Server Network Development Guidelines
SSL/TLS Certificate Generation
The overall steps for certificate generation with openssl in this project are as follows:
Generate private key
Specifically, create two folders: certs (for the final, usable files) and private (for intermediate files).
First, generate an RSA private key. Example:
openssl genrsa -aes256 -out private/private-key-name.pem 8192
Here, 8192 is the key length in bits (adjust as needed). The command prompts you for a passphrase; remember it, as every later operation on this key will ask for it.
For non-root certificates, you need to remove the passphrase protection from the private key file (so the server can load it without prompting) and write the result to a new file. Keep this unencrypted .key file readable only by the service that needs it (for example chmod 600), since anyone who can read it can impersonate the server. Example command:
openssl rsa -in private/private-key-name.pem -out certs/private-key-name.key
Generate a certificate signing request (CSR) based on the private key
Example of CSR generation command:
openssl req -new -key private/private-key-name.pem -out private/crt-name.csr
Use the same name for crt-name as for private-key-name, so each certificate is easy to pair with its key.
After entering the command, you will be prompted for various details such as country code and region. For root certificates you may fill these in truthfully or leave them blank as you prefer. If you want a sense of ritual, fill them in carefully.
This step may require entering the pem password you just set.
If it is a non-root certificate, prepare the domain name information at this point
For non-root certificates, create a file private/crt-name.dns.ext and paste the following information:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=your.domain.name
DNS.2=此处填写你的网站的域名.cn
DNS.3=如果有多个域名就这么增加.com
DNS.4=*.当然支持泛解析域名.net
This file will be used later.
If you don’t have a domain name but have a fixed IP, use the following file. Create a file private/crt-name.ip.ext and paste the following information:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[SubjectAlternativeName]
IP.1=192.168.1.2
IP.2=203.0.113.10
Attach whichever file is needed later; generally only the domain name file is required. Every IP.n entry must be a valid address (an octet above 255, for instance, makes openssl reject the extension file when the certificate is issued).
Issue certificate pem
Use this command to issue a root certificate valid for 10 years:
openssl x509 -req -days 3650 -sha256 -extensions v3_ca -signkey private/private-key-name.pem -in private/crt-name.csr -out certs/ca-name.pem
Note that -extensions v3_ca only takes effect when a section named v3_ca is available to the command (for example through -extfile). Check the result with openssl x509 -in certs/ca-name.pem -noout -text and confirm that CA:TRUE appears under X509v3 Basic Constraints; without it, clients that verify chains strictly will not accept certificates signed by this root.
Use this command to issue a non-root certificate crt-name.pem signed by the CA:
openssl x509 -req -days 730 -CA certs/ca-name.pem -CAkey private/ca-private-key-name.pem -CAserial ca-name.srl -CAcreateserial -in private/crt-name.csr -out certs/crt-name.pem -extfile private/crt-name.dns.ext
Here, ca-private-key-name refers to the root certificate's private key, and ca-name.pem is the root certificate issued above.
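The whole procedure above, from CA key to a verified server certificate, as an added non-interactive shell script (example code, not part of the original guide). It assumes a scratch WORKDIR, 2048-bit keys instead of 8192 to keep the run short, the CA passphrase passed in CA_PASS, and an explicit extension file for the CA instead of relying on a v3_ca section in openssl.cnf.

```shell
#!/bin/sh
# Added example: runs the guide's steps end to end without prompts.
# Assumptions (not from the guide): WORKDIR, CA_PASS, 2048-bit keys, own CA extfile.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-change-me}"   # placeholder passphrase for the encrypted CA key

setup_dirs() { mkdir -p "$WORKDIR/certs" "$WORKDIR/private"; }

# Root CA: passphrase-protected key, CSR, self-signed cert carrying CA:TRUE.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/private/ca-key.pem" 2048
  openssl req -new -key "$WORKDIR/private/ca-key.pem" -passin "pass:$CA_PASS" \
    -subj "/CN=Example Dev Root CA" -out "$WORKDIR/private/ca.csr"
  # Equivalent of the v3_ca section: marks the cert as a CA limited to signing.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/private/ca.ext"
  openssl x509 -req -days 3650 -sha256 -in "$WORKDIR/private/ca.csr" \
    -signkey "$WORKDIR/private/ca-key.pem" -passin "pass:$CA_PASS" \
    -extfile "$WORKDIR/private/ca.ext" -out "$WORKDIR/certs/ca.pem"
}

# Non-root cert: unencrypted key, CSR, SAN extension file, signed by the CA.
make_leaf() {
  name="$1"; dns="$2"
  openssl genrsa -out "$WORKDIR/certs/$name.key" 2048
  openssl req -new -key "$WORKDIR/certs/$name.key" -subj "/CN=$dns" -out "$WORKDIR/private/$name.csr"
  cat > "$WORKDIR/private/$name.dns.ext" <<EOF
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=$dns
EOF
  openssl x509 -req -days 730 -sha256 -CA "$WORKDIR/certs/ca.pem" \
    -CAkey "$WORKDIR/private/ca-key.pem" -passin "pass:$CA_PASS" \
    -CAserial "$WORKDIR/private/ca.srl" -CAcreateserial \
    -in "$WORKDIR/private/$name.csr" -extfile "$WORKDIR/private/$name.dns.ext" \
    -out "$WORKDIR/certs/$name.pem"
}

# Pre-deployment check: chain validates against the CA and the SAN matches the host.
verify_leaf() {
  name="$1"; dns="$2"
  openssl verify -CAfile "$WORKDIR/certs/ca.pem" -verify_hostname "$dns" "$WORKDIR/certs/$name.pem" >/dev/null
}
```

Call setup_dirs, make_ca, then make_leaf and verify_leaf with the certificate name and its domain; verify_leaf returns non-zero if the chain or the SAN is wrong, which is the failure the text's extension file exists to prevent.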