When you configure an HTTPS listener that authenticates clients with certificates, you can use a self-signed CA certificate to issue those client certificates. This topic shows how to create such a CA with OpenSSL, sign a client certificate with it, and package the client certificate for installation.
Generate a CA certificate using OpenSSL
Log on to a Linux machine with OpenSSL installed. This topic uses Alibaba Cloud Linux 3 with OpenSSL 1.1.1k as an example.
-
Run the following commands to create a directory named ca in the /home directory and four subdirectories within it.

  sudo mkdir /home/ca
  cd /home/ca
  sudo mkdir newcerts private conf server

  - The newcerts directory stores digital certificates that are signed by the CA.
  - The private directory stores the CA's private key. Restrict access to this directory to the CA operator: anyone who can read ca.key can issue client certificates that your listener will trust.
  - The conf directory stores configuration files to simplify parameter settings.
  - The server directory stores server certificate files.
-
Create an openssl.conf file in the conf directory.

  vim /home/ca/conf/openssl.conf

The openssl.conf file contains the following information.

  [ ca ]
  default_ca = foo

  [ foo ]
  dir = /home/ca
  database = /home/ca/index.txt
  new_certs_dir = /home/ca/newcerts
  certificate = /home/ca/private/ca.crt
  serial = /home/ca/serial
  private_key = /home/ca/private/ca.key
  RANDFILE = /home/ca/private/.rand
  default_days = 365
  default_crl_days = 30
  default_md = sha256
  unique_subject = no
  policy = policy_any

  [ policy_any ]
  countryName = match
  stateOrProvinceName = match
  organizationName = match
  organizationalUnitName = match
  localityName = optional
  commonName = supplied
  emailAddress = optional

The policy_any section is enforced when you later run openssl ca: the Country, State, Organization, and Organizational Unit in a client CSR must match those of the CA certificate exactly, or signing fails. Only the fields listed in the policy are copied into the issued certificate. unique_subject = no allows more than one valid certificate with the same subject, for example when you reissue a client certificate before the old one expires.
-
Run the following commands to generate a private key file.

  cd /home/ca
  sudo openssl genrsa -out /home/ca/private/ca.key

The output is as follows.

  Generating RSA private key, 2048 bit long modulus
  .....+++
  .+++
  e is 65537 (0x10001)

No key size is given, so OpenSSL 1.1.1 uses its default of 2048 bits; append 4096 to the command for a longer key. The key is written unencrypted. To require a passphrase whenever the CA key is used, add -aes256 to the command; you are then prompted for that passphrase in every later step that uses ca.key.
-
Run the following command to generate a certificate signing request (CSR) file. Provide the required information when prompted.

  sudo openssl req -new -key /home/ca/private/ca.key -out /home/ca/private/ca.csr

The output is as follows.

  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CN
  State or Province Name (full name) [Some-State]:ZheJiang
  Locality Name (eg, city) []:HangZhou
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Alibaba
  Organizational Unit Name (eg, section) []:Test
  Common Name (e.g. server FQDN or YOUR name) []:mydomain
  Email Address []:a@axxx

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

Note: For Common Name, enter the domain name of your Cloud Load Balancer (CLB). Remember the values you enter for Country, State, Organization, and Organizational Unit: the policy in openssl.conf requires every client CSR to use the same values.
-
Run the following command to generate a certificate file (.crt).

  sudo openssl x509 -req -days 365 -in /home/ca/private/ca.csr -signkey /home/ca/private/ca.key -out /home/ca/private/ca.crt

Important: The ca.crt file is the CA certificate that you must upload to CLB.

With OpenSSL 1.1.1, openssl x509 -req without -extfile writes a version 1 certificate, so ca.crt carries no basicConstraints CA:TRUE extension. This is sufficient for the steps in this topic, but verifiers that run in strict mode may refuse to treat such a certificate as a CA. To include the extension, pass -extfile and -extensions to openssl x509 with a section that sets basicConstraints = critical, CA:TRUE, or create the self-signed certificate directly with openssl req -x509 and -addext "basicConstraints=critical,CA:TRUE".
-
Run the following command to set the initial serial number for the CA. The serial file holds a hexadecimal number with an even number of digits, and openssl ca increments it after each certificate it signs. In this example, FACE is used.

  echo FACE | sudo tee /home/ca/serial
-
Run the following command to create the CA database. openssl ca records every certificate it issues, and every revocation, in this file.

  sudo touch /home/ca/index.txt
-
Run the following command to create a certificate revocation list (CRL).

  sudo openssl ca -gencrl -out /home/ca/private/ca.crl -crldays 7 -config "/home/ca/conf/openssl.conf"

The output is:

  Using configuration from /home/ca/conf/openssl.conf

The CRL is empty at this point. After you revoke a client certificate with openssl ca -revoke, run this command again to publish an updated CRL. With -crldays 7, the CRL expires after a week and must be regenerated at least that often.
Sign a client certificate
-
Run the following command to create a directory named users in the ca directory to store client keys.

  sudo mkdir /home/ca/users
-
Run the following command to create a client key.

  sudo openssl genrsa -des3 -out /home/ca/users/client.key 2048

Note: When creating the key, you are prompted for a passphrase. This passphrase protects the key from unauthorized use if the file is leaked. Re-enter the passphrase to confirm.
-
Run the following command to create a certificate signing request (CSR) file for the client key.

  sudo openssl req -new -key /home/ca/users/client.key -out /home/ca/users/client.csr

After running the command, enter the passphrase that you set for client.key in the previous step, and then provide the required information when prompted. Enter the same Country, State, Organization, and Organizational Unit as in the CA certificate; the policy in openssl.conf rejects a CSR in which any of these differ. Use a Common Name that identifies the client, such as a user or device name.

Note: The challenge password is an optional attribute stored in the CSR; it is not used by openssl ca in this procedure and can be left blank. Do not confuse it with the passphrase for the client.key file, which you must enter whenever the key is used.
-
Run the following command to sign the client CSR with your CA.

  sudo openssl ca -in /home/ca/users/client.csr -cert /home/ca/private/ca.crt -keyfile /home/ca/private/ca.key -out /home/ca/users/client.crt -config "/home/ca/conf/openssl.conf"

When prompted to confirm the signing, enter y twice. The output is as follows.

  Using configuration from /xxx/ca/conf/openssl.conf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'CN'
  stateOrProvinceName   :ASN.1 12:'ZheJiang'
  localityName          :ASN.1 12:'HangZhou'
  organizationName      :ASN.1 12:'Alibaba'
  organizationalUnitName:ASN.1 12:'Test'
  commonName            :ASN.1 12:'mydomain'
  emailAddress          :IA5STRING:'a@xxx.xxx.com'
  Certificate is to be certified until Jun  4 15:28:55 2018 GMT (365 days)
  Sign the certificate? [y/n]:y

  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

openssl ca also stores a copy of the signed certificate in /home/ca/newcerts/ under its serial number (FACE.pem for the first certificate) and adds one line for it to index.txt.
-
Run the following command to export the certificate to a PKCS#12 file.

  sudo openssl pkcs12 -export -clcerts -in /home/ca/users/client.crt -inkey /home/ca/users/client.key -out /home/ca/users/client.p12

When prompted, enter the passphrase for the client.key file. Then, create and confirm an export password. This password protects the private key inside client.p12 and is required when the file is installed in a browser or client.
-
Run the following commands to view the generated client certificate files.

  cd /home/ca/users
  ls

Deliver client.p12 and its export password to the client over separate channels; client.key and client.csr stay on the CA host. Upload ca.crt, not the client files, to CLB.
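The two procedures above, run end to end in a single script, as an added example that is not part of the original page: it writes the same openssl.conf layout, creates the CA, signs one client CSR, rejects a second CSR whose Organization differs from the CA's (the policy_any rule), verifies the chain, exports the PKCS#12 bundle and generates the CRL. It is non-interactive (-subj, -batch, -passin/-passout), so the passphrases, subject names and the mktemp working directory are demo assumptions. Two deliberate differences from the page: the CA key is encrypted with AES-256, and the CA certificate is created with openssl req -x509 and a v3_ca section so it carries basicConstraints CA:TRUE.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the CA and client-certificate
# procedure above run end to end without prompts, via -subj, -batch and
# -passin/-passout. Passphrases, subject names and the temp directory are demo
# assumptions; unlike the page, the CA key is encrypted and ca.crt is a v3
# certificate with basicConstraints CA:TRUE.
CA_PASS="ca-demo-passphrase"          # assumed passphrase for the CA key
CLIENT_PASS="client-demo-passphrase"  # assumed passphrase for client keys
P12_PASS="p12-demo-export"            # assumed PKCS#12 export password
DN_BASE="/C=CN/ST=ZheJiang/L=HangZhou/O=Alibaba/OU=Test"

# CA layout, openssl.conf, encrypted CA key and self-signed v3 CA certificate
# (req -x509 with a v3_ca section instead of the page's x509 -req -signkey).
make_ca() {
    local ca="$1"
    mkdir -p "$ca/newcerts" "$ca/private" "$ca/conf" "$ca/users" || return 1
    chmod 700 "$ca/private"      # only the CA operator may read ca.key
    : > "$ca/index.txt"          # empty CA database
    echo FACE > "$ca/serial"     # hex serial with an even number of digits
    cat > "$ca/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/private/ca.crt
serial = \$dir/serial
private_key = \$dir/private/ca.key
default_days = 365
default_md = sha256
unique_subject = no
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid, issuer
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$ca/private/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -config "$ca/conf/openssl.conf" -key "$ca/private/ca.key" \
        -passin "pass:$CA_PASS" -days 365 -subj "$DN_BASE/CN=Demo Root CA" -out "$ca/private/ca.crt"
}

# Client key + CSR, signed by the CA. Returns the status of openssl ca, so a CSR
# whose C/ST/O/OU differ from the CA's fails the policy_any match rules.
issue_client() {
    local ca="$1" name="$2" subject="$3" dir="$1/users"
    openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out "$dir/$name.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$ca/conf/openssl.conf" -key "$dir/$name.key" \
        -passin "pass:$CLIENT_PASS" -subj "$subject" -out "$dir/$name.csr" || return 1
    openssl ca -batch -notext -config "$ca/conf/openssl.conf" -passin "pass:$CA_PASS" \
        -in "$dir/$name.csr" -out "$dir/$name.crt"
}

# Bundle certificate and key as PKCS#12 for installation on the client.
export_p12() {
    local dir="$1/users" name="$2"
    openssl pkcs12 -export -clcerts -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -passin "pass:$CLIENT_PASS" -passout "pass:$P12_PASS" -out "$dir/$name.p12"
}

# Whole flow in a temp directory (path left in DEMO_DIR): returns 0 on success,
# 77 if openssl is not installed, 1 on any failure.
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 77; }
    DEMO_DIR=$(mktemp -d) || return 1
    local ca="$DEMO_DIR"
    make_ca "$ca" || return 1
    issue_client "$ca" client "$DN_BASE/CN=client1" || return 1
    # Negative case: an organizationName that differs from the CA's must be rejected.
    if issue_client "$ca" other "/C=CN/ST=ZheJiang/L=HangZhou/O=Other/OU=Test/CN=client2" 2>/dev/null; then
        echo "policy_any did not reject the mismatched subject"; return 1
    fi
    # The leaf chains to ca.crt and its key usage / EKU allow TLS client auth.
    openssl verify -purpose sslclient -CAfile "$ca/private/ca.crt" "$ca/users/client.crt" || return 1
    export_p12 "$ca" client || return 1
    openssl ca -gencrl -config "$ca/conf/openssl.conf" -passin "pass:$CA_PASS" -crldays 7 \
        -out "$ca/private/ca.crl" 2>/dev/null || return 1
    openssl crl -in "$ca/private/ca.crl" -CAfile "$ca/private/ca.crt" -noout || return 1
    echo "CA and client certificate created under $ca"
}

run_demo
```

Run it with bash on any host that has openssl 1.1.1 or later; everything lands under the printed mktemp directory, and the index.txt, serial and newcerts/FACE.pem files there mirror what the manual steps produce under /home/ca. The usr_cert section is what pins the issued certificate to client authentication: without it, openssl ca copies nothing but the subject, and the certificate could also pass as a server certificate.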