Memo: Creating a Self-Signed SSL Certificate with OpenSSL

1. Log in to the server with SSH, and use the following command to create the private key of the root certificate:

openssl genrsa -out ca.key 2048

Many people on the Internet use 1024; I have increased the key size to 2048 here.

2. Use the private key to create a root certificate:

openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj \
"/C=CN/ST=Jiangsu/L=Yangzhou/O=Your Company Name/OU=Your Root CA"

Here /C is the country, which must be a country-code abbreviation such as CN or US; /ST is the state or province (State/Province); /L is the city or region (Locality); /O is the organization name; /OU holds other display content, generally shown in the issuer column.

At this point, the root certificate has been created. Here are the steps to create a website SSL certificate:

3. Create the private key of the SSL certificate; the key size here is still 2048:

openssl genrsa -out server.key 2048

4. Use the private key just created to create the SSL certificate request:

openssl req -new -key server.key -out server.csr -subj \
"/C=CN/ST=Jiangsu/L=Yangzhou/O=Your Company Name/OU=wangye.org/CN=wangye.org"

Note that the content of the /O field must be the same as in the CA root certificate created above; the /CN field is the Common Name, which must be the domain name of the website (without www); the /OU field is best set to the website's domain name as well, although it does not matter if you choose another name.

5. Do some preparatory work:

mkdir demoCA
cd demoCA
mkdir newcerts
touch index.txt
echo '01' > serial
cd ..

Note the final cd .. and then use the ls command to check that the demoCA directory exists.

6. Sign the self-built SSL certificate with the CA root certificate:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

Next, prompts appear. At Sign the certificate? [y/n], type y and press Enter; then 1 out of 1 certificate requests certified, commit? [y/n] appears, and you type y and press Enter there as well.

The directory now contains the two files the server needs for SSL, namely server.crt and server.key, and you can use them to configure your server software.
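The steps above, run unattended in a scratch directory and followed by the checks worth making before server.crt goes onto a server; this is an added example, not part of the original memo. It assumes the OpenSSL command-line tool is installed, uses constructed subjects with the placeholder domain example.test, passes -batch in place of the two y/n prompts, and writes its own ca.cnf (an assumption, mirroring the policy_match section of the stock openssl.cnf) so that the /O rule from step 4 can be shown refusing a mismatched request.

```shell
#!/bin/sh
# Added example, not from the memo. Subjects are constructed; example.test is a placeholder.
SUBJ="/C=CN/ST=Jiangsu/L=Yangzhou/O=Your Company Name"

make_ca() {   # steps 1, 2 and 5, plus a CA config (assumed) mirroring the stock policy_match
    openssl genrsa -out ca.key 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 36500 -key ca.key -out ca.crt \
        -subj "$SUBJ/OU=Your Root CA" || return 1
    mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 01 > demoCA/serial || return 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
EOF
}

issue() {     # steps 3, 4 and 6; $1 = file stem, $2 = subject of the request
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2" &&
    openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" \
        -cert ca.crt -keyfile ca.key >/dev/null 2>&1
}

check() {     # the chain validates against ca.crt and the certificate matches the key
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout)" ]
}

demo() (      # subshell: succeeds if the good request is signed and the wrong /O is refused
    work=$(mktemp -d) && cd "$work" || exit 1
    trap 'rm -rf "$work"' EXIT
    make_ca && issue server "$SUBJ/OU=example.test/CN=example.test" && check server || exit 1
    ! issue other "/C=CN/ST=Jiangsu/L=Yangzhou/O=Another Company/CN=other.example.test"
)

demo && echo "server.crt verified; request with a different /O refused"
```

A certificate issued this way, like the one from the memo's commands, carries no subjectAltName extension, and current browsers match the hostname against that extension rather than /CN, so they reject it even with ca.crt imported.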

Note that since this is a self-signed certificate, the client needs to install the root certificate: download the root certificate ca.crt created in step 2 to the client and double-click it to import it; otherwise the client will warn about an untrusted certificate publisher.

Usually, for private or internal use, a self-built certificate is more than enough. If your product is for the public, spend some money to buy a formal SSL certificate; do not follow the example of a certain ticketing system and force users to install the root certificate of a self-built certificate.

