Create a Certificate by a Third-party Organization
Users can use OpenSSL to create a CSR and apply for a certificate through a certificate authority (for example, WoSign). The procedure is described below.
Pre-task
Before applying for a certificate, users should get and install related tools.
Linux: OpenSSL is recommended. OpenSSL is a powerful SSL cryptographic library that includes the main cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and it provides a wealth of applications for testing or other purposes.
Windows: Available tools include IIS Manager, SelfSSL, OpenSSL and Windows PowerShell cmdlets.
Create a Certificate by OpenSSL
Before submitting a certificate application, the user needs to generate a private key and a certificate request file (CSR) locally; the user can then submit the CSR to a CA for signature verification, or perform a local test by self-signing. The specific operation method is shown in the following example (the tool used in this example is OpenSSL).
- Execute the following command to generate the private key with the RSA algorithm and save it in the my-private-key.pem file:
  openssl genrsa -out my-private-key.pem 2048
  Baidu AI Cloud supports private keys with lengths of 1024, 2048 and 4096 bits. The length of 2048 bits is recommended.
Note: Keep the private key safe to avoid loss and disclosure.
The private key file looks like this:
-----BEGIN RSA PRIVATE KEY-----
......
-----END RSA PRIVATE KEY-----
- Run the following command and enter the relevant configuration information as prompted to generate a CSR file:
  openssl req -sha256 -new -key my-private-key.pem -out csr.pem
  Here, -key my-private-key.pem specifies the private key file generated in step 1, and -out csr.pem specifies the name of the CSR file.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:www.mycompany.com
Email Address []:example@mycompany.c
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
View the CSR file as follows:
-----BEGIN CERTIFICATE REQUEST-----
......
-----END CERTIFICATE REQUEST-----
- The contents to be filled in when executing the above command are explained in the following table:
Field | Description |
---|---|
Country Name | ISO code of the country where the company/organization is located. The code for China is CN; for other country codes, see ISO Code. |
State or Province Name | Name of the province/state where the company/organization is located. |
Locality Name | Company/organization city name. |
Organization Name | Name of the company/organization, where the full name should be given. |
Organizational Unit Name | Product or branch name, optional. |
Common Name | Fully-Qualified Domain Name (FQDN) of the company/organization, for example: www.mycompany.com. |
Email Address | Email address of the administrator. |
A challenge password | Password for the encryption certificate request. |
An optional company name | Optional company/organization name. |
- Submit a digital certificate certification application to the CA Center. Users can choose third-party certification agencies such as VeriSign and GeoTrust.
- Users can also execute the following command to self-sign the certificate for website testing:
  openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem
  Here, -days 365 means that the certificate is valid for 365 days; -in csr.pem specifies the CSR file generated in step 2; -signkey my-private-key.pem specifies the private key used to sign the CSR (in this example, the private key generated in step 1); and -out my-certificate.pem specifies the name of the generated certificate.
View the generated certificate file as follows:
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
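
The three steps above can also be run without prompts and then checked before anything is sent to a CA or uploaded. The script below is an added example, not part of the original documentation; it confirms that the CSR signature verifies, that the key, CSR and certificate all carry the same public key, and that the key is at least 2048 bits. The -subj value is constructed from the sample answers shown at the prompts, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: the page's three steps without prompts, then consistency checks.
set -e

# Constructed subject, mirroring the answers typed at the prompts above.
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=My Company/CN=www.mycompany.com"

generate_all() {                       # $1 = output directory
    ( umask 077                        # key file readable by its owner only
      openssl genrsa -out "$1/my-private-key.pem" 2048 2>/dev/null )
    openssl req -sha256 -new -key "$1/my-private-key.pem" \
        -subj "$SUBJ" -out "$1/csr.pem"
    openssl x509 -req -days 365 -in "$1/csr.pem" \
        -signkey "$1/my-private-key.pem" -out "$1/my-certificate.pem" 2>/dev/null
}

pubkey_digest() {                      # $1 = key|csr|cert, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 -r | cut -d' ' -f1
}

check_all() {                          # prints "ok" or the first problem found
    key=$1/my-private-key.pem; csr=$1/csr.pem; crt=$1/my-certificate.pem
    # The CSR is signed with the private key; a bad signature means corruption.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature invalid"; return 1; }
    # Key, CSR and certificate must all carry the same public key.
    k=$(pubkey_digest key "$key")
    [ "$k" = "$(pubkey_digest csr "$csr")" ] ||
        { echo "CSR does not match private key"; return 1; }
    [ "$k" = "$(pubkey_digest cert "$crt")" ] ||
        { echo "certificate does not match private key"; return 1; }
    # Read the key size from the certificate text and enforce the recommended minimum.
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "$bits" -ge 2048 ] || { echo "RSA key shorter than 2048 bits"; return 1; }
    echo ok
}

workdir=$(mktemp -d)
generate_all "$workdir"
check_all "$workdir"
rm -rf "$workdir"
```

The same check_all function can be pointed at a directory holding a CA-issued certificate saved as my-certificate.pem to confirm it belongs to the local private key.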