This article was published by the NetEase Cloud community with the authorization of its author, Zhao Bin.

1. Foreword


To test a new Content Delivery Network (CDN) feature, HTTPS security acceleration, the CDN has to verify the validity of the server certificate, so we need valid, invalid, and expired certificates to test against. This article describes how to generate such certificates with OpenSSL.


2. Use OpenSSL to generate certificates


1. Create a certificate key file


openssl genrsa -des3 -out ca.key 8192

You will be prompted for a password, which is used to encrypt the key file. (The -des3 parameter selects the encryption algorithm; you can choose any other algorithm that you consider secure.) Each time this file is read (through an OpenSSL command or API), the password has to be entered. If that is inconvenient you can leave the password off, but then make sure the key file is protected by other means! To create the key file without a password, omit -des3:


openssl genrsa -out ca.key 8192

2. Create a certificate request and self-sign the certificate:


openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=Netease/OU=Netease Root CA"

The meanings of the options (and parameters) are as follows:

req          Use the req subcommand of OpenSSL.
-new         Generate a new certificate request.
-x509        Output a self-signed certificate instead of a certificate request.
-sha256      Sign the certificate with SHA-256.
-days 365    Validity period of the self-signed certificate: 365 days (1 year).
-key ca.key  Use the existing private key file ca.key (if -key is omitted, a new private key is generated).
-out ca.crt  Write the generated self-signed certificate to the file ca.crt.
-subj arg    arg has the form /type0=value0/type1=value1/type2=...; each /type=value unit corresponds to one field of the Distinguished Name (DN).

DN field name             Abbreviation  Meaning                                      Required?
Country Name              C             Country of the certificate holder            Required; 2-letter country code
State or Province Name    ST            State or province of the certificate holder  Optional; full name
Locality Name             L             City of the certificate holder               Optional
Organization Name         O             Organization or company of the holder        Optional
Organizational Unit Name  OU            Department of the certificate holder         Optional
Common Name               CN            Common name of the certificate holder        Mandatory
Email Address             -             Email address of the certificate holder      Optional


3. A simple way to generate expired certificates


1. Set the system time 2 years back;


2. Run step 2 of section 2 with -days set to the desired validity period, for example 365;


3. Restore the system time. The certificate is now one year past its expiry date.


4. Check the certificate


Open the ca.crt produced by the method in section 2 or section 3. In general you can see that the certificate's validity period runs from XXX to XXX: the certificate produced by section 2 is valid, and the one produced by section 3 is expired. To produce an invalid certificate, write a file of the form -----BEGIN CERTIFICATE----- XXX -----END CERTIFICATE-----, i.e. arbitrary content between the PEM markers.
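Opening the file by hand does not scale once a CDN test suite has many certificates. The script below is an added example (not part of the original article) that classifies a PEM file with the same openssl CLI as "valid", "expiring" within a horizon, "expired" or "invalid"; it assumes openssl is on PATH and constructs its own key, a 365-day self-signed certificate like the one in section 2, and the article's "XXX" invalid certificate.

```sh
#!/bin/sh
# Added example, not part of the original article. Classifies a PEM file the
# way the CDN test needs: "valid", "expiring" (within a horizon), "expired" or
# "invalid". Assumes the openssl CLI is on PATH; file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# cert_status FILE [HORIZON_SECONDS]
#   invalid  - not a parseable X.509 certificate (e.g. "XXX" between PEM markers)
#   expired  - notAfter is already in the past
#   expiring - valid now, but notAfter falls within HORIZON_SECONDS (default 0)
#   valid    - otherwise
cert_status() {
    file=$1
    horizon=${2:-0}
    # Parse first: -checkend cannot distinguish "expired" from "unparseable".
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo invalid; return
    fi
    # x509 -checkend N exits 0 if the cert is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo expired; return
    fi
    if ! openssl x509 -noout -checkend "$horizon" -in "$file" >/dev/null 2>&1; then
        echo expiring; return
    fi
    echo valid
}

# Constructed test material: a 2048-bit key (the article uses 8192, which is
# slow to generate) and a 365-day self-signed certificate as in section 2.
make_test_certs() {
    openssl genrsa -out "$WORK/ca.key" 2048 >/dev/null 2>&1
    openssl req -new -x509 -sha256 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Netease/OU=Netease Root CA/CN=cdn.example.test"
    # The article's "invalid certificate": garbage between the PEM markers.
    printf -- '-----BEGIN CERTIFICATE-----\nXXX\n-----END CERTIFICATE-----\n' > "$WORK/bad.crt"
}

make_test_certs
echo "ca.crt now:        $(cert_status "$WORK/ca.crt")"             # valid
echo "ca.crt in 2 years: $(cert_status "$WORK/ca.crt" 63072000)"    # expiring
echo "bad.crt:           $(cert_status "$WORK/bad.crt")"            # invalid
```

A certificate produced by the clock-shift method in section 3 is reported as expired by the same function, and the horizon argument lets the CDN test flag certificates that will lapse before the next renewal run.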

