Generate certificates

Last Updated: May 05, 2017

You must generate the required certificates (server, CA and client) and upload the server and CA certificates to the certificate management system of the Server Load Balancer service.

  • Server certificate: used by the client's browser to check that the certificate presented by the server was issued by a trusted certificate authority. The server certificate must be uploaded to the certificate management system of the Server Load Balancer.
  • Client certificate: used to prove the identity of the client user to the server.
  • CA certificate: used to verify the client certificate. The server requires the client browser to send the client certificate and, once it is received, verifies it against the CA certificate. If the verification fails, the connection is denied. After two-way authentication is enabled, you must upload both the CA certificate and the server certificate to the certificate management system of the Server Load Balancer service.

Generate a server certificate

You can buy and generate the server certificate from Alibaba Cloud Security Certificate Service, or from other providers.

Generate a self-signed CA certificate using OpenSSL

  1. Create a ca folder in the /root directory and create four subfolders under the ca folder:

    $ sudo mkdir ca
    $ cd ca
    $ sudo mkdir newcerts private conf server
    • The newcerts folder stores CA signed digital certificates (certificate backup directory);
    • The private folder stores the CA private key;
    • The conf folder stores some configuration files to simplify parameters;
    • The server folder stores the server certificate file.
  2. Create an openssl.conf file under the conf directory and edit the content as follows.

    Conf File Editing

  3. Run the following command to generate the private key file.

    $ cd /root/ca
    $ sudo openssl genrsa -out private/ca.key

    Output:

    Generating RSA private key, 512 bit long modulus
    ..++++++++++++
    .++++++++++++
    e is 65537 (0x10001)

    A ca.key file is generated under the private folder. OpenSSL generates a 512-bit key by default, but 2048 bits is the usual choice; to get it, append the key size (2048) to the genrsa command.

  4. Run the following command and provide the required information according to the figure after the command. Press Enter to generate the certificate request csr file.

    $ sudo openssl req -new -key private/ca.key -out private/ca.csr

    Csr Information Example

    Note: Enter xxx.xxx.cn as the common name if you do not have a domain name ready.

  5. Run the following command to generate the crt file.

    $ sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt

    The following is an output example on the console. A ca.crt file is generated under the private directory.

    Crt Console Output

  6. Run the following command to set the starting serial number for the certificates the CA issues. The serial number can be any four characters.

    $ echo FACE | sudo tee serial
  7. Run the following command to create a CA key library.

    $ sudo touch index.txt
  8. Run the following command to create a certificate revocation list (CRL), which is used to revoke client certificates later.

    $ sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"

    Output:

    Using configuration from /root/ca/conf/openssl.conf

    A ca.crl file is generated under the private directory.

Generate a client certificate

  1. Run the following command to create a users directory for storing the key.

    $ sudo mkdir users
  2. Run the following command to create a key for the user.

    $ sudo openssl genrsa -des3 -out /root/ca/users/client.key 1024

    You are prompted for a pass phrase. This is the password that protects the private key, so that someone who obtains the key file cannot use it. Enter the same password at both prompts. A client.key file is generated under the users directory.

  3. Run the following command to create a certificate signing request (CSR) file for the key.

    $ sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr

    You are prompted for the pass phrase of client.key set in the previous step. A client.csr file is generated under the users directory.

    Csr Input Example 2

  4. Run the following command to sign the client CSR with your private CA key.

    $ sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"

    Output on the console: Sign Key with Private CA Key

    Enter y for both confirmation prompts. A client.crt file is generated under the users directory.

  5. Run the following command to convert the certificate and key into a PKCS#12 file, which most browsers can import.

    $ sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12

    1. Enter the pass phrase of the client.key file when the following prompt is displayed.

      PKCS12_1

    2. Enter Export Password when the following prompt is displayed. This is the protection password of the client certificate. The password is required when the client installs a certificate.

      PKCS12_2

      A client.p12 file is generated under the users directory.
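The CA and client-certificate procedures above, as an added example that is not part of the original page: it rebuilds the same directory layout in a scratch directory, signs one client certificate non-interactively, and adds the check the page leaves out: verifying the client certificate against the CA, then revoking it and confirming that a CRL-checking verifier rejects it. The minimal openssl.conf, the scratch directory and the common names example-ca and client1 are assumptions (the page's own conf file is only shown as a figure).

```shell
# Added example, not the page's commands. The openssl.conf written below is an
# assumed minimal config that makes "openssl ca" work with the page's directory layout.
build_ca_and_check() (
  set -eu
  work=$(mktemp -d)             # scratch stand-in for /root/ca
  cd "$work"
  mkdir newcerts private conf server users
  echo FACE > serial            # starting serial, hex digits
  : > index.txt                 # empty CA database
  cat > conf/openssl.conf <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/private/ca.crt
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # CA key (2048 bits, not the 512-bit genrsa default) and self-signed CA certificate
  openssl genrsa -out private/ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 365 -config conf/openssl.conf -key private/ca.key -subj "/CN=example-ca" -out private/ca.crt
  # client key and CSR, signed by the CA without the interactive y/n prompts (-batch)
  openssl genrsa -out users/client.key 2048 2>/dev/null
  openssl req -new -config conf/openssl.conf -key users/client.key -subj "/CN=client1" -out users/client.csr
  openssl ca -batch -config conf/openssl.conf -in users/client.csr -out users/client.crt >/dev/null 2>&1
  # the freshly signed client certificate must chain to the CA
  openssl verify -CAfile private/ca.crt users/client.crt >/dev/null
  # revoke it, regenerate the CRL, and confirm a CRL-checking verifier now rejects it
  openssl ca -batch -config conf/openssl.conf -revoke users/client.crt >/dev/null 2>&1
  openssl ca -config conf/openssl.conf -gencrl -crldays 7 -out private/ca.crl 2>/dev/null
  if openssl verify -crl_check -CAfile private/ca.crt -CRLfile private/ca.crl users/client.crt >/dev/null 2>&1; then
    echo "revoked-cert-still-valid"; exit 1
  fi
  cd / && rm -rf "$work"
  echo "verified-then-revoked"
)
```

Call build_ca_and_check in a shell with openssl installed; it prints verified-then-revoked when both the chain check and the revocation check behave as expected.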
