OpenSSL is an open-source implementation of the SSL/TLS protocols together with a general-purpose cryptographic library; it is free software. It is not itself a remote-login tool (that is OpenSSH, which merely links against it): it is the toolkit that supplies the encryption, hashing, key management and certificate handling underneath a large number of network programs.
OpenSSL provides the building blocks for network communication security and data integrity: the cryptographic algorithms, key and certificate management functions (including everything needed to run a certificate authority, CA), and the SSL/TLS protocols themselves. It also ships a command-line tool for testing and administration. In this article we use that tool to build a private CA and issue a server certificate.
- OpenSSL: the project, an open-source implementation of SSL/TLS, made up of three parts:
- libcrypto: the general cryptographic library (symmetric and asymmetric ciphers, hashes, MACs, random numbers, X.509 certificate handling)
- libssl: the SSL/TLS protocol library; it is session-oriented and provides peer authentication, data confidentiality and session integrity on top of libcrypto
- openssl: the multi-purpose command-line tool, which among other things can run a private certificate authority, i.e. identity authentication within a company
SSL (Secure Sockets Layer) is a protocol, not an encryption algorithm: it sits between the application and TCP and carries the key exchange and the encrypted records over the Internet. Its goal is the confidentiality and integrity of the data exchanged between two applications, and it is implemented on both the server side and the client side. SSLv2 and SSLv3 were the versions in common use when this article was written; both have since been prohibited (RFC 6176 and RFC 7568) because of protocol weaknesses, and their successor TLS (1.2 and 1.3 today) is what is actually negotiated. The session walkthrough below describes the classic RSA key-exchange handshake of SSL/TLS up to 1.2; TLS 1.3 replaced that exchange with ephemeral Diffie-Hellman, but the roles of the certificate, the CA and the session key are unchanged.
The figure below shows how SSL is implemented. Before walking through it, here is what SSL provides:
- 1. Data confidentiality: achieved with a symmetric encryption algorithm; the bulk data is encrypted under a session key.
- 2. Data integrity: achieved with a one-way hash function used as a message authentication code (MAC), so that any tampering with a record is detected.
- 3. Identity authentication: the certificate proves the identity of the data sender, normally the server (client certificates are optional).
[Figure: SSL session flow, http://www.bkjia.com/uploads/allimg/131227/1U541D04-0.png]
The SSL session process:
- Note: beforehand, the server generates a key pair with an asymmetric algorithm (RSA here) and sends the public key, packaged in a certificate signing request, to the CA. The CA signs it and returns a digital certificate to the server. The client must already trust the CA's certificate; it is not fetched during the handshake.
- SSL session creation process:
- Step 1: The client opens a TCP/IP connection to the server.
- Step 2: Over that connection the client and server negotiate the protocol version (SSLv2/SSLv3/TLSv1 at the time; TLS 1.2 or 1.3 today) and the cipher suite, i.e. which key exchange, symmetric cipher and hash algorithm will be used.
- Step 3: After negotiation the server sends its certificate, which contains its public key, to the client.
- Step 4: The client verifies the certificate with the CA public key it already holds in its trust store: it checks the CA's signature, the validity period, and that the name in the certificate matches the host it connected to.
- Step 5: The client then generates a random secret locally (the pre-master secret, from which the symmetric session key is derived), encrypts it with the server's public key and sends it to the server. Only the holder of the matching private key can read it, which is what makes the session confidential.
- Step 6: The server decrypts it with its own private key, derives the same session key, and from then on encrypts its responses to the client with that symmetric key.
- Step 7: The client receives the response and decrypts it with the session key.
- Step 8: When communication ends, the session and the TCP/IP connection are closed.
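Steps 5 to 7 of the session process, replayed offline with the openssl command-line tool. This is an added example, not part of the original article: two sets of files stand in for the server's and the client's view, the request text is constructed, and the key transport is the TLS 1.2-style RSA exchange (the client wraps a fresh symmetric key with the server's public key). The real protocol wraps a 48-byte pre-master secret with PKCS#1 v1.5 and derives separate encryption and MAC keys from it, and TLS 1.3 has removed this exchange entirely in favour of ephemeral Diffie-Hellman; the shape of the exchange, and why the MAC is checked before decryption, is the same.

```shell
#!/bin/sh
# Added example (not from the original article): SSL steps 5-7 with openssl.
# Assumes RSA key transport as in TLS <= 1.2; file names and the request
# text are constructed for this demo.
set -eu

# Server side, before the handshake: long-term RSA key pair. Only the public
# half leaves the server (in the real protocol, inside the X.509 certificate
# sent in step 3).
server_keygen() {
    (umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null)
    openssl rsa -in "$1/server.key" -pubout -out "$1/server.pub" 2>/dev/null
}

# Step 5, client side: choose a fresh 256-bit AES key and 128-bit IV, then
# wrap the key with the server's public key (RSA-OAEP). Only the matching
# private key can unwrap it.
client_wrap_session_key() {
    openssl rand -hex 32 > "$1/session.key"
    openssl rand -hex 16 > "$1/session.iv"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.key" -out "$1/session.key.enc"
}

# Step 6, server side: unwrap with the private key. The result must be
# byte-for-byte the key the client generated.
server_unwrap_session_key() {
    openssl pkeyutl -decrypt -inkey "$1/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.key.enc" -out "$1/session.key.server"
}

# Steps 6-7, either side: protect one record with the shared key.
# Confidentiality: AES-256-CBC. Integrity: HMAC-SHA256 over the ciphertext
# (encrypt-then-MAC), stored beside it as <out>.mac.
#   $1 work dir, $2 key file (hex), $3 plaintext in, $4 ciphertext out
encrypt_record() {
    openssl enc -aes-256-cbc -K "$(cat "$2")" -iv "$(cat "$1/session.iv")" \
        -in "$3" -out "$4"
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$2")" "$4" \
        | awk '{print $NF}' > "$4.mac"
}

# Check the MAC before decrypting: a modified record is rejected and the
# function returns non-zero, so forged data never reaches the application.
#   $1 work dir, $2 key file (hex), $3 ciphertext in, $4 plaintext out
decrypt_record() {
    expected=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$2")" "$3" \
        | awk '{print $NF}')
    if [ "$expected" != "$(cat "$3.mac")" ]; then
        echo "MAC mismatch on $3: record rejected" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -K "$(cat "$2")" -iv "$(cat "$1/session.iv")" \
        -in "$3" -out "$4"
}

# Run the exchange end to end in a scratch directory.
WORK=$(mktemp -d)
server_keygen "$WORK"
client_wrap_session_key "$WORK"
server_unwrap_session_key "$WORK"
cmp -s "$WORK/session.key" "$WORK/session.key.server" \
    && echo "step 6: server recovered the session key"
# Constructed sample request, the data the client protects in step 6.
printf 'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n' > "$WORK/request.txt"
encrypt_record "$WORK" "$WORK/session.key" "$WORK/request.txt" "$WORK/request.enc"
decrypt_record "$WORK" "$WORK/session.key.server" "$WORK/request.enc" "$WORK/request.dec"
cmp -s "$WORK/request.txt" "$WORK/request.dec" \
    && echo "step 7: peer decrypted the request after a valid MAC"
```

The point to take from the last two functions is the ordering: the receiver authenticates the ciphertext and only then decrypts, which is the encrypt-then-MAC construction that TLS 1.2 ciphers (and all AEAD modes) adopted after the MAC-then-encrypt padding-oracle attacks against older SSL.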
So how do we build a private CA with OpenSSL? Before the configuration, here is the basic usage of the openssl tool:
- openssl subcommands and options used below:
- genrsa: generate an RSA private key (the public key is derived from it whenever it is needed)
- req: create a certificate signing request (CSR), or, with -x509, a self-signed certificate
- -new: generate a new request
- -x509: output a self-signed X.509 certificate instead of a request (used for the CA's own certificate)
- -in: input file (a CSR for `openssl ca`); -key: the private key with which `req` signs the request
- -out: where to write the output (certificate or request)
- -days: validity period of the certificate in days; it only applies to a certificate, so on a CSR it is ignored and the CA sets the validity when it signs
Create a private CA based on OpenSSL and complete the SSL/TLS confidentiality mechanism:
Configuration environment (VMs):
- CA certificate authority, which also runs the HTTP service (172.16.88.1/16): Linux
- Test client (192.168.0.203/24): Windows XP
Seq1: Generate the CA's private key on the CA host (the public key is derived from it in Seq3):
- # cd /etc/pki/CA
- # (umask 077; openssl genrsa -out private/cakey.pem 2048)   # the umask in a subshell makes the key file mode 0600 without changing the shell's umask
Seq2: Edit the main OpenSSL configuration file. Its [CA_default] section is what makes `openssl ca` use /etc/pki/CA, and its default country, state and organisation values save typing in Seq3 and Seq7:
# vim /etc/pki/tls/openssl.cnf
[Figure: http://img1.51cto.com/attachment/201304/212154177.png]
Seq3: The CA signs its own certificate:
- # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   # self-signed CA certificate; -key takes the private key from Seq1, and the prompts fill in the CA's subject
[Figure: http://img1.51cto.com/attachment/201304/215208359.png]
Seq4: Prepare the directories and files that `openssl ca` (Seq8) expects to find:
- # cd /etc/pki/CA
- # mkdir certs crl newcerts   # storage for issued certificates, CRLs and the CA's own copy of each new certificate
- # touch index.txt   # the certificate database; one line per issued certificate
- # echo "01" > serial   # the serial number (in hex) of the next certificate to be issued
Seq5: Install the HTTP service and the mod_ssl module, which provides TLS/SSL for httpd:
- # yum install httpd mod_ssl -y
- # vim /etc/httpd/conf/httpd.conf   # comment out the DocumentRoot "/var/www/html" line (around line 281) and append the following at the end of the file
- <VirtualHost 172.16.88.1:80>
-   DocumentRoot "/www/example.com"
-   ServerName www.example.com
- </VirtualHost>
- # service httpd restart && chkconfig httpd on
- # echo "
Seq6: A simple test:
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U5415126-3.png]
OK, the plain HTTP service works.
Seq7: Generate the key for the HTTP server and a certificate signing request to hand to the CA:
- # mkdir /etc/httpd/ssl
- # cd /etc/httpd/ssl
- # (umask 077; openssl genrsa -out httpd.key 2048)   # the original used 1024 bits; 1024-bit RSA is no longer accepted by browsers, so use at least 2048
- # openssl req -new -key httpd.key -out httpd.csr   # -days is ignored on a request; the CA sets the validity when it signs (Seq8)
At the prompts, the Common Name must be the host name clients will use (www.example.com), and the country, state and organisation must be the same as the CA's: the default policy_match policy in openssl.cnf refuses a request in which they differ.
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U5415956-4.png]
Seq8: The CA issues the digital certificate for the HTTP service (run on the CA host; here the CA and the web server are the same machine, otherwise copy httpd.csr over):
- # cd /etc/httpd/ssl
- # openssl ca -in httpd.csr -out httpd.crt -days 3650   # uses the [CA_default] paths from openssl.cnf, asks for confirmation, appends the entry to index.txt and advances serial
A ten-year validity is far longer than any public CA would grant; it is tolerable only because this CA is private and the certificate can be revoked and reissued at will.
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U541Ib-5.png]
Seq9: View the certificate issued by the CA:
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U5411029-6.png]
Seq10: Configure the SSL virtual host in mod_ssl's configuration file (/etc/httpd/conf.d/ssl.conf):
- # vim /etc/httpd/conf.d/ssl.conf
- The file already contains a default <VirtualHost ...:443> ... </VirtualHost> block starting around line 81; change its opening so that it reads as follows (the closing </VirtualHost> further down stays as it is):
- <VirtualHost 172.16.88.1:443>
-   DocumentRoot "/www/example.com"
-   ServerName www.example.com
- Modify the following directives (lines 114 and 121) so that they point at the key from Seq7 and the certificate from Seq8:
- 114 SSLCertificateFile /etc/httpd/ssl/httpd.crt
- 121 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Seq11: Restart the httpd service and check that port 443 is listening:
# service httpd restart   # re-reads the configuration files
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U541EU-7.png]
Seq12: Copy the CA certificate (cacert.pem, which carries the CA's public key) to the Windows client, rename it cacert.crt, install it into the Trusted Root Certification Authorities store, and then test. Only cacert.pem ever leaves the CA host; the private key cakey.pem must never be distributed.
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U5415B1-8.png]
Then check whether https://www.example.com can be reached. The client must resolve www.example.com to 172.16.88.1 (for example through its hosts file), because the certificate was issued for that name and the browser compares it with the URL:
[Figure: http://www.bkjia.com/uploads/allimg/131227/1U541A07-9.png]
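The whole CA procedure (Seq1, Seq3, Seq4 and Seq7 to Seq9, plus the client-side check of Seq12) as one script that runs in a scratch directory. This is an added example, not the article's own commands: it carries its own openssl.cnf so it does not depend on /etc/pki/CA or on the distribution's /etc/pki/tls/openssl.cnf, and it adds what the commands above leave implicit: CA extensions on the root certificate, server extensions (including the subjectAltName that current browsers require) dictated by the CA rather than copied from the request, and a verification step. The DN values and www.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's commands): private CA plus one server
# certificate, self-contained. Assumes OpenSSL 1.1.1 or later; DN values and
# www.example.com are constructed.
set -eu

# Minimal configuration for both `req -x509` (self-signed CA cert) and `ca`
# (issuing), rooted at $1/ca: the part of /etc/pki/tls/openssl.cnf that the
# procedure actually needs.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
C  = CN
O  = Example Corp
CN = Example Private CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $1/ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no

[ policy_match ]
O  = match
CN = supplied
C  = optional
EOF
}

# Seq1 + Seq3 + Seq4: CA key (mode 0600 via the umask subshell), self-signed
# CA certificate, and the empty database and serial files `openssl ca` needs.
build_private_ca() {
    mkdir -p "$1/ca/private" "$1/ca/newcerts" "$1/server"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" \
        -key "$1/ca/private/cakey.pem" -out "$1/ca/cacert.pem" -days 365
    : > "$1/ca/index.txt"
    echo 01 > "$1/ca/serial"
}

# Seq7: server key and CSR. No -days: a request has no validity period; the
# CA decides that when it signs. O must equal the CA's because of policy_match.
make_server_csr() {
    (umask 077; openssl genrsa -out "$1/server/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/server/httpd.key" \
        -subj "/C=CN/O=Example Corp/CN=www.example.com" -out "$1/server/httpd.csr"
}

# Seq8: the CA signs the request. Extensions come from the CA's own file, so
# a requester cannot slip CA:TRUE or a foreign name into its certificate.
issue_server_cert() {
    cat > "$1/server_ext.cnf" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.com
EOF
    openssl ca -batch -notext -config "$1/openssl.cnf" -days 3650 \
        -extfile "$1/server_ext.cnf" -extensions server_ext \
        -in "$1/server/httpd.csr" -out "$1/server/httpd.crt"
}

# Seq9/Seq12 from the client's side: build the chain from the CA certificate
# and check the host name, as a browser does. Exit status 0 on success.
verify_issued_cert() {
    openssl verify -CAfile "$1/ca/cacert.pem" -verify_hostname "$2" \
        "$1/server/httpd.crt" >/dev/null 2>&1
}

# Serial the CA will assign to the next certificate ("02" after one issuance).
next_serial() { cat "$1/ca/serial"; }

WORK=$(mktemp -d)
build_private_ca "$WORK"
make_server_csr "$WORK"
issue_server_cert "$WORK"
verify_issued_cert "$WORK" www.example.com && echo "chain and host name OK"
openssl x509 -in "$WORK/server/httpd.crt" -noout -subject -issuer -dates
echo "next serial: $(next_serial "$WORK")"
```

The `openssl verify -verify_hostname` call is the check to run before touching the browser: it fails both when the chain does not lead to cacert.pem and when the name the client will use is not in the certificate, which are the two reasons the Seq12 test usually fails. The `openssl x509 -noout -text` form of the same command is what Seq9 shows in its screenshot.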
This article is from the "See you next year CA" blog; please keep this source when reproducing it: http://guodayong.blog.51cto.com/263451/1181059