Describe how to create a private CA with OpenSSL

In this blog I talk about the principle of encryption and decryption and related algorithms and implementation: http://starli.blog.51cto.com/8813574/1671408

What is a CA? Why do I need a CA? First look at the following Internet Security communication model!

Now the most commonly used security communication models on the Internet:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/6F/6B/wKiom1Wbj03zPkvAAACz-_IZLNA961.jpg "title=" 8.png " alt= "Wkiom1wbj03zpkvaaacz-_izlna961.jpg"/>

The following steps are performed by the sender when sending the data (corresponding to the sender's 1, 2, and 3, respectively):

1, the sender will need to carry out secure transmission of data on the Internet using a one-way encryption algorithm to extract the characteristics of the data, and then use their own private key to encrypt the feature code in the tail of the data;

2, the sender generates a one-time symmetric encryption algorithm secret key, and then uses the symmetric encryption algorithm and the generated secret key to encrypt the data and the encrypted signature code to generate ciphertext;

3, the secret key used in the previous step symmetric encryption is encrypted with the public key of the receiving party and placed behind the cipher, and then the data can be placed on the internet for transmission.

The following steps are performed by the receiving party after receiving the data (corresponding to 1, 2, 3 of the receiver, respectively):

1. After receiving the data, the receiving party decrypts the secret key of the encrypted symmetric encryption algorithm with its own private key. ( can verify the confidentiality of the data if it can decrypt )

3, the receiver uses the same one-way encryption algorithm with the sender to extract the decrypted data signature, and then use the sender's public key to decrypt the encrypted data from the previous step of the signature ( if you can decrypt, you can send the identity of the receiver ), and compare whether the two signatures are consistent. ( if consistent, you can verify the integrity of the data ).

in the above communication process, because the public key is public, anyone can get and use. So in the process of secure communication on the Internet, how can both parties reliably get the public key of each other? This requires a means to achieve. A CA is a means of achieving a reliable access to the public key for both sides of the communication. The CA is implemented by issuing certificates to the communicator, the current common certificate format is X509, and the basic format of the certificate is as follows:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6F/69/wKioL1WbmQ-g9rjVAADrUqTggqg256.jpg "title=" 9.png " alt= "Wkiol1wbmq-g9rjvaadruqtggqg256.jpg"/>

If you want to use a certificate for secure communication on the Internet, you need to build a private CA and a process for issuing the certificate, with the following procedures and steps:

To establish a private CA server:

1. Generate the private key for the CA itself

2. Then extract the public key from the CA's private key to issue a self-signed certificate to itself

3. Initializing CA Working environment

Client Request Certificate

1. Generate a certificate signing request locally

2. Copy the request to the CA server

3. CA Sign Certificate

4. Pass the certificate to the client

With the CA-issued certificate, the communication process is as follows (this process is also known as the process of SSL session setup):

To be continued .....

This article is from "Chalet Technology" blog, please make sure to keep this source http://starli.blog.51cto.com/8813574/1671772

Describe how to create a private CA with OpenSSL