Generate a self-signed root certificate and a user certificate issued from it with OpenSSL


Public key certificate: on Linux the certificate file usually carries the .crt suffix; on Windows the .cer suffix is common. The suffix is only a naming convention; both are X.509 certificates.

Generate CA certificate (self-signed root certificate)

1. Generate the private key: a DES3-encrypted private key, private.pem (1024- or 2048-bit key)

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl genrsa -des3 -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
......................+++
................+++
e is 65537 (0x10001)
Enter pass phrase for private.pem: # type a pass phrase of your choice
Verifying - Enter pass phrase for private.pem:  # type the same pass phrase again to confirm
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 4
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem    # the generated private key file

2. Generate the public key (the public key can be derived from the private key, but not the reverse)

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl rsa -in private.pem -pubout -out public.pem
Enter pass phrase for private.pem:  # type the pass phrase set for the private key above
writing RSA key
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 8
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem
-rw-r--r-- 1 root root  451 Jul 20 14:52 public.pem  # the public key file

3. Generate the certificate: a CA self-signed certificate in X.509 format (the validity period is set with the -days option)

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl req -new -x509 -key private.pem -out ca.crt -days 3650
Enter pass phrase for private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:#CN
State or Province Name (full name) []:#BEIJING
Locality Name (eg, city) [Default City]:#BEIJING
Organization Name (eg, company) [Default Company Ltd]:#GUANGDA
Organizational Unit Name (eg, section) []:#HR
Common Name (eg, your name or your server's hostname) []:#CA ROOT
Email Address []:#[email protected]
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 12
-rw-r--r-- 1 root root 1407 Jul 20 14:55 ca.crt # the CA self-signed certificate
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem  # private key file
-rw-r--r-- 1 root root  451 Jul 20 14:52 public.pem  # public key file

Note: in step 3 the crt certificate is generated directly from the private key rather than from the public key file of step 2. That works because the public key can be derived from the private key, and it is the public key that gets embedded in the crt. The private key has a second role here as well: the certificate body, including the identity information we typed (country, province, city, organization, name, e-mail address), is hashed with a digest algorithm, the digest is signed with our own private key, and that signature is also embedded in the crt. This is what makes it a self-signed certificate (a certificate we issued to ourselves). ca.crt is also called a public key certificate: it contains the identity information, the signature over the digest and the public key, but not the private key.

Here we can also check whether public.pem is identical to the public key exported from ca.crt:

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl x509 -in ca.crt -pubkey -noout  # export and print the public key held in the CA certificate
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxjhzq2e3zvFC6pJ3grBQ
JTzy6K2d6lc43/nq3xAXWHHywfax3g5ej9FyMuCELV22ycgEHLVfmvSn6q8hgjT8
yTK6mwDEHb10oDJk8y/sm/d5vwJsQ5+5v+TboQAUXK+U215da4KBwEMQLFXOnB/4
ekk7WgQVGv9BE5tAyNXdQm77XeUcSuO09eSosG9fTa5TcYTCgF2NnHXFV/KqGl0C
pZfyAVhYW2ipP0b3uO1ScHy54pacd6tho3Rkwz5GYE4cKE9dKitD+zonWB3P5Z//
AZlDOHm1/QirZqj96AW37Lz1wcI/fAXzOWbmw3vYNETRskRRQ2bKIP5ksJhRAPWR
gQIDAQAB
-----END PUBLIC KEY-----
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# cat public.pem # show the public key file generated in step 2 above
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxjhzq2e3zvFC6pJ3grBQ
JTzy6K2d6lc43/nq3xAXWHHywfax3g5ej9FyMuCELV22ycgEHLVfmvSn6q8hgjT8
yTK6mwDEHb10oDJk8y/sm/d5vwJsQ5+5v+TboQAUXK+U215da4KBwEMQLFXOnB/4
ekk7WgQVGv9BE5tAyNXdQm77XeUcSuO09eSosG9fTa5TcYTCgF2NnHXFV/KqGl0C
pZfyAVhYW2ipP0b3uO1ScHy54pacd6tho3Rkwz5GYE4cKE9dKitD+zonWB3P5Z//
AZlDOHm1/QirZqj96AW37Lz1wcI/fAXzOWbmw3vYNETRskRRQ2bKIP5ksJhRAPWR
gQIDAQAB
-----END PUBLIC KEY-----

The public key in ca.crt and the contents of public.pem are identical, so everything is consistent.

Issue a user certificate from the CA certificate

1. Generate the private key: a DES3-encrypted private key, server_private.pem (no key size is given on the command line, so the default of 2048 bits is used, as the output below shows)

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl genrsa -des3 -out server_private.pem 
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...........+++
e is 65537 (0x10001)
Enter pass phrase for server_private.pem:
Verifying - Enter pass phrase for server_private.pem:
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 16
-rw-r--r-- 1 root root 1407 Jul 20 14:55 ca.crt
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem
-rw-r--r-- 1 root root  451 Jul 20 14:52 public.pem
-rw-r--r-- 1 root root 1743 Jul 20 15:47 server_private.pem

2. Generate the CSR (certificate signing request) from the private key

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl req -new -key server_private.pem -out server.csr
Enter pass phrase for server_private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:#cn
State or Province Name (full name) []:#henan
Locality Name (eg, city) [Default City]:#puyang
Organization Name (eg, company) [Default Company Ltd]:#xiaoniu
Organizational Unit Name (eg, section) []:#kaifa
Common Name (eg, your name or your server's hostname) []:# xiaoniu
Email Address []:#[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 20
-rw-r--r-- 1 root root 1407 Jul 20 14:55 ca.crt
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem
-rw-r--r-- 1 root root  451 Jul 20 14:52 public.pem
-rw-r--r-- 1 root root 1041 Jul 20 15:55 server.csr
-rw-r--r-- 1 root root 1743 Jul 20 15:47 server_private.pem

3. Have the certificate authority sign the request (here ca.crt plays the role of the authority's certificate, and server.crt is the certificate we want)

openssl x509 -req -days 3650 -in server.csr \
-CA ca.crt -CAkey private.pem \
-CAcreateserial -out server.crt

Typed at the shell with line continuations, the same command looks like this:

[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# openssl x509 -req -days 3650 -in server.csr \
> -CA ca.crt -CAkey private.pem \
> -CAcreateserial -out server.crt
Signature ok
subject=/C=cn/ST=henan/L=puyang/O=xiaoniu/OU=kaifa/CN=xiaoniu/emailAddress=xiaoniu@qq.com
Getting CA Private Key
Enter pass phrase for private.pem: # type the pass phrase of the CA's private key
[root@iZ2zeddfx87fw4m4dlxu8dZ certs]# ll
total 28
-rw-r--r-- 1 root root 1407 Jul 20 14:55 ca.crt
-rw-r--r-- 1 root root   17 Jul 20 15:59 ca.srl
-rw-r--r-- 1 root root 1751 Jul 20 14:50 private.pem
-rw-r--r-- 1 root root  451 Jul 20 14:52 public.pem
-rw-r--r-- 1 root root 1281 Jul 20 15:59 server.crt
-rw-r--r-- 1 root root 1041 Jul 20 15:55 server.csr
-rw-r--r-- 1 root root 1743 Jul 20 15:47 server_private.pem

This produces two new files in the current directory: server.crt, the user's public key certificate, and ca.srl, which stores the serial number of the issued certificate.
First the contents of server.csr are extracted: the public key and the user information. The CA's private key signs the user information, the signature is embedded in server.crt, and the extracted public key is embedded in server.crt as well. With that, a user certificate has been issued.

If you want a browser such as Google Chrome to show the green padlock, using your own self-signed certificate as the issuing authority's root and issuing certificates to others from it will not work; you have to pay a third-party public certificate authority for a certificate.
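The whole procedure from both sections above (CA key and self-signed root, then server key, CSR and CA-signed certificate), as an added shell example that is not code from the original post. It runs the same openssl commands non-interactively, using -passin/-passout and a local config file instead of the prompts, and then performs the check the post does by eye (the public key in ca.crt equals public.pem) plus two it does not: the issued certificate carries the CSR's key, and openssl verify accepts server.crt against ca.crt. It also adds the extensions that the bare commands above leave out: CA:TRUE on the root, and CA:FALSE plus a subjectAltName on the server certificate, which browsers require. All DN values, file names, the host name xiaoniu.example and the pass phrases are constructed placeholders; the script needs the openssl binary and a POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the original post: the same two-tier setup as the
# walkthrough above (CA key -> self-signed root; server key -> CSR -> CA-signed
# certificate), run non-interactively and followed by the checks a reviewer would
# make. Every DN value, file name and pass phrase here is a constructed placeholder.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"                           # scratch directory
CA_PASS="${CA_PASS:-ca-placeholder-passphrase}"        # placeholder, not a real secret
SRV_PASS="${SRV_PASS:-server-placeholder-passphrase}"  # placeholder, not a real secret

# "Generate CA certificate", steps 1-3: encrypted CA key, public key, self-signed root.
make_ca() {
  cd "$WORK"
  # Own config so the run does not depend on the system openssl.cnf; prompt=no
  # takes the DN from [ca_dn] instead of asking the questions shown in the post.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = ca_dn
x509_extensions    = v3_ca
prompt             = no
[ca_dn]
C  = CN
ST = BEIJING
L  = BEIJING
O  = GUANGDA
OU = HR
CN = CA ROOT
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -aes256 instead of the post's -des3: same workflow, stronger key wrapping.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out private.pem 2048 2>/dev/null
  openssl rsa -in private.pem -passin "pass:$CA_PASS" -pubout -out public.pem 2>/dev/null
  openssl req -new -x509 -config ca.cnf -key private.pem -passin "pass:$CA_PASS" \
    -days 3650 -out ca.crt
}

# "Issue user certificates", steps 1-3: server key, CSR, certificate signed by the CA.
make_server_cert() {
  cd "$WORK"
  cat > server.cnf <<'EOF'
[req]
distinguished_name = server_dn
prompt             = no
[server_dn]
C  = CN
ST = henan
L  = puyang
O  = xiaoniu
OU = kaifa
CN = xiaoniu.example
EOF
  # End-entity extensions: browsers ignore CN and need a subjectAltName, and
  # CA:FALSE stops the issued certificate from signing further certificates.
  cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:xiaoniu.example
EOF
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out server_private.pem 2048 2>/dev/null
  openssl req -new -config server.cnf -key server_private.pem -passin "pass:$SRV_PASS" \
    -out server.csr
  openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey private.pem \
    -passin "pass:$CA_PASS" -CAcreateserial -extfile server.ext -out server.crt
}

# The comparison the post makes by eye: the key inside ca.crt equals public.pem.
ca_pubkey_matches() {
  cd "$WORK" && openssl x509 -in ca.crt -pubkey -noout | cmp -s - public.pem
}

# The key in the CSR and the key in the issued certificate must be the same key.
server_pubkey_matches() {
  cd "$WORK" && openssl req -in server.csr -pubkey -noout > from_csr.pub
  openssl x509 -in server.crt -pubkey -noout | cmp -s - from_csr.pub
}

# Chain validation: server.crt must verify with ca.crt as the trust anchor.
chain_verifies() {
  cd "$WORK" && openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

check() {  # check <description> <function>: report, and abort on the first failure
  "$2" && echo "ok: $1" || { echo "FAIL: $1" >&2; exit 1; }
}

make_ca
make_server_cert
check "ca.crt carries the key from public.pem" ca_pubkey_matches
check "server.crt carries the key from server.csr" server_pubkey_matches
check "server.crt chains to ca.crt" chain_verifies
# The fields the Windows certificate viewer shows when server.crt is double-clicked.
openssl x509 -in server.crt -noout -serial -issuer -subject -dates
echo "files written to $WORK"
```

Run it with sh, setting WORK=/some/dir if the files should land somewhere other than a temporary directory. As in the post's commands, -days 3650 is ten years, which is long for a server certificate. Even with the extensions added here, a browser only shows the padlock if ca.crt has been imported into that machine's trust store; a root that nobody else trusts is exactly why a public CA is needed for sites on the internet.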

Download server.crt to a Windows desktop and double-click it to open it in the certificate viewer.
There you can see the certificate's serial number, the issuer information and the user (subject) information.

Source: blog.csdn.net/adminstate/article/details/131830551