey.pem -CAserial /srv/ftp/cas/server/ca.srl -CAcreateserial -in /srv/ftp/cas/server/server.csr -out /srv/ftp/cas/server/server.cer

The client certificate can only be created after the server certificate exists: the client step below reuses the serial number file ca.srl that -CAcreateserial writes here.

2.3. Issue client certificate

Create a directory for the client certificate files: mkdir -p /srv/ftp/cas/client

1. Generate the client private key:

openssl genrsa -aes256 -out /srv/ftp/cas/client/client-key.pem 2048

Enter the passphrase when prompted; here it is again: mldnjava

2. Generate the certificate signing request for the client:

openssl req -new -key /srv/ftp/cas/client/client-key.pem -out /srv/ftp/cas/client/client.csr -subj /CN=cas.com

3. Issue the client certificate, signed by the root CA and valid for one year:

openssl x509 -req -days 365 -sha1 -CA /srv/ftp/cas/ca.cer -CAkey /srv/ftp/cas/cakey.pem -CAserial /srv/ftp/cas/server/ca.srl -in /srv/ftp/cas/client/client.csr -out /srv/ftp/cas/client/client.cer

The most important point here is that the certificate is valid only for "cas.com".

2.4.Generate Java certificate

The certificates and private keys produced so far are in OpenSSL's PEM format. To use them in a Java environment they have to be converted to the "PKCS#12" key file format, which Java's keytool can manage.

Premise: the Java side of the certificate will be used by Tomcat, so the final certificate is best saved under the Tomcat directory; in this article the Tomcat path is "/usr/local/tomcat".

1. Export the client certificate and private key as a PKCS#12 bundle:

openssl pkcs12 -export -clcerts -name cas-client -inkey /srv/ftp/cas/client/client-key.pem -in /srv/ftp/cas/client/client.cer -out /srv/ftp/cas/client/client.p12

This client .p12 bundle then has to be delivered to and installed in the client's browser.

2. Export the server certificate and private key as a PKCS#12 bundle, which is what Tomcat will use:

openssl pkcs12 -export -clcerts -name cas-server -inkey /srv/ftp/cas/server/server-key.pem -in /srv/ftp/cas/server/server.cer -out /srv/ftp/cas/server/server.p12

3. Import the root CA certificate (ca.cer) into a trust store on this machine, so that certificates issued by this CA are accepted:

keytool -importcert -trustcacerts -alias cas.com -file /srv/ftp/cas/ca.cer -keystore /usr/local/tomcat/ca-trust.p12

keytool prints the certificate details and asks whether to trust it; once you confirm, the CA is in the trust store and the JDK will accept certificates it issued.

4. List the contents of a keystore to check what was imported:

keytool -list -keystore /srv/ftp/cas/client/client.p12 -storetype pkcs12 -v

Then you need to configure the certificate on the client.
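Added example, not from the original article: the same CA-to-Tomcat flow of sections 2.1 to 2.4 as one script in a scratch directory, using SHA-256 instead of SHA-1 and an extension file so that the CA and server extensions actually end up in the certificates (on openssl x509 -req, -extensions is ignored unless -extfile is also given). It then verifies the chain and the host name the way a connecting client would, and reads the PKCS#12 bundle back. The directory, the CA name and the bundle password are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands: builds the CA -> server
# chain of sections 2.1-2.4 in a scratch directory with SHA-256 and an
# explicit extension file, verifies it, then packages it as PKCS#12.
set -eu

WORK=$(mktemp -d)                  # assumption: stands in for /srv/ftp/cas
trap 'rm -rf "$WORK"' EXIT
HOST=cas.com                       # the only name the server certificate is valid for

build_chain() {
  # 2.1: CA key (2048-bit RSA) and self-signed root certificate, 10 years
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/cakey.pem" -subj "/CN=Example Root CA" -out "$WORK/cacert.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  # note: '-extensions v3_ca' on 'x509 -req' does nothing unless -extfile is also given
  openssl x509 -req -days 3650 -sha256 -extfile "$WORK/ca.ext" \
    -signkey "$WORK/cakey.pem" -in "$WORK/cacert.csr" -out "$WORK/ca.cer" 2>/dev/null
  # 2.2: server key, CSR and CA-signed certificate carrying the host name as a SAN
  openssl genrsa -out "$WORK/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/server-key.pem" -subj "/CN=$HOST" -out "$WORK/server.csr"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" >"$WORK/server.ext"
  openssl x509 -req -days 3650 -sha256 -extfile "$WORK/server.ext" \
    -CA "$WORK/ca.cer" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -in "$WORK/server.csr" -out "$WORK/server.cer" 2>/dev/null
}

chain_ok() {
  # the check a client performs: signed by our CA and issued for this host
  openssl verify -CAfile "$WORK/ca.cer" -verify_hostname "$HOST" "$WORK/server.cer" >/dev/null 2>&1
}

wrong_host_rejected() {
  # the same certificate must fail for any other name (the page: valid only for cas.com)
  ! openssl verify -CAfile "$WORK/ca.cer" -verify_hostname other.example "$WORK/server.cer" >/dev/null 2>&1
}

export_p12() {
  # 2.4: PKCS#12 bundle for Tomcat; 'changeit' is a constructed placeholder password
  openssl pkcs12 -export -name cas-server -inkey "$WORK/server-key.pem" -in "$WORK/server.cer" \
    -certfile "$WORK/ca.cer" -out "$WORK/server.p12" -passout pass:changeit
  # parse it back (MAC check, no key output) to confirm the bundle opens
  openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys -noout >/dev/null 2>&1
}

build_chain
chain_ok            && echo "server.cer chains to ca.cer and matches $HOST"
wrong_host_rejected && echo "server.cer is rejected for other.example"
export_p12          && echo "PKCS#12 bundle written to $WORK/server.p12"
```

The same -extfile approach applies to the client certificate of section 2.3, with extendedKeyUsage=clientAuth instead of serverAuth.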

This concludes the walkthrough of certificate issuance on a Linux system. Combining the theory with hands-on practice is the best way to learn, so try the steps yourself; more practical articles on related topics will follow on this site.
