Now, we are the root CA, and we are ready for our customers to sign a digital certificate, three steps need to obtain a digital certificate from a CA:
1. Generate a public / private key pair
We run the following command to generate an RSA key pair. You also need to provide a password to protect your key (password I set here is 123456). Key will be stored in the server.key file.
openssl genrsa -des3 -out server.key 1024
2. Generate a Certificate Signing Request
Once the company has a key document, it should generate a certificate signing request (CSR). CSR will be transmitted to the CA, CA may generate a certificate for the request (usually after confirming identity information matches the CSR). Please qy-bb.club as a generic name for the certificate request, and keep in mind their own have lost some Han.
openssl req -new -key server.key -out server.csr -config openssl.cnf
3. Generate certificate
Generate the certificate. CSR file needs to have a CA certificate constitutes a signature. In the real world, CSR files are often sent to the trusted CA signature. In this study, we will use our own CA to generate the certificate:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
If OpenSSL refuse to generate a certificate, it is probably because your request in the name of the CA held mismatch. Matching rules specify ([policy match] at) in the configuration file, you can change the name can also change the rules. We have done this, and it would change the rules.
At this time, the directory structure is as follows:
.
|-- ca.crt
|-- ca.key
|-- demoCA
| |-- certs
| |-- crl
| |-- index.txt
| |-- newcerts
| `-- serial
|-- openssl.cnf
|-- server.crt
|-- server.csr
`-- server.key
