Lab environment:
Linux ubuntu/Centos 64 x86_64 x86_64 x86_64 GNU/Linux
1. Install gmssl according to the installation instructions on the official website
$ unzip GmSSL-master.zip
$ cd GmSSL-master
$ ./config no-saf no-sdf no-skf no-sof no-zuc no-shared   # no-shared: do not build the dynamic library, so the compiled gmssl no longer depends on libssl.so
$ make
$ sudo make install
2. Modify the configuration file /usr/local/ssl/openssl.cnf
$ vi /usr/local/ssl/openssl.cnf
[ ca ]
default_ca = CA_default         # The default ca section
[ CA_default ]
#dir = ./demoCA                 # Where everything is kept
dir = /home/myapp/demoCA        # modified here
3. Initialize the CA directory
1) Create the root directory
$ mkdir -p /home/myapp/demoCA
$ cd /home/myapp/demoCA
2) Create the subdirectories
Under this path, create the subdirectories that /usr/local/ssl/openssl.cnf requires: certs, crl, new_certs_dir and private_key; by default these are newcerts and private.
$ mkdir certs crl newcerts private
3) Create the database file index.txt
$ touch index.txt
4) Create the serial file and write the initial serial number, e.g. 01
$ echo "01" > serial
4. Steps for generating a national cryptographic (SM2) certificate
(1) Generate the root certificate
1) Generate the private key
$ gmssl ecparam -genkey -name sm2p256v1 -text -out Root.key -config /usr/local/ssl/openssl.cnf
2) Generate a certificate signing request
$ gmssl req -new -key Root.key -out Root.req -subj /C=CN/ST=Guang\ Zhou/L=GZ/O=Root/OU=Root\ Sign/CN=RootCA/[email protected] -config /usr/local/ssl/openssl.cnf
3) Generate the root certificate
$ gmssl x509 -req -days 3650 -sm3 -in Root.req -signkey Root.key -out RootCA.crt
$ cp RootCA.crt demoCA/
$ cp Root.key demoCA/private/
These correspond to apache/ssl/ca.crt and apache/ssl/ca.key.
(2) Generate the intermediate certificate (i.e., the client certificate)
1) Generate the private key
$ gmssl ecparam -genkey -name sm2p256v1 -text -out Medium.key -config /usr/local/ssl/openssl.cnf
2) Generate the client certificate request
$ gmssl req -new -key Medium.key -out Medium.req -subj /C=CN/ST=Guang\ Zhou/L=GZ/O=Medium/OU=Medium\ Sign/CN=MediumCA/[email protected] -config /usr/local/ssl/openssl.cnf
3) Issue the certificate
$ gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey demoCA/private/Root.key -CAcreateserial -in Medium.req -out MediumCA.crt
4) Verify the certificate
$ gmssl verify -CAfile RootCA.crt MediumCA.crt
$ cp MediumCA.crt demoCA/
$ cp Medium.key demoCA/private/
5) Convert the certificate into the PFX format that browsers understand
$ gmssl pkcs12 -export -inkey Medium.key -in MediumCA.crt -out test.pfx -passin pass:xxx -passout pass:xxx
6) View the certificate information
Convert the PKCS#12 file to PEM:
$ gmssl pkcs12 -in test.pfx -out cert.pem -nodes
After the conversion the certificate information can be viewed.
Print the contents of the certificate:
$ gmssl x509 -in cert.pem -noout -text
Print the certificate serial number:
$ gmssl x509 -in cert.pem -noout -serial
Print the certificate owner (subject) name:
$ gmssl x509 -in cert.pem -noout -subject
Print the certificate's MD5 fingerprint:
$ gmssl x509 -in cert.pem -noout -fingerprint
(3) Generate the server certificate
1) Generate the private key
$ gmssl ecparam -genkey -name sm2p256v1 -text -out Server.key -config /usr/local/ssl/openssl.cnf
2) Generate the certificate request
$ gmssl req -new -key Server.key -out Server.csr -subj /C=CN/ST=Guang\ Zhou/L=GZ/O=Server/OU=Server\ Sign/CN=ServerCA/[email protected] -config /usr/local/ssl/openssl.cnf
3) Issue the certificate
$ gmssl x509 -req -sm3 -days 3650 -CA RootCA.crt -CAkey demoCA/private/Root.key -CAcreateserial -in Server.csr -out ServerCA.crt
4) Verify the certificate
$ gmssl verify -CAfile RootCA.crt ServerCA.crt
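As an added example, not code from the original post: a POSIX shell helper that performs step 3 (the demoCA layout) with owner-only access to private/, replaces the bare `cp` of Root.key and Medium.key into demoCA/private/ with a copy that sets mode 600, and audits the directory for missing pieces, a malformed serial file and group/world-readable keys. The CA path is passed as an argument (the post uses /home/myapp/demoCA); the function names are the example's own.

```shell
#!/bin/sh
# Added helper (not part of the original post). Creates the demoCA layout from
# step 3 with owner-only access to private/, installs keys with mode 600 instead
# of a bare `cp`, and audits the directory. The CA path is an argument.

init_ca_dir() {                       # usage: init_ca_dir /home/myapp/demoCA
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private" || return 1
    chmod 700 "$dir/private"          # only the CA operator may list or read keys
    : > "$dir/index.txt"              # empty certificate database (step 3, 3)
    echo 01 > "$dir/serial"           # initial serial number (step 3, 4)
}

install_key() {                       # usage: install_key Root.key /home/myapp/demoCA
    key=$1; dir=$2
    cp "$key" "$dir/private/" && chmod 600 "$dir/private/$(basename "$key")"
}

# audit_ca_dir DIR: returns 0 when the layout is complete and no private key is
# readable by group or others; prints each problem found and returns 1 otherwise.
audit_ca_dir() {
    dir=$1; rc=0
    for sub in certs crl newcerts private; do
        [ -d "$dir/$sub" ] || { echo "missing directory: $dir/$sub"; rc=1; }
    done
    for f in index.txt serial; do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f"; rc=1; }
    done
    # the serial file must hold an even number of hex digits, e.g. 01
    if [ -f "$dir/serial" ] && ! grep -Eq '^([0-9A-Fa-f]{2})+$' "$dir/serial"; then
        echo "malformed serial file: $dir/serial"; rc=1
    fi
    # a key copied with plain cp keeps the 0644 mode it was created with;
    # flag anything under private/ that group (040) or others (004) can read
    for k in $(find "$dir/private" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null); do
        echo "private key readable by others: $k"; rc=1
    done
    return $rc
}
```

Run `audit_ca_dir /home/myapp/demoCA` after steps 3 and 4 to confirm that the copied keys are not readable by other accounts on the host.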