How Linux creates private CAs and requests certificates

OpenSSL configuration file:/etc/pki/tls/openssl.cnf

Three strategies: matching, support, and optional. Match: The information required to fill in the request must be consistent with the CA setup information; Support: means the application information must be filled in; optional: means dispensable.

Experimental environment: Requires two hosts, I here with Host a (centos6:ip for 172.17.250.83) to create a CA and to other hosts to provide CA services; host B (centos7:ip is 172.17.253.204) is a httpd server used to request certificates.

1. First look at the contents of the configuration file, where the following content must be written when the CA is created:

dir             = /etc/pki/ca            # Where everything is  keptcerts           =  $dir/certs             # where the issued certs are  keptcrl_dir         =  $dir/crl               # Where the issued crl  are keptdatabase        =  $dir/index.txt         # database index file. #unique_subject  = no                     #  Set to  ' No '  to allow creation of                                          # several ctificates with same  subject.new_certs_dir   =  $dir/newcerts          # default place for new certs.certificate     =   $dir/cacert.pem       # the ca certificateserial           =  $dir/serial            # The current serial numbercrlnumber        =  $dir/crlnumber        # the current  crl number                                          # must be commented out to leave a V1  crlcrl             =  $dir/crl.pem           # The current CRLprivate_key      =  $dir/private/cakey.pem  # the private key

2. Create the necessary files according to the needs of the configuration files.

[[Email protected] ~] #touch/etc/pki/ca/index.txt #生成证书索引数据库的文件 [[email protected] ~] #echo >/etc/pki/ca/serial #指定 The first serial number that issued the certificate [[email protected] ~] #tree/etc/pki/ca//etc/pki/ca/├──certs├──crl├──index.txt├──newcerts├──private└── Serial4 directories, 2 files

Note: The two files created, including the one created in the next experiment, must be the same as the file name in the configuration file.

3. Create the CA service on Host a (CENTOS6) and self-sign the certificate

(1) Generate private key

[[Email protected] ~]# (umask 066;openssl genrsa-out private/cakey.pem-des3 4096) #-des3 is encrypting files

650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/07/43/wKiom1nGH-XC0x6BAAAzS8BSZYI316.png "title=" Picture 1.png "alt=" Wkiom1ngh-xc0x6baaazs8bszyi316.png "/>

Note: The parentheses are used to indicate that the command inside the child shell is in parentheses and does not affect the parent Shell's settings The umask is set to 066 to prevent others from having permission to view and modify the generated private key , and to encrypt the private key before 4096, such as Des3, RSA, and so on, this example uses DES3 encryption .

You can look at some of the text after the encryption:

650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M00/07/43/wKiom1nGIBHx0fTJAAEZlBERHfM508.png "title=" Picture 2.png "alt=" Wkiom1ngibhx0ftjaaezlberhfm508.png "/>

(2) Generate self-signed certificate

[[Email protected] ~] #openssl req-new-x509-key private/cakey.pem-days 3650-out Cacert.pem

Where:-new: Generate a new certificate signing request

-x509: Dedicated to CA generate self-signed certificate

-key: The private key file used to generate the request

-days N: Validity period of the certificate

-out/path/to/somecertfile: Save path to Certificate

650) this.width=650; "src=" Https://s3.51cto.com/wyfs02/M00/A5/F4/wKioL1nGIALTsdqTAACDKwYoFtU103.png "title=" Picture 3.png "alt=" Wkiol1ngialtsdqtaacdkwyoftu103.png "/>

650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M02/07/43/wKiom1nGIEvR4PSkAAAi_-zrTf0764.png "title=" Picture 4.png "alt=" Wkiom1ngievr4pskaaai_-zrtf0764.png "/>

Look at some of the encrypted text for the certificate:

650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M02/07/43/ Wkiom1ngif-sondoaae2rjrgio0964.png "title=" image 5.png "alt=" Wkiom1ngif-sondoaae2rjrgio0964.png "/>

(3) Transfer the Cacert.pem file to Windows, because the . Pem suffix text is not recognized on Windows , so here we'll change the text to . cer For the suffix text, the modified file icon is 650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M02/A5/F4/ Wkiol1ngifkcpbdyaaabh0vmjss001.png "title=" Picture 6.png "alt=" Wkiol1ngifkcpbdyaaabh0vmjss001.png "/>.

Open the certificate on Windows and look at it.

650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M00/A5/F4/wKioL1nGISmiGB6qAADBioFeU3M056.png "title=" Picture 7.png "alt=" Wkiol1ngismigb6qaadbiofeu3m056.png "/>

4 . In the host that needs to use the certificate B (CENTOS7) To generate a certificate request on

(1) to httpd service Generation private key

[Email protected] ~]# (umask 066;openssl genrsa-out/etc/pki/tls/private/test.key-des3 4096) generating RSA private key, 4096 bit long modulus..........................................................++ ......................................................................................................................... ..... ..... ..... ..... ..... ............... ......... ..... ..... ..... ..... ..... ............. .......... ++e is 65537 ( 0x10001) Enter pass phrase for/etc/pki/tls/private/test.key:verifying-enter pass phrase for/etc/pki/tls/private/ Test.key:

(2) Generate certificate request file

[[Email protected] ~] #openssl req-new-key/etc/pki/tls/private/test.key-days 3650-OUT/ETC/PKI/TLS/TEST.PEM

650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/07/43/wKiom1nGIYeBSlejAAeHCoykxRA155.png "title=" Picture 8.png "alt=" Wkiom1ngiyebslejaaehcoykxra155.png "/>

(3) transfer the certificate request file to the CA

[[email protected] ~] #scp  /etc/pki/tls/test.pem @ 172.17.250.83:/etc/pki/tls/the authenticity of host  ' 172.17.250.83  (172.17.250.83) '  can ' t be established. Rsa key fingerprint is 09:52:06:53:a1:13:99:f3:b9:5c:5f:0a:c4:b6:1c:ed. are you sure you want to continue connecting  (yes/no)?  yesWarning : permanently added  ' 172.17.250.83 '   (RSA)  to the list of known  hosts. [email protected] ' s password: test.pem                                         100% 1736      1.7kb/s   00:00 

5. in the main Machine A ( Centos6) sign the certificate and issue it to the certificate requester (host B)

(1) Signing certificate

[[email protected] ~] #openssl  ca -in /etc/pki/tls/test.pem -out /etc/pki/ca /certs/test.crt -days 3650using configuration from /etc/pki/tls/openssl.cnfenter  pass phrase for /etc/pki/CA/private/cakey.pem:Check that the request  matches the signaturesignature okcertificate details:         Serial Number: 1  (0x1)         validity             not before: sep 12  23:04:23 2017 gmt            not  After : Sep 10 23:04:23 2027 GMT         Subject:            countryName                = cn             stateOrProvinceName       = HeNan             organizationName           = Linuxca.org             organizationalUnitName    = dev             commonName                 = linuxca             emailaddress              = [ email protected]        x509v3 extensions:             x509v3 basic constraints:                  CA:FALSE             Netscape Comment:                  OpenSSL Generated Certificate             X509v3 Subject Key Identifier:                  97:b6:0a:0a:70 :c6:fb:29:bb:b9:4a:26:98:3e:73:8b:20:f4:37:5e             X509v3 Authority Key Identifier:                  keyid:73:e2:de:70:0b:9e:6b:fa:dd:5f:16:d5:0b:38:d2:a5:a0 : 2E:B4:D6 CERTIFICATE IS&Nbsp;to be certified until sep 10 23:04:23 2027 gmt  (3650  Days) sign the certificate? [y/n]:y1 out of 1 certificate requests  certified, commit? [y/n]yWrite out database with 1 new  entriesdata base updated

(2) send the certificate to the host B ( centos7

[[email protected] ca] #scp  certs/test.crt @ 172.17.253.204:/etc/pki/ca/the authenticity of host  ' 172.17.253.204  (172.17.253.204) '  can ' t be established. rsa key fingerprint is 91:d3:76:ba:60:12:0d:13:9b:93:6a:39:71:18:fe:65.are you  sure you want to continue connecting  (yes/no)?  yeswarning: permanently  added  ' 172.17.253.204 '   (RSA)  to the list of known hosts. [email protected] ' s password: test.crt                                         100% 7311      7.1kb/s   00:00 

650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M02/07/43/wKiom1nGIaLyhQStAAAd_Mk8lMo880.png "title=" Picture 9.png "alt=" Wkiom1ngialyhqstaaad_mk8lmo880.png "/>

(3) on host B(Centos7) to view the information in the certificate,

OpenSSL x509-in/path/from/cert_file

-text|issuer|subject|serial|dates

Opensslca-status Serial View the certificate status for a specified number

[[email protected] CA] #openssl x509-in test.crt-text

At this point, the CA's creation and application, issuance is complete.

How Linux creates private CAs and requests certificates