How to configure encryption, authentication and CA certificates in Linux
Source: Internet
Author: User
Plaintext transmission: telnet, ftp and pop3 send passwords in the clear, so the password is unreliable.
sendmail, NFS and NIS: the transmitted information/data is unreliable.
rsh and rcp: the authentication is unreliable.
Security mechanisms:
1. Random number generator
/dev/random: a software device created at system initialization; a character device that produces random numbers.
/dev/urandom -- entropy pool: random numbers are drawn from the entropy pool; when the pool is empty, a pseudo-random number mechanism is used.
cat /dev/random
2. One-way encryption (hashing)
One-way encryption extracts a signature (fingerprint) of the data; it does not encrypt the data itself.
Features: arbitrary input, fixed-length output
Avalanche effect
Irreversible: the input cannot be recovered from the output
Common algorithms:
md2 md5 mdc2 rmd160 sha sha1 ---> in practice md5 and sha1
3. symmetric encryption:
DES 3DES AES Twofish RC6
4. Asymmetric encryption: public-key encryption
Implemented on the basis of one-way functions; keys come in pairs (public key and private key)
Encryption tools: openssl, gpg (file encryption)
openssl rand 67 generates 67 bytes of random data
openssl rand -base64 67 encodes the random binary output in base64
Digital signature: the sender encrypts the data with its private key and sends it to the receiver; the receiver, who holds the sender's public key, decrypts it.
CA: a trusted third-party certificate authority
OpenCA: manages large numbers of CA certificates
CA commands:
# openssl genrsa 1024 > /root/http.key    generate a key pair
# openssl rsa -in /root/http.key -pubout    extract the public key
# openssl req -new -key /root/http.key -out ./private/http.csr    generate a certificate signing request (CSR) to submit to the CA
# openssl req -noout -in /root/http.csr -text    view the contents of the request
Self-signed certificates: generally stored in /etc/pki/CA
# openssl req -new -x509 -key /private/http.key -out ./private/http.crt -days 3655    generate a self-signed certificate valid for 3655 days
OpenSSL configuration file: /etc/pki/tls/openssl.cnf; it sets the default certificate options.
Test CA certificate:
# cd /etc/pki/tls/certs
# make httpd.crt    generate a certificate using the Makefile in this directory
# make httpd.key    can also generate a private key
Revoke a certificate:
# openssl ca -revoke httpd.crt
Update the certificate revocation list (CRL):
# openssl ca -gencrl -out httpd.crl
OpenSSL configuration
1. Configure a CA server (192.168.0.21)
1. Generate a key
# cd /etc/pki/CA
# openssl genrsa 1024 > private/cakey.pem    generate a key pair
# chmod 400 private/cakey.pem
2. Self-signed certificate
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
Enter the requested information as needed.
3. Edit the OpenSSL configuration file /etc/pki/tls/openssl.cnf
# vim /etc/pki/tls/openssl.cnf
Locate the [ CA_default ] section and change the dir value:
dir = /etc/pki/CA
4. Create the required files
# mkdir certs newcerts crl
# touch serial index.txt
# echo 01 > serial    (hexadecimal, starting from 01)
2. Configure the client that provides the https service and needs the certificate (client IP address 192.168.0.65)
5. Create and enter the working directory
# cd /etc/httpd
# mkdir certs    stores the certificate files
# cd certs
6. Generate the client's key (simulating the client)
# openssl genrsa 1024 > httpd.key
# chmod 400 httpd.key
7. Generate the certificate request to submit to the CA server
# openssl req -new -key httpd.key -out httpd.csr
The information entered must be consistent with that of the CA.
8. Submit the request to the CA server
# scp httpd.csr 192.168.0.21:/tmp
9. Sign the certificate on the CA server (192.168.0.21)
# cd /tmp
# openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt
Once the certificate has been generated, it can be sent directly to the client:
# scp /etc/pki/CA/certs/httpd.crt 192.168.0.65:/etc/httpd/certs/
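The whole CA workflow above (directory layout, the [ CA_default ] dir setting, serial/index.txt, CSR signing with openssl ca, revocation and CRL generation) run end to end as one script. This is an added example, not code from the original page: it uses a scratch directory in place of /etc/pki/CA so it needs no root, and the subject names (Test CA, www.example.test) are constructed placeholders.

```shell
# Added example (not from the page); the CA dir stands in for /etc/pki/CA, names are constructed.
set -eu
setup_ca() {    # $1 = CA dir; creates the files and the openssl.cnf 'dir' setting the page edits
    CA="$1"
    mkdir -p "$CA/certs" "$CA/newcerts" "$CA/crl" "$CA/private"
    touch "$CA/index.txt"
    echo 01 > "$CA/serial"    # hexadecimal serial, starts at 01
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
    chmod 400 "$CA/private/cakey.pem"
    openssl req -new -x509 -days 3655 -config "$CA/openssl.cnf" -subj "/CN=Test CA" \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem"
}

issue_cert() {  # $1 = CA dir, $2 = httpd cert dir: key, CSR, 'openssl ca' signing, then verify
    mkdir -p "$2"
    openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -subj "/CN=www.example.test" \
        -key "$2/httpd.key" -out "$2/httpd.csr"
    openssl ca -batch -config "$1/openssl.cnf" -in "$2/httpd.csr" -out "$2/httpd.crt" 2>/dev/null
    openssl verify -CAfile "$1/cacert.pem" "$2/httpd.crt"    # prints '<path>/httpd.crt: OK'
}

revoke_cert() { # $1 = CA dir, $2 = cert: revoke it, regenerate the CRL, confirm verify now fails
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
    ! openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/ca.crl" "$2" 2>/dev/null
}
```

Run it as `setup_ca /tmp/ca; issue_cert /tmp/ca /tmp/httpd; revoke_cert /tmp/ca /tmp/httpd/httpd.crt`; the V and R flags in index.txt show the certificate's status before and after revocation.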