OpenSSL self-signed certificate generation and single-way verification

What is CA:

CA (Certificate authority) is the abbreviation of digital Certificate Certification Center, refers to the issuing, management, abolition of digital certificate institutions.

The role of a CA is to check the legitimacy of the identity of the certificate holder and issue a certificate (signed on the certificate) to prevent the certificate from being forged or tampered with, and to manage the certificate and key. the structure of the DN (distiguish name) distinguished name in the SSL certificate:

Following the X.500 standard, the purpose of the identity name is to provide a unique name for each network entity. To achieve this, the DN has a hierarchical structure. A DN consists of some columns of RDN (Relative distinguished name, relative identity name).

The RDN of this structure are:

C = US, ST = BEIJING, L = BEIJING, O = RTFM, OU = Consulting, CN = Eric

(C->country, st-> State or provice name, l->locality name, O->organization, Ou->organization Unit, CN-> Common Name)

steps to generate a self-signed certificate: first, establish CA: 1. Create a folder in any directory, any folder name

/home/gouxu/gx/key/ 2. Go to the newly created folder key

cd/home/gouxu/gx/key/ 3. Generate CA Private key

OpenSSL genrsa-out Ca.key 2048

Parameter description:

GENRSA: Generate RSA secret key;

The key file generated by-out Ca.key is Ca.key;

2048: Secret key length is 2048. 4. Generating a CA's certificate with the CA private key

OpenSSL req-new-x509-days 36500-key ca.key-out ca.crt-subj "/c=cn/st=beijing/l=beijing/o=teamsun/ou=teamsun"

(The-x509 option generates a self-signed certificate.) ) 5. Establish the appropriate directory for the CA

Go to the key folder to execute the following command:

mkdir Democa

CD democa/

mkdir Newcerts

Touch Index.txt

echo ' Serial ' > II, Generate server-side certificate 1. Enter the key folder

CD key/ 2. Generating the server private key

OpenSSL genrsa-out server.key 2048 3. Generate a server-side certificate request file using the server private key

OpenSSL req-new-key server.key-out server.csr-subj "/c=cn/st=beijing/l=beijing/o=teamsun/ou=guoxu/cn=guoxu"

(A certificate request file is generated without the-x509 option.) 4. Use the server certificate request file to generate a self-signed certificate from the CA

OpenSSL ca-in server.csr-out server.crt-cert ca.crt-keyfile ca.key 5. Verifying the server certificate

gouxu@gouxu-pc:~/gx/key$ OpenSSL verify-cafile ca.crt server.crt

Server.crt:OK

gouxu@gouxu-pc:~/gx/key$

three, two-way authentication needs to generate client certificate 1. Go to the key folder

CD key/ 2. Generate Client private key

OpenSSL genrsa-out client.key 2048 3. Generate client-side certificate request file using client private key

OpenSSL req-new-key client.key-out client.csr-subj "/c=cn/st=beijing/l=beijing/o=teamsun/ou=guog/cn=guog"

Note If the following error occurs, you need to change the OU domain with the CN domain to regenerate the certificate request file.

Sign the certificate? [Y/n]:y

Failed to update database

txt_db Error number 2 4. Generate a self-signed certificate using the client certificate request file

OpenSSL ca-in client.csr-out client.crt-cert ca.crt-keyfile ca.key 5. Verifying Client Certificates

gouxu@gouxu-pc:~/gx/test$ OpenSSL verify-cafile ca.crt client.crt

Client.crt:OK

gouxu@gouxu-pc:~/gx/test$

Iv. Testing 4.1 Testing one-way authentication with the server certificate 1. Open windows 1 start server

gouxu@gouxu-pc:~/gx/test$ OpenSSL s_server-accept 10001-key server.key-cert server.crt

Using Default Temp DH parameters

Using Default Temp ECDH parameters

ACCEPT

2. Open windows 2 to start the client

gouxu@gouxu-pc:~$ OpenSSL S_client-connect localhost:10001

CONNECTED (00000003)

... ...

(The command should be written in OpenSSL S_client-connect localhost:10001-cafile/tmp/key/ca.crt, if you do not pour the CA certificate, although it does not affect the SSL channel setup process, However, there will be an error in the process of verify the server certificate, and the error message disappears after the CA certificate has been added. 3. When the connection succeeds, the input string in either window is transmitted to another window echo. 4.2 Two-way test using server certificate and client certificate 1. Open windows 1 start server. (with verify parameter, mandatory client certificate required)

gouxu@gouxu-pc:~/gx/test$ OpenSSL s_server-accept 10001-key server.key-cert server.crt-verify 5 2. Open windows 2 Start client

gouxu@gouxu-pc:~/gx/test$ OpenSSL s_client-connect localhost:10001-cert client.crt-key client.key 3. If the two-way certificate is correct, the connection is successful. Otherwise, the connection fails. 4. You can send messages in two directions through the console.