Creating SSL keys, CSRs, self-signed certificates, and .pem files.
What is the whole darned process?
Well that’s a good question. For my purposes, this is what I need to know:
- Create a Private Key. These usually end in the file extension “key” If you already have one, don’t worry - it’s cool, we’ll be using that one.
- Create a Certificate Signing Request. These usually end in the extension “csr”, and are sent to the certificate authority to generate a certificate.
- If you’re not going to be using an existing service (usually for pay) as a certificate authority, you can create your own Certificate Authority, or self-sign your certificate.
- Submit your CSR to the CA and get the results. If you’re doing it yourself, I’ll tell you how. The CA creates a Certificate file, which ends in “.crt”.
- Take the whole collection of files, keep them somewhere safe, and mash them together to create your PEM file (this is usually just used for email.)
So. Let’s get started, eh?
Step Zero: Basic Assumptions
- I’ll assume your domain name is domain.tld.
- I’ll assume you have OpenSSL installed.
- I’ll assume that you are running some form of Linux. I use Debian.
Step One: Create your Private Key
Ok, here you’re going to create your key - and treat is as such. This should be kept private, and not shared with anyone.
Now, you have a couple of options here - the first is to create your private key with a password, the other is to make it without one. If you create it with a password, you have to type it in every time your start any server that uses it.
Important: If you create your private key with a password, you can remove it later. I recommend creating your private key with a password, and then removing it temporarily every time you need to use it. When you’re done with the key without a password, delete it so it isn’t a security risk.
Create your Private key with a password
openssl genrsa -des3 -out domain.tld.encrypted.key 1024
Create your Private key without a password
openssl genrsa -out domain.tld.key 1024
If you created your private key with a password, you’ll want to complete the rest of the steps using a decrypted private key - else you’ll have to type in your password every time you use the certificate (ie: every time you start a daemon using that certificate.)
Remove the password and encryption from your private key
openssl rsa -in domain.tld.encrypted.key -out domain.tld.key
Step Two: Create a CSR
On this step you’re going to create what you actually send to your Certificate Authority. If you set a password with your Private Key, you’ll be required to enter it to create the CSR. After you finish all these steps, you can delete your CSR.
Create your Certificate Signing Request
openssl req -new -key domain.tld.key -out domain.tld.csr
Step Three: Create your Certificate
You have three options here: 1. Self-signing 2. Creating a certificate authority (CA) 3. Paying a CA to create your certificate for you.
Here’s what’s up: Self-signing is easy, free, and quick. Creating a CA isn’t terribly difficult, but probably more than you want to handle for something small. Paying for a CA can be cheap ($20), easy, quick, and comes with browser-recognition, which is generally important for public websites; especially commercial ones.
My advice: Self-sign your certificates for personal things, and pay for a certificate if its public and important.
If you’d like to pay for someone to sign your certificates, do some research and find which one you want to use. Next, find their instructions for submitting your CSR file.
Self-Sign your Certificate
openssl x509 -req -days 365 -in domain.tld.csr -signkey domain.tld.key -out
domain.tld.crt
If you do happen to want to setup your own certificate authority, check these resources out:
- http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
- http://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/
Step Four: Creating a PEM file
A PEM file is used by many different daemons, however how to generate such a PEM file can be hard to come by. There are some complicated ways to build one, however I have had pretty good success with simply combining the .key and the .crt file together:
cat domain.tld.key domain.tld.crt > domain.tld.pem
Disclaimer
I am not an expert with SSL, which is exactly why I created this. This may not be accurate, YMMV, etc. Be careful. Also: Your .key is private. Keep that safe, with appropriate permissions. Make sure nobody else can access it, and do not give it away to anyone. If you have any insight, feel free to comment - I would appreciate them.
原帖地址:http://grahamc.com/blog/openssl-madness-how-to-create-keys-certificate-signing-requests-authorities-and-pem-files
Creating SSL keys, CSRs, self-signed certificates, and .pem files.的更多相关文章
- Cross platform GUI for creating SSL certs with OpenSSL
Someone said: from : https://micksmix.wordpress.com/2012/08/09/xca-cross-platform-gui-for-creating-s ...
- Subversion Self Signed Certificates
When connecting to Subversion repositories using SSL connections the SVN client checks the server ce ...
- PHP curl出现SSL certificate problem: self signed certificate in certificate chain
使用PHP curl请求https的时候出现错误“SSL certificate problem: self signed certificate in certificate chain”,这种情况 ...
- SSL certificate problem: self signed certificate
执行Git命令时出现各种 SSL certificate problem 的解决办法 2014年10月11日 10:45:40 比如我在windows下用git clone gitURL 就提示 ...
- Creating SSL Certificates for CRM Test Environment
不必找第三方去申请证书了, Windows Server 自己也可以作为一个CA的. When working on a CRM Test environment there are many sce ...
- 本地git安装完成之后,从远程git服务器上面下载代码。报错SSL certificate problem:self signed certificate in certificate chain。
解决方案:打开git的控制端黑窗口,输入: git config --global http.sslVerify false 点击Entry之后,就会去掉git的ssl验证. 然后就可以正常的下载代码 ...
- git Clone SSL certificate problem: self signed certificate
自己的git服务器遇到证书是自签的,git验证后会拒绝,此时,采用如下命令临时禁用就好 git -c http.sslVerify=false clone https://domain.com/pat ...
- jenkins 使用Git 报错:SSL certificate problem: self signed certificate in certificate chain
在启动java的脚本上执行 增加参数: -Dorg.jenkinsci.plugins.gitclient.GitClient.untrustedSSL=true 即可!!
- Nginx配置SSL安全证书避免启动输入Enter PEM pass phrase
之前两篇文章已经很好的介绍了Nginx配置SSL的一些情况,配置好的Nginx每次启动都要 输两遍PEM pass phrase,很是不爽,尤其是在服务器重启后,Nginx压根就无法自动启动,必须手动 ...
随机推荐
- CSS Spritec下载,精灵图,雪碧图,初探之原理、使用
CSS Spritec下载,精灵图,雪碧图,初探之原理.使用 关于CSS Sprite CSSSprites在国内很多人叫css精灵雪碧图,是一种网页图片应用处理方式.它允许你将一个页面涉及到的所有零 ...
- Error:(12, 64) java: 未报告的异常错误java.io.IOException; 必须对其进行捕获或声明以便抛出
Error:(12, 64) java: 未报告的异常错误java.io.IOException; 必须对其进行捕获或声明以便抛出 package com.test; import org.apach ...
- MAC OSX
你可以输入下面的命令来查看IPv4端口:(最好加 sudo) # lsof -Pnl +M -i4
- MySQL 数据库的主从配置
mysql主从配置.鄙人是在如下环境测试的: 主数据库所在的操作系统:win7 主数据库的版本:5.0 主数据库的ip地址:192.168.1.111 从数据库所在的操作系统:linux 从数据的版本 ...
- SprinBoot CLI 安装(Mac版)
1. 安装 HomeBrew /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/instal ...
- Hotel---poj3667(线段树区间问题)
题目链接:http://poj.org/problem?id=3667 题意:酒店有n个房间,现有m个团队,每个团队需要连续 d 个房间,现在有两个操作,1:需要 d 个房间,2:从 x 开始连续 d ...
- Python开发【模块】:M2Crypto RSA加密、解密
M2Crypto 模块 快速安装: # 环境centos7.0,提前装好openssl(自行百度安装),windows装不上,暂不考虑了 [root@localhost ~]# pip install ...
- Python开发【笔记】:进程
序言 进程与线程概述: 很多同学都听说过,现代操作系统比如Mac OS X,UNIX,Linux,Windows等,都是支持“多任务”的操作系统. 什么叫“多任务”呢?简单地说,就是操作系统可以同时运 ...
- Django自带的加密算法及加密模块
Django 内置的User类提供了用户密码的存储.验证.修改等功能,可以很方便你的给用户提供密码服务. 默认的Ddjango使用pbkdf2_sha256方式来存储和管理用的密码,当然是可以自定义的 ...
- 【Loadrunner接口测试】什么情况需要区分PC和手机端去做压测?
1.PC和手机本身访问的都是接口,能有啥不一样的 这个一般看不出来,除非你们开发给APP的接口定义为http://api.mobile.com之类的 网站是网站,APP是APP但是不论是网站还是APP ...