Building a private CA
We use OpenSSL to build it, so first let's look at the software's configuration file.
Environment: CentOS 7.2
[root@centos7 ~]# rpm -qc openssl
// No output: the configuration file must belong to one of openssl's supporting packages
[root@centos7 ~]# rpm -qa | grep openssl
openssl-libs-1.0.1e-42.el7.9.x86_64
openssl-1.0.1e-42.el7.9.x86_64
[root@centos7 ~]# rpm -qc openssl-libs
/etc/pki/tls/openssl.cnf
// Found it: the configuration file is owned by openssl-libs
View the configuration file:
[root@centos7 ~]# cat /etc/pki/tls/openssl.cnf
We are mainly interested in the [ ca ] section and the [ CA_default ] section it points to, which define the CA directory (/etc/pki/CA) and the file names used in the steps below.
(1) Build the CA itself; it needs a private key. The key must be placed in the directory, and under the file name (cakey.pem), that the configuration file defines.
[root@centos7 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
// Running the command in a subshell means the umask 077 does not affect the current shell
Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)
[root@centos7 ~]# ll /etc/pki/CA/private/cakey.pem    // the generated private key, readable by root only
-rw-------. 1 root root 1675 Sep 16:57 /etc/pki/CA/private/cakey.pem
(2) Generate the CA's self-signed certificate. Again, the directory and file name (cacert.pem) are already defined in the configuration file.
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
// The interactive prompts for the subject fields are omitted here
[root@centos7 ~]# ll /etc/pki/CA/cacert.pem    // our CA certificate
-rw-r--r--. 1 root root 1302 Sep 17:08 /etc/pki/CA/cacert.pem
(3) Create the directories and files the CA needs (if any of them already exist, simply skip them).
[root@centos7 ~]# mkdir /etc/pki/CA/{certs,crl,newcerts}
[root@centos7 ~]# touch /etc/pki/CA/{serial,index.txt}
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial    // the serial number the first issued certificate will get
[root@centos7 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
At this point our CA server is fully configured.
Suppose a server wants to use a certificate for secure communication. It has to request a signed certificate from the CA (we now switch to the CentOS 6.8 host).
We take the httpd service as an example. Make sure httpd is installed.
[root@centos6 ~]# mkdir /etc/httpd/ssl
(1) Generate the private key
[root@centos6 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
.................+++
e is 65537 (0x10001)
[root@centos6 ~]# ll /etc/httpd/ssl/httpd.key
-rw-------. 1 root root 1679 Sep 7 02:55 /etc/httpd/ssl/httpd.key
(2) Generate the certificate signing request
[root@centos6 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
When answering the prompts, the three fields that the CA's default policy requires to match (Country, State/Province and Organization) must be identical to those in the CA certificate; otherwise our self-built private CA will refuse to sign the request.
(3) Send the request to the CA host over a trusted channel
Here we use scp.
[root@centos6 ~]# scp /etc/httpd/ssl/httpd.csr 10.1.0.111:/tmp    // copy the local httpd.csr to the /tmp directory of the 10.1.0.111 host (the CA)
Now we switch back to the CA server, the CentOS 7 host.
Sign the certificate on the CA host:
[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
// httpd.crt is the certificate for the httpd service on the CentOS 6 host
To view the information in the certificate:
[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com
The CA's database file (index.txt) also records the issued certificate:
[root@centos7 ~]# cat /etc/pki/CA/index.txt
V    170911110034Z        unknown    /C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com
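As an added example (not part of the original post), the following Python script parses that index.txt format and reports which issued certificates are valid, expiring soon, expired or revoked at a given time, which is the check a CA operator wants to run regularly. The sample database is constructed; its first record mirrors the entry above, with serial 01 (as reported by openssl x509) in the serial column.

```python
# Added example, not code from the original post: audit an `openssl ca` database (index.txt).
# Record columns (tab-separated): status (V valid / R revoked / E expired), expiry
# (YYMMDDHHMMSSZ, UTC), revocation time[,reason] or empty, serial, file name, subject DN.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: record 01 mirrors the article's entry; 02 and 03 are invented.
SAMPLE_INDEX = (
    "V\t170911110034Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=sxj/OU=si/CN=asher.com\n"
    "V\t180301000000Z\t\t02\tunknown\t/C=CN/ST=Beijing/O=sxj/OU=si/CN=mail.example.test\n"
    "R\t180101000000Z\t170301090000Z,keyCompromise\t03\tunknown\t/C=CN/ST=Beijing/O=sxj/OU=si/CN=old.example.test\n"
)

class Record(NamedTuple):
    status: str
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str

def parse_time(value: str) -> datetime:
    """Parse the UTCTime form YYMMDDHHMMSSZ that openssl ca writes."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Record]:
    """Parse index.txt; a malformed line raises ValueError instead of being skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, _fname, subject = line.split("\t")
        revoked = reason = None
        if rev:  # revoked entries carry "time[,reason]" in the third column
            rev_time, _, reason = rev.partition(",")
            revoked, reason = parse_time(rev_time), (reason or None)
        records.append(Record(status, parse_time(exp), revoked, reason, serial, subject))
    return records

def audit(text: str, now: datetime, warn_days: int = 30) -> Dict[str, List[str]]:
    """Bucket serials by their state at `now`; 'expiring' = still valid but within warn_days."""
    out: Dict[str, List[str]] = {"valid": [], "expiring": [], "expired": [], "revoked": []}
    for r in parse_index(text):
        if r.status == "R":
            out["revoked"].append(r.serial)
        elif r.status == "E" or r.expires <= now:  # E is set only after `openssl ca -updatedb`
            out["expired"].append(r.serial)
        elif r.expires - now <= timedelta(days=warn_days):
            out["expiring"].append(r.serial)
        else:
            out["valid"].append(r.serial)
    return out
```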
This article is from the "Homecoming" blog; please keep this source: http://sixijie123.blog.51cto.com/11880770/1879880