() OpenSSL CA (Signed and self-built CA)

Source: Internet
Author: User
Tags openssl x509

A database that is used to sign certificate requests, generate revocation list CRLs, and maintain a list of issued certificates and the status of these certificates. Because the average person does not need to manage CRLs, this article only describes the capabilities of the OpenSSL CA with respect to certificate management.

The certificate request file is signed with the CA's private key , and the certificate is issued to the requester after signing .

When signing, in order to ensure the integrity and consistency of the certificate, you should also generate a digital digest of the signed certificate, that is, the use of one-way encryption algorithm.

Because the OpenSSL CA command is highly dependent on the configuration file (default/etc/pki/tls/openssl.cnf) , it is recommended to combine.

The structure of the file required to sign the certificate is specified in the configuration file, and the structure requirements in the default openssl.cnf are as follows:

[Ca_default]dir             =/etc/pki/ca             # define PATH variable certs           = $dir/certs              The saved directory of issued certificates database        = $dir/ Index.txt          # Database index file New_certs_dir   = $dir/newcerts           newly signed certificate save directory Certificate     = $dir/ CACERT.PEM         CA certificate path name serial          = $dir/serial             # Current certificate serial number Private_key     = $dir/private/ Cakey.pem  CA's private key path name

The directory/etc/pki/ca/{certs,newcerts,private} is present by default after installing OpenSSL, so there is no need to create it independently, but The database file for the certificate index.txt and the sequence file serial must be created manually, and the serial number file will be given an ordinal number, such as "Down".

[Email protected] tmp]# touch/etc/pki/ca/index.txt [[email protected] tmp]# echo >/etc/pki/ca/serial

In addition, to sign a certificate request, the CA's own private key file and the CA's own certificate are required to create the private key of the CA, which is the value specified by Private_key in the configuration file, and the default is/ETC/PKI/CA/PRIVATE/CAKEY.PEM .

[email protected] tmp]# OpenSSL Genrsa-out/etc/pki/ca/private/cakey.pem #生成CA私钥

(1). Using the OpenSSL CA self-built CA

to provide the CA's own certificate, the CA can only self-sign in the test environment , the use of "OpenSSL req-x509", "OpenSSL x509" and "OpenSSL CA" can be self-signed certificate request files, here only to describe the OpenSSL The CA command itself is a self-signed method.

To create a certificate request file for a CA, it is recommended to use the CA's private key file/etc/pki/ca/private/cakey.pem to create a certificate request file to be self-signed, although it is not required, but is easy to administer.

When creating the request file, country name, state or province name, Organization name, and common name are required by default.

 [[email protected] tmp]# OpenSSL req-new-key/etc/pki/ca/private/cakey.pem-out ROOTCA.CSR #生成根CA请求证书You is about to is asked to enter information that'll be incorporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t  He field would be a left blank.----- Country Name (2   letter code) [Xx]:cnstate or province name (full name) []:FJ  Locality name (eg, city) [default CITY]:XM  Organization name (eg, company) [Default company Lt D]:JM  organizational Unit name (eg, section) []:it  Common name (eg, your name or your server  
   
     ' s hostname) []:www.iwant.com  Email Address []:. Please enter the following ' extra ' attributesto is sent with your certificate Requesta challenge password []:. An optional company name []:. 
   

Then use the OpenSSL CA command to self-sign the certificate request file . If two Interactive queries indicate that the self-signed will succeed and if it fails, consider whether the database file Index.txt is created, the serial number file serial exists and has an ordinal value, the private key file Cakey.pem whether the path is correct, When you create a certificate request file, it does not provide a condition that is provided.

[email protected] tmp]# OpenSSL ca-selfsign-in rootca.csrusing configuration from/etc/pki/tls/openssl.cnf #By default,/ETC/PKI/TLS/OPENSSL.CNF is used as the configuration fileCheck that the request matches the signature # to verify the digital signature of the certificate request file, make sure that the certificate request file is intact signature okcertificate Details:            # Information for the certificate to be generated Serial number:1 (0x1) # 1 validity Not Before:jun 10:06:29 GMT # Certificate Valid from date 2017-6-17 10:06:29 not after:jun 27 10:06:29 2018            GMT # Certificate Expiration date is 2018-6-17 10:06:29 Subject: # Subject information, Subject is very important information CountryName = CN Stateorprovincename = FJ OrganizationName = J             M Organizationalunitname = IT commonname = www.iwant.com x509v3 Extensions: X509v3 Basic Constraints:CA:FALSE Netscape comment:openssl Generate D Certificate x509v3 Subject Key identifier:a5:0d:dd:d6:47:c6:24:74:20:f4:62:77:f6:a9:63:3e:52: d2:8a:66 X509V3 Authority Key identifier:keyid:a5:0d:dd:d6:47:c6:24:74:20:f4:62:77:f6:a9:63:3e:52:d2:8a:66 Certificate is certified until June 10:06:29 2018 GMT (365 days) sign the certificate? [Y/n]:y 1 out of 1 certificate requests certified, commit? [Y/n]ywrite out database with 1 new entries # Adds a record of the certificate to the DB file Certificate: #        Information for this certificate Data:version:3 (0x2) Serial number:1 (0x1) Signature algorithm:sha1withrsaencryption            ISSUER:C=CN, ST=FJ, O=JM, Ou=it, cn=www.iwant.com validity not Before:jun 10:06:29 GMT  Not After:jun 10:06:29 2018 GMT SUBJECT:C=CN, ST=FJ, O=JM, Ou=it, cn=www.iwant.com Subject Public                    Key Info:public key algorithm:rsaencryption Public-key: (1024x768 bit) modulus: 00:94:49:33:f4:90:a4:fc:a4:6b:65:75:4c:be:4f:d1:3f:95:bd:24:60:c8:45:f9:eb:00:31:ac:4 5:6b: ae:bb:63:bf:f2:a3:0c:e3:d3:50:20:33:1e:d9:e1:8a:49:42:c6:e0:67:6d:3a:cb:2f:9c:90: Ab:4c:10:7a:4a:82:e1:6e:a0:6a:63:84:56:1c:a2:5f:11:60:99:e0:cd:20:68:e9:98:40:68:c 2:43:7c:97:12:ee:31:8e:b1:73:7d:36:99:97:49:31:50:c1:8c:47:10:16:f9:5d:37:11:00:73 : 3b:01:62:9b:36:36:97:08:48:31:93:56:3f:6a:d9:a6:99 exponent:65537 (0x10001) X5                09v3 extensions:x509v3 Basic Constraints:CA:FALSE Netscape Comment: OpenSSL Generated Certificate x509v3 Subject Key identifier:a5:0d:dd:d6:47:c6:24:74:20:f4:62:77 : f6:a9:63:3e:52:d2:8a:66 x509v3 Authority Key identifier:keyid:a5:0d:dd:d6:47:c6:24:74:20:f4:62 : 77:f6:a9:63:3e:52:d2:8a:66 Signature algorithm:sha1withrsaencryption 1e:4e:f4:e4:c9:33:52:85:69:ae:b4:2a:37:         37:44:90:9B:52:B3:E9:89:1C:B2:F2:17:41:D8:05:02:63:9A:4F:64:4D:C9:CE:0C:81:48:22:4F:73:8A:4C:F7:B8:BF:64:B2:77:8A:2E:43:80:         39:03:DE:27:19:09:D2:88:39:11:8F:8B:4B:37:C0:12:68:EF:79:5B:28:D4:CF:C9:B8:E1:77:24:6E:B4:5B:83:4A:46:49:A1: ad:5c:b7:d8:da:49:9a:45:73:b9:8e:eb:1a:9c:2e:6c:70:d3:c5:db:9c:46:02:59:42:bf:ad:bc:21:4c:d1:6b:6b:a7:87: 33:1A:6B-----BEGIN CERTIFICATE-----MIICITCCAFKGAWIBAGIBATANBGKQHKIG9W0BAQUFADBMMQSWCQYDVQQGEWJDTJELMAKGA1UECAWCRKOXCZAJBGNVBAOMAKPNMQSWCQYDV Qqldajjvdewmbqga1ueawwnd3d3lml3yw50lmnvbtaefw0xnza2mjcxmda2mjlafw0xoda2mjcxmda2mjlamewxczajbgnvbaytaknomqswcqydvqqidajgsj Elmakga1uecgwcsk0xczajbgnvbasmaklumrywfaydvqqdda13d3cuaxdhbnquy29tmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcustp0kkt8pgtlduy +t9e/lb0kymhf+esamaxfa667y7/yowzj01agmx7z4ypjqsbgz206yy+ ckktmehpkgufuogpjhfycol8ryjngzsbo6zhaamjdfjcs7jgosxn9npmxstfqwyxhebb5xtcrahm7awkbnjaxcegxk1y/ Atmmmqidaqabo3swetajbgnvhrmeajaamcwgcwcgsagg+eibdqqffh1pcgvuu1nmiedlbmvyyxrlzcbdzxj0awzpy2f0ztAdbgnvhq4efgqupq3d1kfgjhqg9gj39qljpllsimywhwydvr0jbbgwfoaupq3d1kfgjhqg9gj39qljpllsimywdqyjkozihvcnaqefbqadgyeahk705mkzuov prrqqnzdekjtss+mjhllyf0hybqjjmk9ktcnodifiik9zikz3ul9ksneklkoaoqpejxkj0og5ey+lszfaemjvevso1m/ juof3jg60w4nkrkmhrvy32npjmkvzuy7rgpwubhdtxducrgjzqr+tvcfm0wtrp4czgms=-----END CERTIFICATE-----Data Base Updated

After successful signing, a series of files will be generated in the/ETC/PKI/CA directory.

[Email protected] tmp]# tree-c/etc/pki/ca/etc/pki/ca├──certs├──crl├──index.txt├──index.txt.attr├── index.txt.old├──newcerts│   pem #之前添加到serial文件中的序号 ├──private│   └──cakey.pem├──serial└──seri Al.old

where the Newcerts directory of 01.PEM is just the self-signed certificate file, because it is the CA itself certificate , so according to the "Certificate= $dir/cacert.pem" entry in the configuration file, it should be put into/etc/ Pki/ca directory, and named Cacert.pem, you can only sign other certificate requests later .

[Email protected] tmp]# CP/ETC/PKI/CA/NEWCERTS/01.PEM/ETC/PKI/CA/CACERT.PEM

At this point, the self-built CA is complete, viewing the database index file and the serial number file.

[Email protected] tmp]# cat/etc/pki/ca/index.txtv       180627100629Z      unknown/c=cn/st=fj/o=jm/ou=it/cn= Www.iwant.com[[email protected] tmp]# cat/etc/pki/ca/serial02

Then, the next time the certificate request is signed, the serial number will be "02".

The process of self-built CAS is summarized as follows:

[Email protected] tmp]# touch/etc/pki/ca/index.txt [[email protected] tmp]# echo ">/etc/pki/ca/serial[[email Pro" Tected] tmp]# OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem[[email protected] tmp]# OpenSSL req-new-key/etc/pki/ca/ Private/cakey.pem-out Rootca.csr[[email protected] tmp]# OpenSSL ca-selfsign-in rootca.csr[[email protected] tmp]# CP/ Etc/pki/ca/newcerts/01.pem/etc/pki/ca/cacert.pem

The above procedure is created by fully reading the default profile, in fact many processes are not so strict, the OpenSSL CA command itself can specify many options to overwrite the items in the configuration file, but since the default configuration file and directory structure is provided, it is still recommended to fully adopt the items in the configuration file for ease of administration. .

(2). Issue certificates to others.

First the requester creates a certificate request file.

 [[email protected] tmp]# OpenSSL req-new-key privatekey.pem-out youwant1.csr #这里的私钥文件privatekey. Pem must be born in advance Into you is about to being asked to enter information that'll be incorporatedinto your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blankfor some fields there would be a default value,if you enter '. ', t  He field would be a left blank.----- Country Name (2   letter code) [Xx]:cnstate or province name (full name) []:FJ  Locality name (eg, city) [default CITY]:XM  Organization name (eg, company) [Default company Lt D]:JM  organizational Unit Name (eg, section) []:.  Common name (eg, your name or your server   ' s hostname) []:www.youwant.com  Email Address []:. Please enter the following ' extra ' attributesto is sent with your certificate Requesta challenge password []:. An optional company name []:. 

Where country name, state or province name, Organization name, and common name must be provided, and the first three must be identical to the corresponding entry in the CA's subject. These are determined by the matching policy in the configuration file.

[CA]default_ca      = ca_default            # The default CA section[ca_default]policy          = policy_match[Policy_match]C Ountryname             = matchstateorprovincename     = match OrganizationName        = match organizationalunitname  = optionalcommonname              = suppliedemailaddress            = Optional

"Match" means that the items in the certificate request file to be signed by the OpenSSL CA will match the entries in the CA certificate , that is, "supplied" means the item that must be provided, "optional" represents the optional option, so you can leave it blank.

You can now send the certificate request file to the CA and let the CA help sign it.

[email protected] tmp]# OpenSSL ca-in YOUWANT1.CSR

After successful signing, review the file structure under/ETC/PKI/CA.

[Email protected] tmp]# tree-c/etc/pki/ca//etc/pki/ca/├──cacert.pem├──certs├──crl├──index.txt├── index.txt.attr├──index.txt.attr.old├──index.txt.old├──newcerts│   ├──01.pem│   02.pem├──private│   └──cakey.pem├──serial└──serial.old 4 directories, ten files

where "02.pem" is a certificate that has just been successfully signed , the certificate is sent to the applicant, which means the issue is complete.

Then look at the database index file and the serial number file.

[Email protected] tmp]# cat/etc/pki/ca/index.txtv       180627100629Z      /c=cn/st=fj/o=jm/ou=it/ CN=WWW.IWANT.COMV       180627110022Z      /c=cn/st=fj/o=jm/cn=www.youwant.com[[email protected] tmp]# CAT/ETC/PKI/CA/SERIAL03

(3). OpenSSL CA Command usage

Following the example above, you should have a general understanding of the use of the OpenSSL CA command, with its full usage instructions, excluding CRL-related features.

OpenSSL CA [-verbose] [-config filename] [-name section] [-startdate Date] [-enddate date] [-days arg] [-md ARG] [-policy ARG] [-keyfile arg] [-key arg] [-passin ARG] [-cert file][[- in file] [-out[- Infiles] [-ss_cert file] [-preservedn] [-NOEMAILDN] [-batch] [-extensions section] [-extfile section] [-subj arg] [-u Tf8]

Note that theCA command is used to sign the certificate, so it requires files other than the configuration file, which is the private key file and the certificate request file, and the file generated after the signature is a certificate file , so the object specified with "-in" is the file to be signed (that is, the request certificate),"- Infiles "is to specify multiple pending files ,"-keyfile "is the specified private key file,"-out "is the certificate file for the specified output.

"Option Description:"-config filename:Specifies the configuration file to use, specifying that the configuration options for the CA specified in OPENSSL.CNF will be ignored。 -name section:specifies that the section in the configuration file is used. Default_ca segments in OPENSSL.CNF are ignored after specifying。 -in FileName: Specifya single certificate request file to be signed by the CA。 Used when the root CA is signed for another certificate. -infiles:This option is only the last option, all parameters that are received by this option are considered to be signed certificate request files, i.e.options to use when signing multiple request files at once。 -selfsign:self-signed. This option is ignored when the-ss_cert option is specified. -ss_cert FileName: The individual that will be self-signed by the CACertificateFile. This means that you want to re-sign the certificate. -out FileName: The output file of the certificate, which is also output to the screen. Default output to stdout when not specified. -outdir Dir_name:the output directory of the certificate. When this option is specified, a ". Pem" certificate file with a file name containing 16 binary serial values is automatically generated in this directory。
-CERT:CA your own certificate file. -keyfile FileName: Specifyprivate key file when signing a certificate request, i.e.CA's own private key file。 -key Passwd_value: Specifies the encryption password for the private key.
-passin arg: Pass decryption password-verbose: Details of the print operation-notext: Suppresses the output of the certificate in text format to the file specified by "-out"-days ARG:Certificate validity period, the startdate is calculated from the moment of creation, and the expiry point is enddate. -startdate: The start time of the custom certificate, and the use of "-enddate" can deduce the certificate validity period. -enddate: The end time of the custom certificate. -MD ALG: Specifyone-way encryption algorithm-policy ARG:This option is the section content in the configuration filethat specifies whether the field part of the certificate information needs to be mandatory, or if it is forced to match, or is not available. See the description of the configuration file in detail. -extensions section:specifies which section in the configuration file is the currently created certificate to use as an extended property. -batch: Use batch mode when signing, i.e.non-interactive mode. There will be no two queries in this mode (whether signed, submitted)。 -SUBJ ARG:Replace subject in a certificate request, Format/type0=value0/type1=value1/type2= ...

The configuration file is part of the CA, where it is marked as a required item in the presentation configuration file, or the option and its value must be given in the command line.

New_certs_dir: Equivalent to the "-outdir" option. Must be an item Certificat: equivalent to the "-cert" option, the CA's own certificate file. Must be an item Private_key: equivalent to the "-keyfile" option, when signing the certificate request file, the private key file is the CA's own private key file. Required item Default_days: equivalent to the "-days" option default_startdate: equivalent to the "-startdate" option. Default_enddate: Equivalent to the "-enddate" option. DEFAULT_MD: Equivalent to the "-md" option. The database file that must be maintained by the item Database:openssl. Store Certificate entry information and status information. Required entry Serial: the serial number (16 binary) file for the issued certificate. Must be an item and there must be a sequence value in the file Unique_subject: If the Subject column value set to Yes,database must not be duplicated. If set to No, subject is allowed to repeat. The default is yes, this is to be compatible with the old version of OpenSSL and is recommended to set to No. X509_extensions: Equivalent to the "-extensions" option. Policy: Equivalent to the "-policy" option. Required item Name_opt/cert_opt: The presentation format of the certificate,Although it is not mandatory but recommended to be set to Ca_default, the old version of the certificate format (not recommended) will be used by default. :The pseudo-command CA Cannot set these two options directly, while the pseudo-command x509 "-nameopt" and "-certopt" options can be set separately。 Copy_extensions: Determines how extensions in a certificate request are handled.
: If the option is set to none or does not write, the extension is ignored and not copied to the certificate. : If set to copy, theThe certificate request already exists, whileThe certificate does not existThe extension is copied to the certificate. : If set to Copyall, theCertificate RequestAll of the extensions are copied to the certificate, and if an extension is already present in the certificate, then the copy is deleted first. :The primary purpose of this option is to allow a certificate request to provide a value for a specific extension such as SubjectAltName. : Before using this option, check the warnings section of the man ca. It is recommended that the general simple use is set to none or not set.

() OpenSSL CA (Signed and self-built CA)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.