What is the whole darned process?

Well that’s a good question. For my purposes, this is what I need to know:

  1. Create a Private Key. These usually end in the file extension “.key”. If you already have one, don’t worry - it’s cool, we’ll be using that one.
  2. Create a Certificate Signing Request. These usually end in the extension “csr”, and are sent to the certificate authority to generate a certificate.
  3. If you’re not going to be using an existing service (usually for pay) as a certificate authority, you can create your own Certificate Authority, or self-sign your certificate.
  4. Submit your CSR to the CA and get the results. If you’re doing it yourself, I’ll tell you how. The CA creates a Certificate file, which ends in “.crt”.
  5. Take the whole collection of files, keep them somewhere safe, and mash them together to create your PEM file (this is usually just used for email.)

So. Let’s get started, eh?

Step Zero: Basic Assumptions

  • I’ll assume your domain name is domain.tld.
  • I’ll assume you have OpenSSL installed.
  • I’ll assume that you are running some form of Linux. I use Debian.

Step One: Create your Private Key

Ok, here you’re going to create your key - and treat it as such. This should be kept private, and not shared with anyone.

Now, you have a couple of options here - the first is to create your private key with a password, the other is to make it without one. If you create it with a password, you have to type it in every time you start any server that uses it.

Important: If you create your private key with a password, you can remove it later. I recommend creating your private key with a password, and then removing it temporarily every time you need to use it. When you’re done with the key without a password, delete it so it isn’t a security risk.

Create your Private key with a password

openssl genrsa -des3 -out domain.tld.encrypted.key 1024

Create your Private key without a password

openssl genrsa -out domain.tld.key 1024

If you created your private key with a password, you’ll want to complete the rest of the steps using a decrypted private key - else you’ll have to type in your password every time you use the certificate (i.e. every time you start a daemon that uses that certificate.)

Remove the password and encryption from your private key

openssl rsa -in domain.tld.encrypted.key -out domain.tld.key

Step Two: Create a CSR

In this step you’re going to create what you actually send to your Certificate Authority. If you set a password on your Private Key, you’ll be required to enter it to create the CSR. After you finish all these steps, you can delete your CSR.

Create your Certificate Signing Request

openssl req -new -key domain.tld.key -out domain.tld.csr

Step Three: Create your Certificate

You have three options here:

  1. Self-signing
  2. Creating a certificate authority (CA)
  3. Paying a CA to create your certificate for you.

Here’s what’s up: Self-signing is easy, free, and quick. Creating a CA isn’t terribly difficult, but probably more than you want to handle for something small. Paying for a CA can be cheap ($20), easy, quick, and comes with browser-recognition, which is generally important for public websites; especially commercial ones.

My advice: Self-sign your certificates for personal things, and pay for a certificate if it’s public and important.

If you’d like to pay for someone to sign your certificates, do some research and find which one you want to use. Next, find their instructions for submitting your CSR file.

Self-Sign your Certificate

openssl x509 -req -days 365 -in domain.tld.csr -signkey domain.tld.key -out domain.tld.crt

If you do happen to want to set up your own certificate authority, check these resources out:

Step Four: Creating a PEM file

A PEM file is used by many different daemons, but instructions for generating one can be hard to come by. There are some complicated ways to build one; I have had pretty good success with simply concatenating the .key and the .crt file:

cat domain.tld.key domain.tld.crt > domain.tld.pem
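Here is the whole procedure above (key, CSR, self-signed certificate, PEM bundle) as one non-interactive script, added here as a worked example; it is not code from the original post. It assumes a 2048-bit key instead of 1024 and AES-256 instead of DES3 for the encrypted key (my choices, not the post’s), uses a constructed placeholder passphrase, passes the subject with -subj so nothing prompts, and finishes with a check that the certificate really belongs to the key and that the .key file ended up readable by its owner only.

```shell
#!/bin/sh
# Added example, not from the original post: the key -> CSR -> self-signed
# certificate -> PEM procedure as one non-interactive function, plus a check.
# Assumptions (mine, not the post's): 2048-bit RSA instead of 1024, AES-256
# instead of DES3 for the encrypted key, and a constructed placeholder passphrase.
set -eu

# Run the full procedure in directory $1 for domain name $2 (default domain.tld).
# Produces <domain>.encrypted.key, <domain>.key, <domain>.csr, <domain>.crt, <domain>.pem.
# The body runs in a subshell so cd and umask do not leak into the caller.
make_self_signed_bundle() (
    dir="$1"; domain="${2:-domain.tld}"
    passphrase="placeholder-passphrase-change-me"   # constructed; use a real secret
    mkdir -p "$dir"
    cd "$dir"
    umask 077   # every file created below is readable by the owner only

    # Step One: encrypted private key, then a decrypted copy for daemons to load.
    openssl genrsa -aes256 -passout "pass:$passphrase" \
        -out "$domain.encrypted.key" 2048 2>/dev/null
    openssl rsa -in "$domain.encrypted.key" -passin "pass:$passphrase" \
        -out "$domain.key" 2>/dev/null

    # Step Two: CSR with the subject given on the command line instead of prompts.
    openssl req -new -key "$domain.key" -subj "/CN=$domain" -out "$domain.csr"

    # Step Three: self-sign the CSR for one year.
    openssl x509 -req -days 365 -in "$domain.csr" -signkey "$domain.key" \
        -out "$domain.crt" 2>/dev/null

    # Step Four: bundle key and certificate into one PEM file.
    cat "$domain.key" "$domain.crt" > "$domain.pem"
)

# Returns 0 when the certificate in $1 really belongs to the private key there
# (their public keys are byte-identical), the certificate verifies against
# itself, the PEM bundle holds one key and one certificate, and the key file
# is owner-only (mode 0600). Returns 1 on the first failed check.
check_bundle() {
    dir="$1"; domain="${2:-domain.tld}"
    key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/$domain.crt" -pubkey -noout)
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl verify -CAfile "$dir/$domain.crt" "$dir/$domain.crt" >/dev/null 2>&1 || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/$domain.pem")" -eq 1 ] || return 1
    [ "$(grep -c 'PRIVATE KEY' "$dir/$domain.pem")" -eq 2 ] || return 1   # BEGIN + END lines
    [ "$(ls -ld "$dir/$domain.key" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}
```

Call make_self_signed_bundle with an output directory and a domain, then check_bundle with the same arguments; a non-zero return from check_bundle means the key, certificate and bundle do not belong together or the key is readable by others, and the files should not be handed to a daemon.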

Disclaimer

I am not an expert with SSL, which is exactly why I created this. This may not be accurate, YMMV, etc. Be careful. Also: Your .key is private. Keep that safe, with appropriate permissions. Make sure nobody else can access it, and do not give it away to anyone. If you have any insight, feel free to comment - I would appreciate it.

Original post: http://grahamc.com/blog/openssl-madness-how-to-create-keys-certificate-signing-requests-authorities-and-pem-files
