I. Theoretical knowledge
What is a CA?
CA is short for Certificate Authority, usually translated as a certification authority or certification center. Its main job is to issue digital certificates to users. A digital certificate binds part of the user's identity information to the public key the user holds, and the CA signs the certificate with its own private key. If another party can verify that the certificate's signature is valid, and that party trusts the CA that issued it, it can confirm the identity bound to the public key and complete authentication.
A trusted CA issues a digital certificate to each user of a public key. The certificate proves that the name listed in it corresponds to the public key listed in it, and the CA's digital signature prevents an attacker from forging or tampering with the certificate: any change to the certificate body invalidates the signature.
Why use a CA?
For PKI services to be widely usable, the basic problem to solve is public key distribution and management: how does a relying party know which entity a public key belongs to? That binding must be vouched for by an authority the public trusts; otherwise the whole business system has a fatal security hole, because an attacker who can substitute their own public key for someone else's can impersonate that party. The common solution worldwide is to set up a Certificate Authority (CA) that manages public keys centrally and distributes them in the form of public key certificates.
What are the functions of a CA?
The following list refers to the functions of TongCA:
1. Generate, revoke and update certificates.
2. Publish certificates and the revocation list (blacklist) to the directory server.
3. Maintain the certificate and revocation list databases.
4. Generate and maintain its own key pair: for security, the CA's signing key is generated by the CA itself and stored encrypted in a directory readable only by the superuser.
5. Maintain audit logs.
6. Add or delete a local RA (registration authority); this is done by the CA operator.
7. Keep the data held by the CA, the RA and the directory server consistent.
In summary, a certification center (CA) provides certificate issuance, certificate update, certificate revocation and certificate verification. Its core function is to issue and manage digital certificates, which breaks down as follows:
(1) Receive and verify end users' applications for digital certificates: certificate application.
(2) Decide whether to accept an end user's application: certificate approval.
(3) Issue, or refuse to issue, the digital certificate to the applicant: certificate issuance.
(4) Receive and process end users' requests to update their certificates: certificate update.
(5) Receive end users' certificate queries and revocation requests.
(6) Generate and publish the certificate revocation list (CRL).
(7) Archive digital certificates.
(8) Archive keys.
(9) Archive historical data.
To carry out these functions, a certification center consists of the following three parts:
Registration server: a web site run on a web server that serves customers 24 hours a day, so a customer can submit a certificate application online and fill in the application form whenever convenient instead of queuing in person.
Certificate application processing and review body: accepts and reviews client certificate applications.
Certification center server: the running entity that generates and issues digital certificates; it also provides certificate issuance management and certificate revocation list (CRL) generation and processing.
What are the components of a current CA authentication system, and what does each part do?
A CA authentication system currently consists of three parts: the client-side system through which certificate users apply for, query and download digital certificates; the certificate authorization system in which the RA administrator approves certificate applications; and the certificate issuing system that issues the user certificate from the CA console.
II. Apply for a CA certificate
1. Generate a private key
# (umask 077; openssl genrsa -out ./key.pri 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.........................................................+++
e is 65537 (0x10001)
2. Create a Certificate Signing Request (CSR)
# openssl req -new -key ./key.pri -out ./myreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangzhou
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:www.magine356wj.com
Organizational Unit Name (eg, section) []:section
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:redhat
Note: if the certificate is for an HTTPS server, it is the Common Name, not the Organization Name, that must be the server's FQDN; the Organization Name is never used for host matching. Current browsers and TLS libraries actually match the host name against the subjectAltName (SAN) extension and ignore the CN, so the FQDN should also be placed in a SAN when the CA signs the request.
3. The CA signs the certificate
With a commercial CA the CSR would be submitted here together with a written application; that step is skipped, and a self-built CA is used instead.
Self-built CA:
# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
..................+++
e is 65537 (0x10001)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangzhou
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:magine356wj.CA
Organizational Unit Name (eg, section) []:section
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:[email protected]
# ls -lh
total 20K
-rw-r--r--. 1 root root 1.5K Jul 13 12:40 cacert.pem
drwxr-xr-x. 2 root root 4.0K Feb 21  2013 certs
drwxr-xr-x. 2 root root 4.0K Feb 21  2013 crl
drwxr-xr-x. 2 root root 4.0K Feb 21  2013 newcerts
drwx------. 2 root root 4.0K Jul 13 12:36 private
# touch serial index.txt
# echo 01 > serial
# openssl ca -in myreq.csr -out mycert.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
myreq.csr: No such file or directory
140178715932488:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('myreq.csr','r')
140178715932488:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
# cat serial
01
The signing attempt fails only because the CSR was written to the home directory in step 2 while this command was run from /etc/pki/CA, so -in must point at the CSR's real path (here ~/myreq.csr). Once it does, the CA signs the request, writes the certificate to mycert.crt and a copy to newcerts/01.pem, records it in index.txt, and increments serial to 02. The empty index.txt and the serial file are required: openssl ca refuses to run without them.
Note:
Sign a certificate:
# openssl ca -in /path/to/certreq.csr -out /path/to/certfile.crt -days 365
The defaults (CA directory, CA key and certificate paths, serial and index files, default validity, subject policy) come from /etc/pki/tls/openssl.cnf and can be changed there.
Dedicated client test tool:
# openssl s_client -connect host:port -CAfile /path/to/cacertfile | -CApath /path/to/cacert_dir/ [-ssl2 | -ssl3 | -tls1]
Caveat: -ssl2 and -ssl3 force protocol versions that are broken and are removed from current OpenSSL builds; use them only to confirm that a server refuses them, and test normal connections with -tls1_2 or -tls1_3. Check that the output ends with "Verify return code: 0 (ok)"; anything else means the chain did not validate against the supplied CA certificate.
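The whole of section II as one runnable procedure. This is an added example, not a transcript from the original post: it builds the self-signed CA, the server key and CSR, signs the CSR with openssl ca and verifies the result, but does so in a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, so it runs unprivileged with only openssl installed. It also adds the subjectAltName the note above calls for. The host name www.magine356wj.com is reused from the page as the example FQDN; the file and section names are the example's own choices.

```shell
#!/bin/sh
# Added example (not the original post's commands): the section II procedure
# scripted against a throwaway CA directory. Assumes only that openssl is on
# PATH; www.magine356wj.com is the page's example FQDN, nothing more.
set -eu

# Directory layout `openssl ca` expects, plus a minimal openssl.cnf for it.
ca_init() {
  dir="$1"
  mkdir -p "$dir/certs" "$dir/newcerts"
  (umask 077; mkdir -p "$dir/private")      # CA key lives here, mode 700
  : > "$dir/index.txt"                      # certificate database, empty
  echo 01 > "$dir/serial"                   # next serial, even hex digit count
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_loose
[ policy_loose ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-built CA: private key created under umask 077, then a self-signed cert.
ca_create() {
  dir="$1"
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -config "$dir/openssl.cnf" -batch -new -x509 -sha256 -days 365 \
    -key "$dir/private/cakey.pem" -extensions v3_ca \
    -subj "/C=CN/O=magine356wj.CA/CN=CA" -out "$dir/cacert.pem"
}

# Applicant side: server key and a CSR whose Common Name is the server FQDN.
make_csr() {
  dir="$1"; name="$2"; host="$3"
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -config "$dir/openssl.cnf" -batch -new -key "$dir/$name.key" \
    -subj "/C=CN/O=$host/CN=$host" -out "$dir/$name.csr"
}

# CA side: sign the CSR and add server extensions. The SAN is what clients
# actually match the host name against; the CN alone is not enough.
sign_csr() {
  dir="$1"; name="$2"; host="$3"
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl ca -config "$dir/openssl.cnf" -batch -notext -days 365 \
    -extfile "$dir/$name.ext" -in "$dir/$name.csr" -out "$dir/$name.crt"
}

# Relying-party check: chain verifies against cacert.pem and the SAN carries
# the expected host. Exit status 0 on success, non-zero otherwise.
verify_cert() {
  dir="$1"; name="$2"; host="$3"
  openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "DNS:$host"
}

demo_ca() {
  dir=$(mktemp -d)
  ca_init "$dir"
  ca_create "$dir"
  make_csr "$dir" server www.magine356wj.com
  sign_csr "$dir" server www.magine356wj.com
  verify_cert "$dir" server www.magine356wj.com && echo "server.crt: OK"
  openssl x509 -in "$dir/server.crt" -noout -subject -issuer
  echo "next serial: $(cat "$dir/serial")"   # 02 after one issuance
  rm -rf "$dir"
}
demo_ca
```

The policy section is what makes openssl ca accept a subject: fields marked supplied must be present, optional ones are copied if present, and any subject field not listed is silently dropped from the issued certificate. verify_cert deliberately fails for a host that is not in the SAN, which is the check a TLS client performs after the chain validates.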
Summary:
openssl subcommands used
Encryption and decryption: enc
Message digest: dgst
Generate an RSA private key: genrsa (the public key is extracted from it with rsa -pubout)
Create a certificate signing request, or a self-signed CA certificate with -x509: req
Sign a certificate as the CA: ca