OpenSSL: How To Create Self-Signed Certificate
OpenSSL is a free, popular, robust, high quality, open source (Apache License) toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is available on multiple platforms (Linux, BSD & Windows). In short, it means that you can use OpenSSL to easily create a certificate signing request (CSR file) for your server to request a certificate from a certification authority like Verisign, Thawte etc. You can also use OpenSSL to create a self-signed certificate to use on your Apache web server, Dovecot and other SSL enabled services. Let’s look at how we can easily create a CSR using OpenSSL and also how we can create a self-signed certificate using OpenSSL.
Creating a private key
First you need to create a private key which will be used to generate the CSR or self-signed certificate. Let’s create a private key file named ca.key of strength 1024 (very strong):
openssl genrsa -out ca.key 1024
This creates your private key in the file ca.key.
How to create a CSR to request certificate from external certification authority like Verisign, Thawte etc.
Now let’s use it to create a CSR which you can use with external certification authorities:
openssl req -new -key ca.key -out ca.csr
This creates a CSR file named ca.csr using the ca.key key file. You can submit this file to a certification authority. They will use the data in this file to create a certificate for you.
Note: You will be asked several pieces of information as follows:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Answer them truthfully. Specify the domain name of your server as the Common Name. For example, to generate a CSR for my domain https://taragana.com I must use taragana.com as the common name.
How to create self-signed certificate
You can create a self-signed certificate for your own servers using the procedure below:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Notes:
1. Replace 365 with the number of days you want the certificate to be valid.
2. You must first create a CSR (see above) before you run this command.
The certificate will be saved in the file ca.crt. You can use this file in your software & services like Apache httpd, Postfix, Dovecot etc.
Self-signed certificates will not be recognized by browsers (unless you are Verisign or Thawte). When accessing websites or services that use such a certificate, the user will be asked to accept or reject the certificate. Certificates signed by a recognized external certification authority are automatically accepted by browsers.
Self-signed certificates are good for intranets, demo web sites, etc. For commercial sites you should use an external certification authority.
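The three commands above, run non-interactively and then checked, as an added example that is not part of the original article. The function names are hypothetical, and the -subj value, the hostname intranet.example.test and the 2048-bit key size are assumptions (public certification authorities require at least 2048-bit RSA).

```shell
#!/bin/sh
# Added example (not from the original page). Assumed values: 2048-bit key,
# the -subj string, and the hostname intranet.example.test.

make_self_signed() {            # usage: make_self_signed DIR COMMON_NAME DAYS
    d=$1
    # umask keeps the private key unreadable to other users.
    ( umask 077; openssl genrsa -out "$d/ca.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$d/ca.key" -out "$d/ca.csr" \
        -subj "/C=GB/O=Example Ltd/CN=$2" || return 1
    openssl x509 -req -days "$3" -in "$d/ca.csr" -signkey "$d/ca.key" \
        -out "$d/ca.crt" 2>/dev/null
}

# Print the subject or issuer DN of a certificate in one fixed format.
cert_dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }

# 0 if key, CSR and certificate all carry the same public key.
keys_match() {
    k=$(openssl rsa  -in "$1/ca.key" -pubout 2>/dev/null)
    r=$(openssl req  -in "$1/ca.csr" -noout -pubkey)
    c=$(openssl x509 -in "$1/ca.crt" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# 0 if issuer == subject and the signature verifies against the cert itself.
is_self_signed() {
    [ "$(cert_dn "$1" subject)" = "$(cert_dn "$1" issuer)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid after DAYS-1 days but not after DAYS+1.
expires_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir" intranet.example.test 365 &&
        keys_match "$dir" && is_self_signed "$dir/ca.crt" &&
        expires_in_days "$dir/ca.crt" 365 &&
        echo "ok: $(cert_dn "$dir/ca.crt" subject)"
    rc=$?; rm -rf "$dir"; return $rc
}
demo
```

The keys_match check is also useful before installing a certificate returned by an external certification authority, since a certificate that does not match ca.key will not work with it.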




