Generating certificates for Apache with OpenSSL

Source: Internet
Author: User

I have recently been learning the SSL protocol; this time the certificates are generated with the OpenSSL that ships with the Apache server.

TLS: Transport Layer Security, the protocol that succeeded SSL

SSL: Secure Sockets Layer

key: a private key

CSR: a certificate signing request. It carries the applicant's public key and identity (subject) fields and is what is submitted to a certificate authority before an X.509 certificate can be issued; typically the applicant submits the request file and the CA issues the certificate from it.

CRT: a certificate, usually stored in a file ending in .crt. In this setup the server certificate server.crt and the client certificate client.crt both have to be signed by the CA (ca.crt together with its private key ca.key).

1. When you have the CA sign a request, note that the country, state/province and organization in the request must be the same as in the CA certificate, because the stock openssl.cnf selects policy_match, which requires those three fields to match. Otherwise the error reported is:

The countryName field needed to be the same in the CA certificate (CN) and the request (SH)

2. When the CA signs a request whose subject is identical to a certificate it has already issued, signing fails: the same certificate cannot be generated twice, because unique_subject defaults to yes in the CA database. The error message is:

failed to update database
TXT_DB error number 2

OpenSSL: an open-source implementation of SSL/TLS

Here two configuration sections need to be modified, and some folders and files created:

First:

Find the following two lines in httpd.conf and remove the leading comment character #:

LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

Second:

In httpd-ssl.conf:

SSLCertificateFile "D:/apache/apache/conf/server.crt"

SSLCertificateKeyFile "D:/apache/apache/conf/server.key"

These are the paths where the generated server certificate and private key will be placed.

Third:

Under the bin directory, create:

a demoCA folder;

inside it, a blank index.txt;

inside it, a serial file whose content is 01.

(The stock openssl.cnf also sets new_certs_dir = $dir/newcerts, so create an empty newcerts subfolder inside demoCA as well; openssl ca archives a copy of every issued certificate there and fails if the folder is missing.)

The reason for creating these files is that, opening openssl.cnf, we find these defaults:

[ CA_default ]

dir = ./demoCA # Where everything is kept

...

database = $dir/index.txt # database index file.

...

serial = $dir/serial # The current serial number

...

Steps for generating a certificate with OpenSSL:

1. Use OpenSSL to generate the CA private key, ca.key

Execute in the D:\Apache\Apache\bin directory: openssl genrsa -out ca.key 1024

This yields ca.key (1024-bit RSA). Note that 1024-bit RSA is no longer considered secure; use 2048 bits or more for anything beyond a learning exercise.

2. Use the CA's private key to generate the CA certificate, ca.crt

Execute in the D:\Apache\Apache\bin directory: openssl req -new -x509 -days 365 -key ca.key -out ca.crt -config ..\conf\openssl.cnf

This yields ca.crt (an X.509 certificate valid for one year) from the CA private key ca.key.


From the Issuer and Issued To columns it can be seen that this is a self-signed certificate.

3. Generate the server private key, server.key

Execute in the D:\Apache\Apache\bin directory: openssl genrsa -out server.key 1024

This yields a 1024-bit server.key (the same caveat about key size applies).

4. Generate a certificate signing request, server.csr

Execute in the D:\Apache\Apache\bin directory: openssl req -new -out server.csr -key server.key -config ..\conf\openssl.cnf

This generates server.csr from server.key.

You will be prompted for country, province, city, company and similar fields. Common Name is mandatory and must be the domain name or IP address that clients will use to reach the server, because the browser compares it with the address in the URL. Current browsers check the subjectAltName extension rather than the Common Name, so for a certificate that a modern browser accepts the name also has to be placed in a subjectAltName.

5. Have the CA sign the server's request, producing server.crt

Execute in the D:\Apache\Apache\bin directory: openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ..\conf\openssl.cnf

This yields server.crt.

The server certificate server.crt must be signed by the CA, i.e. with ca.crt and its private key ca.key.


From the Issuer it can be seen that this certificate was issued by the 127.0.0.1 authority, and was issued to the server address of Hikvison.

6. Copy server.crt and server.key to the Apache conf folder; both the server private key and the server certificate are required to start the SSL service. If either is missing, the following error is reported:


After restarting Apache, the configured HTTPS address can be accessed.

7. At this point the certificate is still not trusted. Opening server.crt and ca.crt shows:

Server.crt


Ca.crt


Add the CA's certificate to the Trusted Root Certification Authorities store: open Run from the Start menu, enter certmgr.msc, import ca.crt under Trusted Root Certification Authorities, and then the certificate path information looks like this:

Server.crt


Ca.crt


Keep in mind what this import means: every certificate signed with ca.key is now trusted by this machine, so the CA private key must be protected as carefully as the trust you have just granted it.

8. Open the corresponding IP address or domain name: https://127.0.0.1:8443/

If the CA certificate has not been installed, a warning is displayed:


After it has been installed, no certificate warning is shown:



To summarize, the main steps for generating a certificate are:

1. Generate the CA private key → create the CA's certificate request → produce the CA certificate (self-signed; openssl req -new -x509 does the last two in one step)

2. Generate the server/client private key → generate a certificate signing request → obtain the server/client certificate by having the CA sign the request
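The whole sequence from steps 1 to 5, plus the two signing errors noted at the top of the post, as an added example that is not part of the original post. It runs in a POSIX shell (the post's commands were typed at the Windows prompt, but the openssl invocations are the same), writes a minimal openssl.cnf of its own instead of relying on the one under conf\, and uses 2048-bit keys rather than the post's 1024. The working directory, subjects, host names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post).  Assumed: a throw-away
# working directory, the subjects below, 2048-bit keys instead of the post's
# 1024-bit ones, and a self-written openssl.cnf rather than conf\openssl.cnf.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# The layout [ CA_default ] expects: index database, serial counter and the
# folder where openssl ca archives a copy of every certificate it issues.
mkdir -p demoCA/newcerts
: > demoCA/index.txt
echo 01 > demoCA/serial

cat > openssl.cnf <<'EOF'
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = ./ca.crt
private_key     = ./ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
# unique_subject is left at its default "yes": a second request with a subject
# already in index.txt fails with "failed to update database / TXT_DB error number 2".

# Stock policy: C, ST and O must equal the CA certificate's values.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
commonName             = supplied

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Steps 1-2: CA private key and self-signed CA certificate (ten years).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config openssl.cnf \
    -subj "/C=CN/ST=Zhejiang/O=Example Corp/CN=Example Test CA"

# Steps 3-4: server private key and signing request; CN is the host name.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr -config openssl.cnf \
    -subj "/C=CN/ST=Zhejiang/O=Example Corp/CN=www.example.test"

# Step 5: sign_csr CSR OUTFILE [POLICY] -> echoes "issued" or "refused".
# -batch answers the "Sign the certificate?" prompts non-interactively.
sign_csr() {
    if openssl ca -batch -config openssl.cnf -policy "${3:-policy_match}" \
           -cert ca.crt -keyfile ca.key -in "$1" -out "$2" >/dev/null 2>&1
    then echo issued; else echo refused; fi
}
# issuer_of CERT: the Issuer line the post's screenshots show.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
# chain_ok CERT: "OK" if CERT chains to ca.crt (what trusting the CA buys you).
chain_ok() {
    if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

first=$(sign_csr server.csr server.crt)                  # issued
second=$(sign_csr server.csr server2.crt)                # refused: same subject twice
openssl req -new -key server.key -out other.csr -config openssl.cnf \
    -subj "/C=US/ST=California/O=Other Inc/CN=api.example.test"
strict=$(sign_csr other.csr other.crt)                   # refused: C/ST/O differ from CA
relaxed=$(sign_csr other.csr other.crt policy_anything)  # issued

echo "first=$first second=$second strict=$strict relaxed=$relaxed"
echo "$(issuer_of server.crt)  chain=$(chain_ok server.crt)"
```

Run it with sh and it prints issued/refused for each attempt and the Issuer line that the post's screenshots show. The two refusals are the two errors quoted at the top of the post: the second signing of server.csr hits unique_subject (TXT_DB error number 2), and other.csr hits policy_match until -policy policy_anything is passed. openssl verify -CAfile ca.crt is the command-line counterpart of importing ca.crt into the trusted root store in step 7.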



How the SSL protocol works:

Two-way verification, step by step (one-way verification is the same flow without the client certificate exchange in step ⑤):

① The browser sends a connection request to the secure server.

② The server sends its own certificate, along with information associated with the certificate, to the client's browser.

③ The client browser checks whether the certificate sent by the server was issued by a trusted CA (such as the Wosign CA). If it was, the protocol continues; if not, the browser warns the user that the certificate is not trustworthy and asks whether to continue.

④ The browser then compares the information in the certificate, such as the domain name and the public key, with what the server has just sent; if they are consistent, the browser accepts the server's identity as legitimate.

⑤ The server requires the client to send its own certificate. On receipt, the server verifies the client's certificate, refuses the connection if it does not pass verification, and otherwise obtains the user's public key from it.

⑥ The browser tells the server which symmetric cipher schemes it supports for the communication.

⑦ From the schemes the client sent, the server selects the strongest one, encrypts it with the client's public key and notifies the browser.

⑧ For that cipher scheme the browser selects a session key, encrypts it with the server's public key and sends it to the server.

⑨ The server receives the message from the browser, decrypts it with its own private key and obtains the session key.

⑩ From then on the server and the browser communicate under the symmetric cipher scheme, with a symmetric key that was exchanged in encrypted form.

Two-way authentication requires both the server and the client to prove their identity; the server only lets in clients whose certificate it accepts, so it is relatively more secure.

The handshake in more detail (step ⑤ applies when the server asks for client authentication):

① The client's browser sends the server its SSL protocol version number, the cipher algorithms it supports, a randomly generated number and the other information the two sides need to communicate.

② The server sends the client its SSL protocol version number, the chosen cipher algorithm, its own random number and related information, and also sends its own certificate to the client.

③ The client uses the information sent by the server to verify the server's legitimacy, which covers: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the "issuer's digital signature" on the server certificate, and whether the domain name in the server certificate matches the server's actual domain name. If this verification fails the communication is disconnected; if it passes, the fourth step follows.

④ The client randomly generates a "symmetric password" (the pre-master secret) for subsequent communication, encrypts it with the server's public key (taken from the server certificate in step ②) and sends the encrypted pre-master secret to the server.

⑤ If the server requires client authentication, it must verify the legitimacy of the client certificate and the signed random number. That verification covers: whether the client certificate's validity dates are current, whether the CA that issued the client certificate is trusted, whether the issuing CA's public key correctly verifies the issuing CA's digital signature on the client certificate, and whether the client certificate appears in the certificate revocation list (CRL). If any check fails the communication is interrupted immediately; if it passes, the server uses its own private key to decrypt the encrypted pre-master secret and then runs a series of steps to derive the master secret for the session (the client derives the same master secret in the same way).

⑥ The server and the client use the same master secret as the "session secret", the symmetric key with which the SSL protocol encrypts and decrypts the secure data communication. The SSL communication also protects the integrity of the data, so that any change to the data in transit is detected.

⑦ The client sends the server a message stating that subsequent data traffic will use the master secret from step ⑤ as the symmetric key, and notifies the server that the client's side of the handshake is complete.

⑧ The server sends the client a message stating that subsequent data traffic will use the master secret from step ⑤ as the symmetric key, and notifies the client that the server's side of the handshake is complete.

⑨ The SSL handshake is over and data communication over the SSL secure channel begins: the client and the server communicate with the same symmetric key, and the integrity of the communication is checked at the same time.

(What is described here is the RSA key-transport handshake of SSL 3.0 and TLS 1.0 to 1.2. TLS 1.3 replaced it with an ephemeral (EC)DHE key agreement, so the session keys can no longer be recovered by anyone who later obtains the server's private key.)

SSL one-way authentication only requires that the site has an SSL certificate deployed; any user can access it (apart from IP restrictions and the like), and only the server side proves its identity.

Differences between one-way and two-way verification:

Two-way authentication SSL requires both the server and the user to have certificates. One-way authentication SSL does not require the client to have a CA-issued certificate and has no server-side step for validating a client certificate; moreover, when negotiating the symmetric cipher scheme and the symmetric session key, the server sends the cipher scheme to the client unencrypted (this does not affect the security of the SSL process). Either way the actual content of the communication is encrypted data: if a third party intercepts it, they obtain only ciphertext, and to extract useful information they would have to break the encryption, which is secure as long as the key is long enough.

General web applications use SSL one-way authentication, because their user base is broad and there is no need to authenticate users at the communication layer; the application logic layer is usually what ensures that a user's login is legitimate. For enterprise application integration, the client (the other party) may be required to prove its identity, in which case SSL two-way authentication is needed.
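The checks in step ③ (issuer trusted, name matches, validity period current), as an added example that is not part of the original post, using openssl verify as the stand-in for the browser. It issues its own test certificates with openssl x509 -req, a lighter way of signing than the openssl ca flow above, so it runs on its own; the host names, subjects and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): the browser's step-③ checks
# reproduced with "openssl verify".  Host names, subjects, the ten-year CA and
# one-year server lifetimes are assumptions.
set -e
WORK2="${WORK2:-$(mktemp -d)}"
cd "$WORK2"

# Tiny request config: [req] is mandatory for "openssl req", and the
# basicConstraints extension is what marks the self-signed cert as a CA.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Trust anchor: a self-signed CA (the browser trusts it only after import).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config req.cnf \
    -keyout ca.key -out ca.crt -subj "/C=CN/O=Example Corp/CN=Example Test CA" 2>/dev/null

# Server certificate for www.example.test, valid one year.  Hostname matching
# looks at subjectAltName first, so the name goes into the extension file.
openssl req -new -newkey rsa:2048 -nodes -config req.cnf -keyout server.key \
    -out server.csr -subj "/C=CN/O=Example Corp/CN=www.example.test" 2>/dev/null
printf 'subjectAltName = DNS:www.example.test\nbasicConstraints = CA:FALSE\n' > leaf.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null

# verify_with OPTIONS...: runs openssl verify on server.crt, echoes OK or FAIL.
verify_with() {
    if openssl verify "$@" server.crt >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
trusted_issuer()   { verify_with -CAfile ca.crt; }                       # OK
untrusted_issuer() { verify_with -no-CAfile -no-CApath; }                # FAIL: issuer unknown
name_matches()     { verify_with -CAfile ca.crt -verify_hostname "$1"; } # OK only for the SAN
valid_at()         { verify_with -CAfile ca.crt -attime "$1"; }          # FAIL after one year

now=$(date +%s)
echo "trusted issuer:   $(trusted_issuer)"
echo "untrusted issuer: $(untrusted_issuer)"
echo "hostname:         $(name_matches www.example.test) / $(name_matches login.example.test)"
echo "validity:         $(valid_at "$now") / $(valid_at $((now + 400 * 86400)))"
```

Each helper echoes OK or FAIL, so the expected failures (unknown issuer, wrong host name, certificate evaluated 400 days out, when it has expired) are visible without reading OpenSSL's error text. In two-way verification the server applies the same three checks to the client certificate; the CRL lookup from step ⑤ is the same command with -crl_check and -CRLfile added.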

If anything above is incorrect, fellow netizens are welcome to throw bricks and point it out! Come on.
