          Create a Certificate by a Third-party Organization

          Users can use OpenSSL to create a CSR and then apply to a third-party certificate authority (for example, WoSign) for a certificate. The procedure is described below.

          Pre-task

          Before applying for a certificate, users should get and install related tools.

          Linux: OpenSSL is recommended. OpenSSL is a powerful SSL cryptographic library that includes the main cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and it provides a wealth of applications for testing or other purposes.

          Windows: Available tools include IIS Manager, SelfSSL, OpenSSL, and Windows PowerShell cmdlets.

          Create a Certificate by OpenSSL

          Before submitting a certificate application, the user needs to generate a private key and a certificate request file (CSR) locally; the user can then submit the CSR to a CA for signature verification, or perform a local test by self-signing. The specific operation method is shown in the following example (the tool used in this example is OpenSSL).

          1. Execute the command openssl genrsa -out my-private-key.pem 2048 to generate a private key with the RSA algorithm and save it in the my-private-key.pem file. Baidu AI Cloud supports private keys with lengths of 1024, 2048 and 4096 bits. The length of 2048 bits is recommended.

          Note: Keep the private key safe to avoid loss and disclosure.

          The private key file contains PEM-encoded text enclosed in -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.

          2. Run the command openssl req -sha256 -new -key my-private-key.pem -out csr.pem and enter the relevant configuration information as prompted to generate a CSR file. Here, -key my-private-key.pem specifies the private key file generated in step 1, and -out csr.pem specifies the name of the CSR file.
           You are about to be asked to enter information that will be incorporated
           into your certificate request.
           What you are about to enter is what is called a Distinguished Name or a DN.
           There are quite a few fields but you can leave some blank
           For some fields there will be a default value,
           If you enter '.', the field will be left blank.
           -----
           Country Name (2 letter code) [AU]:CN
           State or Province Name (full name) [Some-State]:Beijing
           Locality Name (eg, city) []:Beijing
           Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
           Organizational Unit Name (eg, section) []:.
           Common Name (e.g. server FQDN or YOUR name) []:www.mycompany.com
           Email Address []:example@mycompany.c
           Please enter the following 'extra' attributes
           to be sent with your certificate request
           A challenge password []:.
           An optional company name []:.

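          The CSR file contains PEM-encoded text enclosed in -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.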

          • The fields to be filled in when executing the above command are explained in the following table:

          | Field | Description |
          | --- | --- |
          | Country Name | ISO code of the country where the company/organization is located. The code for China is CN; for other country codes, see ISO Code. |
          | State or Province Name | Name of the province/state where the company/organization is located. |
          | Locality Name | Company/organization city name. |
          | Organization Name | Name of the company/organization, where the full name should be given. |
          | Organizational Unit Name | Product or branch name, optional. |
          | Common Name | Fully-Qualified Domain Name (FQDN) of the company/organization, for example: www.mycompany.com. |
          | Email Address | Email address of the administrator. |
          | A challenge password | Password for the encryption certificate request. |
          | An optional company name | Optional company/organization name. |
          3. Submit a digital certificate application to the CA Center. Users can choose a third-party certificate authority such as VeriSign or GeoTrust.
          • Users can also execute the command openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem to self-sign the certificate for website testing. Here, -days 365 means that the certificate is valid for 365 days; -in csr.pem specifies the CSR file generated in step 2; -signkey my-private-key.pem specifies the private key used to sign the CSR (in this example, the private key generated in step 1); -out my-certificate.pem specifies the name of the generated certificate.
          • The generated certificate file contains PEM-encoded text enclosed in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

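The three steps above can also be run without the interactive prompts and then checked before anything is uploaded, as in this added example (not part of the original Baidu AI Cloud documentation). The function names are hypothetical, -subj supplies the DN fields on the command line, and the -sha256 on the signing command is an addition to the page's command.

```shell
#!/bin/sh
# Added example: steps 1-3 run without prompts, then checked.
# SUBJ reuses the sample DN values from the prompt transcript on this page.
SUBJ='/C=CN/ST=Beijing/L=Beijing/O=My Company/CN=www.mycompany.com'

# make_test_cert DIR: write key, CSR and self-signed test certificate to DIR.
make_test_cert() {
    # umask 077: the key file is created readable by its owner only.
    ( umask 077; openssl genrsa -out "$1/my-private-key.pem" 2048 2>/dev/null ) || return 1
    openssl req -sha256 -new -key "$1/my-private-key.pem" -subj "$SUBJ" \
        -out "$1/csr.pem" || return 1
    # -sha256 is added so the signature digest does not depend on the
    # default of the installed OpenSSL version.
    openssl x509 -req -sha256 -days 365 -in "$1/csr.pem" \
        -signkey "$1/my-private-key.pem" -out "$1/my-certificate.pem" 2>/dev/null
}

# pubkey_digest KIND FILE: SHA-256 of the public key in a key, CSR or cert.
pubkey_digest() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

# files_match DIR: succeed only if the CSR self-signature verifies and the
# key, CSR and certificate all carry the same public key.
files_match() {
    openssl req -in "$1/csr.pem" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(pubkey_digest key "$1/my-private-key.pem")
    [ "$k" = "$(pubkey_digest csr  "$1/csr.pem")" ] &&
    [ "$k" = "$(pubkey_digest cert "$1/my-certificate.pem")" ]
}

# sig_alg FILE: signature algorithm named in a certificate.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Run the demo only when the script is invoked with the argument "run".
if [ "${1:-}" = run ]; then
    d=$(mktemp -d) && make_test_cert "$d" && files_match "$d" &&
        echo "files match, signed with $(sig_alg "$d/my-certificate.pem")"
    rm -rf "$d"
fi
```

The same files_match check applies to a certificate returned by a CA: a mismatch between the certificate and my-private-key.pem shows up before the pair is uploaded.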