What is a CA:
A CA (Certificate Authority) is the organization that issues, manages and revokes digital certificates.
The role of a CA is to check that the identity of the certificate holder is legitimate and to issue the certificate (by signing it), so that the certificate cannot be forged or tampered with, and to manage certificates and keys.

Structure of the DN (Distinguished Name) in an SSL certificate:
Following the X.500 standard, the purpose of the distinguished name is to give every network entity a unique name. To achieve this the DN is hierarchical: a DN consists of a sequence of RDNs (Relative Distinguished Names).
The RDNs of the following DN are:
   C = US, ST = BEIJING, L = BEIJING, O = RTFM, OU = Consulting, CN = Eric
(C -> country, ST -> state or province name, L -> locality name, O -> organization, OU -> organizational unit, CN -> common name)
Steps to generate a self-signed certificate:

I. Establish the CA
1. Create a folder in any directory, with any name, for example:
   /home/gouxu/gx/key/
2. Go to the newly created folder key:
   cd /home/gouxu/gx/key/
3. Generate the CA private key:
   openssl genrsa -out ca.key 2048
Parameter description:
   genrsa: generate an RSA private key;
   -out ca.key: the generated key file is ca.key;
   2048: the key length is 2048 bits.
4. Generate the CA's certificate from the CA private key:
   openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=beijing/L=beijing/O=teamsun/OU=teamsun"
   (The -x509 option generates a self-signed certificate.)
5. Set up the directory layout that the openssl ca command expects. The default openssl.cnf points the CA at ./demoCA relative to the current directory, so the openssl ca commands below must be run from the key folder.
Go to the key folder and execute the following commands:
   mkdir demoCA
   cd demoCA/
   mkdir newcerts
   touch index.txt
   echo 01 > serial
   (index.txt is the CA's certificate database; serial holds the next certificate serial number in hex, and 01 is the conventional starting value, assumed here.)

II. Generate the server-side certificate
1. Enter the key folder:
   cd key/
2. Generate the server private key:
   openssl genrsa -out server.key 2048
3. Generate a certificate request file (CSR) using the server private key:
   openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=beijing/L=beijing/O=teamsun/OU=guoxu/CN=guoxu"
   (Without the -x509 option a certificate request file is generated instead of a certificate.)
4. Have the CA sign the server certificate request, producing the server certificate:
   openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
5. Verify the server certificate against the CA:
   gouxu@gouxu-pc:~/gx/key$ openssl verify -CAfile ca.crt server.crt
   server.crt: OK
   gouxu@gouxu-pc:~/gx/key$
III. Two-way authentication also needs a client certificate
1. Go to the key folder:
   cd key/
2. Generate the client private key:
   openssl genrsa -out client.key 2048
3. Generate the client certificate request file using the client private key:
   openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=beijing/L=beijing/O=teamsun/OU=guog/CN=guog"
Note: if the following error occurs in step 4, the CA database (index.txt) already holds a certificate with the same subject, which openssl ca refuses by default; change the OU and CN fields and regenerate the certificate request file.
   Sign the certificate? [y/n]:y
   failed to update database
   TXT_DB error number 2
4. Have the CA sign the client certificate request, producing the client certificate:
   openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
5. Verify the client certificate against the CA:
   gouxu@gouxu-pc:~/gx/test$ openssl verify -CAfile ca.crt client.crt
   client.crt: OK
   gouxu@gouxu-pc:~/gx/test$
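The script below is an added example, not part of the original post: it runs the section I to III procedure non-interactively with its own minimal openssl.cnf, so it does not depend on the system configuration's ./demoCA layout, and it reproduces the TXT_DB error number 2 situation from the note above (a second request with the same subject is refused while unique_subject = yes, and succeeds once OU and CN are changed). It also adds extendedKeyUsage to the issued certificates so that openssl verify -purpose sslserver rejects the client certificate, which is the check an mTLS deployment should make. It assumes an openssl binary on PATH; all directory and file names, subjects and config section names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sections I to III run non-interactively
# with a self-contained openssl.cnf. Assumes 'openssl' on PATH; every path, subject
# and section name below is constructed for the example.
set -u

write_ca_config() {        # $1 = absolute CA working directory
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
# the default; it is what refuses a second certificate for the same subject
unique_subject  = yes
x509_extensions = client_ext

# as in the stock policy_match: C, ST and O must equal the CA's own values
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost

[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Private key -> request -> CA-signed certificate (sections II and III).
issue_cert() {             # $1 = CA dir, $2 = file stem, $3 = subject, $4 = extension section
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/ca.cnf" -extensions "$4" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

verifies() {               # $1 = CA dir, $2 = purpose (sslserver/sslclient), $3 = certificate
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3" >/dev/null 2>&1
}

demo_ca_flow() {           # prints one "check:result" word per check
    dir=$(mktemp -d) || return 1
    write_ca_config "$dir"
    mkdir "$dir/newcerts"; : > "$dir/index.txt"; echo 01 > "$dir/serial"
    # Section I: CA private key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" -days 36500 \
        -subj "/C=CN/ST=beijing/L=beijing/O=teamsun/OU=teamsun" -out "$dir/ca.crt" 2>/dev/null
    base="/C=CN/ST=beijing/L=beijing/O=teamsun"
    issue_cert "$dir" server "$base/OU=guoxu/CN=guoxu" server_ext
    issue_cert "$dir" client "$base/OU=guog/CN=guog" client_ext
    r="server:$(verifies "$dir" sslserver server.crt && echo ok || echo FAIL)"
    r="$r client:$(verifies "$dir" sslclient client.crt && echo ok || echo FAIL)"
    # The client certificate must not pass as a server certificate (extendedKeyUsage).
    r="$r client-as-server:$(verifies "$dir" sslserver client.crt && echo ACCEPTED || echo rejected)"
    # The section III note: the same subject again is refused ("TXT_DB error number 2").
    r="$r duplicate:$(issue_cert "$dir" client2 "$base/OU=guog/CN=guog" client_ext && echo ACCEPTED || echo rejected)"
    # The post's remedy: change OU and CN and request again.
    r="$r renamed:$(issue_cert "$dir" client2 "$base/OU=guog2/CN=guog2" client_ext && echo ok || echo FAIL)"
    rm -rf "$dir"
    echo "$r"
}

demo_ca_flow
```

Running the script prints one word per check; the expected line is server:ok client:ok client-as-server:rejected duplicate:rejected renamed:ok. The config passes the working directory in as dir so nothing is written to ./demoCA, and -batch replaces the "Sign the certificate? [y/n]" prompt, which is why the duplicate-subject case shows up as a non-zero exit status rather than the interactive error text quoted in the note.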
IV. Testing
4.1 Testing one-way authentication with the server certificate
1. Open window 1 and start the server:
   gouxu@gouxu-pc:~/gx/test$ openssl s_server -accept 10001 -key server.key -cert server.crt
   Using default temp DH parameters
   Using default temp ECDH parameters
   ACCEPT
2. Open window 2 and start the client:
   gouxu@gouxu-pc:~$ openssl s_client -connect localhost:10001
   CONNECTED(00000003)
   ... ...
   (The command should really be openssl s_client -connect localhost:10001 -CAfile /tmp/key/ca.crt. If the CA certificate is not supplied, the SSL channel is still set up, but verification of the server certificate reports an error; the error disappears once the CA certificate is added.)
3. When the connection succeeds, a string typed in either window is transmitted to, and echoed in, the other window.
4.2 Two-way test using the server certificate and the client certificate
1. Open window 1 and start the server (with the verify parameter, so that a client certificate is mandatory):
   gouxu@gouxu-pc:~/gx/test$ openssl s_server -accept 10001 -key server.key -cert server.crt -CAfile ca.crt -Verify 5
   (-CAfile ca.crt lets the server check the client certificate against the CA. -Verify with a capital V makes the client certificate mandatory; the lowercase -verify option only requests one and lets the connection continue without it.)
2. Open window 2 and start the client:
   gouxu@gouxu-pc:~/gx/test$ openssl s_client -connect localhost:10001 -CAfile ca.crt -cert client.crt -key client.key
3. If both certificates are correct, the connection succeeds; otherwise the connection fails.
4. Messages can then be sent in both directions through the console.
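The two-way test of 4.2 as a script that asserts on the outcome instead of reading it off the console, added here as an example that is not part of the original post. It starts openssl s_server with -www (which answers an HTTP GET and closes the connection, so a successful mutual handshake can be detected by the "HTTP/1.0 200" status line), then connects once with the client certificate and once without it. To keep it short it signs the leaf certificates with openssl x509 -req instead of the openssl ca database used above. It assumes an openssl binary on PATH and a free TCP port on 127.0.0.1; the subjects, file names and port range are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the 4.2 two-way handshake test, scripted.
# Assumes 'openssl' on PATH and a free loopback port; all names and subjects are constructed.
set -u

# A throw-away PKI: CA plus server and client certificates signed with 'openssl x509 -req'.
make_test_pki() {          # $1 = directory; writes ca.crt, ca.key, server.*, client.*
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 365 -subj "/C=CN/O=teamsun/CN=demo-ca" 2>/dev/null || return 1
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/C=CN/O=teamsun/CN=$n" 2>/dev/null &&
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 365 -out "$d/$n.crt" 2>/dev/null || return 1
    done
}

# One request to the server; prints the HTTP status line if the server answered it.
tls_get() {                # $1 = port, $2 = directory, $3.. = extra s_client options
    port=$1; d=$2; shift 2
    printf 'GET / HTTP/1.0\r\n\r\n' |
        openssl s_client -connect "127.0.0.1:$port" -CAfile "$d/ca.crt" -ign_eof "$@" 2>/dev/null |
        grep -o 'HTTP/1.0 200' || true
}

mtls_test() {              # prints "with-cert:<result> without-cert:<result>"
    d=$(mktemp -d) || return 1
    port=$(( 20000 + $$ % 20000 ))
    make_test_pki "$d" || return 1
    # Server side of 4.2: -CAfile to check client certificates, -Verify (capital V) to require one.
    openssl s_server -4 -accept "$port" -key "$d/server.key" -cert "$d/server.crt" \
        -CAfile "$d/ca.crt" -Verify 1 -www >/dev/null 2>&1 &
    srv=$!
    with=""; i=0
    while [ -z "$with" ] && [ $i -lt 10 ]; do   # retry until the listener is up
        with=$(tls_get "$port" "$d" -cert "$d/client.crt" -key "$d/client.key")
        [ -n "$with" ] || sleep 1
        i=$((i + 1))
    done
    # The same connection without a client certificate: the server must refuse to serve it.
    without=$(tls_get "$port" "$d")
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$d"
    echo "with-cert:${with:-none} without-cert:${without:-none}"
}

mtls_test
```

The expected output is with-cert:HTTP/1.0 200 without-cert:none: with -Verify the server aborts the handshake of a client that presents no certificate, so that client never sees the HTTP response. Replacing -Verify 1 with -verify 1 in the s_server line makes the second result change to HTTP/1.0 200, which is the difference between requesting and requiring a client certificate.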