1. CA Introduction
A CA (Certificate Authority) is the authority that issues certificates and is the core of a PKI. It is responsible for issuing certificates, certifying them, and managing the certificates it has issued. It follows defined policies and concrete procedures to verify and identify a user's identity, and signs the user's certificate so that the identity is bound to the public key. For example, suppose Alice communicates with Bob. If an attacker C eavesdrops on the channel and impersonates Alice to Bob and Bob to Alice, the exchanged information is leaked. A CA is used here to verify the authenticity of both parties' identities.
A certificate contains:
1) the holder's information
2) the CA's information
3) the certificate's intended usage
4) the public key information
PKI (Public Key Infrastructure): its core is the CA.
2. CA creation steps
1) Create a private CA with OpenSSL: generate a key, then create a self-signed certificate.
2) On the node: generate a key pair, generate a certificate signing request (CSR), and send the request to the CA.
3) On the CA: verify the requester's information, sign the certificate, and send the signed certificate back to the requester.
3. Experiment steps
1. Create the CA server and generate a key. The key file must have 400 or 600 permissions (the umask 077 below makes the new file 600).
# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................+++
...+++
e is 65537 (0x10001)
# ls
cakey.pem ccc.pem
The cakey.pem file must be generated in the /etc/pki/CA/private directory (it is the CA key name the default openssl.cnf expects). The ccc.pem file is the one used this time.
2. req: generate a certificate signing request
-x509: generate a self-signed certificate instead of a request
-days N: valid for N days
-new: generate a new request
-key /path/to/keyfile: the private key file to use
-out /path/to/somefile: the file to write the result to
Self-signed certificate:
# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Ha
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:zzc
Organizational Unit Name (eg, section) []:Si
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:cc.ccc.com
# ls
cakey.pem ccc.pem
3. Initialize the CA environment (the database file and the serial number file must exist before openssl ca can run).
# touch /etc/pki/CA/{index1.txt,serial1}
# echo 01 > /etc/pki/CA/serial1
4. The node applies for a certificate.
1) Generate a key pair
# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)
In this case the key pair is generated on another host, the node that will use the certificate.
2) Generate a certificate signing request
# openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Ha
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:zzx
Organizational Unit Name (eg, section) []:localhost.localdomain
Common Name (eg, your name or your server's hostname) []:cc.ccc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the signing request to the CA server
# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/
root@172.16.249.55's password:
htt.csr 100% 1009 1.0KB/s
5. The CA signs the certificate (run from /etc/pki/CA)
# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Henan) and the request (HA)
If these fields are inconsistent the request is not signed, so we need to regenerate the request on the node with a matching State or Province Name: openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 1 05:37:57 2014 GMT
Not After : Aug 31 05:37:57 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = mageedu
organizationalUnitName = Ops
commonName = localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E
X509v3 Authority Key Identifier:
keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14
Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)
Sign the certificate? [y/n]:
6. Send the certificate to the requester (run from /etc/pki/CA)
# scp csr/htt.crt 172.16.31.1:/root
root@172.16.31.1's password:
htt.crt 100% 4556 4.5KB/s
On the node (in /root), move the server certificate into the /etc/httpd/ssl directory and check it there:
# mv htt.crt /etc/httpd/ssl
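The whole procedure above condensed into one script, as an added example rather than the post's own commands: it builds a throw-away CA in a temporary directory, reproduces the stateOrProvinceName rejection from step 5 under the policy_match rules, then signs a matching request and verifies it against the CA certificate. The directory layout, config file and subject names (demo-ca, htt.example, mageedu, Henan/HA) are constructed for the demo, and an openssl binary on PATH is assumed.

```shell
# Added example (not from the original post). Names and paths are constructed.
# Shows the CA/node round trip and why a mismatched ST field is refused.
run_ca_demo() {
    d=$(mktemp -d) || return 1; cfg="$d/openssl.cnf"
    mkdir -p "$d/private" "$d/newcerts" "$d/csr" && : > "$d/index.txt" && echo 01 > "$d/serial"
    # Minimal openssl.cnf; [policy_match] is the block that rejects a mismatched ST.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $d
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 30
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
EOF
    # CA side (steps 1-2): 0600 private key via umask 077, then a self-signed CA cert.
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$cfg" -key "$d/private/cakey.pem" -days 30 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -subj "/C=CN/ST=Henan/O=mageedu/CN=demo-ca" -out "$d/cacert.pem" || return 1
    # Node side (step 4): key pair and two CSRs, ST=HA (mismatch) and ST=Henan (match).
    (umask 077; openssl genrsa -out "$d/csr/htt.key" 2048 2>/dev/null) || return 1
    for st in HA Henan; do
        openssl req -new -config "$cfg" -key "$d/csr/htt.key" \
            -subj "/C=CN/ST=$st/O=mageedu/CN=htt.example" -out "$d/csr/$st.csr" || return 1
    done
    # Step 5: the mismatched request must be refused (non-zero exit, nothing issued).
    if openssl ca -batch -config "$cfg" -in "$d/csr/HA.csr" -out "$d/csr/HA.crt" >/dev/null 2>&1; then
        echo "policy_match did not reject the mismatched CSR" >&2; return 1
    fi
    # The matching request is signed and the result chains to the CA certificate.
    openssl ca -batch -config "$cfg" -in "$d/csr/Henan.csr" -out "$d/csr/htt.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$d/cacert.pem" "$d/csr/htt.crt" >/dev/null || return 1
    rm -rf "$d"
}
```

Call run_ca_demo; it exits 0 only if the mismatched CSR was refused and the matching one was issued and verifies.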
Once the CA signing is complete, I wish you success ~~~
This article is from the "Linux" blog; please be sure to keep this source: http://clarence.blog.51cto.com/8161461/1534949