A preliminary understanding of OpenSSL principles and setting up a private CA server

Source: Internet
Author: User
Tags: man openssl, openssl x509

Encryption algorithms fall into two classes: symmetric and asymmetric.

I. Principle of symmetric encryption: an algorithm that uses the same key for encryption and decryption is a symmetric encryption algorithm.
Encryption process: content --> symmetric algorithm with the key --> ciphertext
Decryption process: ciphertext --> the same symmetric algorithm with the same key --> original content
Advantages: fast; block encryption is relatively secure and compact. Disadvantages: it does not scale to large numbers of participants, because a huge number of keys has to be stored and managed as the number of participants grows, and digital signatures and non-repudiation are not supported.

II. Principle of asymmetric encryption: each participant generates a pair of keys and shares the public key (with a server, for example) while keeping the private key secret.
Encryption and decryption process: generate a key pair --> encrypt with the public key (or private key) --> ciphertext --> decrypt with the matching private key (or public key) --> original content
Advantages: no key has to be sent to the recipient; the number of key pairs equals the number of participants, so there is no complicated key distribution problem, and no trust relationship has to be established in advance in order to exchange public keys.
Disadvantage: encryption is slow, and the ciphertext is much longer than the original content.

III. One-way (hash) encryption and the complete transmission process (sender = A, receiver = B, transmitted content = O):
1. A computes a digital signature of the content with a hash algorithm, encrypts the signature with its own private key, and packages it together with the content as C.
2. A generates a random symmetric key with an algorithm, encrypts the whole package with it, and produces C1.
3. A encrypts the random symmetric key with B's public key and produces the final data CC.
4. B first decrypts CC with its own private key to obtain the random symmetric key.
5. B uses A's public key to decrypt the signature that was encrypted with A's private key.
6. B compares that digital signature with one it computes over the received content, which tells it whether the package really came from A.
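The whole exchange of section III, as an added example that is not part of the original post, carried out with the openssl command line; it also exercises the symmetric primitive of section I (openssl enc) and the asymmetric one of section II (openssl genrsa / pkeyutl). The participant names A and B, the key file names, the message text and the scratch directory are all constructed for the example:

```shell
#!/bin/sh
# Added example (not from the original post): sections I-III done with the
# openssl command line. A is the sender, B the receiver; the key file names,
# the message and the scratch directory are all constructed here.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK="$(mktemp -d)"
cd "$WORK"
printf 'hello B, this is A\n' > message.txt            # the content O

# Section II: each participant makes a key pair and publishes only the public half.
gen_keypair() {                                          # $1 = participant name
    (umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null)
    openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# Section III, step 6: only A's private key can have produced a signature that
# A's public key accepts, and any change to the content invalidates it.
verify_from_a() {                                        # $1 = content, $2 = signature
    openssl dgst -sha256 -verify A.pub -signature "$2" "$1" >/dev/null 2>&1
}

# Sender side, steps 1-3. Leaves C1.enc (encrypted package) and CC.enc (encrypted key).
sender_package() {                                       # $1 = file to send
    # 1. Hash the content and sign the hash with A's private key.
    openssl dgst -sha256 -sign A.key -out content.sig "$1"
    tar -cf bundle.tar "$1" content.sig                  # the package C
    # 2. A fresh random symmetric key (section I: fast, used once) encrypts all of C.
    openssl rand -hex 32 > session.key
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:session.key -in bundle.tar -out C1.enc
    # 3. The symmetric key is encrypted with B's public key; only B can open it.
    openssl pkeyutl -encrypt -pubin -inkey B.pub -pkeyopt rsa_padding_mode:oaep \
        -in session.key -out CC.enc
    rm -f session.key bundle.tar content.sig             # A transmits only C1.enc and CC.enc
}

# Receiver side, steps 4-6. Returns 0 only if the content is intact and from A.
receiver_unpack() {                                      # $1 = expected file name in the package
    # 4. B recovers the symmetric key with its own private key.
    openssl pkeyutl -decrypt -inkey B.key -pkeyopt rsa_padding_mode:oaep \
        -in CC.enc -out session.key
    # 5. B decrypts the package and separates content and signature.
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key -in C1.enc -out bundle.tar
    mkdir -p recovered && tar -xf bundle.tar -C recovered
    # 6. B checks the signature with A's public key.
    verify_from_a "recovered/$1" recovered/content.sig
}

gen_keypair A
gen_keypair B
sender_package message.txt
receiver_unpack message.txt && echo "B accepted the message as A's"
cp recovered/message.txt tampered.txt; printf 'X' >> tampered.txt   # a changed copy
verify_from_a tampered.txt recovered/content.sig || echo "tampered copy rejected"
```

Run it with sh; it leaves everything in the mktemp directory so the files can be inspected afterwards. What the post calls "encrypting the digital signature with A's private key" is the dgst -sign step: the SHA-256 hash of the content is what gets signed, which is why the tampered copy is rejected in the last line. The session key is encrypted with OAEP padding rather than the older PKCS#1 v1.5 default of pkeyutl, and it is never written anywhere in the clear on the wire: A sends only C1.enc and CC.enc.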



IV. Certificate generation and use:
1. The client downloads the CA's public key (CA certificate) so that it can verify the server's identity.
2. The server generates a pair of keys with the encryption algorithm and sends its public key to the CA to request a digital certificate.
3. The CA encrypts the server's public key with its own private key, adds its digital signature, and sends the resulting digital certificate to the server.
4. The client and server establish a connection through the TCP three-way handshake.
5. The client sends an HTTP request and negotiates with the server which algorithm will be used for encryption.
6. The server responds and sends its public key in the form of the CA-signed certificate to the client.
7. The client uses the CA public key to decrypt the CA certificate and obtains the server's public key and digital signature. It computes the hash of the server public key, compares the result with the digital signature it obtained, and so verifies the server's identity; on success it sends its data requests.
8. The server processes the request, accesses the relevant resources according to the type of resource requested, builds the response packet and records the log.
9. The client and server close the connection with the TCP four-way handshake, and the communication is complete.

 

V. Create a CA certificate signing server

(1) CA server

1. Generate a key pair

[Screenshot: ca1.png]

2. Generate a self-signed certificate

[Screenshot: ca2.png]

3. Initialize the work environment

# touch /etc/pki/CA/{index.txt,serial}

# echo 01 > /etc/pki/CA/serial

(index.txt is the certificate database and must start out empty; serial holds the serial number that the next issued certificate will receive.)

(2) The node generates a certificate signing request (an HTTP service is used as the example here)

1. Generate a key pair

[Screenshot: jiedian1.png]

2. Generate a signing request

[Screenshot: jiedian2.png]

3. Send the signing request to the CA server with scp.

 

(3) The CA signs the node's certificate

1. Verify the authenticity of the information in the certificate request

2. Sign the certificate

[Screenshot: qianshou.png]

3. Send the certificate to the node

# scp <certificate file> <server IP address>:<destination path>

(4) Certificate revocation

1. On the node, read the serial number and subject from the certificate and send that information to the CA server.

# openssl x509 -in /path/to/certificate_file.crt -noout -serial -subject

2. The CA server compares this information with its own records to confirm which certificate is to be revoked.

3. Revoke the certificate

# openssl ca -revoke /etc/pki/CA/newcerts/<serial>.pem

(<serial> is the serial number obtained in step 1; the CA keeps a copy of every certificate it has issued under newcerts/, named by serial number.)

4. Initialize the CRL number (needed once, before the first revocation list is generated)

# echo 00 > /etc/pki/CA/crlnumber

5. Generate or update the certificate revocation list
# cd /etc/pki/CA/crl/
# openssl ca -gencrl -out thisca.crl

If necessary, view the contents of the CRL file:
# openssl crl -in /path/to/crlfile.crl -noout -text

 

Note: for detailed usage of each OpenSSL sub-command, see # man openssl and the sub-command manual pages (for example man ca, man x509 and man crl; on OpenSSL 3 these are named man openssl-ca, man openssl-x509 and man openssl-crl).
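The section V procedure carried through end to end, as an added example that is not code from the original post. It uses a scratch directory with its own openssl.cnf instead of the distribution's /etc/pki/CA layout, so the same script runs on any system that has openssl; the CA name "Example Lab Private CA", the host name www.example.test and all DN values are made up, and because node and CA live on one machine here the scp steps become plain file paths. The verify_node_cert function is the client-side check of section IV, step 7, with and without a CRL:

```shell
#!/bin/sh
# Added example (not from the original post): section V end to end in a scratch
# directory with its own openssl.cnf. Names, host name and DN values are made up;
# node and CA share one machine, so the post's scp steps are just file paths.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK="$(mktemp -d)"; CADIR="$WORK/CA"; NODE="$WORK/node"; CNF="$CADIR/openssl.cnf"

write_ca_config() {            # everything 'openssl ca' needs, with absolute paths
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = private_ca
[ private_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = node_cert
[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied
[ node_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert
[ req_dn ]
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# (1) CA server: key pair, self-signed certificate, work environment.
init_ca() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts" "$CADIR/crl"
    write_ca_config
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -key "$CADIR/private/cakey.pem" -days 3650 \
        -subj "/C=CN/O=Example Lab/CN=Example Lab Private CA" -out "$CADIR/cacert.pem"
    : > "$CADIR/index.txt"             # the database starts empty
    echo 01 > "$CADIR/serial"           # serial of the first certificate
    echo 00 > "$CADIR/crlnumber"        # number of the first CRL, as in the post
}

# (2) Node: key pair and signing request for its HTTP service.
make_node_request() {
    mkdir -p "$NODE"
    (umask 077; openssl genrsa -out "$NODE/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$NODE/httpd.key" \
        -subj "/C=CN/O=Example Lab/CN=www.example.test" -out "$NODE/httpd.csr"
}

# (3) CA: check the request's own signature, then sign it. -batch answers the
# "Sign the certificate? / commit?" prompts seen in the post's screenshot.
sign_node_request() {
    openssl req -in "$NODE/httpd.csr" -noout -verify >/dev/null 2>&1
    openssl ca -config "$CNF" -batch -notext -in "$NODE/httpd.csr" \
        -out "$NODE/httpd.crt" 2>/dev/null
}

# Client-side check: 0 if the node certificate chains to the CA; with a CRL as $1
# it also fails once the certificate has been revoked.
verify_node_cert() {
    if [ -n "${1:-}" ]; then
        openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$1" "$NODE/httpd.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$CADIR/cacert.pem" "$NODE/httpd.crt" >/dev/null 2>&1
    fi
}

# (4) Revocation: the node reports its serial number, the CA revokes its own
# copy under newcerts/<serial>.pem and publishes a fresh CRL.
revoke_node_cert() {
    serial="$(openssl x509 -in "$NODE/httpd.crt" -noout -serial | sed 's/^serial=//')"
    openssl ca -config "$CNF" -revoke "$CADIR/newcerts/$serial.pem" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CADIR/crl/thisca.crl" 2>/dev/null
}

init_ca; make_node_request; sign_node_request
verify_node_cert && echo "node certificate verifies against the CA"
revoke_node_cert
verify_node_cert "$CADIR/crl/thisca.crl" || echo "after revocation the CRL check rejects it"
openssl crl -in "$CADIR/crl/thisca.crl" -noout -text | grep 'Serial Number'
```

Two things the screenshots cannot show: the policy_match section makes openssl ca refuse a request whose C or O differ from the CA's own, and the node_cert section is what makes the issued certificate usable only for TLS server authentication and not as a further CA. Modern browsers additionally require a subjectAltName, which this configuration does not add; the usual approach is copy_extensions = copy in the CA section together with a SAN in the request.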

This article is from the "journey forward by cainiao" blog and may not be reposted.
