How to implement a private CA with OpenSSL and provide a TLS/SSL security mechanism for HTTP services

Source: Internet
Author: User
Tags: asymmetric encryption

OpenSSL is an open-source implementation of SSL (the software can be downloaded for free). It is a security and confidentiality program that is mainly used to improve the security of remote login access; it is also one of the tools currently used for encryption algorithms and has powerful functions.
OpenSSL provides the security protocols for network communication security and data integrity, including the key algorithms, the common key and certificate encapsulation and management functions (CA), and the SSL protocols; it also provides a wide range of applications for testing and other purposes. In this article, for example, we will use OpenSSL to implement a private CA and issue certificates.

  1. OpenSSL: open-source implementation of SSL
  2. libcrypto: a general-purpose cryptographic library that provides the various encryption functions
  3. libssl: implements the TLS/SSL protocols. It is a session-based TLS/SSL library that provides identity authentication, data confidentiality and session integrity.
  4. openssl: a multi-purpose command-line tool that can implement a private certificate authority, i.e. identity authentication within a company

SSL (Secure Sockets Layer) provides secure key transmission over the Internet. Its main goal is to ensure the confidentiality and reliability of the communication data between two applications. It is an encryption mechanism that is supported on both the server side and the client side. Currently, SSLv2 and SSLv3 are the mainstream versions.

The following figure shows how the SSL function is implemented. Before introducing it, let's look at what functions SSL provides:

  1. Data confidentiality: achieved through symmetric encryption algorithms.
  2. Data integrity: a one-way encryption (hash) algorithm is used to ensure data integrity.
  3. Identity authentication: verifies the identity of the data sender.

[Figure: SSL session process (image: http://www.bkjia.com/uploads/allimg/131227/1U541D04-0.png)]
Description of the SSL session process:

Note: the server first generates a key pair locally using an asymmetric encryption algorithm and sends the public key information to the CA (certificate authority); the CA issues a digital certificate for the server and sends the certificate back to the server.

SSL session creation process:
  1. Step 1: The client establishes a connection (TCP/IP) to the server.
  2. Step 2: After the TCP/IP connection is established, the client and server negotiate which protocol version and encryption algorithm to use, for example TLSv1/SSLv2/SSLv3.
  3. Step 3: After the negotiation is complete, the server sends its public key (certificate) to the client, and the client receives the public key information.
  4. Step 4: The client obtains the CA's public key information from the CA and uses it to verify the certificate sent by the server.
  5. Step 5: The client then generates a symmetric session key locally, encrypts it with the public key sent by the server, and sends it to the server; this ensures the confidentiality of the data.
  6. Step 6: The server decrypts the data with its own private key to obtain the session key, then encrypts the response to the client's request with that key and sends it to the client.
  7. Step 7: The client receives the response and decrypts it with the session key to obtain the data.
  8. Step 8: After the communication ends, the session channel (TCP/IP) is disconnected.

So how do we build a private CA with OpenSSL? Before configuring it, let's introduce the basic usage of the openssl command:

  1. openssl:
  2. genrsa: generate a key (private key and public key) using the RSA algorithm
  3. req: apply for and generate a certificate
  4. -new: generate a new certificate request
  5. -x509: output an X.509 certificate (a common Internet standard) instead of a certificate request, i.e. a self-signed certificate
  6. -in: input file location (used for certificate signing and certificate requests)
  7. -out: output location for the certificate
  8. -days: validity period of the certificate in days

Create a private CA based on OpenSSL and complete the SSL/TLS confidentiality mechanism:
Configuration environment: three VMs
CA certificate authority, which also provides the HTTP service (172.16.88.1/16) -- Linux
Test client (192.168.0.203/24) -- Windows XP

Seq1: use OpenSSL to generate a private/public key pair at the CA certificate authority

  1. # cd /etc/pki/CA
  2. # (umask 077; openssl genrsa -out private/cakey.pem 2048)   # create the private key; the umask in the subshell gives the file mode 600

Seq2: edit the main OpenSSL configuration file:
# vim /etc/pki/tls/openssl.cnf

[Figure: editing openssl.cnf (image: http://img1.51cto.com/attachment/201304/212154177.png)]

Seq3: sign the certificate for the CA itself:

  1. # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   # generate a self-signed certificate

[Figure: generating the self-signed CA certificate (image: http://img1.51cto.com/attachment/201304/215208359.png)]

Seq4: prepare the directories and files for the CA

  1. # cd /etc/pki/CA
  2. # mkdir certs crl newcerts   # storage directories for the related certificates
  3. # touch index.txt   # certificate database (index of issued certificates)
  4. # echo "01" > serial   # serial number of the next issued certificate

Seq5: configure and install the HTTP service, and install the mod_ssl module to provide the TLS/SSL functions

  1. # yum install httpd mod_ssl -y
  2. # vim /etc/httpd/conf/httpd.conf   # add the following content at the end of the file and comment out the DocumentRoot "/var/www/html" line (around line 281)
  3. <VirtualHost 172.16.88.1:80>
  4. DocumentRoot "/www/example.com"
  5. ServerName www.example.com
  6. </VirtualHost>
  7. # service httpd restart && chkconfig httpd on
  8. # echo "

Seq6: perform a simple test:

[Figure: HTTP test page (image: http://www.bkjia.com/uploads/allimg/131227/1U5415126-3.png)]
OK!! The HTTP service works normally.

Seq7: configure the key for the HTTP server and send a certificate signing request to the CA

  1. # mkdir /etc/httpd/ssl
  2. # cd /etc/httpd/ssl
  3. # (umask 077; openssl genrsa -out httpd.key 1024)
  4. # openssl req -new -key httpd.key -out httpd.csr -days 3650

[Figure: generating the server key and CSR (image: http://www.bkjia.com/uploads/allimg/131227/1U5415956-4.png)]

Seq8: the CA issues a digital certificate for the HTTP service:

  1. # cd /etc/httpd/ssl
  2. # openssl ca -in httpd.csr -out httpd.crt -days 3650

[Figure: signing the CSR with openssl ca (image: http://www.bkjia.com/uploads/allimg/131227/1U541Ib-5.png)]

Seq9: view the information of the certificate issued by the CA:

[Figure: issued certificate details (image: http://www.bkjia.com/uploads/allimg/131227/1U5411029-6.png)]
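The CA build-out (Seq1, Seq3, Seq4), the server request and signing (Seq7, Seq8) and the Seq9 check as one runnable script. This is an added example, not the post's own commands: it works in a scratch directory with its own minimal config instead of /etc/pki/tls/openssl.cnf, assumes the CA name "Demo Private CA", uses 2048-bit keys, and adds a subjectAltName because modern browsers match the host name against the SAN rather than the CN. Run it with DEMO_CA_ROOT set to an empty directory.

```shell
# Added example (not the post's commands): Seq1-Seq8 in a private demo config; the CA name "Demo Private CA" is assumed.
set -e
write_ca_config() {   # minimal openssl.cnf for a CA rooted at $1/CA
    cadir="$1/CA"
    cat > "$cadir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
certificate   = $cadir/cacert.pem
private_key   = $cadir/private/cakey.pem
database      = $cadir/index.txt
serial        = $cadir/serial
new_certs_dir = $cadir/newcerts
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
[ v3_server ]
subjectAltName = DNS:www.example.com
EOF
}
build_demo_ca() {
    root="$1"; cadir="$root/CA"; ssldir="$root/ssl"
    mkdir -p "$cadir/private" "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$ssldir"
    write_ca_config "$root"
    # Seq1: CA private key; umask 077 leaves the file mode 0600
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
    # Seq3: self-signed CA certificate (-x509 produces a certificate, not a CSR)
    openssl req -new -x509 -config "$cadir/ca.cnf" -extensions v3_ca -days 365 \
        -key "$cadir/private/cakey.pem" -subj "/CN=Demo Private CA" -out "$cadir/cacert.pem"
    # Seq4: CA database and next serial number
    : > "$cadir/index.txt"; echo 01 > "$cadir/serial"
    # Seq7: server key (2048 bits; the post used 1024) and signing request
    (umask 077; openssl genrsa -out "$ssldir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$cadir/ca.cnf" -key "$ssldir/httpd.key" \
        -subj "/CN=www.example.com" -out "$ssldir/httpd.csr"
    # Seq8: CA signs the CSR; -batch skips the prompts, v3_server adds the SAN browsers require
    openssl ca -batch -config "$cadir/ca.cnf" -extensions v3_server -days 365 \
        -in "$ssldir/httpd.csr" -out "$ssldir/httpd.crt" 2>/dev/null
}
verify_issued() {   # Seq9 check: the certificate chains to the CA and carries the host name
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/ssl/httpd.crt" >/dev/null &&
    openssl x509 -in "$1/ssl/httpd.crt" -noout -text | grep -q "DNS:www.example.com"
}
[ -z "${DEMO_CA_ROOT:-}" ] || { build_demo_ca "$DEMO_CA_ROOT" && verify_issued "$DEMO_CA_ROOT" && echo "issued and verified"; }
```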

Seq10: configure the main SSL configuration file (/etc/httpd/conf.d/ssl.conf)

  1. # vim /etc/httpd/conf.d/ssl.conf
  2. Add the following content after line 81:
  3. <VirtualHost 172.16.88.1:443>
  4. DocumentRoot "/www/example.com"
  5. ServerName www.example.com
  6. Modify the following content on lines 114 and 121:
  7. 114 SSLCertificateFile /etc/httpd/ssl/httpd.crt
  8. 121 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

Seq11: start the httpd service and check whether port 443 is listening.
# service httpd restart   # re-read the configuration file

[Figure: httpd listening on port 443 (image: http://www.bkjia.com/uploads/allimg/131227/1U541EU-7.png)]

Seq12: download the CA's public key information (cacert.pem) to the Windows client, rename it cacert.crt, install the certificate, and then test.

[Figure: installing the CA certificate on the Windows client (image: http://www.bkjia.com/uploads/allimg/131227/1U5415B1-8.png)]

Then test whether https://www.example.com can be accessed normally:

[Figure: HTTPS access test (image: http://www.bkjia.com/uploads/allimg/131227/1U541A07-9.png)]

This article is from the "See you next year CA" blog; please be sure to keep this source: http://guodayong.blog.51cto.com/263451/1181059
