How to create Self-Signed Certificates for use with Intel® SGX Remote Attestation using OpenSSL

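This article describes how to create TLS authentication certificates with OpenSSL. OpenSSL must be installed first; the certificates are then created step by step in a designated folder, which includes setting the environment variable, creating the configuration file, starting OpenSSL, and generating the private key and the certificate request. Finally, a pfx file is created and the certificate is verified. Related resources are also mentioned.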


Published on March 28, 2016

 


Prerequisites:

If you don’t have OpenSSL installed, an installable version of it is available here: http://slproweb.com/products/Win32OpenSSL.html. Choose either the 32-bit or the 64-bit build depending on your OS. Install OpenSSL using the default settings.

Create certificates for TLS authentication:

Step 1: The following instructions create the certificates in the folder c:\demo, so create this folder on your machine. Then start a command-line prompt (cmd.exe) and go to the demo folder (type: cd \demo). Before you start OpenSSL, set the environment variable shown below:

set RANDFILE=c:\demo\.rnd

 

Step 2: To create a self-signed certificate for TLS authentication, you must create a file named client.cnf in the c:\demo folder with the following information:

[ ssl_client ]
keyUsage = digitalSignature, keyEncipherment, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage = clientAuth, serverAuth

Step 3: Now you can start OpenSSL. Type c:\OpenSSL-Win64\bin\openssl.exe and enter the commands in the following steps at the OpenSSL prompt.

 

Step 4: First we have to create a private key:

genrsa -out client.key 2048

 

Step 5: Now create the certificate request. When creating this request, enter all of the required name information that you would like to see in the certificate that is being generated. Common Name is one field that is required:

req -key client.key -new -out client.req

 

Step 6: The next step is to create a certificate using the extensions defined in the client.cnf file and the certificate request client.req:

x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client

 

Step 7: You now have the required certificate (client.crt) and key (client.key) to perform TLS authentication. To create a pfx file that carries the certificate and private key to a different machine, use the command below:

pkcs12 -export -out client.pfx -inkey client.key -in client.crt

 

Step 8: The final step is to verify that your certificate passes the openssl verification. Run the following command; the result should return OK:

verify -x509_strict -purpose sslclient -CAfile client.crt client.crt

 

Step 9: Final file contents in C:\demo folder 
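
The following is an added example, not part of the original article: a POSIX shell version of Steps 2 and 4 to 6 that runs without prompts and then checks that client.crt carries the extensions from client.cnf, matches client.key and is self-issued. It assumes openssl is on PATH rather than the cmd.exe session used above; the function names and the subject CN are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes openssl is on PATH;
# the function names and the subject CN are constructed for illustration.

# Steps 2, 4, 5 and 6 without prompts, run in directory $1 (inside a subshell).
make_client_cert() (
    mkdir -p "$1" && cd "$1" || exit 1
    cat > client.cnf <<'EOF'
[ ssl_client ]
keyUsage = digitalSignature, keyEncipherment, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
extendedKeyUsage = clientAuth, serverAuth
EOF
    umask 077   # files created from here on are readable by the owner only
    openssl genrsa -out client.key 2048 2>/dev/null || exit 1
    openssl req -key client.key -new -out client.req \
        -subj "/CN=sgx-demo-client.example" || exit 1
    openssl x509 -req -days 365 -in client.req -signkey client.key \
        -out client.crt -extfile client.cnf -extensions ssl_client 2>/dev/null
)

# Check that the certificate in directory $1 matches client.cnf and client.key.
check_client_cert() (
    cd "$1" || exit 1
    text=$(openssl x509 -in client.crt -noout -text) || exit 1
    # Every usage requested in client.cnf must appear in the certificate.
    for want in "Digital Signature" "Key Encipherment" "Certificate Sign" \
        "TLS Web Client Authentication" "TLS Web Server Authentication"; do
        printf '%s\n' "$text" | grep -q "$want" ||
            { echo "missing extension value: $want" >&2; exit 1; }
    done
    # The certificate must carry the public half of client.key.
    [ "$(openssl pkey -in client.key -pubout)" = \
      "$(openssl x509 -in client.crt -noout -pubkey)" ] ||
        { echo "client.crt does not match client.key" >&2; exit 1; }
    # Self-signed: issuer and subject are the same name.
    [ "$(openssl x509 -in client.crt -noout -issuer | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in client.crt -noout -subject | sed 's/^subject= *//')" ] ||
        { echo "client.crt is not self-issued" >&2; exit 1; }
)

# Usage: make_client_cert ./demo && check_client_cert ./demo
```

A failed check prints the reason to stderr and returns a non-zero status, so the pair can gate a later packaging step such as the pfx export.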

 

Related resources:

Certificate Requirements for Intel® Attestation Services
