Establish a CA through OpenSSL

Source: Internet
Author: User
Tags: modulus

1 CA Introduction

A CA (certificate authority) is the certificate issuing authority and the core of a PKI. It is the authoritative body responsible for issuing certificates, authenticating certificates and managing the certificates it has issued. It needs policies and concrete procedures to verify and identify a user's identity, and it signs the user's certificate to bind that identity to a public key. For example, suppose Alice communicates with Bob and an attacker C can intercept the traffic: by impersonating Alice to Bob and Bob to Alice, C can read the exchanged information. A CA is used here to confirm the authenticity of both parties' identities. A certificate contains: 1. the holder's information; 2. the CA's information; 3. the certificate's intended usage; 4. the public key. PKI (Public Key Infrastructure) is the infrastructure built around public keys, and the CA is its core.

2 CA creation steps

1) On the CA: OpenSSL creates a private CA, which means generating a key and a self-signed certificate.

2) On the node: generate a key pair; generate a certificate signing request (CSR); send the request to the CA.

3) On the CA: verify the requester's information, sign the certificate, and send the signed certificate back to the requester.

3 Experiment steps

1. Create the CA server and generate its key. The private key file must be readable by its owner only (mode 400 or 600); running genrsa in a subshell with umask 077 creates it that way.

[user@ca-host private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)

Generating RSA private key, 2048 bit long modulus

........................................................................................+++

...+++

e is 65537 (0x10001)

[user@ca-host private]# ls

cakey.pem ccc.pem

The key file cakey.pem must be generated in the /etc/pki/CA/private directory; that is the path the default openssl.cnf points the ca command at. In this experiment the ccc.pem file is used.


2. req: generate a certificate signing request

-x509 generate a self-signed certificate instead of a request

-days n the certificate is valid for n days

-new generate a new request

-key /path/to/keyfile the private key file to use

-out /path/to/somefile the file the result is written to

Self-signed certificate

[user@ca-host private]# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Ha

Locality Name (eg, city) [Default City]:ZZ

Organization Name (eg, company) [Default Company Ltd]:zzc

Organizational Unit Name (eg, section) []:Si

Common Name (eg, your name or your server's hostname) []:localhost.localdomain

Email Address []:cc.ccc.com

[user@ca-host private]# ls

cakey.pem ccc.pem

The listing of private/ still shows only the two keys, because the self-signed certificate was written one level up, to /etc/pki/CA/cace.pem.

3. Initialize the CA environment. The ca command keeps its database and the next serial number in files named in /etc/pki/tls/openssl.cnf (index.txt and serial under /etc/pki/CA), so they must exist before the first signature. The same config names the CA certificate as /etc/pki/CA/cacert.pem and the key as /etc/pki/CA/private/cakey.pem; if you keep the ccc.pem and cace.pem names used above, point openssl.cnf at them, or the ca command in step 5 will not find them.

[user@ca-host private]# touch /etc/pki/CA/{index.txt,serial}

[user@ca-host private]# echo 01 > /etc/pki/CA/serial

4. The node applies for a certificate.

1) Generate a key pair

[user@node-host ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)

Generating RSA private key, 2048 bit long modulus

...+++

...+++

e is 65537 (0x10001)

In this case the key pair is generated on a different host from the CA, and the private key never leaves it; only the request is sent to the CA.

2) generate a Certificate Signing Request


[user@node-host ssl]# openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Ha

Locality Name (eg, city) [Default City]:ZZ

Organization Name (eg, company) [Default Company Ltd]:zzx

Organizational Unit Name (eg, section) []:localhost.localdomain

Common Name (eg, your name or your server's hostname) []:cc.ccc.com

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


3) Send the signing request to the CA server

[user@node-host ssl]# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/

user@172.16.249.55's password:

htt.csr 100% 1009 1.0KB/s


5. The CA signs the certificate

[user@ca-host CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

The stateOrProvinceName field needed to be the same in the

CA certificate (Henan) and the request (HA)

The default policy in openssl.cnf (policy_match) requires the country, state/province and organization fields of the request to equal those of the CA certificate; because they differ here, the request is not signed. The CSR therefore has to be regenerated on the node with matching values:

[user@node-host ssl]# openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr


[user@ca-host CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Aug 1 05:37:57 2014 GMT

Not After : Aug 31 05:37:57 2014 GMT

Subject:

countryName = CN

stateOrProvinceName = Henan

organizationName = mageedu

organizationalUnitName = Ops

commonName = localhost.localdomain

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E

X509v3 Authority Key Identifier:

keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14

Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)

Sign the certificate? [y/n]:


3) Send the signed certificate to the requester

[user@ca-host CA]# scp csr/htt.crt 172.16.31.1:/root

user@172.16.31.1's password:

htt.crt 100% 4556 4.5KB/s

[user@node-host ~]# mv htt.crt /etc/httpd/ssl

The server certificate now sits in /etc/httpd/ssl next to its private key, where the web server can load it.
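The whole procedure above, condensed into one non-interactive script as an added example; it is not part of the original post. It builds the CA in a scratch directory with a minimal openssl.cnf whose CA_default file names and policy_match section mirror the stock CentOS configuration, issues a certificate for a request whose C/ST/O match the CA, reproduces the stateOrProvinceName rejection with a second request, and ends with the checks the post does not show: openssl verify against the CA certificate, CA:FALSE on the issued certificate, owner-only mode on the key file, and the entry count in the CA's index.txt. All directory names, subject values and hostnames in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the post's private-CA workflow,
# run non-interactively in a scratch directory. Directory names, subject values
# and hostnames are constructed; the minimal config written below stands in for
# the stock /etc/pki/tls/openssl.cnf of a real CA host.
set -eu
LAB="${LAB:-$(mktemp -d)}"
CADIR="$LAB/CA"

# Minimal openssl.cnf. CA_default uses the file names the stock config expects
# (cakey.pem, cacert.pem, index.txt, serial); policy_match is that config's
# default policy: C, ST and O of a request must equal the CA certificate's.
write_config() {
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = $CADIR/index.txt
new_certs_dir   = $CADIR/newcerts
serial          = $CADIR/serial
certificate     = $CADIR/cacert.pem
private_key     = $CADIR/private/cakey.pem
default_md      = sha256
default_days    = 30
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage               = critical,keyCertSign,cRLSign
EOF
}

# CA host: owner-only key (umask 077), self-signed CA cert, empty database.
init_ca() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts" "$CADIR/csr"
    chmod 700 "$CADIR/private"
    write_config
    touch "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/openssl.cnf" -extensions v3_ca \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" -days 30 \
        -subj "/C=CN/ST=Henan/O=mageedu/OU=Ops/CN=demo-ca"
}

# Node host: key pair and CSR. $1 = name, $2 = subject as /C=../ST=../O=../CN=..
make_csr() {
    (umask 077; openssl genrsa -out "$LAB/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -key "$LAB/$1.key" \
        -out "$CADIR/csr/$1.csr" -subj "$2"
}

# CA host: sign CSR $1. -batch answers the "Sign the certificate?" prompt; -notext
# drops the text dump. Success = a non-empty certificate file was written.
sign_csr() {
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -days 30 \
        -in "$CADIR/csr/$1.csr" -out "$CADIR/csr/$1.crt" 2>/dev/null || true
    [ -s "$CADIR/csr/$1.crt" ]
}

# Post-issuance checks: chain verifies, leaf is not a CA, key is owner-only,
# and index.txt (the CA's database) holds exactly the expected entries.
verify_cert()  { openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/csr/$1.crt" >/dev/null; }
is_ca_cert()   { openssl x509 -in "$CADIR/csr/$1.crt" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no; }
key_mode()     { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
issued_count() { wc -l < "$CADIR/index.txt" | tr -d ' '; }

run_demo() {
    init_ca
    make_csr good "/C=CN/ST=Henan/O=mageedu/OU=Ops/CN=www.example.test"
    sign_csr good
    verify_cert good
    echo "good: issued and verifies against cacert.pem; CA cert: $(is_ca_cert good)"
    make_csr bad "/C=CN/ST=HA/O=mageedu/OU=Ops/CN=www.example.test"
    if sign_csr bad; then echo "bad: unexpectedly signed"; return 1; fi
    echo "bad: rejected (ST=HA differs from the CA's Henan); issued so far: $(issued_count)"
    echo "good.key mode: $(key_mode "$LAB/good.key"); artifacts kept in $LAB"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }
run_demo
```

Run it with sh; set LAB=/some/dir to keep the artifacts somewhere other than a fresh mktemp directory. sign_csr reports success only when a non-empty certificate was written rather than trusting the exit status of openssl ca, and issued_count reads index.txt, which is the authoritative record of what the CA has issued: a rejected request must leave it unchanged.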



Once the CA signing is complete, you are done. I wish you success ~~~


This article is from the "Linux" blog; please keep this source: http://clarence.blog.51cto.com/8161461/1534949
