
Create a Certificate by a Third-party Organization

Users can use OpenSSL to create a CSR and apply for a certificate through a certificate agency (for example, WoSign). The procedure is described below.

Pre-task

Before applying for a certificate, users should get and install related tools.

Linux: OpenSSL is recommended. OpenSSL is a powerful SSL cryptographic library that includes the main cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and it provides a wealth of applications for testing and other purposes.

Windows: Available tools include IIS Manager, SelfSSL, OpenSSL and Windows PowerShell cmdlets.

Create a Certificate by OpenSSL

Before submitting a certificate application, the user needs to generate a private key and a certificate request file (CSR) locally; the user can then submit the CSR to a CA for signature verification, or perform a local test by self-signing. The specific operation method is shown in the following example (the tool used in this example is OpenSSL).

  1. Run the command openssl genrsa -out my-private-key.pem 2048 to generate a private key with the RSA algorithm and save it in the my-private-key.pem file. Baidu AI Cloud supports private keys with lengths of 1024, 2048 and 4096 bits. A length of 2048 bits is recommended.

Note: Keep the private key safe to avoid loss and disclosure.

The contents of the private key file look like this:

 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAuRn81tg5aVRtTLAb+96qQPLzgoVzPEJvUCATvOZDoUcfZqx6
 A+PJ33SBZ6wUUMwKwDiAbi3yG2cQ1zfVe68PvtkFcPjwnTFRJbRObZUJXVA8LIMy
 LDC9cq71qvptYCMUVdmsrWeRUzZfJLLo8/+KRV0kAoykLyOVYHVXVKa+XChrEEcD
 ......
 PMKG1QKBgCElb8qQlSPzN7If+4+xY/z6iDZ80H/ktJahcD3QHeFUsaXaYQGokudC
 4ZWHW1JiLwIqsiJ4iLaTKU4JOn5LyFFR/6O/NvhWuMXHmqLtHwhrKtZX2TBwbfdQ
 wRakf1vOSHXHDG1Zym5t5s8UWDtkMcHZ7lIasjgaWB3lgFMwu+0u
 -----END RSA PRIVATE KEY-----
  2. Run the command openssl req -sha256 -new -key my-private-key.pem -out csr.pem and enter the relevant configuration information as prompted to generate a CSR file. Here, -key my-private-key.pem specifies the private key file generated in step 1, and -out csr.pem specifies the name of the CSR file.
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:CN
 State or Province Name (full name) [Some-State]:Beijing
 Locality Name (eg, city) []:Beijing
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
 Organizational Unit Name (eg, section) []:.
 Common Name (e.g. server FQDN or YOUR name) []:www.mycompany.com
 Email Address []:example@mycompany.c
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:.
 An optional company name []:.

The contents of the CSR file look like this:

 -----BEGIN CERTIFICATE REQUEST-----
 MIIC5TCCAc0CAQAwgYgxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAw
 DgYDVQQHDAdCZWlqaW5nMRMwEQYDVQQKDApNeSBDb21wYW55MRowGAYDVQQDDBF3
 d3cubXljb21wYW55LmNvbTEkMCIGCSqGSIb3DQEJARYVZXhhbXBsZUBteWNvbXBh
 ......
 QIdb7HyrK9Xly3dhTVNpkn/675drBf/0V23RyrXusoJMw+IOtPd9EtyRCvue8b2Z
 niekGvbI+giNyc45OBJwnuVo83tU528UyoZIpHjfNaw15NYCbhSecrxZYmY3xWnE
 uPIZsMavDocgoiGpPN8TyX2XMZUkLtLFCFJ+yU2yD4OycgPJTJSP5zJSCv+JV0mh
 1SPr6Vir4rnT7s+EL+ZkubfWrTvVSmkjyg==
 -----END CERTIFICATE REQUEST-----
  • The fields to be filled in when executing the above command are explained in the following table:

| Field | Description |
| --- | --- |
| Country Name | ISO code of the country where the company/organization is located. The code for China is CN; for other country codes, see ISO Code. |
| State or Province Name | Name of the province/state where the company/organization is located. |
| Locality Name | Name of the city where the company/organization is located. |
| Organization Name | Name of the company/organization, where the full name should be given. |
| Organizational Unit Name | Product or branch name, optional. |
| Common Name | Fully-Qualified Domain Name (FQDN) of the company/organization, for example: www.mycompany.com. |
| Email Address | Email address of the administrator. |
| A challenge password | Password for the encryption certificate request. |
| An optional company name | Optional company/organization name. |

  3. Submit the digital certificate application to the CA. Users can choose third-party certification agencies such as VeriSign or GeoTrust.
  • Users can also run the command openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem to self-sign the certificate for website testing. Here, -days 365 means that the certificate is valid for 365 days; -in csr.pem specifies the CSR file generated in step 2; -signkey my-private-key.pem specifies the private key used to sign the CSR (in this example, the private key generated in step 1); -out my-certificate.pem specifies the name of the generated certificate.
  • The contents of the generated certificate file look like this:

     -----BEGIN CERTIFICATE-----
     MIIDjjCCAnYCCQC4xa7g5APX/jANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
     Q04xEDAOBgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxEzARBgNVBAoM
     Ck15IENvbXBhbnkxGjAYBgNVBAMMEXd3dy5teWNvbXBhbnkuY29tMSQwIgYJKoZI
    
     ....
      Q1PBQWanUPWbZ2+AIudPWpDkDtq6uZkTTSKNd+6E1f5bIlGGvD0eu/gdYFaJN8Ut
      aUSjls8bToQhXs7EAjzEABM9M8BmaQEkEmPutc/y8KqND1Dv8hox/z6olppmwMn5
      9hgcZecsoJ0qAUJC7kqfpSkpitXLSAsE/1OGJ8MhTtpELQsCO0N5m/h2wtIGaI08
      sLk=
     -----END CERTIFICATE-----
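
The three steps above can be run without prompts and checked before anything is submitted to a CA or uploaded. The script below is an added example, not part of the original documentation: it generates the key and CSR with the subject values from the sample session (e-mail omitted), self-signs for testing, and confirms that the key, CSR and certificate all carry the same public key. The helper names make_key_and_csr, pubkey_digest and self_sign_and_check are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): steps 1-3 without prompts,
# followed by the checks worth running before a certificate is uploaded.
# Subject values mirror the sample prompts; the e-mail field is omitted.

# Steps 1-2: create the key and CSR in a fresh directory and print its path.
make_key_and_csr() {
    workdir=$(mktemp -d) || return 1
    (
        umask 077                       # key file readable by its owner only
        cd "$workdir" || exit 1
        openssl genrsa -out my-private-key.pem 2048 2>/dev/null || exit 1
        openssl req -sha256 -new -key my-private-key.pem -out csr.pem \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=My Company/CN=www.mycompany.com"
    ) || return 1
    echo "$workdir"
}

# Digest of the public key carried by a private key, CSR or certificate.
pubkey_digest() {                       # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl sha256
}

# Step 3 (self-signed variant) plus consistency checks; $1 = work directory.
self_sign_and_check() {
    (
        cd "$1" || exit 1
        # The CSR must carry a valid signature made with its own key.
        openssl req -in csr.pem -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
        openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem \
            -out my-certificate.pem 2>/dev/null || exit 1
        # All three files must carry the same public key.
        k=$(pubkey_digest key my-private-key.pem)
        [ "$k" = "$(pubkey_digest csr csr.pem)" ] &&
            [ "$k" = "$(pubkey_digest cert my-certificate.pem)" ]
    )
}

dir=$(make_key_and_csr) && self_sign_and_check "$dir" &&
    echo "key, CSR and certificate match: $dir"
```

A digest mismatch from pubkey_digest means the certificate was issued for a different key than the one on disk, which is the usual cause of a rejected key/certificate pair at upload time.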