  OpenSSL: creating a private CA and explaining certificate signing requests
     
  Add Date : 2018-11-21      
         
         
         
  One, OpenSSL: CA default configuration information

1. Certificate authorities (CA): public, trusted CAs and private CAs
              Setting up a private CA:
For small-scale tests, use openssl directly;
For large enterprises that maintain many certificates, use OpenCA (a wrapper around openssl that is more convenient to operate)
 
2. openssl configuration file: /etc/pki/tls/openssl.cnf
     [root@localhost tmp]# cat /etc/pki/tls/openssl.cnf
The configuration file is organized into "[configuration sections]", each holding the related settings
===================== Summary of the relevant parts of openssl.cnf ========
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
####################################################################
[ ca ]                                 # CA configuration section
default_ca = CA_default                # The default ca section: the CA's settings live in [CA_default]
####################################################################
[ CA_default ]                         # Working environment of the default CA
dir = /etc/pki/CA                      # Where everything is kept: the default working directory, referenced below as $dir
certs = $dir/certs                     # Where the issued certs are kept
crl_dir = $dir/crl                     # Where the issued crl are kept (revoked-certificate lists)
database = $dir/index.txt              # database index file: every issued certificate gets a record here
new_certs_dir = $dir/newcerts          # default place for new certs (a copy of each issued certificate, named SERIAL.pem)
 
certificate = $dir/cacert.pem          # The CA certificate: the CA's own self-signed certificate
serial = $dir/serial                   # The current serial number: the serial of the next certificate; the first value must be written by hand
crlnumber = $dir/crlnumber             # the current crl number
                                       # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                     # The current CRL
private_key = $dir/private/cakey.pem   # The private key: the CA's own private key
RANDFILE = $dir/private/.rand          # private random number file
 
x509_extensions = usr_cert             # The extensions to add to the cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default                  # Subject Name options
cert_opt = ca_default                  # Certificate field options
 
default_days = 365                     # how long to certify for: default validity of issued certificates
default_crl_days = 30                  # how long before next CRL: default validity of a CRL
default_md = sha256                    # use SHA-256 by default as the signature digest
preserve = no                          # keep passed DN ordering
####################################################################
[ req ]                                # Settings for certificate signing requests sent to a CA
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca                # The extensions to add to the self signed cert
==================================================
 
 
 
 
Two, OpenSSL: steps to create a private CA (certificate issuing authority)
Decide which host will be the CA, generate a self-signed certificate for it, and create the directories and files the CA needs;
The CA host does not take part in the actual network traffic; it only signs certificates, so it does not have to run any service
      1. Generate the CA's private key;
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
    The default configuration names the key /etc/pki/CA/private/cakey.pem, so the directory and file name used here must match the configuration file
 
      2. Generate the CA's self-signed certificate;
              req: PKCS#10 certificate request and certificate generating utility;
  [root@localhost tmp]# man req
  ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
                  /etc/pki/CA/cacert.pem: the directory and file name the configuration file expects for the CA certificate
  -new: generate a new certificate signing request;
  -x509: output a self-signed certificate instead of a request; used only when creating a private CA;
  -key: path of the private key used to generate the request;
  -out: output path; with -x509 the output is the self-signed certificate itself;
  -days: validity period of the certificate, in days;
 note:
1) -key /etc/pki/CA/private/cakey.pem names the private key; the public key placed in the certificate is derived from it automatically
2) req by itself only creates a signing request; with -x509 it signs that request with the same key, producing a self-signed certificate. For a certificate that a CA will sign, omit -x509
[root@localhost tmp]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
          ==================================== Fill in the certificate request information =========
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:                            # two-letter country code, e.g. CN for China
State or Province Name (full name) []:                        # full name of the province or state
Locality Name (eg, city) [Default City]:                      # city (default: Default City)
Organization Name (eg, company) [Default Company Ltd]:        # organization name (default: Default Company Ltd)
Organizational Unit Name (eg, section) []:                    # organizational unit, e.g. department
Common Name (eg, your name or your server's hostname) []:      # holder's name or the server's host name (i.e. the domain name)
Email Address []:                                              # administrator e-mail address; may be left blank
        ==================================================
   
3. Create the directories and files the CA needs;
            ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}   # directories for issued certificates, revocation lists and new certificates, if they do not exist yet
            ~]# touch /etc/pki/CA/{serial,index.txt}          # the certificate serial number file and the certificate index file
            ~]# echo 01 > /etc/pki/CA/serial                  # on first creation the starting serial number must be supplied
 
 
 
 
Three, OpenSSL: requesting a signed certificate for a service to enable SSL secure communication
    For a server to use a certificate for secure communication, it must have the certificate signed by the CA;
    The service host and the CA host do not need to be the same machine.
        The httpd service is used as the example; the steps are:
Demo environment:
httpd service on host 172.16.249.210 (installed from the rpm package here)
 Private CA (signing authority) on host 172.16.249.18
 
1. Generate the private key the server certificate will use;
            ~]# mkdir /etc/httpd/ssl
            ~]# cd /etc/httpd/ssl
            ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)   # generate the private key
                  The httpd service's private key is not created under /etc/pki/CA; that directory is created only on the host acting as the CA
 
2. Generate the certificate signing request
            ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
                    1) *.csr denotes a certificate signing request file
                    2) make sure the organization information entered matches that of the signing CA
 
3. Send the request to the CA host by a reliable means
              ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.249.18:/tmp/
 
4. Sign the certificate on the CA host
            ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
                          *.crt: denotes a certificate file
                          -days: validity period of the signed certificate
 Note: check here that the information displayed is correct, then confirm whether to sign the certificate
 
5. Review the information of the signed certificate
              Method one: ~]# cat /etc/pki/CA/index.txt
                          V: the certificate has been signed and is valid
                          01: the serial number of the certificate
                          /C=CN/ST=Beijing/O=... ...: the subject information (the subject's distinguished name)
            Method two: view the information inside the certificate (on the CA or the server):
            ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
                          -serial: serial number    -subject: subject information
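Reading index.txt by hand works for one certificate, but a CA that has issued a few dozen needs something scriptable. The helpers below are an added example, not part of the original article; they parse the record format that openssl ca writes (status, expiry, revocation date, serial, file name, subject DN) and answer the questions an operator asks of a CA database: what is valid, what is revoked, and which serial belongs to a given host name. The three records are constructed sample data standing in for /etc/pki/CA/index.txt, and the host names under example.test are invented.

```shell
#!/bin/sh
# Added example, not from the original article: small helpers for reading the CA
# database (/etc/pki/CA/index.txt). openssl ca writes one tab-separated record
# per issued certificate with six fields:
#   1 status: V = valid, R = revoked, E = expired (E is only set by "openssl ca -updatedb")
#   2 expiry date (YYMMDDHHMMSSZ)
#   3 revocation date, optionally ",reason" (empty unless status is R)
#   4 serial number (hex, as in the serial file)
#   5 certificate file name ("unknown" for files written by openssl ca)
#   6 subject DN
# The records below are constructed sample data standing in for a real index.txt.
INDEX_FILE="${TMPDIR:-/tmp}/index_demo_$$.txt"
trap 'rm -f "$INDEX_FILE"' EXIT
printf 'V\t191231235959Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Example/CN=www.example.test\n' >  "$INDEX_FILE"
printf 'R\t191231235959Z\t181201120000Z,keyCompromise\t02\tunknown\t/C=CN/ST=Beijing/O=Example/CN=old.example.test\n' >> "$INDEX_FILE"
printf 'V\t200630000000Z\t\t03\tunknown\t/C=CN/ST=Beijing/O=Example/CN=mail.example.test\n' >> "$INDEX_FILE"

# summarize_index FILE: one line per record, "serial status CN expiry [revoked: date,reason]"
summarize_index() {
    awk -F '\t' '{
        cn = ""; n = split($6, p, "/")
        for (i = 1; i <= n; i++) if (p[i] ~ /^CN=/) cn = substr(p[i], 4)
        line = $4 " " $1 " " cn " " $2
        if ($1 == "R") line = line " revoked: " $3
        print line
    }' "$1"
}

# count_status FILE STATUS: how many records carry the given status letter
count_status() {
    awk -F '\t' -v s="$2" '$1 == s { c++ } END { print c + 0 }' "$1"
}

# serial_of_cn FILE CN: serial issued for an exact common name (empty if none)
serial_of_cn() {
    awk -F '\t' -v want="$2" '{
        n = split($6, p, "/")
        for (i = 1; i <= n; i++) if (p[i] == "CN=" want) { print $4; exit }
    }' "$1"
}

# revoked_serials FILE: serials that must appear in the next CRL
revoked_serials() {
    awk -F '\t' '$1 == "R" { print $4 }' "$1"
}

summarize_index "$INDEX_FILE"
```

Point the functions at the real /etc/pki/CA/index.txt on the CA host to use them for real. Note that openssl ca never flips a record from V to E on its own; run openssl ca -updatedb first if the expiry column matters for the report.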
   
6. The CA sends the signed .crt certificate to the server
          ~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.249.210:/etc/httpd/ssl
        Note: the first time scp is used between these hosts, ssh will ask you to confirm the peer's host key
     
7. Remove the *.csr files on both the server and the CA host after signing, for safety
httpd host: ~]# rm -rf /etc/httpd/ssl/httpd.csr
CA host: ~]# rm -rf /tmp/httpd.csr
 
 
 
 
Four, OpenSSL: revoking a certificate signed by the private CA
1. The client obtains the serial number of the certificate to be revoked (run on the host that uses the certificate)
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
   
2. Revoke the certificate on the CA host
        First compare the serial number and subject submitted by the client with the records stored in the CA's own database index.txt and confirm they are the same;
        When a certificate was issued into /etc/pki/CA/certs/, a copy of it was also stored in /etc/pki/CA/newcerts/ under the name SERIAL.pem
     revoke:
  # openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem   # replace SERIAL with the real serial number, e.g. 01.pem
   
3. Generate the CRL number (only the first time a certificate is revoked)
# echo 01 > /etc/pki/CA/crlnumber
 
4. Update the certificate revocation list
# openssl ca -gencrl -out thisca.crl
 
5. Inspect the CRL file:
# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
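The script below is an added example, not part of the original article. It runs the whole procedure from sections Two, Three and Four end to end in a temporary directory with a cut-down openssl.cnf of its own, modelled on the [ca], [CA_default] and [req] sections shown in section One, so it can be tried without touching /etc/pki/CA. It also adds the two checks the article leaves out: openssl verify against the CA certificate after signing, and the same check with -crl_check after revocation, which must fail. The DNs, the host name www.example.test and the file names are constructed.

```shell
#!/bin/sh
# Added example, not the article's own commands: the full lifecycle described
# above (private CA, server CSR, signing, revocation, CRL) run end to end in a
# throwaway directory with its own minimal openssl.cnf, so nothing under
# /etc/pki/CA is touched. All DNs, host names and paths are constructed.

run_ca_lifecycle() {
    work="$(mktemp -d)" || return 1
    ca="$work/CA"; cfg="$work/openssl.cnf"
    # Same layout the article creates under /etc/pki/CA (section Two, step 3)
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" || return 1
    touch "$ca/index.txt"; echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"

    # Cut-down equivalent of the [ca]/[CA_default]/[req] sections from section One
    cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
default_md = sha256
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Section Two: CA private key (mode 0600 via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -config "$cfg" -new -x509 -key "$ca/private/cakey.pem" -days 3655 \
        -subj "/C=CN/ST=Beijing/O=Example Org/CN=Example Private CA" \
        -out "$ca/cacert.pem" || return 1

    # Section Three, steps 1-2: server key and CSR (on the real setup this runs on the httpd host).
    # No -days here: a CSR carries no validity period, so req ignores it without -x509.
    (umask 077; openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null) || return 1
    openssl req -config "$cfg" -new -key "$work/httpd.key" \
        -subj "/C=CN/ST=Beijing/O=Example Org/CN=www.example.test" \
        -out "$work/httpd.csr" || return 1

    # Section Three, step 4: CA signs; -batch answers the two y/n prompts automatically.
    # A copy of the issued cert lands in newcerts/01.pem, the file -revoke needs later.
    openssl ca -config "$cfg" -batch -in "$work/httpd.csr" -out "$work/httpd.crt" \
        -days 365 || return 1
    openssl verify -CAfile "$ca/cacert.pem" "$work/httpd.crt" >/dev/null || return 1

    # Section Four: revoke by serial file, publish the CRL, then check the chain against it
    openssl ca -config "$cfg" -revoke "$ca/newcerts/01.pem" || return 1
    openssl ca -config "$cfg" -gencrl -out "$ca/crl/thisca.crl" || return 1
    if openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/thisca.crl" \
          "$work/httpd.crt" >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2; rm -rf "$work"; return 1
    fi
    # Report the status column of index.txt for serial 01: "R" once revoked
    awk -F '\t' '$4 == "01" { print $1 }' "$ca/index.txt"
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then run_ca_lifecycle; fi
```

Run it as sh ca_lifecycle.sh --run; it prints R, the status of serial 01 in index.txt after revocation. Two caveats are visible in the script: -batch replaces the interactive y/n prompts of openssl ca, so the operator check from section Three, step 4 is skipped, which is acceptable in a test harness but not on a real CA; and the validity of an issued certificate comes from -days on openssl ca (or default_days), never from the CSR.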
     
         
         
         
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.