Building CA certificates with the OpenSSL command line
     
  Add Date : 2018-11-21      
         
         
         
This is a quick guide to using OpenSSL to generate a certificate authority (CA), an intermediate CA certificate and an end-entity certificate, including OCSP, CRL and CA issuer (Issuer) information, and specific issue and expiry dates.

We will set up our own root CA, then use the root CA to generate a sample intermediate CA, and use the intermediate CA to issue end-user certificates.

Root CA

Create a directory for the root CA and enter it:

mkdir -p ~/SSLCA/root/
cd ~/SSLCA/root/
Generate an 8192-bit RSA key for the root CA:

openssl genrsa -out rootca.key 8192
The output is similar to the following:

Generating RSA private key, 8192 bit long modulus
......... +
.................................................. .................................................. ................ +
e is 65537 (0x10001)
If you wish to password protect this key, add the command line option -aes256.

Create a self-signed root CA certificate rootca.crt, signed with SHA-256; you need to provide identification information for your root CA:

openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
The output is similar to the following:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Root CA
Email Address []:ca@linux.cn
Create the files in which the CA stores its index, next serial number and next CRL number:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
Create the CA configuration file; it contains stub CRL and OCSP endpoints. Note that default_md is the digest the CA signs with: this guide keeps sha1, but SHA-1 certificate signatures are rejected by modern browsers, so use sha256 in practice.

# vim ca.conf
[ca]
default_ca = myca
[crl_ext]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always
[myca]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[myca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[myca_extensions]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = Linux.CN Root CA
DNS.1 = Linux.CN CA Root

[crl_section]
URI.0 = http://pki.linux.cn/rootca.crl
URI.1 = http://pki2.linux.cn/rootca.crl
[ocsp_section]
caIssuers;URI.0 = http://pki.linux.cn/rootca.crt
caIssuers;URI.1 = http://pki2.linux.cn/rootca.crt
OCSP;URI.0 = http://pki.linux.cn/ocsp/
OCSP;URI.1 = http://pki2.linux.cn/ocsp/
If you want to set specific start and end times for issued certificates, add the following to [myca]:

# Format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911
Creating intermediate CA no. 1

Generate the intermediate CA's private key:

openssl genrsa -out intermediate1.key 4096
Generate its CSR:

openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
The output is similar to the following:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Chaoyang dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux.CN
Organizational Unit Name (eg, section) []:Linux.CN CA
Common Name (e.g. server FQDN or YOUR name) []:Linux.CN Intermediate CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Make sure that the intermediate CA's subject name (CN, Common Name) differs from the root CA's.

Sign the CSR you created for the intermediate CA with the root CA:

openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
Output similar to the following:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Beijing'
localityName          :ASN.1 12:'chaoyang dist.'
organizationName      :ASN.1 12:'Linux.CN'
organizationalUnitName:ASN.1 12:'Linux.CN CA'
commonName            :ASN.1 12:'Linux.CN Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
Generate the CRL (in both PEM and DER formats):

openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
You need to regenerate the CRL after each certificate you sign with the CA, and after each revocation, since a revocation only takes effect once a new CRL has been published.

If desired, you can revoke the intermediate certificate:

openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt
Configuring intermediate CA no. 1

Create a new directory for the intermediate CA and enter it:

mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/
Copy the intermediate CA's certificate and private key over from the root CA directory:

cp ../root/intermediate1.key ./
cp ../root/intermediate1.crt ./
Create the index files:

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber
Create a new ca.conf:

# vim ca.conf
[ca]
default_ca = myca
[crl_ext]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always
[myca]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/intermediate1.crt
database = $dir/certindex
private_key = $dir/intermediate1.key
serial = $dir/certserial
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365
[myca_policy]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[myca_extensions]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName = @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = Linux.CN Intermediate CA 1
DNS.1 = Linux.CN CA Intermediate1
[crl_section]
URI.0 = http://pki.linux.cn/intermediate1.crl
URI.1 = http://pki2.linux.cn/intermediate1.crl
[ocsp_section]
caIssuers;URI.0 = http://pki.linux.cn/intermediate1.crt
caIssuers;URI.1 = http://pki2.linux.cn/intermediate1.crt
OCSP;URI.0 = http://pki.linux.cn/ocsp/
OCSP;URI.1 = http://pki2.linux.cn/ocsp/
Modify the [alt_names] section to hold the Subject Alternative Names you need. If you do not need any, delete the subjectAltName = @alt_names line that references it.

If you need to specify start and end times, add the following lines to [myca]:

# Format: YYYYMMDDHHMMSS
default_enddate = 20191222035911
default_startdate = 20181222035911
Generate an empty CRL (in both PEM and DER formats):

openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
Creating end-user certificates

We use the new intermediate CA to generate end-user certificates. Repeat these steps for each end-user certificate you want the CA to sign.

mkdir ~/enduser-certs
cd ~/enduser-certs
Generate the end user's private key:

openssl genrsa -out enduser-example.com.key 4096
Generate the end user's CSR:

openssl req -new -sha256 -key enduser-example.com.key -out enduser-example.com.csr
The output is similar to the following:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Xuhui dist.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleInc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:Example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the end-user certificate with intermediate CA no. 1:

cd ~/SSLCA/intermediate1
openssl ca -batch -config ca.conf -notext -in ~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt
The output is similar to the following:

Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Shanghai'
localityName          :ASN.1 12:'Xuhui dist.'
organizationName      :ASN.1 12:'ExampleInc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName            :ASN.1 12:'example.com'
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Generate the CRL (in both PEM and DER formats):

cd ~/SSLCA/intermediate1/
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
You need to regenerate the CRL after each certificate you sign with the CA, and after each revocation, since a revocation only takes effect once a new CRL has been published.

If desired, you can revoke this end-user certificate:

cd ~/SSLCA/intermediate1/
openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt
The output is similar to the following:

Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated
Concatenate the root certificate and the intermediate certificate to create the certificate chain file:

cat ../root/rootca.crt intermediate1.crt > ~/enduser-certs/enduser-example.com.chain
These files are sent to the end user:

enduser-example.com.crt
enduser-example.com.key
enduser-example.com.chain
You can also let end users supply their own CSR and only return the .crt file to them. Do not delete the issued certificates from the server, otherwise they cannot be revoked.

Verifying certificates

You can verify an end-user certificate against the certificate chain with the following commands:

cd ~/enduser-certs
openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
enduser-example.com.crt: OK
You can also verify it against the CRL. First, append the PEM CRL to the certificate chain file:

cd ~/SSLCA/intermediate1
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem > ~/enduser-certs/enduser-example.com.crl.chain
Verify the certificate:

cd ~/enduser-certs
openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt
If the certificate is not revoked, the output is as follows:

enduser-example.com.crt: OK
If revoked, the output is as follows:

enduser-example.com.crt: CN = example.com, ST = Beijing, C = CN, O = ExampleInc, OU = IT Dept
error 23 at 0 depth lookup: certificate revoked
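The whole procedure above (root CA, intermediate CA, end-user certificate, CRL generation, revocation and verification with and without -crl_check) as one non-interactive script. This is an added example, not the article's own commands: it assumes openssl 1.1.1 or 3.x on PATH, uses 2048-bit keys instead of 8192/4096 so it finishes in seconds, writes everything under a temporary directory, supplies its own req.conf so it does not depend on the system openssl.cnf, and signs with sha256. The subject names, directory layout and function names (write_req_conf, write_ca_conf, build_pki, refresh_crl, check_enduser, revoke_enduser) are the example's own; the CRL distribution point, OCSP and AIA URIs from the article's config are left out because there is no server here to host them.

```shell
#!/bin/sh
# Added example, not the article's own commands: the root -> intermediate -> end-user
# chain built non-interactively, then checked with and without CRL checking.
# Assumptions: openssl 1.1.1 or 3.x is on PATH; keys are 2048-bit (the article uses
# 8192/4096) so this runs in seconds; all files live under a temporary directory.
set -eu

PKI="${PKI:-$(mktemp -d)}"   # everything is written here; nothing on the host is touched

# Minimal `openssl req` config so the script does not depend on the system openssl.cnf.
# [v3_root] is what makes the self-signed certificate usable as a trust anchor.
write_req_conf() {
  cat > "$PKI/req.conf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# ca.conf in the article's shape: $1 = CA directory, $2 = key file, $3 = cert file,
# $4 = extension lines for the certificates this CA issues. Also creates the index,
# serial and CRL-number files that `openssl ca` requires.
write_ca_conf() {
  cat > "$1/ca.conf" <<EOF
[ca]
default_ca = myca
[myca]
dir = $1
new_certs_dir = \$dir
unique_subject = no
certificate = \$dir/$3
database = \$dir/certindex
private_key = \$dir/$2
serial = \$dir/certserial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_days = 30
default_md = sha256
policy = myca_policy
x509_extensions = issued_ext
[myca_policy]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[issued_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
$4
EOF
  touch "$1/certindex"
  echo 1000 > "$1/certserial"
  echo 1000 > "$1/crlnumber"
}

build_pki() {
  write_req_conf
  mkdir -p "$PKI/root" "$PKI/intermediate1" "$PKI/enduser-certs"
  # 1. Root CA key and self-signed certificate
  openssl genrsa -out "$PKI/root/rootca.key" 2048 2>/dev/null
  openssl req -config "$PKI/req.conf" -new -x509 -sha256 -days 1826 \
    -key "$PKI/root/rootca.key" -subj "/CN=Example Root CA" -out "$PKI/root/rootca.crt"
  write_ca_conf "$PKI/root" rootca.key rootca.crt 'basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign'
  # 2. Intermediate CA: CSR signed by the root, then its own ca.conf for issuing leaves
  openssl genrsa -out "$PKI/intermediate1/intermediate1.key" 2048 2>/dev/null
  openssl req -config "$PKI/req.conf" -new -sha256 -key "$PKI/intermediate1/intermediate1.key" \
    -subj "/CN=Example Intermediate CA" -out "$PKI/intermediate1/intermediate1.csr"
  openssl ca -batch -config "$PKI/root/ca.conf" -notext \
    -in "$PKI/intermediate1/intermediate1.csr" -out "$PKI/intermediate1/intermediate1.crt" 2>/dev/null
  write_ca_conf "$PKI/intermediate1" intermediate1.key intermediate1.crt 'basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com'
  # 3. End-user certificate issued by the intermediate
  openssl genrsa -out "$PKI/enduser-certs/enduser-example.com.key" 2048 2>/dev/null
  openssl req -config "$PKI/req.conf" -new -sha256 -key "$PKI/enduser-certs/enduser-example.com.key" \
    -subj "/CN=example.com" -out "$PKI/enduser-certs/enduser-example.com.csr"
  openssl ca -batch -config "$PKI/intermediate1/ca.conf" -notext \
    -in "$PKI/enduser-certs/enduser-example.com.csr" -out "$PKI/enduser-certs/enduser-example.com.crt" 2>/dev/null
  # 4. Chain file handed to the end user: root + intermediate
  cat "$PKI/root/rootca.crt" "$PKI/intermediate1/intermediate1.crt" > "$PKI/enduser-certs/enduser-example.com.chain"
}

# Publish the intermediate's CRL and rebuild the chain+CRL bundle that -crl_check needs
refresh_crl() {
  openssl ca -config "$PKI/intermediate1/ca.conf" -gencrl -out "$PKI/intermediate1/intermediate1.crl.pem" 2>/dev/null
  cat "$PKI/root/rootca.crt" "$PKI/intermediate1/intermediate1.crt" "$PKI/intermediate1/intermediate1.crl.pem" \
    > "$PKI/enduser-certs/enduser-example.com.crl.chain"
}

# Prints OK, REVOKED or FAIL and returns openssl verify's exit status
check_enduser() {
  out=$(openssl verify -crl_check -CAfile "$PKI/enduser-certs/enduser-example.com.crl.chain" \
        "$PKI/enduser-certs/enduser-example.com.crt" 2>&1) && { echo OK; return 0; }
  case "$out" in *revoked*) echo REVOKED ;; *) echo FAIL ;; esac
  return 1
}

# Revoke the end-user certificate; the revocation is invisible until a new CRL is published
revoke_enduser() {
  openssl ca -config "$PKI/intermediate1/ca.conf" -revoke "$PKI/enduser-certs/enduser-example.com.crt" 2>/dev/null
  refresh_crl
}

if [ "${1:-}" = demo ]; then
  build_pki; refresh_crl; check_enduser
  revoke_enduser; check_enduser || true
fi
```

Run it as `sh build-ca.sh demo`: the first check prints OK, the second prints REVOKED. The two write_ca_conf calls differ only in the extensions their CA stamps onto issued certificates, which is the real difference between a root and an intermediate in the article's two ca.conf files; refresh_crl is called after every revocation because, as the article says, a revocation has no effect on verifiers until a new CRL is published.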
     
         
         
         
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.