openssl& Building a private CA

Source: Internet
Author: User
Tags openssl enc openssl rsa rfc asymmetric encryption

TLS:Transport Layer Security, as well as the predecessor Secure Sockets Layer (secure Sockets layer, SSL), is a security protocol designed to provide security and data integrity assurance for Internet communications. Netscape (Netscape) launched the first version of the Web browser in 1994, Netscape Navigator, introduced the HTTPS protocol, encrypted with SSL, which is the origin of SSL. The IETF standardizes SSL, releasing the first version of the TLS standard file in 1999. Subsequently, RFC 5246 (August 2008) and RFC 6176 (March 2011) were released. Both TLS and SSL can be supported at the same time on both the server and the client, and it is now an industry standard for secure communication on the Internet.

The TLS protocol is optional, so if you need to configure both the client and the server, there are two main ways to accomplish this: one is to use the Unified TLS protocol port number (for example, port 443 for HTTPS) Another is when a client requests a server to connect to TLS using a specific protocol mechanism (for example: Mail, News protocol, and STARTTLS). Once both the client and the server agree to use the TLS protocol, they negotiate a stateful connection to transfer the data by using a handshake process. By shaking hands, the client and server negotiate various parameters for creating a secure connection:

When a client connects to a server that supports the TLS protocol, it requires the creation of a secure connection and lists the supported password combination handshake to start.

The server determines the encryption and hashing functions from this list, and notifies the client.

The server sends back its digital certificate, which typically contains the name of the server, the trusted certification authority (CA), and the public key of the server.

The client confirms the validity of the certificate it issued.

In order to generate a session key for a secure connection, the client encrypts the randomly generated key using the server's public key and sends it to the server, only the server can decrypt it with its own private key.

Using random numbers, both sides generate symmetric keys for encryption and decryption. This is the handshake of the TLS protocol, and the connection after the handshake is secure until the connection is closed.

If any one of these steps fails, the TLS handshake process fails and all connections are disconnected.

Cryptographic algorithms and protocols:

    • Public key private key asymmetric secret key secrecy system: RSA,DIFFIE-HELLMAN,DSA

    • Symmetric secret key secrecy system: Rc2,rc4,idea,des,triple Des,aes

    • One-way hash function: MD5,SHA1, and SHA256

Symmetric encryption: Encryption and decryption use the same key, and security depends on the secret key, not the algorithm.

Asymmetric encryption: The public key is extracted from the private key, and data encrypted with the public key can only be decrypted with the private key that is paired with the public key, and vice versa. Its role:

    • Identity authentication: The private key owner uses its own private key to encrypt the data, as long as its public key can be decrypted, can authenticate its identity;

    • Key exchange: Before communicating with the communication, first obtain the other party's public key, generate an encrypted password, encrypted with the other's public key, and sent to each other.

    • Data encryption.

Features of Asymmetric encryption:

    • Large key lengths, e.g. 512bits, 2048bits, 4096bits

    • Encryption and decryption are used in relation to the keys in the key pair, respectively.

    • Commonly used for digital signatures and key exchange

One-way encryption: The characteristic code of the data is presented through a one-way hash function. Its usefulness is to ensure the integrity of the data. It is characterized by:

    • Fixed-length output: No matter how large the original data is, its encryption results in the same length

    • Avalanche effect: Small changes in raw data can lead to dramatic changes in results

    • Non-reversible

Digital signature (also known as public key digital signature, electronic seal) is a kind of common physical signature written on paper, but it uses the technology of public key cryptography to identify the digital information method. A set of digital signatures typically defines two complementary operations, one for signing and the other for validation. Digital signature, is only the sender of information can be produced by others can not forge a string of numbers, this string is also the sender of information to send information authenticity of a valid proof.

The digital certificate is a serial number that marks the identity of the communication parties in the Internet communication, and provides a way to verify the identity of the communication entity on the Internet. A digital certificate is an authoritative electronic document that can be issued by an authoritative and impartial third-party organization, such as a CA (for example, a CA company in various locations in China), or by an enterprise CA system.

Digital certificate Issuance: The digital certificate issuance process is generally: the user first produces their own key pair, and the public key and some personally identifiable information to the certification center. Certification Center after verifying the identity, the necessary steps will be taken to make sure that the request is actually sent by the user, and then the certificate authority will send the user a digital certificate containing the user's personal information and his public key information, along with the signature information of the certificate authority. Users can use their own digital certificates for various activities related to them. Digital certificates are issued by a separate certificate issuer. Digital certificates vary, and each certificate can provide different levels of confidence. You can obtain your own digital certificate from the certificate issuer.

The authority of the digital certificate: the CA institution, also known as the Certificate Grant (Certificate Authority) center, as a trusted third party in e-commerce transactions, undertakes the responsibility of verifying the legitimacy of public key in public key system. The CA center issues a digital certificate for each user who uses the public key, and the role of the digital certificate is to certify that the user listed in the certificate has a legitimate public key listed in the certificate. The digital signature of the CA institution allows an attacker to forge and tamper with the certificate. It is responsible for generating, distributing and managing the digital certificates required by all individuals involved in online transactions, and is therefore a central part of secure electronic transactions.


Next we use OPENSS to encrypt the file.

650) this.width=650; "src=" "title=" 00.png "alt=" Wkiom1yfba3if2sfaaih_hsfoce677.jpg "/>

These are the basic commands, algorithms and tools of OpenSSL.

Example 1: Encrypting a/etc/passwd file using OpenSSL

650) this.width=650; "src=" "title=" 01.png "alt=" Wkiol1yfbbsit4r3aaq4bluhuli377.jpg "/>

[Email protected] ~]openssl ENC-E-des-ede3-a-salt-in/etc/passwd-out/etc/passwd.code

Parameter Description:-e Specifies the encrypted cipher,-A for the text output,-salt to add to the system randomly generated things,-in represents the file to be encrypted,-out the file path of the output after encryption.

Example 2. Decryption

650) this.width=650; "src=" "title=" 02.png "alt=" Wkiol1yfbjeasq5eaal00_apxtu196.jpg "/>

Generate User password:

[Email protected] ~]openssl passwd-1-salt 8



[[Email protected] ~]

Generate random Number:

[Email protected] ~]OPENSSL Rand-base64 8


Public Key cryptography:

Generate key pair: # OpenSSL Genrsa-out/path/to/private_keyfile num_bits

650) this.width=650; "src=" "title=" 03.png "alt=" Wkiom1yfez6xge8maasxencppdy047.jpg "/>

Note: Commands placed in parentheses on the bash command line are actually performed by opening a child shell process;

To manually extract the public key from the private key: # OpenSSL Rsa-in/path/from/private_key_file-pubout

650) this.width=650; "src=" "title=" 04.png "alt=" Wkiom1yfes_gqzaoaaed4smtst4985.jpg "/>

Random number generator:

/dev/random: Only random numbers are returned from the entropy pool, and when the random number in the entropy pool is exhausted, the process of taking the random number is blocked

/dev/urandom: Random numbers are taken from the entropy pool, and random numbers are generated by pseudo-random number generators when random depletion in the entropy pool

This article is from the "Genius from Repetition" blog, please be sure to keep this source

openssl& Building a private CA

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.