https://bz.apache.org/bugzilla/show_bug.cgi?id=66684
--- Comment #12 from DigitalCat <digital...@huawei.com> ---

Creating a Certificate

1. Generate a certificate private key file and save it as server.key. The 3des algorithm is used. The key length is 2048 bytes.

    openssl genrsa -des3 -out server.key 2048

2. Generate the certificate signature application file (csr). Save the file as the server.csr file. (You need to enter the certificate information.)

    openssl req -new -key server.key -out server.csr -config openssl.cnf

3. Generate a CA certificate (root). The root certificate is saved as ca.crt, and the key is saved as ca.key, which is used to issue the server certificate. (You need to enter the certificate-related information, which is the same as that in the csr file in step 2.)

    openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf -extensions v3_ca -days 3650

4. Sign the root certificate with the .csr file generated in step 2 and generate the server certificate server.crt.

    openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

5. Combine the crt and key certificates into the pfx format and import them to the system in the Windows environment (optional).

    openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx

6. All files are generated. Check the files required and generated during the whole process.

    ├── demoCA
    │   ├── index.txt
    │   ├── index.txt.attr
    │   ├── index.txt.old
    │   ├── newcerts
    │   │   └── 01.pem
    │   ├── private
    │   ├── serial
    │   └── serial.old
    ├── openssl.cnf
    ca.crt      #Root certificate
    ca.key      #Key of the root certificate
    server.crt  # Server certificate to be generated
    server.csr  #Signing request file of the server certificate
    server.key  # Key of the server certificate to be generated

Generating a CRL File

1. Copy the root certificate and private key of the root certificate to the corresponding folder and set the CRL number.

    cp ca.key ./demoCA/private/cakey.pem
    cp ca.crt ./demoCA/cacert.pem
    echo '00'> ./demoCA/crlnumber

2. Revoke the certificate.

    openssl ca -revoke server.crt -config openssl.cnf

3. Generate a revocation list file.

    openssl ca -gencrl -out server.crl -config openssl.cnf

The revocation list file server.crl is generated. The revoked certificate is server.crt.
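
A non-interactive run of the procedure above in a throwaway directory, followed by a check that server.crt is accepted against a CRL issued before revocation and rejected against server.crl. This is an added example, not part of the original comment. The minimal openssl.cnf, the policy_any section, before.crl, the subject names and the unencrypted keys (-nodes) are assumptions made so it runs without prompts.

```shell
# Added example: throwaway CA mirroring the steps in the comment above.
# Constructed: policy_any, before.crl, subject names; keys unencrypted (-nodes).
set -eu
build_demo_pki() (   # $1 = empty work directory; body runs in a subshell
  cd "$1"
  mkdir -p demoCA/newcerts demoCA/private
  : > demoCA/index.txt; echo 01 > demoCA/serial; echo 00 > demoCA/crlnumber
  cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  exec >/dev/null 2>&1   # openssl is chatty; only exit codes matter here
  openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
    -config openssl.cnf -extensions v3_ca -days 30
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout server.key -out server.csr -config openssl.cnf
  openssl ca -batch -in server.csr -out server.crt -config openssl.cnf
  openssl ca -gencrl -out before.crl -config openssl.cnf   # CRL before revocation
  openssl ca -revoke server.crt -config openssl.cnf
  openssl ca -gencrl -out server.crl -config openssl.cnf   # CRL after revocation
)
is_revoked() {   # $1 = CA cert, $2 = CRL, $3 = certificate to check
  openssl verify -CAfile "$1" -crl_check -CRLfile "$2" "$3" 2>&1 |
    grep -q 'certificate revoked'
}
work=$(mktemp -d)
build_demo_pki "$work"
is_revoked "$work/demoCA/cacert.pem" "$work/before.crl" "$work/server.crt" || echo "before.crl: accepted"
is_revoked "$work/demoCA/cacert.pem" "$work/server.crl" "$work/server.crt" && echo "server.crl: revoked"
```

If a TLS endpoint still accepts server.crt after being configured with server.crl, this check rules out the CRL file itself as the cause.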