How to issue certificates in Linux: Learn How to Build a CA using OpenSSL

Last Update:2017-11-04 Source: Internet

Author: User

Tags fully qualified domain name

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

I learned how to use OpenSSL in Linux. OpenSSL is an open-source encryption tool. In Linux, we can use it to build a CA to issue certificates, encryption tools that can be used within an enterprise. Before introducing OpenSSL, first describe how to implement "Identity Authentication + Data Encryption. OpenSSL is an open-source encryption tool. In a Linux environment, we can use it to build a CA to issue certificates, which can be used for encryption tools within the enterprise. Before introducing OpenSSL, first describe how to implement "Identity Authentication + Data Encryption.

For how to implement "Authentication + Data Encryption", please refer to the following flowchart (self-drawn, relatively simple)

The entire encryption process:

Sender: Calculate the data feature value ----> use the private key to encrypt the feature value ---> randomly generate a password symmetric encryption of the entire data ---> use the recipient's public key to encrypt the password
Receiver: Use the private key to decrypt the password ----> decrypt the entire data ----> use the public key to authenticate the identity ----> compare the data feature value

However, there is a problem: who manages the public key? Any data transmitted over the Internet is insecure, not to mention passing the public key. If it is tampered with, it will not be able to authenticate its identity, therefore, it is impossible for users to issue public keys themselves.

At this time, a credible intermediary organization is required to do the job, namely CA, which raises two concepts:

CA: Certificate Authority

PKI: public key infrastructure and public key infrastructure

Certificate: It stores all kinds of user information. The core part is the public key.

But there is another problem: who will issue the public key to the CA? The solution is that the CA issues the public key to itself...

The following is a powerful OpenSSL tool. In Linux, a CA is built to implement certificate management. We use a web server as the client for certificates.

1. First, we will generate a private key for the CA.

Switch to the/etc/pki/CA/directory and use opensslCommandGenerate a private key for yourself

Root@www.linuxIdC.com openssl] #Cd/Etc/pki/CA/
[Root@www.linuxidc.com CA] #Ls
Private
[Root@www.linuxidc.com CA] # (umak 66; openssl genrsa 2046>Private/Cakey. pem)
-Bash: umak: command not found
Generating RSAPrivateKey, 2046 bitLongMoDuLus
......................++
... ++
E is 65537 (0x10001)

2. CA needs a self-signed certificate, so we use the openssl command to generate a self-signed certificate for it.

[Root@www.linuxidc.com CA] # openssl req-New-X509-keyPrivate/Cakey. pem-out cacert. pem
You are about to be askEdTo enter infoRmAtion that will be INcOrporated
Into your certifiCatE request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will beDefaultValue,
If you enter'.', The field will be left blank.
-----
CounTrY Name (2 letter code) [GB]: CN # Enter your information, country, province or State, region, company, organization, domain Name, email address
State or Province Name (full name) [Berkshire]: Henan
Locality Name (eg, city) [Newbury]: Zhengzhou
Organization Name (eg, company) [My Company Ltd]: LINUX
Organizational Unit Name (eg, section) []: Tech
Common Name (eg, your name or your server's hostname) []: www.rhce.com # note that this domain Name is FQDN (fully qualified domain name)
EmailDdRess []: ca@rhce.com
Root@www.linuxidc.com CA # ls
Cacert. pemPrivate

3. Edit the CA configuration file, which is located in etc/pki/tls/openssl. cnf. It specifies the directory of your CA and changes the default attribute value.

[Root@www.linuxidc.com CA] # vim/etc/pki/tls/openssl. cnf
[CA_default]
Dir = http://www.linuxidc.com/CA # Where everything is kept *************** CA path, change to absolute path
Certs = $ dir/certs # Where the isSuEd certs are certificates sent to other persons by kept ××××××. This directory must be manually created.
Crl_dir = $ dir/crl # Where the issued crl are kept ××××× Certificate Revocation List is not a required directory
Database = $ dir/indEx. Txt # database indexFile. ****************** Store the files that need to be manually created to generate the Certificate file index
#UniqUe_subject = no # Set to 'no' to allow creation
# Several ctificates with same subject.
New_certs_dir = $ dir/neWcErts #DefaultPlaceFor NewYou must manually create a new certificate storage location for certs. ×××××××××x.
Certificate = $ dir/cacert. pem # The CA certificate
Serial = $ dir/serial # The current serial number × serial number. You must create a serial number for each certificate and specify The start time.
CrLnUmber = $ dir/crlnumber # the current crl number
# Must be commented out to leave a V1 CRL
Crl = $ dir/crl. pem # The current CRL
Private_key = $ dir/Private/Cakey. pem #PrivateKey
RANDFILE = $ dir/Private/. Rand #PrivateRandom number file
X509_extensions = usr_cert # The extentions to add to the cert
# Req_extensions = v3_req # The extensions to add to a certificate request
######### Modify the CSR of a certificate to match your own CSR.
[Req_distinguished_name]
CountryName = Country Name (2 letter code)
CountryName_default = CN # I changed it to the corresponding self-Visa document of CN and CA
CountryName_min = 2
CountryName_max = 2
StatEOrProvinceName = State or Province Name (full name)
StateOrProvinceName_default = Henan # Same as above
LocalityName = Locality Name (eg, city)
LocalityName_default = Zhengzhou # Same as above
0. organizationName = Organization Name (eg, company)
0. organizationName_default = Tech # Same as above

4. Create the relevant directories and files of the CA, and specify the start Number of the serial number. As described in the previous step, they are created in the directory where the CA is located.

Root@www.linuxidc.com ~ # Cd/etc/pki/CA/
[Root@www.linuxidc.com CA] #MkdirCerts crl newcerts
Root@www.linuxidc.com CA # ls
Cacert. pem certs crl newcertsPrivate
[Root@www.linuxidc.com CA] #TouchIndex.txt serial
[Root@www.linuxidc.com CA] # echo 01> serial

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More