Generate a CA certificate
<p>When you configure an HTTPS listener, you can use a self-signed CA certificate: the CA certificate signs the client certificate, and it is also the CA certificate used for full-link encryption. The two procedures below build such a CA with OpenSSL and then issue a certificate signed by it. Keep the CA private key off the load balancer and readable only by the account that runs these commands; anyone holding it can issue certificates the listener will trust.</p>
<p><strong><span style="font-size:18px">Use OpenSSL to Generate a CA Certificate</span></strong></p>
<p><strong>Procedures</strong></p>
<p>1. Execute the following commands. Create a ca directory under /home/cert (the configuration file in step 2 refers to /home/cert/ca, so if you place the directory elsewhere, change those paths to match) and four subdirectories under it. Restrict the private directory to its owner, because it will hold the CA private key.</p>
<pre>
<code>mkdir -p /home/cert/ca
cd /home/cert/ca
mkdir newcerts private conf server
chmod 700 private</code></pre>
<ul>
<li>The newcerts directory stores a copy of every certificate signed by the CA.</li>
<li>The private directory stores the private key of the CA.</li>
<li>The conf directory stores the configuration file that supplies the parameters otherwise passed on the command line.</li>
<li>The server directory stores the server certificate file.</li>
</ul>
<p>2. Create an openssl.conf file in the conf directory with the following content. Comment lines start with #; OpenSSL does not accept // comments.</p>
<pre>
<code>[ ca ]
default_ca = foo
[ foo ]
dir = /home/cert/ca
database = /home/cert/ca/index.txt
new_certs_dir = /home/cert/ca/newcerts
certificate = /home/cert/ca/private/ca.crt
serial = /home/cert/ca/serial
private_key = /home/cert/ca/private/ca.key
RANDFILE = /home/cert/ca/private/.rand
# validity period of the certificates this CA issues, in days
default_days = 365
# interval, in days, from the release of one CRL to the release of the next;
# used by "openssl ca -gencrl" unless -crldays (or default_crl_hours) overrides it
default_crl_days = 30
# signature digest: MD5 is disabled for certificate signatures on current
# OpenSSL builds (CentOS included), so use sha256 to avoid the
# "unknown message digest algorithm" error
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
</code></pre>
<p>3. Execute the following commands to generate the CA private key (4096-bit RSA here; OpenSSL uses 2048 bits if the size is omitted).</p>
<pre>
<code>cd /home/cert/ca
openssl genrsa -out private/ca.key 4096
</code></pre>
<p>Result</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151041-195548b89134.png" style="height:74px; width:830px" /></p>
<p>4. Execute the following command, enter the requested information at each prompt and press Enter to generate the certificate signing request (csr) file.</p>
<pre>
<code>openssl req -new -key private/ca.key -out private/ca.csr</code></pre>
<p><strong>Note</strong>: Enter the local domain name as the Common Name (127.0.0.1 is acceptable) and enter "." for each of the remaining fields to leave them empty.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151147-1a9824c89933.png" style="height:390px; width:689px" /></p>
<p>5. Execute the following command to self-sign the request and produce the CA certificate (crt file). Note that this command produces an X.509 v1 certificate without a basicConstraints extension; OpenSSL treats a self-signed v1 certificate as a CA, but clients that require basicConstraints = CA:TRUE on the issuer reject it, and adding that extension requires an extension section passed with -extfile and -extensions.</p>
<pre>
<code>openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt</code></pre>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151258-14e2fcd8984f.png" style="height:66px; width:830px" /></p>
<p>6. Execute the following command to set the serial number of the first certificate the CA issues. The value is hexadecimal and must contain an even number of hex digits (FACE is four); OpenSSL rejects an odd-length value.</p>
<pre>
<code>echo FACE > serial</code></pre>
<p>7. Execute the following command to create the CA database (index.txt), an initially empty text file in which openssl ca records every certificate it issues or revokes.</p>
<pre>
<code>touch index.txt</code></pre>
<p>8. Execute the following command to create the certificate revocation list (CRL). It is empty at this point; a client certificate revoked later with openssl ca -revoke appears in it once the CRL is regenerated with the same -gencrl command.</p>
<pre>
<code>openssl ca -gencrl -out /home/cert/ca/private/ca.crl -crldays 7 -config "/home/cert/ca/conf/openssl.conf"</code></pre>
<p>Result</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151416-19972ad396b1.png" style="height:33px; width:830px" /></p>
<p><strong><span style="font-size:18px">Sign the Client Certificate</span></strong></p>
<p><strong>Procedures</strong></p>
<p>1. Run the following command in the CA directory (/home/cert/ca) to create a users directory for the key and certificate that the CA will sign; the commands below name these files server.key, server.csr and server.crt.</p>
<pre>
<code>mkdir users</code></pre>
<p>2. Run the following command to create the key. Use at least 2048-bit RSA; 1024-bit keys are no longer considered safe.</p>
<pre>
<code>openssl genrsa -aes256 -out /home/cert/ca/users/server.key 2048</code></pre>
<p><strong>Note</strong>: When creating the key you are asked for a pass phrase. It encrypts the key file, so that the key cannot be used by anyone who obtains the file alone.</p>
<p>3. Enter the same pass phrase twice. If the key must be usable without a pass phrase (for example by a server that starts unattended), remove it afterwards with the command <code>openssl rsa -in server.key -out server.key</code>, and protect the resulting plaintext key file with file permissions instead.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151549-1a70c8929afa.png" style="height:139px; width:740px" /><br />
<img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151614-166045bb941e.png" style="height:60px; width:627px" /></p>
<p>4. Run the following command to create the certificate signing request (CSR) file for the key.</p>
<pre>
<code>openssl req -new -key /home/cert/ca/users/server.key -out /home/cert/ca/users/server.csr</code></pre>
<p><strong>Note</strong>: When prompted, first enter the pass phrase set in the previous step, then the certificate details. Set the Common Name to the listener's vip_vport and enter "." for the other fields. For example, if the ELB IP is 100.101.1.30 and the HTTPS port is 443, the Common Name is 100.101.1.30_443.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151711-1dfac9679e0c.png" style="height:302px; width:830px" /></p>
<p>5. Run the following command to sign the CSR with the CA private key, producing the certificate server.crt. The validity period and digest come from openssl.conf (default_days and default_md).</p>
<pre>
<code>openssl ca -in /home/cert/ca/users/server.csr -cert /home/cert/ca/private/ca.crt -keyfile /home/cert/ca/private/ca.key -out /home/cert/ca/users/server.crt -config "/home/cert/ca/conf/openssl.conf"</code></pre>
<p>Answer y to both prompts: the first confirms signing the certificate, the second commits the new entry to the CA database.</p>
<p><img src="https://obs-cn-shanghai.yun.pingan.com/pcp-portal/20201607151755-187f7d239886.png" style="height:115px; width:830px" /></p>
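<p>The two procedures above (building the CA, then signing a certificate with it) as one script, added here as an example and not part of the original page or of any vendor tool. It assumes only the openssl command-line tool (1.1.1 or 3.x); the temporary directory, the CA name "Example Test CA", the Common Name 100.101.1.30_443 and the extension section names v3_ca and v3_leaf are assumptions for the example. It goes beyond the page in three ways a practitioner wants checked: the CA certificate carries basicConstraints CA:TRUE, the issued certificate is verified against the CA and the CRL with openssl verify, and the certificate is then revoked and shown to fail verification once the CRL is consulted.</p>

```shell
#!/usr/bin/env bash
# Added example, not the page's procedure: build the CA, issue a certificate, verify, revoke.
# Assumes the openssl CLI (1.1.1 or 3.x) on PATH; all paths and names are hypothetical.
set -eu

# Lay out the CA directory, write openssl.conf and create the self-signed CA.
setup_ca() {
    local ca="$1"
    mkdir -p "$ca/newcerts" "$ca/private" "$ca/conf" "$ca/users"
    chmod 700 "$ca/private"      # the CA key lives here
    touch "$ca/index.txt"        # CA database of issued certificates
    echo 1000 > "$ca/serial"     # next serial number: even number of hex digits
    cat > "$ca/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $ca
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/private/ca.crt
serial = $ca/serial
private_key = $ca/private/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl genrsa -out "$ca/private/ca.key" 4096 2>/dev/null
    openssl req -new -config "$ca/conf/openssl.conf" -key "$ca/private/ca.key" \
        -subj "/CN=Example Test CA" -out "$ca/private/ca.csr" 2>/dev/null
    # v3_ca adds basicConstraints CA:TRUE, which the page's plain 'x509 -req' omits
    openssl x509 -req -days 365 -sha256 -in "$ca/private/ca.csr" \
        -signkey "$ca/private/ca.key" -extfile "$ca/conf/openssl.conf" \
        -extensions v3_ca -out "$ca/private/ca.crt" 2>/dev/null
    publish_crl "$ca"            # initial, empty CRL (step 8 of the CA procedure)
}

# Regenerate the CRL from the CA database (revoked entries come from 'openssl ca -revoke').
publish_crl() {
    openssl ca -config "$1/conf/openssl.conf" -gencrl -crldays 7 \
        -out "$1/private/ca.crl" >/dev/null 2>&1
}

# Create an unencrypted key and CSR for Common Name $2, sign it with the CA in $1 and
# print the certificate path. (The page's 'genrsa -aes256' prompts for a pass phrase,
# which an unattended script would have to supply with -passout/-passin instead.)
issue_cert() {
    local ca="$1" cn="$2" base="$1/users/$2"
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    openssl req -new -config "$ca/conf/openssl.conf" -key "$base.key" \
        -subj "/CN=$cn" -out "$base.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca/conf/openssl.conf" -extensions v3_leaf \
        -in "$base.csr" -out "$base.crt" >/dev/null 2>&1
    echo "$base.crt"
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True only when $2 chains to the CA in $1 and is not listed in the CA's current CRL.
verify_cert_with_crl() {
    openssl verify -crl_check -CAfile "$1/private/ca.crt" \
        -CRLfile "$1/private/ca.crl" "$2" >/dev/null 2>&1
}

# Mark $2 revoked in the CA database and publish the updated CRL.
revoke_cert() {
    openssl ca -config "$1/conf/openssl.conf" -revoke "$2" >/dev/null 2>&1
    publish_crl "$1"
}
demo() {
    ca=$(mktemp -d)
    setup_ca "$ca"
    is_ca_cert "$ca/private/ca.crt"
    crt=$(issue_cert "$ca" "100.101.1.30_443")   # Common Name = listener vip_vport
    verify_cert_with_crl "$ca" "$crt"
    echo "issued and verified: $crt"
    revoke_cert "$ca" "$crt"
    if verify_cert_with_crl "$ca" "$crt"; then echo "revoked cert still verifies" >&2; return 1; fi
    echo "revoked certificate is rejected once the CRL is checked"
    rm -rf "$ca"
}
if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not on PATH" >&2; fi
```

<p>Run it as a normal shell script; it builds everything under a fresh temporary directory and removes it at the end. The -batch flag answers the two y prompts of step 5 automatically, and -notext keeps the human-readable dump out of the issued .crt file. Without -crl_check, openssl verify would still accept the revoked certificate, which is why a listener that relies on revocation must be configured to load the CRL.</p>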