OpenSSL encryption and decryption and CA self-signed certificate issued under CentOS6.5

Source: Internet
Author: User
Tags openssl enc openssl rsa asymmetric encryption
Preface openSSL is a powerful encryption tool. many of us are already using openSSL to create RSA private key or certificate signature requests. However, you can use openSSL to test the computer. speed? You can also use it to encrypt files or messages. Openssl is a suite of open-source programs. it consists of three parts: libcryto, which has

OpenSSL is a powerful encryption tool. many of us are already using openSSL to create RSA private keys or certificate signature requests. However, you may know that you can use openSSL to test computer speed.? You can also use it to encrypt files or messages.


Openssl is a suite of open-source programs. it consists of three parts: libcryto, a general-purpose encryption library, which implements a large number of encryption libraries, and libssl. this implements the ssl mechanism. it is used to implement the TLS/SSL function. The third is openssl, which is a multi-function command line tool. it can implement encryption and decryption, or even become a CA. to use, you can create a certificate, revoke the certificate, here we use openssl enc to encrypt a file look:
# Openssl enc-des3-a-salt-in/etc/fstab-out/tmp/fstab. cipher encryption
# Cat/tmp/fstab. cipher
# Openssl enc-d-des3-a-salt-in/tmp/fstab. cipher-out/path/to/fstab. cipher decryption

Digital certificate:
The certificate format is usually x509 digital certificate format, and other formats such as pkcs.
What are the content of the x509 certificate:
1. the public key is also the validity period.
2. the registrant's personal legal identity information may be a company, an individual, or a host name.
3. certificate usage, for example, used for inter-host authentication.
4. CA (Certificate Authority) information
5. digital signature of CA and self-signed certificate of CA

Public key encryption, also called asymmetric encryption
The biggest feature of public key encryption is key pair. The public key is called public key (pkey) and the private key is called secret key (skey) in general, the public key is used for encryption, and the private key is used for decryption. to implement electronic signatures, the private key is used for encryption, and the public key is used for decryption. you have to save it yourself; public key encryption is generally not used for data encryption, because its encryption speed is slow, three orders of magnitude slower than symmetric encryption (one order of magnitude is 10 times, three is 1000 times) so public key encryption is usually used for key exchange (IKE) and identity authentication.
Common algorithms include RSA and EIGamal. Currently, RSA is a widely used encryption Algorithm, while Digital Signature Algorithm can only be used for Signature but not encryption.
This tool is usually used: gpg, openssl rsautl

One-Way encryption (also called hash algorithm)
If no data fingerprint is generated, it is also called the data digest algorithm, the output is fixed length, the MD5 is 128-bit fixed-length output, and the SHA1 fixed-length output is 160-bit, its feature is not collision every data, as long as there is a difference, will produce a huge change, we call this as an avalanche effect, commonly used algorithms MD5, SHA1, SHA512, commonly used tools include sha2sum, md5sum, cksum, openssl dgst.
# Sha1sum fstab
# Openssl dgst-sha1 fstab

Summary code:
MAC (Message Authentication Code ): generally, it is used to ensure the integrity of transmitted data in network communication. The basic method is to obtain the fixed-length output by using a one-way encryption algorithm based on the data to be communicated by MAC. provides a safe and reliable mechanism for sending data to the receiver. In short, when we send data to the server, the client will calculate the data signature and send the data to the server. however, this pattern cannot be transmitted in this way. it is based on MAC, calls one-way encryption to calculate the pattern, and then sends the encrypted result to the server, so that the pattern will not be modified, this is an implementation of one-way encryption and an extended application;
Common algorithms include CBC-MAC and HMAC.
For openssl, if you are a client, he can help us generate a key pair, help us generate a certificate application, if it is the issuing authority, he can help the issuing authority self-visa, you can also sign you can also generate a revocation list and use openCA globally.
Next, we will use openssl to generate, sign, issue, and revoke certificates:


First, you have to have a certificate. First, you need to sign a certificate and use openssl to implement private CA. the CA working directory is under/etc/pki/CA, and the CA configuration file in/etc/pki/tls/openssl. cnf file.

Generate the CA private key. Note that the public key is extracted from the private key in a certain format. The public key and the private key are paired. the generated private key also has the public key:
# (Umask 077; openssl genrsa-out private/cakey. pem2048)

In the current shell, run the () command to indicate that the command in parentheses should be executed in the sub-shell, 2048 indicates the length of the key, and-out indicates the path for generating the key file to be saved, the permissions for the generated file are 666, and this file cannot be accessed by others, and the permission 600 is obtained in 666-077:
This is not a necessary step to view or extract a public key:
# Openssl rsa-in private/cakey. pem-pubout-text

Generate a self-signed certificate, use the req command in openssl, and call it a certificate request:

# Openssl req-new-x509-key private/cakey. pem-out cacert. pem-days 3650
Create two files in the CA Directory:
# Touch index.txt serial

OK, the CA certificate is available, and the next step is to sign the certificate for the customer; I am here to use another host as a customer and apply to the CA for signing. if you want to use the server, you must be consistent with your server name. here we use web servers, therefore, the generated private key must also be placed in the server directory. here, we use httpd as an example:
Generate a key pair and create a directory to store it:
# Mkdir/etc/httpd/ssl
# (Umask 077; openssl genrsa-out httpd. key 1024)

The client generates a certificate signing request:
# Openssl req-new-key httpd. key-out httpd. csr

Then send httpd. csr to the CA of the remote host.
# Scp httpd. csr

Switch to/tmp on the remote host to see if there is a file named httpd. csr:

So we can sign the CA after checking the information:
# Openssl ca-in/tmp/httpd. csr-out/tmp/httpd. crt-days 3655

Then, send the signed certificate back to the client host:
# Scp httpd. crt

After sending it to the client host, we can check it:
# Ls-l/etc/httpd/ssl

So we can configure the certificate signed by CA on the client host.

If the certificate expires, how can we revoke it? (revoke it on the CA host)
# Openssl ca-revoke httpd. crt

After the certificate is created, we can install it in windows:

Step 1:


Step 2:


Step 3:


Step 4:

Step 5:


Step 6:

OK, the above is the process of making the certificate and installing the certificate in windows, but in the URL path must be to enter the will see the certificate effect, here I am the host name of I have used the experiment. I will not perform the parsing test here. if you are interested, please pay attention to the later articles. if there is something wrong with maxcompute, please point it out. thank you!

This article from "I take youth wine money" blog, please be sure to keep this source

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.