Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
On this page

Show all

Help Center/ Partner Center/ Developer Guide/ Appendix/ Generating a Certificate

Generating a Certificate

Updated on 2023-05-10 GMT+08:00

A partner can purchase certificates issued by commercial CA or use OpenSSL to generate free certificates. There are many OpenSSL commands for generating certificates. This section describes the recommended OpenSSL commands.

  1. Generate the RSA public-private key pair of CA.

    Command: openssl genrsa [-out filename] [-aes256] [numbits]

    Example: openssl genrsa -out CAkey.pem -aes256 2048

    When the command is executed, a message is displayed on the OpenSSL UI to prompt you to manually enter the password of the generated private key file. The password automatically derives an encryption key and encrypts the private key file.

    Table 1 Parameter description

    Parameter

    Description

    [-out filename]

    Indicates the name and path of the file that stores the public-private key pair.

    [-aes256]

    Indicates that the encryption algorithm is AES256-CBC.

    You can also use other encryption algorithms, such as -des, -des3, -aes128, and -idea. The recommended symmetric encryption algorithms are AES (128 or higher bits). Therefore, AES256 is recommended. If no encryption algorithm is specified in the command for generating the public-private key pair, the generated key-pair file is not protected by the password.

    [numbers]

    Indicates the length of the generated public-private key pair. The recommended asymmetric encryption algorithm is RSA (2048 bits or higher). Therefore, the recommended length of the public-private key pair has 2048 bits.

  2. Use the CA private key to perform self signature and generate a root certificate.

    Command: openssl req [-x509] [-new] [-key filename] [-out filename] [-md2|-md5|-sha1|-mdc2|-sha256] [-days n] [-config path of openssl.cnf]

    Example: openssl req -x509 -new -key CAkey.pem -sha256 -out CA.pem -days 3650 -config openssl.cnf

    In the example, Cakey.pem is the private key file generated in 1. When the command is executed, a message is displayed on the OpenSSL UI to prompt you to manually enter the password of the private key file generated in 1 and information of the certificate applicant.

    Table 2 Parameter description

    Parameter

    Description

    [-x509]

    Generates the root CA certificate. The extension item of the certificate is specified in the config file.

    [-new]

    Generates a new Certificate Secure Request (CSR) file. If this parameter is used together with -x509, a self-signed root certificate file is generated. In this case, you need to enter the necessary information for creating a CSR file. The required information is defined in the config file.

    [-key filename]

    Indicates the source of the certificate private key file. The format of the file is PKCS#8.

    [-out filename]

    Generates the certificate request file. If -x509 is specified, a self-signed root certificate file is generated. By default, a standard CSR file is generated.

    [-md2|-md5|-sha1|-mdc2|-sha256]

    Indicates the hash algorithm of the certificate. It is recommended to use SHA256 in the signature scenario. In addition, because the RSA public-private key pair is generated in 1, the signature algorithm specified here is SHA256RSA.

    [-days n]

    Indicates the validity period of the certificate with the signature. If this parameter is not specified, the validity period of the generated certificate is 30 days (default). Generally, it is recommended to set the validity period of the generated certificate to 10 years. That is, the value of n is 3650.

    [-config path of openssl.cnf]

    Indicates the name and path of the openssl.cnf configuration file.

  3. Generates the public-private key pair of the device certificate.

    The command for generating the public-private key pair of the device certificate. The command is the same as that for generating the public-private key-pair of the CA certificate.

    Example: openssl genrsa -out Devicekey.pem -aes256 2048

    Devicekey.pem is the file that stores the public-private key of the device certificate. When the command is executed, a message is displayed on the OpenSSL UI to prompt you to manually enter the password of the generated private key file. The password automatically derives an encryption key and encrypts the private key file.

  4. Generates a CSR file of the device certificate.

    Command: openssl req [-new] [-key filename] [-out filename] [-config path of openssl.cnf]

    Example: openssl req -new -key Devicekey.pem -out DeviceCert.csr -config openssl.cnf

    In the example, Devicekey.pem is the private key file generated in 3. When the command is executed, a message is displayed on the OpenSSL UI to prompt you to manually enter the password of the private key file generated in 3 and information of the certificate applicant.

    Table 2 describes the parameters.

  5. Use the CA private key to issue the device certificate.

    Command: openssl x509 [-req] [-in filename] [-out filename] [-CA filename] [-CAkey filename] [-md2|-md5|-sha1|-mdc2|-sha256] [-days arg] [-CAcreateserial] [-extfile filename] [-extensions v3_req]

    Example: openssl x509 -req -in DeviceCert.csr -out DeviceCert.pem -CA CA.pem -CAkey CAkey.pem -sha256 -days 3650 -CAcreateserial -extensions v3_req -extfile openssl.cnf

    When the command is executed, a message is displayed on the OpenSSL UI to prompt you to manually enter the password of the CA root private key file generated in 1.

    Table 3 Parameter description

    Parameter

    Description

    [-req]

    Indicates that the input file (the file following the -in parameter) is the CSR file (in x509 commands).

    [-in filename]

    Indicates the name of the input file. The file is the CSR file of the device certificate generated in 4.

    [-out filename]

    Indicates the name of the generated file. The file is the device certificate file.

    [-CA filename]

    Indicates the name of the CA certificate file for signature, that is, the CSR file generated in 2.

    [-CAkey filename]

    Indicates the CA private key file, that is, the RSA public-private key pair of CA generated in 1.

    [-md2|-md5|-sha1|-mdc2|-sha256]

    Indicates the hash algorithm of the certificate. It is recommended to use SHA256 in the signature scenario. In addition, because the RSA public-private key pair is generated in 1, the signature algorithm specified here is SHA256RSA.

    [-days n]

    Indicates the validity period of the certificate with the signature. If this parameter is not specified, the validity period of the generated certificate is 30 days (default). Generally, it is recommended to set the validity period of the generated certificate to 10 years. That is, the value of n is 3650.

    [-CAcreateserial]

    If there is no CA serial number file (default file name CA.srl), one CA serial number file will be generated. If there is a default CA serial number file, the default file is used. The serial number increases by one every time when a certificate is issued.

    [-extfile filename]

    Indicates the name of the file containing the certificate extension item. In the example, the file name is openssl.cnf. If this parameter is not specified, the generated certificate does not contain any extension item, that is, the generated certificate is of the x.509 v1 version.

    [-extensions section]

    Indicates the extended items in the issued certificate file. If this parameter is not specified, the default value is v3_ca, indicating that a CA root certificate is generated. In this example, the device certificate is to be issued. Therefore, the section value is set to v3_req, indicating that the basic constraint of the generated certificate is Subject Type=End Entity (the certificate is a terminal entity certificate).

  6. The body of the DeviceCert.pem file (excluding the header and tail of the file) generated in 5 is the values of <ds:X509Certificate> </ds:X509Certificate> in Example of the IDP Metadata File (Saved Using UTF-8).

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback