Generate certificates

Last Updated: Sep 12, 2017

When configuring HTTPS listeners, you can use self-signed CA certificates. Follow the instructions in this document to generate a CA certificate and then use that CA certificate to sign a client certificate.

Generate a CA certificate using OpenSSL

  1. Run the following commands to create a ca folder under the /root directory and then create four subfolders under the ca folder.

    $ sudo mkdir ca
    $ cd ca
    $ sudo mkdir newcerts private conf server

    • newcerts: Used to store the digital certificates signed by the CA certificate.
    • private: Used to store the private key of the CA certificate.
    • conf: Used to store the configuration files.
    • server: Used to store the server certificate.
  2. Create an openssl.conf file with the following content under the conf folder.

    [ ca ]
    default_ca = foo
    [ foo ]
    dir = /root/ca
    database = /root/ca/index.txt
    new_certs_dir = /root/ca/newcerts
    certificate = /root/ca/private/ca.crt
    serial = /root/ca/serial
    private_key = /root/ca/private/ca.key
    RANDFILE = /root/ca/private/.rand
    default_days = 365
    default_crl_days= 30
    default_md = md5
    unique_subject = no
    policy = policy_any
    [ policy_any ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = match
    localityName = optional
    commonName = supplied
    emailAddress = optional
  3. Run the following command to generate a private key.

    $ cd /root/ca
    $ sudo openssl genrsa -out private/ca.key

    The following figure is an example of the key generation.

    [Figure: example output of the key generation]

  4. Run the following command and enter the requested information at the prompts. Press Enter to generate the CSR file, which is used to generate the certificate.

    $ sudo openssl req -new -key private/ca.key -out private/ca.csr

    Note: Enter the domain name of the SLB instance as the value of Common Name.

    [Figure: example prompts for generating the CSR file]

  5. Run the following command to generate the crt file.

    $ sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt

  6. Run the following command to set the starting serial number for the certificates that the CA signs, which can be any four hexadecimal characters.

    $ sudo echo FACE > serial

  7. Run the following command to create the CA certificate database file.

    $ sudo touch index.txt

  8. Run the following command to create a certificate revocation list (CRL), which is used to revoke client certificates.

    $ sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"

    The response is as follows:

    Using configuration from /root/ca/conf/openssl.conf

Generate a client certificate

  1. Run the following command to create a users folder under the ca folder, which stores the client certificate.

    $ sudo mkdir users

  2. Run the following command to create a key for the client certificate.

    $ sudo openssl genrsa -des3 -out /root/ca/users/client.key 1024

    Note: The pass phrase you enter protects this key and is required whenever the key is used.

  3. Run the following command to create a CSR file for requesting a certificate signature.

    $ sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr

    When prompted, enter the pass phrase set in the previous step.

  4. Run the following command to sign the certificate.

    $ sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"

    Enter y when prompted to confirm the operation.

  5. Run the following command to convert the certificate to a PKCS#12 file.

    $ sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12

    Enter the pass phrase of the client key when prompted, and then enter the password that protects the exported PKCS#12 file.

  6. Run the following commands to view the generated certificates.

    $ cd users
    $ ls
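The two procedures above (building the CA, then issuing and packaging the client certificate) run end to end in the following script. It is an added example written for this page, not part of the original document or of any SLB tooling, and it assumes only that the openssl command-line tool is installed. It deliberately departs from the page in a few places: it works in a temporary directory rather than /root/ca (so no sudo is needed), it uses 2048-bit keys and default_md = sha256 instead of 1024-bit keys and md5 (current OpenSSL builds reject MD5 signatures and 1024-bit keys at their default security level when verifying), it passes -subj and -batch so nothing is prompted, and it leaves the client key unencrypted (no -des3). The subject fields, the export password and the CA extension file are constructed for the example. Beyond the page's steps it also verifies that the client certificate chains to the CA, then revokes it and regenerates the CRL to confirm a CRL-checking verifier rejects it.

```shell
#!/bin/sh
# Added example (not from the original page): the CA and client-certificate
# procedure run end to end in a throwaway directory and checked with
# `openssl verify`. Requires the openssl command-line tool.

# Build the CA, issue one client certificate, export it as PKCS#12, then revoke
# it and prove the CRL is honoured. The body is a subshell with set -e, so any
# failing openssl command makes the function return non-zero.
build_ca_and_client() (
    set -e
    mkdir -p "$1"
    ca=$(cd "$1" && pwd)
    log="$ca/openssl.log"                              # openssl's chatter goes here
    subj_base="/C=CN/ST=Hangzhou/O=Example/OU=SLB"     # constructed; CA and clients must match (policy_any)
    mkdir -p "$ca/newcerts" "$ca/private" "$ca/conf" "$ca/server" "$ca/users"

    # Same layout as the page's openssl.conf; sha256 replaces md5, and a minimal
    # [req] section lets `openssl req` use this file with -subj instead of prompts.
    cat > "$ca/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $ca
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/private/ca.crt
serial = $ca/serial
private_key = $ca/private/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    # Extensions for the CA certificate (constructed): without CA:TRUE modern
    # verifiers refuse it as an issuer, and without cRLSign its CRL is not trusted.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$ca/conf/ca_ext.cnf"

    # --- CA: key, CSR, self-signed certificate, serial, database, empty CRL ---
    openssl genrsa -out "$ca/private/ca.key" 2048 2>>"$log"
    openssl req -new -key "$ca/private/ca.key" -subj "$subj_base/CN=ca.example.com" \
        -config "$ca/conf/openssl.conf" -out "$ca/private/ca.csr"
    openssl x509 -req -days 365 -sha256 -in "$ca/private/ca.csr" -signkey "$ca/private/ca.key" \
        -extfile "$ca/conf/ca_ext.cnf" -out "$ca/private/ca.crt" 2>>"$log"
    echo FACE > "$ca/serial"
    : > "$ca/index.txt"
    openssl ca -gencrl -out "$ca/private/ca.crl" -crldays 7 -config "$ca/conf/openssl.conf" 2>>"$log"

    # --- client: key, CSR, CA-signed certificate, PKCS#12 bundle ---
    openssl genrsa -out "$ca/users/client.key" 2048 2>>"$log"
    openssl req -new -key "$ca/users/client.key" -subj "$subj_base/CN=client1" \
        -config "$ca/conf/openssl.conf" -out "$ca/users/client.csr"
    openssl ca -batch -in "$ca/users/client.csr" -cert "$ca/private/ca.crt" -keyfile "$ca/private/ca.key" \
        -out "$ca/users/client.crt" -config "$ca/conf/openssl.conf" >>"$log" 2>&1
    openssl pkcs12 -export -clcerts -in "$ca/users/client.crt" -inkey "$ca/users/client.key" \
        -passout pass:changeit -out "$ca/users/client.p12"    # export password is constructed

    # The check the page never shows: does the client certificate chain to this CA?
    openssl verify -CAfile "$ca/private/ca.crt" "$ca/users/client.crt" >>"$log"

    # Revoke it, regenerate the CRL, and confirm a CRL-checking verifier rejects it.
    openssl ca -revoke "$ca/users/client.crt" -config "$ca/conf/openssl.conf" >>"$log" 2>&1
    openssl ca -gencrl -out "$ca/private/ca.crl" -crldays 7 -config "$ca/conf/openssl.conf" 2>>"$log"
    if openssl verify -crl_check -CAfile "$ca/private/ca.crt" -CRLfile "$ca/private/ca.crl" \
        "$ca/users/client.crt" >>"$log" 2>&1; then
        echo "revoked certificate still verifies" >&2
        exit 1
    fi
)

# Status column of the first index.txt entry: V = valid, R = revoked.
index_status() {
    cut -f1 "$1/index.txt" | head -n 1
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    build_ca_and_client "$demo/ca" &&
        echo "CA and client certificate under $demo/ca; next serial $(cat "$demo/ca/serial"); client status $(index_status "$demo/ca")"
fi
```

After a run, `serial` has advanced from FACE to FACF, `newcerts/FACE.pem` is the copy the CA keeps of the issued certificate, and the first entry in `index.txt` is marked R because the script revoked it; inspect `openssl.log` in the CA directory if any step fails.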