Building a private CA


We use OpenSSL to build the CA.

So first, let's look at the OpenSSL configuration file.

Environment: CentOS 7.2


# rpm -qc openssl    // no output: the openssl package carries no configuration file, so it must belong to a related package
# rpm -qa | grep openssl    // sure enough, there is also a libs package
openssl-libs-1.0.1e-42.el7.9.x86_64
openssl-1.0.1e-42.el7.9.x86_64
# rpm -qc openssl-libs    // here is the configuration file
/etc/pki/tls/openssl.cnf

(Screenshot: http://i.imgur.com/bus2Oq3.png)


View the configuration file

# cat /etc/pki/tls/openssl.cnf



We focus mainly on the [ ca ] section (its settings live under [ CA_default ], which defines the CA directory and file names used below).

(Screenshot: http://i.imgur.com/mEaa1YE.png)


(1) A self-built CA first needs a private key. // The key must be placed in the directory and under the file name the configuration file defines: /etc/pki/CA/private/cakey.pem

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)    // running the command in a subshell means umask 077 does not affect the current shell's umask
Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)
# ll /etc/pki/CA/private/cakey.pem    // the generated private key file
-rw-------. 1 root root 1675 Sep 16:57 /etc/pki/CA/private/cakey.pem



(2) Generate the self-signed CA certificate. // Again, the directory and file name (/etc/pki/CA/cacert.pem) are already defined in the configuration file

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365    // output omitted


(Screenshot: http://i.imgur.com/jt3glZm.png)



# ll /etc/pki/CA/cacert.pem    // our CA certificate
-rw-r--r--. 1 root root 1302 Sep 17:08 /etc/pki/CA/cacert.pem


(3) Create the directories and files the CA needs. // Any that already exist can be skipped


# mkdir /etc/pki/CA/{certs,crl,newcerts}
# touch /etc/pki/CA/{serial,index.txt}
# echo 01 > /etc/pki/CA/serial    // the first serial number the CA will issue
# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files


(Screenshot: http://i.imgur.com/fxLy29j.png)



At this point our CA server is fully configured.

Suppose a server wants to use a certificate for secure communication; it needs to request a signed certificate from the CA. (At this point we switch to the CentOS 6.8 host.)

We take the httpd service as an example.

Make sure the httpd service is installed.

# mkdir /etc/httpd/ssl


(1) Generate the private key

# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
.........................+++
e is 65537 (0x10001)
# ll /etc/httpd/ssl/httpd.key
-rw-------. 1 root root 1679 Sep 7 02:55 /etc/httpd/ssl/httpd.key



(2) Generate a certificate signing request

# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

(Screenshot: http://i.imgur.com/ImH0aez.png)


The three fields marked in the screenshot (Country, State/Province and Organization) must be the same as in the CA certificate; otherwise signing may fail, because a self-built private CA uses the default matching policy.



(3) Send the request to the CA host over a trusted channel

Here we use the scp command.

# scp /etc/httpd/ssl/httpd.csr root@10.1.0.111:/tmp    // copy the local httpd.csr file to the /tmp directory of the 10.1.0.111 host

Now we switch back to the CA server, the CentOS 7 host.

Signing a certificate on the CA host

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

httpd.crt is the certificate for the httpd service on the CentOS 6 host.

(Screenshot: http://i.imgur.com/SO8Mb8a.png)



To view the information in the certificate:

# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com



There is also a corresponding record in the CA's database file:

# cat /etc/pki/CA/index.txt
V	170911110034Z		01	unknown	/C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com
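The whole procedure above, both halves of it (building the CA in steps (1) to (3), then generating a server key and CSR and signing it on the CA host), as an added example that is not part of the original post: a POSIX shell script that recreates the /etc/pki/CA layout in a temporary directory with its own minimal openssl.cnf, so it runs without root and without touching the real CA directory. It assumes only that the openssl command-line tool is installed; the temporary directory, the CA's subject name, the server subjects and the file names are all constructed for the demo. Beyond the post it also shows what the matching rule mentioned above looks like in practice (a request whose State field differs from the CA's is refused by policy_match) and adds the checks a practitioner runs after signing: chain verification with openssl verify, the serial, and the index.txt entry.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's procedure
# (private CA, then a server key/CSR signed by it) in a throwaway directory.
# Assumes only the openssl CLI; every path and subject here is constructed.

# Write a minimal openssl.cnf whose [ CA_default ] points at the CA dir.
# policy_match is the stock rule: C, ST and O must equal the CA's values.
write_ca_config() {
    cadir=$1
cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $cadir
certs           = \$dir/certs
crl_dir         = \$dir/crl
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Steps (1)-(3) of the post: CA key, self-signed CA cert, bookkeeping files.
build_demo_ca() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/certs" "$cadir/crl" "$cadir/newcerts"
    write_ca_config "$cadir"
    # The subshell umask keeps the key 0600 without changing the caller's umask
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$cadir/openssl.cnf" \
        -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" -days 365 \
        -subj "/C=CN/ST=Beijing/O=sxj/OU=si/CN=demo-private-ca" || return 1
    : > "$cadir/index.txt"
    echo 01 > "$cadir/serial"    # first serial number the CA will hand out
}

# Server side: private key + CSR; CA side: sign it with openssl ca.
# $1 = CA dir, $2 = subject of the request, $3 = output path prefix.
issue_cert() {
    cadir=$1; subj=$2; out=$3
    (umask 077; openssl genrsa -out "$out.key" 2048 2>/dev/null) || return 1
    # No -days here: a CSR carries no validity period, the CA sets it when signing
    openssl req -new -config "$cadir/openssl.cnf" -key "$out.key" \
        -subj "$subj" -out "$out.csr" || return 1
    # -batch answers the "Sign the certificate?" prompts non-interactively;
    # openssl ca rejects the request if C/ST/O differ from the CA's (policy_match)
    openssl ca -batch -config "$cadir/openssl.cnf" -in "$out.csr" \
        -out "$out.crt" -days 365 2>/dev/null || return 1
}

# Checks the post only shows as screenshots: chain verification and serial.
# Prints "serial=NN"; returns non-zero if the certificate does not chain to the CA.
verify_issued() {
    cadir=$1; crt=$2
    openssl verify -CAfile "$cadir/cacert.pem" "$crt" >/dev/null || return 1
    openssl x509 -in "$crt" -noout -serial
}

main() {
    work=$(mktemp -d)
    build_demo_ca "$work/CA" || return 1
    issue_cert "$work/CA" "/C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com" "$work/httpd" || return 1
    verify_issued "$work/CA" "$work/httpd.crt"
    cat "$work/CA/index.txt"    # V <expiry> <revoked> <serial> unknown <subject>
    # Same CA, but ST differs from the CA's: policy_match makes openssl ca refuse
    if issue_cert "$work/CA" "/C=CN/ST=Shanghai/O=sxj/CN=other.example" "$work/bad"; then
        echo "unexpected: mismatched request was signed"
    else
        echo "as expected: request with ST=Shanghai rejected by policy_match"
    fi
    rm -rf "$work"
}
main
```

Running it prints the serial of the issued certificate, the single V (valid) line in index.txt, and the rejection message for the second request. Because the CA directory is created by mktemp, nothing under /etc/pki is read or written; to reuse the functions against a real CA you would point the config at that directory and keep the key files 0600 as the umask subshell does.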



This article is from the "Homecoming" blog, make sure to keep this source http://sixijie123.blog.51cto.com/11880770/1879880
