(a) Multiple implementations of OpenSSL signing and self-signed certificates

1. How to implement a custom configuration file 1.1 self-built CAS

Self-built CA mechanism: 1. Generate the private key; 2. Create a certificate request; 3. Use the private key to sign the certificate request.

Because of the test environment, a self-built CA can only be a root CA.

The configuration file used is as follows:

[Default]name = ROOT-CA/* Variable */default_ca = ca_defaultname_opt = ca_defaultcert_opt = Ca_default[ca_default]home =. /* Variable */database = $home/db/indexserial = $home/db/serialcrlnumber = $home/db/crlnumbercertificate = $home/$name. Crtpriv Ate_key = $home/private/$name. keyrandfile = $home/private/randomnew_certs_dir = $home/certsunique_subject = Nocopy_ Extensions = Nonedefault_days = 3650default_crl_days = 365DEFAULT_MD = Sha256policy = Policy_to_match[policy_to_match]countryname = MatchStateorprovincename = OptionalOrganizationName = MatchOrganizationalunitname = OptionalCommonName = suppliedEmailAddress = Optional[ca_dn]countryname = "C" Contryname_default = "CN" OrganizationName = "O" Organizationname_default = "JMU" commonname = "CN" Commonname_default = "longshuai.com" [req]default_bits = 4096encrypt_key = NODEFAULT_MD = Sha256ut F8 = Yesstring_mask = utf8only# prompt = no/* This option causes an error when testing, so comment it out */distinguished_name = Ca_dnreq_extensions = Ca_ext[ca_e Xt]basicconstraints = Critical,ca:trueKeyusage = Critical,keycertsign,crlsignsubjectkeyidentifier = Hash

(1). Create a directory structure for OpenSSL (a). Create a configuration file

[[email protected] ~]# mkdir/ssl;touch/ssl/ssl.conf[[email protected] ~]# cd/ssl[[email protected] ssl]# vim ssl.conf

(b). Create a directory in the directory structure of OpenSSL, where the directories in the above configuration file are/ssl/db,/ssl/private, and/ssl/certs, respectively, toto consider setting the private directory's permissions to 600 or。

[Email protected] ssl]# mkdir/ssl/{db,private,certs}[[email protected] ssl]# chmod-r [private/]

(2). CA self-signed

A normal certificate request needs to be signed using the CA's private key to become a certificate, since it is a self-signed certificate, which of course is signed with its own private key. You can use the pseudo command req or CA or X509 to come from the signature.

2.1 Creating a CA using the Req pseudo-command

There are two ways to do this:

1. One step is complete, that is, the private key, the certificate request, the self-signature are all done in one command

2. Step through, make the private key, create the certificate request, and then specify the private key to sign. In the fact that Method 2 generates the private key and the certificate request can be merged in one step, the certificate request and the signature can also be combined in one step to complete.

Method One: Complete one step

In the following step command, the use of-new is automatically saved in ssl.conf default_keyfile the specified PRIVATE.PEM because no private key output location is specified;

Since the Req segment in ssl.conf is set to Encrypt_key=no, the encryption password of the private key is not required for interaction;

Because the req-x509 self-signed certificate validity period defaults to 30 days , and the Req segment in the configuration file cannot be configured, you can only use-days to specify the expiration date

Note: This -days option only works on X509 signatures, if the time specified in the certificate request is not valid.

[email protected] ssl]# OpenSSL req-x509   -new   -out req.crt   -config ssl.conf   -days 365[[email Protected] ssl]# ll total 24drwxr-xr-x 2 root root 4096 Nov 09:05 certsdrwxr-xr-x 2 root root 4096 Nov 09:05 dbdrwx- -----2 root root 4096 09:05 private-rw-r--r--1 root root 3272 Nov 10:52 private.pem  ?/* Note permissions are 644 */-rw-r--  r--1 root root 1753 Nov 10:52 req.crt-rw-r--r--1 root root 1580 Nov 10:51 ssl.conf[[email protected] ssl]# OpenSSL X509-noout-dates-in req.crt Notbefore=nov 02:52:24 Gmtnotafter=nov GMT

Method Two: Step through, here the various possible steps to merge are demonstrated once

>> Create a private key and a certificate request merge, and the signature is done alone in the method <<

[email protected] ssl]# OpenSSL req-newkey rsa:1024-keyout key.pem-out req1.csr-config ssl.conf-days 365 #请求证书和私钥一同生成 [[email protected] ssl]# OpenSSL req-x509-in req1.csr-key key.pem-out req1.crt #使用私钥生成自签名证书 [[ Email protected] ssl]# OpenSSL x509-noout-dates-in req1.crt/* NoteSign not configure file*/notbefore=nov 02:58:25 gmtnotafter=dec 02:58:25 GMT?/* You can see that the specified-days in the certificate request is not valid */[[email protected] ssl]#   Lltotal 36drwxr-xr-x 2 root root 4096 Nov 09:05 certsdrwxr-xr-x 2 root root 4096 Nov 09:05 db-rw-r--r--1 root root 912 10:57 key.pemdrwx------2 root root 4096 Nov 09:05 private-rw-r--r--1 root root 3272 Nov 10:52 private . pem-rw-r--r--1 root root 826 Nov 10:58 req1.crt-rw-r--r--1 root root 688 Nov 10:57 req1.csr-rw-r--r--1 root ro OT 1753 Nov 10:52 req.crt-rw-r--r--1 root root 1580 Nov 10:51 ssl.conf

>> generate private keys alone , and methods for requesting and signing merges <<

 [[email protected] ssl]# (umask 077;openssl genrsa-out Key1.pem) #生成私钥 [[Email  protected] ssl]# OpenSSL req-x509-new-key key1.pem-out req2.crt-config ssl.conf-days 365 #请求和签名一起生成 [ [email protected] ssl]# OpenSSL x509-noout-dates-in req2.crt Notbefore=nov 03:28:31 22 03:  28:31 gmt[[email protected] ssl]# lltotal 44drwxr-xr-x 2 root root 4096 Nov 09:05 certsdrwxr-xr-x 2 root root 4096 09:05 db-rw-r--r--1 root root 912 Nov 10:57 key1.pem-rw-------1 root root 887 Nov 11:26 KEY2.PEMDRW x------2 root root 4096 09:05 private -rw-r--r--1 root root 3272 Nov 10:52   PRIVATE.PEM -rw-r--r--1 root root 826 Nov 10:58 req1.crt-rw-r--r--1 root root 688 Nov 10:57 req1.csr-rw-r--r--1 ro  OT root 709 11:28 req2.crt-rw-r--r--1 root root 1753 Nov 10:52 req.crt-rw-r--r--1 root root 1580 Nov 22 10:51 Ssl.conf 

>> fully Step-by <<

[[email protected] ssl]# RM-RF key* req* private.pem[[email protected] ssl]# (umask 077;openssl genrsa-out KEY.PEM 1024) 　　　　　　 #生成私钥 [[email protected] ssl]# OpenSSL req-new    -key key.pem   -out req.csr-config   ssl.conf　　#生成请求证书 [[email protected] ssl]# OpenSSL req-x509   -key key.pem   -in req.csr    -out req.crt-days   365 #自签名 [[email protected] ssl]# OpenSSL x509-noout-dates-in Req.crtnotbefore=nov 04:29:21 Gmtnotafter=nov 22 04:29 : Gmt[[email protected] ssl]# lltotal 28drwxr-xr-x 2 root root 4096 Nov 09:05 certsdrwxr-xr-x 2 root root 4096 N OV 09:05 db-rw-------1 root root  887 Nov 12:28 key.pemdrwx------2 root root 4096 Nov 09:05 private-rw-r--r- -1 root root  826 Nov 12:29 req.crt-rw-r--r--1 root root  688 Nov 12:28 req.csr-rw-r--r--1 root root 1580 N OV 10:51 ssl.conf

At the beginning of this section , a private key is required to create a certificate request, which is intended to provide a public key .

Here is the validation.

/* Extract the public key from the private key KEY.PEM to the Key.pub file */[[email protected] ssl]# OpenSSL rsa-in key.pem-pubout-out key.pub #从私钥中 Extract public key 
/* The public key part of the output certificate request REQ.CSR */[[email protected] ssl]# OpenSSL req-noout-pubkey-in REQ.CSR #输出证书请求中的 Public key-----BEGIN publicly key-----migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqc+ybnelybh+ozwpiypqiqhosu5d8il6uf7hi3ngex/ 6vtcismp7gxpxuv1tdglcctpofchcezeo0gvky21luendsl/ac2lrasijpl41+rt4mknrcydpzw4ig44+ Vlhfghb3wjhbbbk0aw51dmxuat8fhclhu7nx+du637udlwdeqidaqab-----END Public KEY-----
/* Looking at key.pub, you can see that the public key in the REQ.CSR is the same as the */[[email protected] ssl]# cat key.pub #查看从私钥中提取出来的公钥, can be seen with the from please Look in the certificate exactly as-----BEGIN public KEY-----migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqc+ybnelybh+ ozwpiypqiqhosu5d8il6uf7hi3ngex/6vtcismp7gxpxuv1tdglcctpofchcezeo0gvky21luendsl/ac2lrasijpl41+ Rt4mknrcydpzw4ig44+vlhfghb3wjhbbbk0aw51dmxuat8fhclhu7nx+du637udlwdeqidaqab-----END Public KEY-----

Although a public key is used to create a certificate request, but you cannot specify the public key using the-key option, you can only specify the private key, because the req-new or-newkey option invokes the OpenSSL RSA command to extract the public key, and the call will fail to execute if the public key is specified.

2.2 Creating a CA using the X509 pseudo-command

The request file needs to be provided using the X509 Pseudo-command, so the certificate request file needs to be created first. Since the X509 pseudo command signature does not read the configuration file, so do not need to set the configuration file, if you need an option, just use the corresponding option in x509 to achieve.

The following x509-req are for self-signed and require-signkey to provide the private key KEY.PEM required for signing.

[[email protected] ssl]# OpenSSL req-new    -keyout key.pem    -out req.csr   -config ssl.conf       #私钥和请求证书一同生成 [[ Email protected] ssl]# OpenSSL x509   -req-in req.csr-signkey key.pem-out    x509.crt #使用x509自签名

2.3 Creating a CA using CA pseudo-commands

using the CA pseudo-command to self-sign reads the CA portion of the configuration file, so the directories and file structures required in the configuration file need to be created, including directory db, Private, certs, file Db/index, db/serial, and write a serial number to serial .

Because it is self-signed, you can specify the private key file yourself, so the CA private key file required for signing requires no placement in the private directory (if the certificate is signed for another request, the signed certificate is generated by default in the private directory).

[[email protected] ssl]# Touch Db/{serial,index}[[email protected] ssl]# echo "" > Db/serial[[email protected] ssl]#  OpenSSL req-new  -keyout key.pem    -out req.csr    -config ssl.conf #私钥和请求证书一同生成 [[email protected] ssl]# OpenSSL CA  -selfsign  -keyfile key.pem   -in req.csr  -config ssl.conf #自签名

There are two queries during this signature process, as follows:

Certificate is to be certified until Nov 06:34:41 2026 GMT (3650 days) sign the Certificate? [Y/n]:y1 out of 1 certificate requests certified, commit? [Y/n]ywrite out database with 1 new entriesdata Base Updated

to have no interaction, use-batch to enter batch mode .

[[email protected] ssl]# OpenSSL CA   -selfsign   -keyfile key.pem   -in req.csr-config   ssl.conf    -batch

1.2 Requesting a signature for another certificate

When a CA signs another request or certificate, the file that needs to be used is: its own CA certificate and its own private key file. These two files are therefore required for the signature process.

(1). Request a signature for another certificate using the CA pseudo-command

After using the CA pseudo-command to build the root CA, the directory structure is as follows:

[Email protected] ssl]# Tree-r-c             ├──certs│ └──01.pem├──db│ ├──index│ ├──index.attr│   ├──inde x.old│   ├──serial│   └──serial.old├──key.pem├──private├──req.csr└──ssl.conf

Where 01.pem is the root CA certificate, KEY.PEM is the root CA private key .

Now to request a signature for another certificate, first create another request certificate to be signed, assuming that the request file is/TMP/REQ.CSR.

[email protected] ssl]# OpenSSL req-new    -keyout/tmp/key.pem    -out/tmp/req.csr   -config ssl.conf #私钥和请求证书 Build together

Use root certificate 01.pem to sign/TMP/REQ.CSR.

[[email protected] ssl]# OpenSSL CA   -in/tmp/req.csr   -keyfile key.pem   -cert Certs/01.pem   -config ssl.conf   -batch       #签名

This is a hassle, because every time you sign someone to specify-cert and-keyfile, you can move the CA's certificate (01.PEM) and the CA's private key (KEY.PEM) to the path specified in the configuration file:

Certificate = $home/$name. CRT Private_key = $home/private/$name. Key

[[Email protected] ssl]# mv Certs/01.pem root-ca.crt[[email protected] ssl]# mv Key.pem Private/root-ca.key

You can use the default values when you use the CA signature again.

[[email protected] ssl]# OpenSSL CA    -in/tmp/req.csr    -config ssl.conf    -batch

(2). Request a signature for another certificate using the x509 Pseudo-command

The private key for the root CA certificate Root-ca.crt,ca is now Private/root-ca.key.

The following uses the X509 Pseudo-command to implement the signature. Since X509 does not read the configuration file, it needs to provide the serial number of the signature, which can be created automatically when there is no serial number file-cacreateserial .

Because the input file specified by the X509 default-in is a certificate file, to sign the request file, you need to use-req to represent the input file as the request file.

[email protected] ssl]# OpenSSL x509-req   -in/tmp/req.csr    -ca root-ca.crt   -cakey Private/root-ca.key   -out x509.crt    -cacreateserial

2. How to implement the default configuration file/etc/pki/tls/openssl.cnf

This is the recommended approach because it is easy to manage, but with the default profile, some initialization actions are required.

due to the full adoption of the/ETC/PKI/TLS/OPENSSL.CNF configuration, the relevant files should be established .

Procedures for self-built CAS:

[Email protected] tmp]# touch/etc/pki/ca/index.txt [[email protected] tmp]# echo ">/etc/pki/ca/serial[[email Pro" Tected] tmp]# OpenSSL genrsa-out/etc/pki/ca/private/cakey.pem                     -out rootca.csr   # Create a CA to be self-signed certificate request file [[ Email protected] tmp]# OpenSSL ca-selfsign-in ROOTCA.CSR                                   # Self-signed [[email protected] tmp]# cp/etc/pki/ca/newcerts/01.pe M/etc/pki/ca/cacert.pem                 # Copy the self-signed certificate to the specified location according to the configuration file configuration

The process of issuing certificates to others:

[email protected] tmp]# OpenSSL ca-in YOUWANT1.CSR

Upon successful signing, the certificate is located in the/etc/pki/ca/newcert directory and the newly generated certificate file is sent to the requester.

(a) Multiple implementations of OpenSSL signing and self-signed certificates