How to issue certificates in Linux: Learn How to Build a ca using OpenSSL

I learned how to use OpenSSL in Linux over the past two days. OpenSSL is an open-source encryption tool. In Linux, we can use it to build a CA to issue certificates, encryption tools that can be used within an enterprise. Before introducing OpenSSL, first describe how to implement "Identity Authentication + Data Encryption.

For how to implement "Authentication + Data Encryption", please refer to the following flowchart (self-drawn, relatively simple)

The entire encryption process:

Sender: Calculate the data feature value ----> use the private key to encrypt the feature value ---> randomly generate a password symmetric encryption of the entire data ---> use the recipient's public key to encrypt the password
Receiver: Use the private key to decrypt the password ----> decrypt the entire data ----> use the public key to authenticate the identity ----> compare the data feature value

However, there is a problem: who manages the public key? Any data transmitted over the Internet is insecure, not to mention passing the public key. If it is tampered with, it will not be able to authenticate its identity, therefore, it is impossible for users to issue public keys themselves.

At this time, a credible intermediary organization is required to do the job, namely Ca, which raises two concepts:

CA: Certificate Authority

PKI: public key infrastructure and public key infrastructure

Certificate: It stores all kinds of user information. The core part is the public key.

But there is another problem: who will issue the public key to the CA? The solution is that the CA issues the public key to itself...

The following is a powerful OpenSSL tool. In Linux, a CA is built to implement certificate management. We use a web server as the client for certificates.

1. First, we will generate a private key for the CA.

Switch to the/etc/pki/CA/directory and use the OpenSSL command to generate a private key for yourself.

[root@server56 openssl]# cd /etc/pki/CA/[root@server56 CA]# lsprivate[root@server56 CA]# (umak 66;openssl genrsa 2046 > private/cakey.pem)-bash: umak: command not foundGenerating RSA private key, 2046 bit long modulus.............................+++..+++e is 65537 (0x10001)

2. CA needs a self-signed certificate, so we use the OpenSSL command to generate a self-signed certificate for it.

[Root @ server56 Ca] # OpenSSL req-New-X509-key private/cakey. PEM-out cacert. pemyou are about to be asked to enter information that will be inreceivatedinto your certificate request. what you are about to enter is what is called a distinguished name or a DN. there are quite a few fields but you can leave some blankfor some fields there will be a default value, if you enter '. ', the field will be left blank. ----- country name (2 letter code) [GB]: CN # Enter your information, country, province or State, region, company, unit, domain name, email address State or province name (full name) [Berkshire]: Henan locality name (eg, city) [Newbury]: zhengzhouorganization name (eg, company) [My Company Ltd]: linuxorganizational unit name (eg, section) []: techcommon name (eg, your name or your server's hostname) []: www.rhce.com # note that, this domain name is FQDN (Fully Qualified Domain Name) Email Address []: ca@rhce.com [root @ server56 Ca] # lscacert. PEM private

3. Edit the CA configuration file, which is located in etc/pki/tls/OpenSSL. CNF. It specifies the directory of your CA and changes the default attribute value.

[Root @ server56 Ca] # Vim/etc/pki/tls/OpenSSL. CNF [ca_default] dir = .. /.. /CA # where everything is kept **************** ca path, change to the absolute path certs = $ DIR/certs # Where the issued certs are the certificates sent to other people by kept ××××××, this directory needs to be manually created crl_dir = $ DIR/CRL # Where the issued CRL are kept ××××× Certificate Revocation List does not belong to the required directory database = $ DIR/index.txt # database index file. * ***************** stores the files to be manually created to generate the Certificate file index # unique_subject = No # Set to 'no' to allow Creation of # several ctificates with same subject. new_certs_dir = $ DIR/newcerts # default place for new certs. you need to manually create a certificate = $ DIR/cacert for the newly generated certificate storage location. PEM # The ca certificateserial = $ DIR/serial # The current serial number ××××× serial number. You must create a serial number for each certificate, and specify the Starting number of crlnumber = $ DIR/crlnumber # The current CRL number # Must be commented out to leave a V1 crlcrl = $ DIR/CRl. PEM # The current crlprivate_key = $ DIR/private/cakey. PEM # The Private keyrandfile = $ DIR/private /. rand # private random number filex509_extensions = usr_cert # The Extentions to add to the CERT # req_extensions = v3_req # the extensions to add to a certificate request ######## modify a certificate CSR matches with your own [req_distinguished_name] countryname = Country name (2 letter code) countryname_default = cn # countryname_min = 2countryname_max = 2 stateorprovincename = state or province name (full name) stateorprovincename_default = Henan # Same as localityname = locality name (eg, city) localityname_default = Zhengzhou # Same as above 0. organizationname = Organization Name (eg, company) 0. organizationname_default = tech # Same as above

4. Create the relevant directories and files of the CA, and specify the start Number of the serial number. As described in the previous step, they are created in the directory where the CA is located.

[root@server56 ~]# cd /etc/pki/CA/[root@server56 CA]# mkdir certs crl newcerts[root@server56 CA]# lscacert.pem  certs  crl  newcerts  private[root@server56 CA]# touch index.txt serial[root@server56 CA]# echo 01 > serial

5. Create the private key of the Web server. Because it is an experiment, you do not need to install the Web server. You can create an SSL directory. Assume that it is a web server.

[root@server56 CA]# cd /etc/httpd/[root@server56 httpd]# mkdir ssl[root@server56 httpd]# cd ssl/[root@server56 ssl]# (umask 66;openssl genrsa 2048 > web.key)Generating RSA private key, 2048 bit long modulus

6. The client (Web Server) requests to obtain the certificate. If the client wants to apply for the certificate, it needs to create an application certificate and pass it to the CA.

[Root @ server56 SSL] # OpenSSL req-New-key web. key-out web. csryou are about to be asked to enter information that will be inreceivatedinto your certificate request. what you are about to enter is what is called a distinguished name or a DN. there are quite a few fields but you can leave some blankfor some fields there will be a default value, if you enter '. ', the field will be left blank. ----- country name (2 letter code) [CN]: State or province name (full name) [Henan]: locality name (eg, city) [Zhengzhou]: Organization Name (eg, company) [rhce]: organizational unit name (eg, section) [tech]: common name (eg, your name or your server's hostname) []: www.web.com Email Address []: www@web.comPlease enter the following 'extra 'attributesto be sent with your certificate requesta challenge password []: # The request certificate must be transmitted over the network, so encryption prevents others from spying, leave it blank because we only want to experiment with an optional company name []:

7. issue a certificate to the client on the CA side and use the OpenSSL command

[Root @ server56 SSL] # OpenSSL ca-in web. CSR-out web. CRT # after this command is executed, the information in the request certificate using configuration from/etc/pki/tls/OpenSSL is displayed. cnfcheck that the request matches the signaturesignature okcertificate details: serial number: 1 (0x1) validity Not before: Aug 9 04:46:25 2011 GMT not after: Aug 8 04:46:25 2012 GMT subject: countryname = cn stateorprovincename = Henan organizationname = rhce organizationalu Nitname = tech CommonName = www.web.com emailaddress = www@web.com x509v3 extensions: x509v3 basic constraints: CA: false Netscape comment: OpenSSL generated certificate initialize Subject Key Identifier: B6: 52: 27: 11: 5b: BA: 84: C8: 56: 4d: 67: D7: B9: 7A: CB: Fe: 45: Cf: 5A: 02 x509v3 Authority Key Identifier: keyid: 5C: 4A: a2: EB: DD: 3f: BB: 08: 41: A2: 02: 3f: 98: A4: 59: 8B: 78: 47: AF: 4 fcertificate is to be certified until Aug 8 04:46:25 2012 GMT (365 days) sign the certificate? [Y/n]: y # Do you agree with the client of this request and grant the certificate 1 out of 1 certificate requests certified, commit? [Y/n] y # upgrade certificate database write out database with 1 new entriesdata base updated

Now, let's take a look at our certificate! Is the file ending with. CRT.

[root@server56 ssl]# lsserver.key  web.crt  web.csr  web.key