OpenSSL is a free, popular, robust, high quality, open source (Apache License) toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. It is available on multiple platforms (Linux, BSD & Windows). In short, this means that you can use OpenSSL to easily create a certificate signing request (CSR file) for your server to request a certificate from a certification authority like Verisign, Thawte etc. You can also use OpenSSL to create a self-signed certificate to use on your Apache web server, Dovecot and other SSL-enabled services. Let's look at how we can easily create a CSR, and also a self-signed certificate, using OpenSSL.

Creating a private key
First you need to create a private key, which will be used to generate the CSR or self-signed certificate. Let's create a private key file named ca.key of strength 1024 (very strong):
openssl genrsa -out ca.key 1024

This creates your private key in the file ca.key.

How to create a CSR to request a certificate from an external certification authority like Verisign, Thawte etc.
Now let's use it to create a CSR which you can use with external certification authorities:
openssl req -new -key ca.key -out ca.csr

This creates a CSR file named ca.csr using the ca.key key file. You can submit this file to the certification authority. They will use the data in this file to create a certificate for you.

Note: You will be asked for several pieces of information, as follows:

Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Answer them truthfully. Specify the domain name of your server as the Common Name. For example, to generate a CSR for my domain https://taragana.com I must use taragana.com as the common name.

How to create a self-signed certificate
You can create a self-signed certificate for your own servers using the procedure below:
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Notes:
1. Replace 365 with the number of days you want the certificate to be valid.
2. You must first create a CSR (see above) before you run this command.

The certificate will be saved in the file ca.crt. You can use this file in your software & services like Apache httpd, Postfix, Dovecot etc.
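The three steps above can also be run without prompts and the resulting files checked against each other. This is an added example, not code from the original post: the function names, the -subj sample values, the explicit -sha256 and the 2048-bit default are assumptions of the example (publicly trusted certification authorities no longer accept RSA keys shorter than 2048 bits).

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed certificate without prompts, plus checks.

# make_selfsigned DIR COMMON_NAME [DAYS] [BITS]
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}; bits=${4:-2048}   # 2048 is this example's default
    (
        umask 077                      # private key readable by its owner only
        cd "$dir" || exit 1
        openssl genrsa -out ca.key "$bits" 2>/dev/null || exit 1
        # -subj answers the prompts; the values are constructed sample data
        openssl req -new -key ca.key -out ca.csr \
            -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=$cn" || exit 1
        openssl x509 -req -sha256 -days "$days" -in ca.csr \
            -signkey ca.key -out ca.crt 2>/dev/null || exit 1
    )
}

# pubkey_digest KIND FILE: SHA-256 over the PEM public key held in a key, CSR or cert
pubkey_digest() {
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

# check_selfsigned DIR: 0 if ca.key, ca.csr and ca.crt belong together,
# 1 bad CSR signature, 2 key/CSR mismatch, 3 key/cert mismatch, 4 not self-signed
check_selfsigned() {
    d=$1
    openssl req -in "$d/ca.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    k=$(pubkey_digest key "$d/ca.key")
    [ "$k" = "$(pubkey_digest csr "$d/ca.csr")" ] || return 2
    [ "$k" = "$(pubkey_digest crt "$d/ca.crt")" ] || return 3
    # a self-signed certificate names the same entity as subject and issuer
    s=$(openssl x509 -in "$d/ca.crt" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$d/ca.crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ] || return 4
}
```

Running check_selfsigned before installing the files catches the common mistake of pairing a certificate with the wrong key file, which otherwise only shows up when the server refuses to start.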

Self-signed certificates will not be recognized by browsers (unless you are Verisign or Thawte). When accessing websites or services using such a certificate, the user will be asked to accept or reject the certificate. Certificates signed by a recognized external certification authority are automatically accepted by browsers.

Self-signed certificates are good for intranets, demo web sites etc. For commercial sites you should use an external certification authority.