OpenSSL to generate a self-signed certificate - on the Windows platform

Source: Internet  Editor: 程序博客网  Time: 2024/05/26 19:19

Preconditions:

  OpenSSL 0.9.7c for Windows: http://gnuwin32.sourceforge.net/downlinks/openssl-bin.php

  Install OpenSSL, then open a cmd window and navigate to the install path C:/Program Files/GnuWin32/bin. Create a temporary folder, C:/CAtemp, to store the generated files.

 

1. Generate a private key

     The openssl toolkit is used to generate an RSA private key.

     Use the command below to generate a private key:


     C:/Program Files/GnuWin32/bin> openssl genrsa -out C:/CAtemp/server.key 1024

    

     genrsa --> generate an RSA key

2. Generate a CSR by the private key ( Certificate Signing Request )

     In this step, we use the private key generated in step 1 to create a certificate request that is waiting to be signed.
     --> Here we have 2 choices:
           First,   sign the certificate ourselves (self-signed)
           Second,  have a commercial CA sign the certificate; it is not free, but it is more reliable

      Use the command below to generate a CSR:
      
     ../bin>openssl req -new -key C:/CAtemp/server.key -out C:/CAtemp/server.csr          

     But we got the following errors:
      ../bin> Unable to load config info
      ../bin> unable to find 'distinguished_name' in config
      ../bin> problems making Certificate Request
      ../bin> ...

      The errors indicate that a config file is missing.

      So the correct procedure is as follows:

      a. Create a config file named openssl.conf and place it in C:/Program Files/GnuWin32/bin (it does not actually have to be placed here).
          The content of openssl.conf:
          [ req ]
          default_bits           = 1024
          default_keyfile        = ca-key.pem
          distinguished_name     = req_distinguished_name
          attributes             = req_attributes
          prompt                 = no
          output_password        = as12345

          [ req_distinguished_name ]
          C                      = CN
          ST                     = Guangdong          # test province
          L                      = Shenzhen           # test location
          O                      = Gardent            # organization name
          OU                     = Java               # organizational unit name
          CN                     = Aisce              # common name
          emailAddress           = email@gmail.com

          [ req_attributes ]
          challengePassword      = 12345678

      b. Run the following command to generate the CSR:
         ../bin>openssl req -new -key C:/CAtemp/server.key -out C:/CAtemp/server.csr -config openssl.conf

      -config : specifies the config file to use

      The server.csr has now been generated using the config file.
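
The config in step 2a carries settings worth checking before it is reused: a 1024-bit default_bits, a passphrase in output_password, and a challengePassword that ends up readable in the CSR. The following Python check is an added example, not part of the original post; parse_conf, audit_req_conf, the 2048-bit threshold and the constructed sample config are assumptions made for illustration, and the parser handles only plain section headers and name = value lines.

```python
MIN_RSA_BITS = 2048  # assumption: minimum RSA size accepted by current guidance

# Constructed sample modelled on the req config from step 2a.
SAMPLE_CONF = """\
[ req ]
default_bits       = 1024
distinguished_name = req_distinguished_name
attributes         = req_attributes
output_password    = as12345
[ req_distinguished_name ]
C  = CN
ST = Guangdong   # province
CN = Aisce
[ req_attributes ]
challengePassword = 12345678
"""

def parse_conf(text):
    """Parse the plain '[ section ]' / 'name = value' subset of an OpenSSL config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = (part.strip() for part in line.split("=", 1))
            current[name] = value
    return sections

def audit_req_conf(text):
    """Return (section, key, finding) tuples for weak or risky req settings."""
    conf, findings = parse_conf(text), []
    req = conf.get("req", {})
    bits = req.get("default_bits", "")
    if bits.isdigit() and int(bits) < MIN_RSA_BITS:
        findings.append(("req", "default_bits", f"{bits}-bit RSA is below {MIN_RSA_BITS}"))
    for key in ("input_password", "output_password"):
        if key in req:
            findings.append(("req", key, "private key passphrase kept in plaintext"))
    if req.get("distinguished_name") not in conf:
        findings.append(("req", "distinguished_name", "section missing, openssl req will fail"))
    attrs_name = req.get("attributes")
    if "challengePassword" in conf.get(attrs_name, {}):
        findings.append((attrs_name, "challengePassword", "stored unencrypted in the CSR"))
    return findings

if __name__ == "__main__":
    for section, key, finding in audit_req_conf(SAMPLE_CONF):
        print(f"[{section}] {key}: {finding}")
```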

3. Generate self-signed certificate (CRT, CeRtificaTe)
         ../bin>openssl x509 -req -days 365 -in C:/CAtemp/server.csr -signkey C:/CAtemp/server.key -out C:/CAtemp/server.crt

          -in         : the CSR to import
          -signkey    : the private key used to sign the CSR
          -out        : the certificate file to generate

      Finally, the self-signed certificate has been generated as server.crt.


Reference links:
                         http://www.akadia.com/services/ssh_test_certificate.html
                         http://blog.sina.com.cn/s/blog_516811a80100ajnw.html