First, OpenSSL brief
OpenSSL is a powerful SSL/TLS cryptographic library. It includes the major cryptographic algorithms, common key- and certificate-management functions and the SSL/TLS protocols, and it ships a rich command-line tool for testing and other purposes.
SSL (Secure Sockets Layer) provides confidentiality for data transmitted over the Internet. An SSL connection lets client/server applications communicate without an attacker being able to eavesdrop; it always authenticates the server and can optionally authenticate the user (client certificate). SSL runs on top of a reliable transport protocol (TCP).
Second, install the appropriate software packages
$ sudo apt-get install apache2 ## install Apache
$ sudo apt-get install openssl ## install the openssl command-line tool
$ sudo apt-get install libssl-dev ## install the OpenSSL development libraries (headers)
$ sudo apt-get install bless ## bless hex editor, installed in advance for inspecting the binary files
Third, a brief explanation of openssl.cnf
$ vi /usr/lib/ssl/openssl.cnf
The [ req_distinguished_name ] section defines the prompts, defaults and length limits that openssl req uses when it asks for the certificate subject:
countryName = Country Name (2 letter code) ## country name, two-letter code
countryName_default = CN ## CN is China
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name) ## state or province name
stateOrProvinceName_default = beijing
localityName = Locality Name (eg, city) ## city name
localityName_default = beijing
0.organizationName = Organization Name (eg, company) ## organization (company) name
0.organizationName_default = beijing www company
organizationalUnitName = Organizational Unit Name (eg, section) ## organizational unit (department) name
organizationalUnitName_default = www
commonName = Common Name (e.g. server FQDN or YOUR name) ## the server's domain name
commonName = www.baidu.com
commonName_max = 64
#emailAddress = Email Address ## e-mail address
emailAddress = firstname.lastname@example.org
emailAddress_max = 64
# SET-ex3 = SET extension number 3
#challengePassword = A challenge password ## challenge password: an attribute stored in the CSR, not the passphrase of the key
challengePassword =
challengePassword_min = 4
challengePassword_max = 20
Note: a key without a suffix is the prompt text shown to the user, and only a key with the _default suffix pre-fills the answer. A line such as commonName = www.baidu.com therefore only changes the prompt; to pre-fill the common name use commonName_default = www.baidu.com (and likewise emailAddress_default for the e-mail address).
Fourth, set up a certificate authority (CA) and generate a certificate for that CA
1. Copy openssl.cnf into the current directory and create the sub-directories the configuration file expects (dir = ./demoCA in the [ CA_default ] section)
$ cp /usr/lib/ssl/openssl.cnf . ## a local copy can be edited without sudo and leaves the system file untouched
$ mkdir demoCA
$ cd demoCA
$ mkdir certs crl newcerts
$ touch index.txt serial ## index.txt stays empty;
## serial must contain the starting serial number as a hex string with an even number of digits (e.g. 1111)
$ cd .. ## back to the directory that holds openssl.cnf
After these preparations you can create and issue certificates.
2. Generate a self-signed certificate for your CA. This declares the CA to be a trusted entity, and its certificate will serve as the root certificate.
$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Note: be sure to remember the passphrase you enter. The command writes two files: ca.key holds the CA's private key (encrypted with that passphrase) and ca.crt is the certificate containing the public key. Without -days the certificate is valid for only 30 days; pass e.g. -days 3650 for a longer-lived root.
Fifth, generate a certificate for a customer
Now that we are the root CA we can issue signed digital certificates to customers; here the customer is the site www.baidu.com.
1. Generate a public/private key pair
$ openssl genrsa -des3 -out server.key 1024
Note: you must supply a passphrase to protect the key; the encrypted key is stored in server.key. A 1024-bit RSA key is too short by today's standards; use at least 2048 bits in practice.
2. Generate a certificate signing request. Once the company has its key file, it generates a certificate signing request (CSR). The CSR is sent to the CA, which issues a certificate for it (normally after confirming that the identity information in the CSR is genuine).
$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Note: remember what you enter. The subject fields must satisfy the CA's policy (policy_match in openssl.cnf): Country, State and Organization have to be identical to the values in the CA certificate, otherwise openssl ca refuses to sign in the next step.
3. Generate the certificate. The CSR must be signed by the CA to become a certificate (in the real world the CSR is sent to a trusted CA for signing). Supply the CA's key and certificate and sign with our own CA; you will be asked for the CA key's passphrase and to confirm the signing:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
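The following shell script is an added example and is not part of the original tutorial. It runs the procedure of sections three to five end to end in a temporary directory: a minimal stand-in for openssl.cnf (just the sections openssl ca needs, including the policy_match rule that makes C, ST and O of the CSR match the CA), the demoCA layout with index.txt and serial, a self-signed root, a server CSR and a certificate issued with openssl ca. It then checks the result with openssl verify, including the hostname check that browsers actually perform against the subjectAltName. Keys are generated without a passphrase (-nodes) and openssl ca runs with -batch so that nothing prompts; the subject values, the 2048-bit key size and the "Demo Root CA" name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a throwaway CA,
# issue a server certificate with `openssl ca`, and verify the result.
# Keys are unencrypted (-nodes) and `openssl ca` runs in -batch mode so the
# whole run is non-interactive; the tutorial's commands prompt for passphrases.

build_and_verify() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1

    # Minimal configuration standing in for the copied openssl.cnf.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
certs           = $dir/certs
crl_dir         = $dir/crl
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert

# Same rule as the stock file: C, ST and O in the CSR must equal the CA's.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

# Root certificate extensions: without CA:TRUE, openssl verify rejects the root.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Server certificate extensions: browsers match the hostname against the SAN, not the CN.
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.baidu.com
EOF

    # demoCA layout from step four; serial needs an even number of hex digits.
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts || exit 1
    : > demoCA/index.txt
    echo 1111 > demoCA/serial

    # Step four: self-signed root (subject values are assumed for the demo).
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/ST=beijing/O=beijing www company/CN=Demo Root CA" \
        -extensions v3_ca -config openssl.cnf \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 || exit 1

    # Step five, 1 and 2: server key and CSR whose C/ST/O satisfy policy_match.
    openssl genrsa -out server.key 2048 >/dev/null 2>&1 || exit 1
    openssl req -new -key server.key -config openssl.cnf \
        -subj "/C=CN/ST=beijing/O=beijing www company/CN=www.baidu.com" \
        -out server.csr >/dev/null 2>&1 || exit 1

    # Step five, 3: sign with our CA; index.txt, serial and newcerts/ are updated.
    openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
        -config openssl.cnf >/dev/null 2>&1 || exit 1

    # Chain check plus hostname check: the right name verifies, a wrong one must not.
    openssl verify -CAfile ca.crt -verify_hostname www.baidu.com server.crt >/dev/null 2>&1 || exit 1
    openssl verify -CAfile ca.crt -verify_hostname www.example.net server.crt >/dev/null 2>&1 && exit 1

    # Print the working directory so the caller can inspect the files.
    printf '%s\n' "$work"
)

# Usage: dir=$(build_and_verify) && ls "$dir" "$dir/demoCA"
```

After the function returns, demoCA/index.txt holds one line beginning with V (valid) for the issued certificate and demoCA/newcerts/1111.pem is the copy the CA keeps. To test section six from the command line instead of a browser, start openssl s_server -cert server.crt -key server.key -www in that directory and, from another shell, run openssl s_client -connect localhost:4433 -CAfile ca.crt -verify_hostname www.baidu.com; "Verify return code: 0 (ok)" is the equivalent of the browser accepting the site once ca.crt has been imported.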
Sixth, using the PKI on a website
1. Point the test hostname at this machine by editing /etc/hosts (add a line such as 127.0.0.1 www.baidu.com)
$ sudo vi /etc/hosts
2. Start a simple web server with the certificate generated above
$ cp server.key server.pem
$ cat server.crt >> server.pem ## merge the key and the certificate into one file
$ openssl s_server -cert server.pem -www ## start the server with server.pem (you will be asked for the key's passphrase)
3. By default the server listens on port 4433. Open https://www.baidu.com:4433 in the browser.
Note: the browser warns that the connection is not trusted because our CA is self-signed and unknown to it; a certificate issued by a CA the browser already trusts, such as VeriSign, would not trigger this warning.
You can configure Firefox to accept our self-signed CA (other browsers are similar):
Menu ---> Preferences ---> Advanced ---> Certificates ---> View Certificates (Certificate Manager) ---> Import ---> go to the directory where you set up openssl, select ca.crt ---> Open (load the certificate) ---> tick "Trust this CA to identify websites" ---> OK, then reload the page.