Creation of OpenSSL and private CAs

Source: Internet
Author: User
Tags: CA, OpenSSL, RSA, X.509

SSL (Secure Sockets Layer) is a security protocol that provides confidentiality and data integrity for network communication. Its successor is TLS (Transport Layer Security). SSL and TLS encrypt the network connection at the transport layer.

Encryption mainly addresses three aspects: confidentiality, integrity, and availability. Confidentiality covers data confidentiality and privacy; integrity covers data integrity and system integrity.

Encryption algorithms and protocols fall into four groups: symmetric encryption, public key encryption, one-way encryption (hashing), and authentication protocols.

Symmetric encryption: encryption and decryption use the same key; common algorithms are DES, 3DES, AES, Blowfish, etc.

Characteristics:

1. Encryption and decryption use the same key;

2. The original data is divided into fixed-size blocks, which are encrypted one by one;

Defects:

1. Too many keys (one per pair of communicating parties);

2. Key distribution (the shared key must somehow reach the other party safely);

Public key cryptography: keys come in pairs.

Public key: published to everyone; pubkey

Private key: kept by the owner, whose privacy must be guaranteed; secret key

Characteristic: data encrypted with the public key can only be decrypted with its paired private key, and vice versa;

Uses:

Digital signature: mainly so that the receiver can confirm the sender's identity (the sender signs with its private key, the receiver verifies with the sender's public key);

Key exchange: the sender encrypts a symmetric key with the other party's public key and sends it to the other party;

Data encryption: rarely used directly, because public key operations are far slower than symmetric ones;

Algorithms: RSA, DSA, ElGamal

One-way encryption (hashing): can only encrypt, never decrypt; used to extract a data fingerprint; common algorithms: MD5, SHA-1, SHA-256, etc.

The common encryption process today combines all of the mechanisms described above.

For example, when two hosts communicate: the sender first uses a one-way algorithm to extract a fingerprint of the file data, encrypts that fingerprint with its own private key (the signature) and appends it to the file, then encrypts all of that data with a symmetric key, and finally encrypts the symmetric key with the other party's public key and appends it to the file. The other party then decrypts layer by layer. The exchange of the public keys is the critical step here, and it is handled by a third-party certification authority.

The third party signs a certificate for one party. Before the two parties start communicating, one party first sends its certificate to the other; the other party then checks with the certification authority whether the signature is trustworthy. If there is no problem, verification passes, and since the certificate contains the other party's public key, the public key exchange is accomplished.

But you need the third party's public key to verify the other party's certificate, so how do you know that this really is the third party's public key? That is what PKI is for.

PKI (Public Key Infrastructure) consists of:

Certification Authority: CA

Registration Authority: RA

Certificate Revocation List: CRL

Certificate repository (certificate access library)

The current standard specification for certificates is X.509, which defines the structure of the certificate and the standard of the authentication protocol. A certificate contains:

Version number

Serial number

Signature algorithm ID

Issuer name

Validity period

Subject name

Subject public key

Issuer unique identifier

Subject unique identifier

Extensions

Issuer signature

OpenSSL is the SSL implementation used under Linux. It consists of three components:

openssl: multi-purpose command-line tool; libcrypto: general-purpose cryptographic library; libssl: library implementing SSL and TLS

The openssl command has three types of subcommands: standard commands, message digest commands, and cipher commands. Their detailed usage is not covered here; the ones mainly used are the following:

Generate a random number:

openssl rand -base64|-hex NUM

NUM is the number of bytes; with -hex, each output character encodes 4 bits, so the number of characters printed is NUM*2;

Generate a key pair:

openssl genrsa -out /path/to/privatekey.file NUM_BITS

Example: (umask 077; openssl genrsa -out key.pri 2048). The command runs umask 077 in a subshell so that other users have no permission to read the key file, and then creates the key pair; because it is a subshell, the parent shell's umask is unchanged.

Extract the public key:

openssl rsa -in /path/from/privatekey.file -pubout

Establishing a private CA:

Tools: OpenCA, OpenSSL

Certificate application and signing procedure:

1. Generate the application request;

2. The RA verifies the request;

3. The CA signs it;

4. Obtain the certificate;

The following shows a private CA created with OpenSSL, together with a certificate request and its signing.

The OpenSSL configuration file is /etc/pki/tls/openssl.cnf; modify it as needed, or leave it unchanged.


In the configuration file, the CA section contains the CA settings: the dir line defines the working directory of the CA, and so on. The comments after # explain what each line defines.


(1) Create the required files and give the serial number its starting value

touch index.txt

echo 01 > serial


(2) CA self-signed certificate

First create the key, then issue yourself a certificate

(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)


openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request;

-x509: used only by a CA to generate a self-signed certificate;

-key: the private key file used to generate the request;

-days N: validity period of the certificate in days;

-out /path/to/somecertfile: the path where the certificate is saved;

With that, the CA's own certificate is done, and it can issue certificates to others.

(3) Issuing certificates

(a) Generate a certificate request on the host that will use the certificate;

# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr


(b) Transfer the request file to the CA;


(c) The CA signs the certificate and sends it back to the requester;

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365


To view the information in a certificate:

openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial

With that, a private CA is created and can issue certificates to others.
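The whole procedure above, steps (1) through (3c) plus a final verification, as an added example that is not part of the original article: a POSIX shell function that builds a throwaway CA in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf. It assumes openssl is on PATH; the directory layout, the subject names and the hypothetical server name www.example.test are assumptions made for this demo.

```shell
#!/bin/sh
# Builds a private CA in a temporary directory, issues one certificate for a
# hypothetical web server and verifies it against the CA. Prints the CA dir.
# Paths and subject names are assumptions for this demo, not from the article.
build_private_ca() {
    ca=$(mktemp -d) || return 1
    mkdir -p "$ca/private" "$ca/newcerts"
    touch "$ca/index.txt"          # (1) CA database, starts empty
    echo 01 > "$ca/serial"         # (1) first serial number to issue
    # Minimal config standing in for /etc/pki/tls/openssl.cnf; $dir is an
    # OpenSSL config variable, $ca is expanded by the shell here.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # (2) CA key and self-signed certificate; umask 077 keeps the key private.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -days 7300 -subj "/CN=Demo Private CA" -out "$ca/cacert.pem" || return 1
    # (3a) the server host generates its own key and a signing request.
    (umask 077; openssl genrsa -out "$ca/httpd.key" 2048 2>/dev/null) || return 1
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/httpd.key" \
        -subj "/CN=www.example.test" -out "$ca/httpd.csr" || return 1
    # (3c) the CA signs the request; -batch skips the interactive y/n prompts.
    openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/httpd.csr" \
        -out "$ca/httpd.crt" -days 365 -notext 2>/dev/null || return 1
    # Check the chain the way a client would, and that the CA recorded it.
    openssl verify -CAfile "$ca/cacert.pem" "$ca/httpd.crt" >/dev/null || return 1
    grep -q "CN=www.example.test" "$ca/index.txt" || return 1
    echo "$ca"
}
```

Every issued certificate is also copied into newcerts/ under its serial number, which is the record the CA later uses to build a CRL.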



This article is from the "10520982" blog, please be sure to keep this source http://10530982.blog.51cto.com/10520982/1696317
