Create a simple digital certificate center

Source: Internet
Author: User
Tags ldap openssl api openldap

We have briefly introduced digital certificates and the digital certificate authentication center (CA) earlier. The CA is the core component of a PKI, and digital certificates are its basis, so we will first implement a simple digital certificate authentication center. Because I have not built a real CA center before and have only laid a theoretical foundation for further research, this exercise is limited to understanding and getting familiar with the workflow of a CA center.
This simple digital certificate center has three main parts:
RA: the registration center. It provides the interactive services for users through a web server (Apache + mod_ssl): filling in certificate request forms, installing the root certificate, querying and downloading user certificates, and so on.
CA: the certification center. Programs written against the OpenSSL API generate the various certificates and the CRL; the CA receives requests from the RA through CGI and performs certificate generation, CRL generation, data archiving and private key archiving.
LDAP server: stores the user certificates and the CRL and answers requests from the RA, such as querying and downloading certificates.
Next we install the necessary software. This should really be done on Linux, which supports the software below much better, but for convenience it is described here on Windows; both efficiency and security will be worse there.

I. OpenSSL installation. There is nothing special about it: follow the OpenSSL installation manual for Windows step by step. The main steps are:
1. Install ActivePerl.
2. Extract openssl-0.9.7d to drive C.
3. Extract vc60ssl097.tar into the OpenSSL directory.
4. C:/OpenSSL> perl Configure VC-WIN32
5. ms/do_ms.bat
6. perl msvc097/doinc.pl
7. Open OpenSSL.dsw in msvc097.
8. Build -> Batch Build -> Build All.

II. Apache + PHP installation
1. Install apache_1.3.31-win32-x86-no_src to drive C, edit httpd.conf, change DocumentRoot to the directory that will hold the web pages, save, and restart the Apache service.
2. Extract php-5.0.2-Win32 to C:/php5. In the PHP directory rename php.ini-recommended to php.ini and copy it to the Apache directory. A few settings in it have to be changed:
extension_dir = ./ to extension_dir = C:/php5
doc_root = to doc_root = D:/www
session.save_path = /tmp to session.save_path = C:/winnt/temp
;upload_tmp_dir = to upload_tmp_dir = C:/winnt/temp
;default_charset = iso-8859-1 to default_charset = ??????
3. After editing php.ini, copy php5ts.dll from the PHP directory to C:/winnt/system32, and copy php5apache2.dll to Apache/modules (if Apache 1.x is used, as here, copy php5apache.dll instead).
4. Edit Apache's httpd.conf and add the following at the end of the file:
LoadModule php5_module modules/php5apache2.dll (modules/php5apache.dll for Apache 1.x)
AddType application/x-httpd-php .php
Find the DirectoryIndex index.html line and add index.php in front of index.html, separated by a space; then save and restart to test.
On Windows it is very troublesome to load mod_ssl and PHP into Apache as modules (no problem on Linux), so we have to give up mod_ssl here, which means the HTTPS service cannot be offered later (Linux is clearly the better choice). We recommend leaving PHP's register_globals = off and reading request data through $_POST, $_GET and the other superglobals: with register_globals on, any request parameter can silently overwrite a script variable, which is a classic source of authentication-bypass and file-inclusion bugs.

III. OpenLDAP installation
1. Install openldap-2_000029-1-win32.exe, clicking Next all the way through.
2. Edit slapd.conf and add:
include "D:/OpenLDAP/etc/schema/cosine.schema"
include "D:/OpenLDAP/etc/schema/inetorgperson.schema"
allow bind_v2
Change suffix, rootdn, rootpw and so on (prefer a hashed rootpw generated with slappasswd over a clear-text password in the file).
3. Add the following to inetorgperson.schema; it defines a new objectClass. The attributes cn, c, st, l, o, ou and userCertificate come from core.schema, mail from cosine.schema and userPKCS12 from inetorgperson.schema, which is why the two includes above are needed. The OID used here lies under Netscape's 2.16.840.1.113730 arc; a real deployment should use an OID arc of its own so the class cannot collide with a schema somebody else loads.
objectclass ( 2.16.840.1.113730.3.2.3
    NAME 'guestCertificate'
    DESC 'guestCertificate'
    SUP top STRUCTURAL
    MAY ( mail $ userCertificate $ cn $ c $ st $ l $ o $ ou $ userPKCS12 ) )

4. Add the root entry. Write an LDIF file containing the following and load it with ldapadd, bound as the rootdn:
dn: dc=sage,dc=com
objectClass: dcObject
objectClass: organization
o: Sage
dc: sage

Specific implementation:
RA: certificate request, revocation, verification and other operations are sent to the CA through CGI (no manual review of requests is done here); certificate download and access to the LDAP server go through PHP (covered in the earlier article).
CA: this part is implemented mainly with the OpenSSL API (see the article on generating certificates with the OpenSSL API).
LDAP part: saves the certificates generated by the CA part to LDAP and supports querying and downloading them (see the LDAP article).
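The whole flow described above (the CA part, the LDAP part, and the guestCertificate class from section III) as an added, runnable example. This is not the article's own code, which uses the OpenSSL C API; it is the same process driven from the openssl command-line tool in a POSIX shell. The CA name "SAGE CA", the users, the file ids, the fixed PKCS#12 password and the dc=sage,dc=com suffix are assumptions chosen to match the article, and the openssl tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not the article's code): the CA process from the article driven with the
# openssl command-line tool instead of the OpenSSL C API. Assumes a POSIX shell and openssl;
# the CA name, the users and the dc=sage,dc=com suffix are made up to match the article.
set -eu
CADIR="${CADIR:-$(mktemp -d)}"   # working directory for all CA state

# Layout and config that "openssl ca" expects: index.txt (database of issued/revoked certs),
# serial and crlnumber counters. The policy section decides which DN fields a request needs.
setup_ca() {
    mkdir -p "$CADIR/certs" "$CADIR/private"
    : > "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = sage_ca
[ sage_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = user_policy
x509_extensions  = user_cert
[ user_policy ]
commonName       = supplied
emailAddress     = optional
organizationName = optional
[ user_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Self-signed root certificate: the "root certificate" the RA site offers for download
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=SAGE CA/O=Sage" \
        -config "$CADIR/openssl.cnf" -extensions v3_ca \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
    publish_crl
}

# The CRL is regenerated from index.txt; an empty database gives an empty but valid CRL.
publish_crl() {
    openssl ca -batch -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
}

# Key and CSR as the RA collects them from the user, then the CA signature. $1 is a file id.
issue_user_cert() {
    id="$1"; cn="$2"; mail="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CADIR/openssl.cnf" \
        -subj "/CN=$cn/emailAddress=$mail/O=Sage" -keyout "$CADIR/$id.key" -out "$CADIR/$id.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -in "$CADIR/$id.csr" -out "$CADIR/$id.pem" 2>/dev/null
    # PKCS#12 bundle (certificate, private key, CA certificate) for key archiving / userPKCS12
    openssl pkcs12 -export -in "$CADIR/$id.pem" -inkey "$CADIR/$id.key" -certfile "$CADIR/cacert.pem" \
        -out "$CADIR/$id.p12" -passout pass:changeit 2>/dev/null
}

# What the RA must do before trusting a user certificate: chain check plus current-CRL check
verify_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" -crl_check -CRLfile "$CADIR/crl.pem" "$CADIR/$1.pem"
}

# Revocation marks the index.txt line "R"; relying parties only see it once a new CRL is published
revoke_cert() {
    openssl ca -batch -config "$CADIR/openssl.cnf" -revoke "$CADIR/$1.pem" -crl_reason keyCompromise 2>/dev/null
    publish_crl
}

# LDIF for the LDAP part: one entry of the article's guestCertificate class. The DER certificate
# is base64 after "::" (LDIF binary form); continuation lines start with a single space.
cert_to_ldif() {
    id="$1"; cn="$2"; mail="$3"
    der_b64=$(openssl x509 -in "$CADIR/$id.pem" -outform DER | openssl base64 -A)
    {
        echo "dn: cn=$cn,dc=sage,dc=com"
        echo "objectClass: guestCertificate"
        echo "cn: $cn"
        echo "mail: $mail"
        printf 'userCertificate;binary:: %s\n' "$der_b64" | fold -w 75 | sed '2,$s/^/ /'
    } > "$CADIR/$id.ldif"
}

# Run the flow once: issue, export, verify, revoke, verify again (must fail now)
setup_ca
issue_user_cert testuser "Test User" testuser@sage.com
cert_to_ldif testuser "Test User" testuser@sage.com
verify_cert testuser
revoke_cert testuser
if verify_cert testuser; then echo "BUG: revoked certificate still verifies"; exit 1; fi
echo "CA database ($CADIR/index.txt):"; cat "$CADIR/index.txt"
```

Run it with sh; it prints the verify results and the CA's index.txt and leaves cacert.pem, crl.pem, testuser.pem, testuser.p12 and testuser.ldif in $CADIR (a temporary directory unless CADIR is set). The LDIF can be loaded with ldapadd once the guestCertificate class from section III is in the schema; OpenLDAP 2.x wants the ;binary option on userCertificate. Two things the article glosses over are visible in the script: a revocation only reaches relying parties after a fresh CRL is published, so the RA's check must always use the current CRL, and the PKCS#12 bundle contains the user's private key, so storing it in the directory (the userPKCS12 attribute) is only acceptable behind a strong per-user passphrase and TLS, not the fixed pass:changeit used here for demonstration.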

This simple CA center only demonstrates the process, so please forgive its immaturity and mistakes. When the web pages are accessed, we recommend running on Linux and using an HTTPS connection.
