OpenSSL: creating a private CA and handling certificate signing requests, explained

Add Date : 2018-11-21
One, OpenSSL: CA default configuration information

1. Certificate Authority (CA): either a public, trusted CA or a private CA
   How to set up a private CA:
   For small-scale tests, use openssl directly;
   For large enterprises that maintain many certificates, use OpenCA (a wrapper around openssl that is more convenient to operate).
 
2. openssl configuration file: /etc/pki/tls/openssl.cnf
    [root@localhost tmp]# cat /etc/pki/tls/openssl.cnf
The file is organised into "[configuration sections]", each holding the settings for one area.
===================== openssl.cnf partial summary ========
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
####################################################################
[ ca ]                          # CA configuration section
default_ca = CA_default         # The default ca section: the default CA is configured in [CA_default]
####################################################################
[ CA_default ]                  # working environment of the default CA
dir = /etc/pki/CA               # Where everything is kept: the default working directory, referenced as a variable below
certs = $dir/certs              # Where the issued certs are kept
crl_dir = $dir/crl              # Where the issued crl are kept
database = $dir/index.txt       # database index file: index of the certificates issued
new_certs_dir = $dir/newcerts   # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate: the CA's self-signed certificate
serial = $dir/serial            # The current serial number: serial of the next certificate; must be initialised by hand the first time
crlnumber = $dir/crlnumber      # the current crl number
                                # must be commented out to leave a V1 CRL
crl = $dir/crl.pem              # The current CRL
private_key = $dir/private/cakey.pem   # The private key: the CA's own private key
RANDFILE = $dir/private/.rand          # private random number file

x509_extensions = usr_cert      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default           # Subject Name options
cert_opt = ca_default           # Certificate field options

default_days = 365              # how long to certify for: default validity of issued certificates
default_crl_days = 30           # how long before next CRL: default validity of a CRL
default_md = sha256             # use SHA-256 by default: default digest algorithm
preserve = no                   # keep passed DN ordering
##################################################
[ req ]                         # properties of certificate signing requests submitted to the CA
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca         # The extensions to add to the self signed cert
==================================================
 
 
 
 
Two, OpenSSL: steps to create a private CA (certificate issuing authority)
On the host chosen as the CA server, generate a self-signed certificate for the CA and provide the directories and files the CA needs.
The CA host does not need to take part in the actual network traffic; it only signs certificates and need not serve clients.
      1. Generate a private key:
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
    The default configuration names /etc/pki/CA/private/cakey.pem, so the directory and file name given here must match the configuration file.

      2. Generate the CA's self-signed certificate:
              req - PKCS#10 certificate request and certificate generating utility
  [root@localhost tmp]# man req
  ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
                  /etc/pki/CA/cacert.pem: the directory and file name given in the configuration file
  -new: generate a new certificate signing request;
  -x509: output a self-signed certificate instead of a request; used when creating a private CA;
  -key: path of the private key used to generate the request;
  -out: path of the generated request file; with -x509, the self-signed certificate is written here directly;
  -days: validity period of the certificate, in days;
 note:
1) -key /etc/pki/CA/private/cakey.pem gives the private key; the public key is extracted from it automatically
2) req on its own can only generate a signing request; the -x509 option makes it sign that request with the same key. Omit -x509 for certificates that will not be self-signed.
[root@localhost tmp]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
          ==================================== Fill in the certificate request information =========
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:                          # two-letter country code, CN for China
State or Province Name (full name) []:                      # full name of the province or state
Locality Name (eg, city) [Default City]:                    # city
Organization Name (eg, company) [Default Company Ltd]:      # organisation name (company)
Organizational Unit Name (eg, section) []:                  # organisational unit (e.g. department)
Common Name (eg, your name or your server's hostname) []:   # holder's name or the server's host name (i.e. the domain name)
Email Address []:                                           # administrator's e-mail address, may be omitted
        ==================================================

3. Provide the directories and files the CA needs:
            ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}   # directories for issued certificates, revocation lists and new certificates, if they do not exist yet
            ~]# touch /etc/pki/CA/{serial,index.txt}         # the certificate serial number file and the certificate index file
            ~]# echo 01 > /etc/pki/CA/serial                  # the serial number must be set by hand when the CA is first created
 
 
 
 
Three, OpenSSL: requesting a signed certificate for a service to implement SSL secure communication
    For a server to use a certificate for secure communication, it must request a CA-signed certificate;
    the service requesting the signature and the CA that signs it need not be on the same host.
        The httpd service is used as the example here; the steps are as follows:
Demo environment:
the httpd service runs on host 172.16.249.210 (installed from the rpm package here)
 the private CA signing authority runs on host 172.16.249.18

1. Generate the private key the server certificate will use:
            ~]# mkdir /etc/httpd/ssl
            ~]# cd /etc/httpd/ssl
            ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)   # generate the private key
                  The httpd service's private key is not created under /etc/pki/CA; that directory tree is only created on the host that acts as the CA.

2. Generate the certificate signing request:
            ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
                    1) *.csr denotes a certificate signing request file
                    2) the country, province and organisation entered must match those of the CA: the CA's default signing policy requires it, otherwise the request is refused
                    3) without -x509, -days has no effect on a request; the validity of the issued certificate is set by the CA when it signs

3. Send the request to the CA host by a reliable means:
              ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.249.18:/tmp/

4. Sign the certificate on the CA host:
            ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
                          *.crt: denotes a certificate file
                          -days: validity period of the signed certificate
 Note: check here that the information shown is correct before confirming that the certificate should be signed

5. Review the information of the signed certificate:
              Method one: ~]# cat /etc/pki/CA/index.txt
                          V: the certificate has been issued and is valid
                          01: the certificate's serial number
                          /C=CN/ST=Beijing/O=...: the subject information
            Method two: view the information in the certificate itself (works on the CA or on the server):
            ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
                          -serial: serial number    -subject: subject information

6. The CA sends the signed .crt certificate to the server:
          ~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.249.210:/etc/httpd/ssl
        Note: the first time scp connects to a host over ssh, it asks you to confirm that host's key

7. Remove the *.csr files from both the server and the CA host once signing is complete:
httpd host: ~]# rm -f /etc/httpd/ssl/httpd.csr
CA host:    ~]# rm -f /tmp/httpd.csr
 
 
 
 
Four, OpenSSL: revoking a certificate signed by the private CA
1. The client obtains the serial number of the certificate to revoke (run on the host that uses the certificate):
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject

2. Revoke the certificate on the CA host
        First compare the serial number and subject submitted by the client with the entry stored in the CA's own database, index.txt, and confirm that they match;
        when a certificate was issued into /etc/pki/CA/certs/, a copy named SERIAL.pem was also stored under /etc/pki/CA/newcerts/, and that copy is what gets revoked:
     revoke:
  # openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem   # replace SERIAL with the real serial number, e.g. 01.pem

3. Generate the CRL number (only the first time a certificate is revoked):
# echo 01 > /etc/pki/CA/crlnumber

4. Update the certificate revocation list:
# openssl ca -gencrl -out thisca.crl

5. Check the crl file:
# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
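The procedures of sections two, three and four run end to end in the following script, an added example that is not part of the original article. It builds the CA layout in a scratch directory instead of /etc/pki/CA, writes a minimal openssl.cnf holding only the keys the article lists (the section and key names are OpenSSL's own; the directory, subjects and file names are constructed for the demo), issues a certificate from a CSR, revokes it, and checks the outcome with openssl verify. It assumes only that the openssl command is installed.

```shell
set -eu
CA="$(mktemp -d)"; CNF="$CA/openssl.cnf"       # scratch stand-in for /etc/pki/CA
mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private" "$CA/httpd"
touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
# Minimal openssl.cnf with the [ca]/[CA_default] keys the article lists;
# policy_any keeps the CSR's subject fields, commonName being mandatory.
cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
certificate = $CA/cacert.pem
serial = $CA/serial
crlnumber = $CA/crlnumber
private_key = $CA/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# Section two: CA private key (mode 0600 via umask) and self-signed CA certificate.
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$CNF" -key "$CA/private/cakey.pem" -days 3655 \
    -subj "/C=CN/O=Demo CA/CN=demo-ca" -out "$CA/cacert.pem"
# Section three: server key and CSR, signed by the CA (-batch skips the y/n prompts).
openssl genrsa -out "$CA/httpd/httpd.key" 2048 2>/dev/null
openssl req -new -config "$CNF" -key "$CA/httpd/httpd.key" \
    -subj "/C=CN/O=Demo Web/CN=www.example.test" -out "$CA/httpd/httpd.csr"
openssl ca -batch -notext -config "$CNF" -in "$CA/httpd/httpd.csr" -days 365 \
    -out "$CA/certs/httpd.crt" >/dev/null 2>&1
publish_crl() { openssl ca -config "$CNF" -gencrl -out "$CA/crl.pem" 2>/dev/null; }
publish_crl                                      # an empty CRL, so checks can run
# Status letter index.txt records for a serial: V = valid, R = revoked.
cert_status() { awk -F'\t' -v s="$1" '$4 == s {print $1}' "$CA/index.txt"; }
# Section four: revoke via the copy kept as newcerts/SERIAL.pem, then reissue the CRL.
revoke_serial() { openssl ca -config "$CNF" -revoke "$CA/newcerts/$1.pem" >/dev/null 2>&1; publish_crl; }
# What a client does: chain to the CA certificate, then look the serial up in the CRL.
check_cert() { openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" "$1" \
                   >/dev/null 2>&1 && echo ok || echo revoked; }
BEFORE="$(cert_status 01):$(check_cert "$CA/certs/httpd.crt")"   # V:ok
revoke_serial 01
AFTER="$(cert_status 01):$(check_cert "$CA/certs/httpd.crt")"    # R:revoked
```

Run it as a whole; `echo "$BEFORE -> $AFTER"` afterwards shows the certificate passing the CRL check before revocation and failing it after.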
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.