SSL protocol and self-built CA Server

Source: Internet
Author: User
Tags: openssl enc, openssl library, openssl rsa

SSL is the abbreviation of Secure Sockets Layer. It provides confidential transmission over the Internet.

Netscape, which introduced the first web browser, also put forward the SSL protocol standard. Its goal is to ensure the confidentiality and reliability of communications between two applications, with support implemented on both the server side and the client side. It has become the industry standard for secure communication on the Internet.
The Secure Sockets Layer protocol keeps the communication between users and server applications from being eavesdropped on by attackers; it always authenticates the server and can optionally authenticate the user as well. SSL must be built on a reliable transport layer protocol (TCP). Its advantage is that it is independent of the application layer protocol: higher-level application protocols such as HTTP, FTP and telnet can be layered transparently on top of it. Before the application layer protocol starts communicating, SSL has already negotiated the encryption algorithms and the communication keys and authenticated the server; everything the application layer protocol transmits after that is encrypted, which keeps the communication private.
The SSL protocol has three features:
data confidentiality, data integrity, and security verification (authentication of the peer).
OpenSSL ships a command-line tool that exposes all of the functions of the OpenSSL library.

There are four kinds of cryptographic algorithm:
1. Symmetric encryption
2. Public key encryption
3. One-way encryption
4. Authentication protocols

Symmetric encryption algorithms include DES, 3DES, AES (with 128-, 192- or 256-bit keys), Blowfish, Twofish, IDEA and others. Their characteristic is that the same key is used for both encryption and decryption. Block ciphers split the plaintext into fixed-size blocks and encrypt them one by one. The drawbacks are the number of keys that has to be managed (one per pair of communicating parties) and the difficulty of transmitting those keys securely.

Public key (asymmetric) encryption refers to an encryption method built on a pair of uniquely matched keys, a public key and a private key.
Common algorithms include RSA and DSA.

One-way encryption: irreversible; the output cannot be decrypted back to the input.
OpenSSL, the encryption tool in Linux
OpenSSL is a multi-purpose command-line tool; each function is implemented as a sub-command. It is built on two libraries: libcrypto, the general-purpose cryptographic library, and libssl, the SSL/TLS library.

Implementation:
Symmetric encryption:
# openssl enc -des3 -a -salt -in /path/from/somefile -out /path/to/somecipherfile
enc: the encryption sub-command; -des3: the encryption algorithm; -a: base64-encode the output; -salt: add a random salt; -in: the input file; -out: where to write the encrypted file
One-way encryption:
# openssl dgst [-md5|-sha1] [-out /path/to/filename] /path/from/somefile
Generate random data: # openssl rand -base64|-hex num (num is the number of random bytes)
Generate a private key: # (umask 077; openssl genrsa -out /path/to/keyfile numberofbits)
Extract the public key: # openssl rsa -in /path/from/private_key_file -pubout
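The commands above run end to end, as an added example that is not from the original page: it encrypts and decrypts a constructed file with enc -des3 -a -salt, hashes it with dgst, creates a key pair with genrsa and rsa -pubout, and then uses the pair for a signature to show what the two halves are for. The scratch directory, the passphrase and the extra -pbkdf2 flag are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the page): runs the page's enc, dgst, genrsa and rsa -pubout
# commands against constructed input in a scratch directory and checks each result.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
printf 'constructed plaintext for the openssl demo\n' > "$work/plain.txt"

# Symmetric encryption: -des3 -a -salt exactly as on the page; -pbkdf2 is added so the
# passphrase is stretched with a real KDF instead of OpenSSL's legacy key derivation.
sym_roundtrip() {
    openssl enc -des3 -a -salt -pbkdf2 -pass pass:demo-passphrase \
        -in "$work/plain.txt" -out "$work/plain.enc"
    openssl enc -d -des3 -a -pbkdf2 -pass pass:demo-passphrase \
        -in "$work/plain.enc" -out "$work/plain.dec"
    cmp -s "$work/plain.txt" "$work/plain.dec"   # succeeds only if decryption restored the file
}

# One-way hash: prints the hex SHA-256 of a file (last field of "SHA256(file)= hex").
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Key pair: private key created under umask 077 as on the page, public key via rsa -pubout.
gen_keypair() {
    (umask 077; openssl genrsa -out "$work/key.pem" 2048 2>/dev/null)
    openssl rsa -in "$work/key.pem" -pubout -out "$work/pub.pem" 2>/dev/null
    [ "$(ls -l "$work/key.pem" | cut -c1-10)" = "-rw-------" ]   # only the owner can read the key
}

# What the pair is for: a signature made with the private key verifies with the public key.
sign_and_verify() {
    openssl dgst -sha256 -sign "$work/key.pem" -out "$work/plain.sig" "$work/plain.txt"
    openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/plain.sig" \
        "$work/plain.txt" >/dev/null
}
```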

How to build a CA Server

I. Create a CA server

1. Generate a key


2. Self-signed certificate


req: generate a certificate signing request

-new: new request; -key /path/to/keyfile: specify the private key file; -out /path/to/somefile: output file; -x509: generate a self-signed certificate instead of a request; -days n: number of days the certificate is valid

Country Name (2 letter code) [XX]: CN -------- country
State or Province Name (full name) []: Ning -------- province
Locality Name (eg, city) [Default City]: Ning -------- city
Organization Name (eg, company) [Default Company Ltd]: Ning -------- company name
Organizational Unit Name (eg, section) []: Ning -------- department
Common Name (eg, your name or your server's hostname) []: wukui -------- CA host name
Email Address []: -------- email

3. Initialize the work environment


II. Node certificate application

1. Generate a key pair


2. Generate a Certificate Signing Request


3. Send the signing request file to the CA server
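The whole procedure, from generating the CA key to signing the node's request, as an added non-interactive example that is not the page's own commands: it uses a scratch directory in place of /etc/pki/CA, -subj in place of the interactive prompts, and openssl x509 -req in place of openssl ca for the signing step, and it assumes the work-environment step consists of creating the serial counter file, since the page shows that step only as a screenshot. The subject fields copy the page's answers; the node host name is constructed.

```shell
#!/bin/sh
# Added example (not from the page): CA build and node certificate issuance run end to end
# in a scratch directory instead of /etc/pki/CA. Host name node1.example.test is constructed.
set -eu

cadir="$(mktemp -d)"
trap 'rm -rf "$cadir"' EXIT

build_ca() {
    # step 1: CA private key, created under umask 077 so only its owner can read it
    (umask 077; openssl genrsa -out "$cadir/cakey.pem" 2048 2>/dev/null)
    # step 2: self-signed CA certificate (req -new -x509); -subj answers the prompts
    openssl req -new -x509 -key "$cadir/cakey.pem" -out "$cadir/cacert.pem" -days 365 \
        -subj "/C=CN/ST=Ning/L=Ning/O=Ning/OU=Ning/CN=wukui"
    # step 3: work environment: the serial counter consumed by every certificate the CA issues
    # (assumed to be what the page's screenshot shows; openssl ca would also want index.txt)
    echo 01 > "$cadir/serial"
}

issue_node_cert() {
    node="$1"
    # node step 1: the node's own key pair
    (umask 077; openssl genrsa -out "$cadir/$node.key" 2048 2>/dev/null)
    # node step 2: the signing request carries the node's public key and identity, never its private key
    openssl req -new -key "$cadir/$node.key" -out "$cadir/$node.csr" \
        -subj "/C=CN/ST=Ning/L=Ning/O=Ning/OU=web/CN=$node"
    # node step 3: the request goes to the CA, which signs it with the CA key and uses up one serial
    openssl x509 -req -in "$cadir/$node.csr" -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" \
        -CAserial "$cadir/serial" -days 365 -out "$cadir/$node.crt" 2>/dev/null
    # check: the issued certificate must chain back to the CA certificate
    openssl verify -CAfile "$cadir/cacert.pem" "$cadir/$node.crt" >/dev/null
}

# prints the issuer of a certificate, to confirm which CA signed it
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}
```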
