openssl usage

1.  openssl genrsa -out key.pem 1024

2.  openssl req -new -key key.pem -config /etc/ssl/openssl.cnf -out request.pem

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing               
Locality Name (eg, city) []:BeiJing 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.test.com
Organizational Unit Name (eg, section) []:test.cn
Common Name (eg, YOUR name) []:zhangsan
Email Address []:zhangsan@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test2011
An optional company name []:test_company

3.  openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem

4.  openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt

 

 ======================================================================

mutual ca authentication steps (main certification and key creating procedure)

1.   Creating the CA Key and Certificate

The general process for creating a certificate includes:

       1.1  Creating a private key

            openssl genrsa -out CA.key 1024

       1.2  Creating a certificate request

               openssl req -new -key CA.key -out CA.csr -config ..\openssl.cnf

Enter pass phrase for Server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:bj@yuvad.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn

        1.3 Creating and signing a certificate from the certificate request
               openssl x509 -req -days 3650 -in CA.csr -out CA.crt -signkey CA.key

2.  Verifying the CA certificate contents (option)

     At this point we have our self-signed CA certificate and our CA key, which will be

    used to sign the web server and client certificates that we create. To verify the

    certificate contents, use the following command:

    openssl x509 -in CA.crt -text

3.   Creating a Web Server Certificate
3.1   The procedure for creating a web server certificate is
similar to that for creating the CA certificate except
that the web server certificate will be signed using
the CA key rather than self-signing with a web
server-specific key.

Command:

openssl genrsa -aes128 -out server.key 1024

and input pass phrase when prompt

3.2     Next, create the web server certificate request for the private key.
When prompted for the pass phrase for the keys, enter the pass
phrase that you used for the private key.

Command:

openssl req -new -key Server.key -out Server.csr -config ..\openssl.cnf

Enter pass phrase for Server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yuvad
Organizational Unit Name (eg, section) []:yuvadbj
Common Name (eg, YOUR name) []:yuv
Email Address []:bj@yuvad.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hello
An optional company name []:yuvad.cn

3.3    Then, sign the web server certificate with the CA key

Command:

openssl ca -days 3650 -in Server.csr -cert CA.crt -keyfile CA.key -out Server.crt -config ..\openssl.cnf

notes:

at first, modify conf/openssl.cnf file, set dir  = ../DemoCA, because above command is run in conf/ssl

additionally, DemoCA directory should be created in conf directory

and certs, crl, newcerts directory need be created in DemoCA

file index.txt and serial should be create in DemoCA and 01 is writed into serial file.

 

Using configuration from ..\openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 30 07:26:14 2011 GMT
            Not After : Dec 27 07:26:14 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = yuvad
            organizationalUnitName    = yuvadbj
            commonName                = yuv
            emailAddress              = bj@yuvad.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F8:7E:C4:9B:2E:8E:B4:DB:48:97:00:97:66:9A:D9:10:93:2A:B8:2B
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=Beijing/L=Beijing/O=yuvad/OU=yuvadbj/CN=yuv/ema
ilAddress=bj@yuvad.com
                serial:B4:EE:50:3B:C9:D1:7A:9C

Certificate is to be certified until Dec 27 07:26:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 3.4   To verify the web server certificate contents, use the following command (optional)

openssl x509 -in Server.crt -text