Create a private CA server and a private ca Server

Create a private CA server and a private ca Server
What is a certificate?

It is used to prove that something is indeed something. In general, certificates are like official seals. The official seal proves that the relevant documents are indeed issued by the corresponding company.

In theory, everyone can find a certificate tool and create a certificate by themselves.

What is CA?

CA stands for Certificate Authority, also known as "Certificate authorization center ". It is a third-party organization responsible for managing and issuing certificates.

What is a CA certificate?

A ca certificate is a certificate issued by a CA.

As mentioned above, everyone can find a tool to create a certificate. However, the certificate is useless because it is not authoritative.

Certificate issuance process

A. The service provider S submits the public key, organization information, personal information (Domain Name) and other information to the third-party CA and applies for authentication.

B. CA verifies the authenticity of information provided by the applicant, such as whether the organization exists, whether the enterprise is legal, and whether it owns the domain name through online, offline, and other means.

C. If the information is approved, the CA will issue an authentication document-certificate to the applicant.

The certificate contains the following information: requester's public key, requester's organization information and personal information, issuer's CA information, validity period, certificate serial number, and other information in plain text. It also contains a signature

Signature generation algorithm: first, the hash function is used to calculate the summary of Public plaintext information, and then the private key of CA is used to encrypt the information digest. The ciphertext is the signature.

D. When client C sends a request to server S, S returns the Certificate file

E. client C reads the relevant plaintext information in the certificate and uses the same hash function to calculate the information digest. Then, it decrypts the signature data using the corresponding CA Public Key and compares the certificate information digest, if they are consistent, you can confirm the validity of the certificate, that is, the Public Key is legal;

F. The client then verifies the certificate-related domain name information, validity period, and other information.

G. The client will trust the certificate information (including the public key) of the CA. If the CA is not trusted, the certificate of the corresponding CA cannot be found, and the certificate will be determined invalid.

Notes in this process

1. You do not need to provide a private key when applying for a certificate. Make sure that the private key is always available to the server.

2. The validity of the certificate is still dependent on the asymmetric encryption algorithm. The certificate mainly adds server information and signature.

3. The certificate corresponding to the built-in CA is called the root certificate. The issuer and the user are the same and self-signed, that is, the self-signed certificate.

Certificate = Public Key + requester and issuer information + Signature

CA certificates are commonly used for https (SSL encryption)

 

 

Centos 7 is a server

Centos 6 is the Client requesting the CA certificate

1. Set up a CA Server

CA certificate root directory/etc/pki/CA

1. Generate a private key

() Indicates running in the subbash to avoid changing the umask value in the current Shell.

Generate a private key using genrsa

-Out: the private key storage path cakey. pem must be the same as the key name in the configuration file.

2048 Key Length

2. Self-signed documents

Req generate a Certificate Signing Request

-X509: generate self-signed certificate

-Days n valid days of the certificate

-New request

-Key/path/to/keyfile: Specify the private key file

-Out/path/to/somefile output file location

3. create files required for the CA Server

Touch/etc/pki/CA/index.txt generate certificate index database file

Echo 01>/etc/pki/CA/serial specifies the serial number of the first issued certificate

 

Ii. Client Certificate Application

1. Generate a private key

2. Generate a certificate request

 

The three highlighted items must be the same as those of the CA server.

General csr for Certificate Application

3. Send the signing request file to the CA Server

 

Iii. CA server signing Certificate

1. Sign the certificate on the CA Server

2. Send to client applicant

 

Iv. revoke a certificate

(1) node request revocation

1. Get the certificate serial

X509 Certificate Format

-In certificate to be revoked

-Noout: no additional information is output.

-Serial: displays the serial number.

-Subject: displays subject information.

(2) CA verification information

1. confirm that the submitted serialand subjectinformation is consistent with the information in the index.txt file.

2. revoke the certificate

-Revoke: delete a certificate

View the list of revoked certificates

3. Specify the Certificate Revocation number (if it is the first revocation)

4. Update the Certificate Revocation List

-Gencrl: generate a Certificate Revocation List

5. view the crl File Content

-Text is displayed as text