How to issue certificates in Linux: Learn How to Build a CA using OpenSSL

Source: Internet
Author: User
Tags: fully qualified domain name
I learned how to use OpenSSL in Linux. OpenSSL is an open-source encryption toolkit. On Linux we can use it to build a CA that issues certificates, which can then be used by encryption tools within an enterprise. Before introducing OpenSSL, let me first describe how "identity authentication + data encryption" is implemented.


For how "identity authentication + data encryption" is implemented, refer to the following flowchart (self-drawn and fairly simple).

The entire encryption process:

Sender: compute the data's feature value (its hash) ----> encrypt the feature value with the sender's private key (this is the signature) ----> generate a random password and symmetrically encrypt the entire data with it ----> encrypt the password with the recipient's public key
Receiver: decrypt the password with the recipient's private key ----> decrypt the entire data ----> authenticate the sender's identity with the sender's public key ----> recompute the data's feature value and compare it with the decrypted one
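The sender and receiver flow just described, written out end to end in Go. This is an added example and not code from the original article; it uses the Go standard library (RSA-OAEP to wrap the one-time key, AES-GCM for the data, RSA PKCS#1 v1.5 over a SHA-256 digest for the signature) rather than the openssl command line, and the names Envelope, Seal and Open are my own. The two key pairs in main are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the network: the symmetrically encrypted data,
// the one-time symmetric key wrapped with the recipient's public key, and
// the sender's signature over the data's feature value (its SHA-256 digest).
type Envelope struct {
	Ciphertext []byte // AES-GCM nonce followed by the ciphertext
	WrappedKey []byte // one-time AES key encrypted with the recipient's public key (RSA-OAEP)
	Signature  []byte // SHA-256 digest of the plaintext signed with the sender's private key
}

// Seal is the sender's side: compute the feature value, sign it with the
// sender's private key, encrypt the whole message under a random symmetric
// key, then encrypt that key with the recipient's public key.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, msg, nil) // nonce is prepended so the receiver can find it
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// Open is the receiver's side: unwrap the symmetric key with the recipient's
// private key, decrypt the data, then authenticate the sender by checking the
// signature against a freshly computed feature value using the sender's public key.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(env.Ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	msg, err := gcm.Open(nil, env.Ciphertext[:n], env.Ciphertext[n:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypting data: %w", err) // also fires if the ciphertext was altered in transit
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, fmt.Errorf("sender authentication failed: %w", err)
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: two parties, each with their own RSA key pair.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal([]byte("hello from the sender"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", msg, err)
}
```

Note that Open decrypts first and verifies the signature last, exactly as the receiver column of the flow does; the signature check is what ties the data to the sender, since anyone holding the recipient's public key could have produced the wrapped key and ciphertext.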

However, there is a problem: who manages the public keys? Anything transmitted over the Internet is insecure, and a public key is no exception. If a public key is tampered with in transit, the recipient can no longer authenticate the sender's identity, so users cannot simply publish their public keys themselves.

At this point a trusted intermediary is needed to do the job, namely a CA, which brings in the following concepts:

CA: Certificate Authority

PKI: Public Key Infrastructure

Certificate: stores various pieces of information about the user; its core part is the user's public key.

But there is another problem: who issues the CA's own public key? The solution is that the CA issues it to itself, that is, it signs its own certificate...


Next we use the OpenSSL toolkit to build a CA on Linux and manage certificates with it. A web server will act as the client that requests a certificate.

1. First, generate a private key for the CA.

Switch to the /etc/pki/CA/ directory and use the openssl command to generate the CA's own private key:

  [root@www.linuxidc.com openssl]# cd /etc/pki/CA/
  [root@www.linuxidc.com CA]# ls
  private
  [root@www.linuxidc.com CA]# (umask 066; openssl genrsa 2046 > private/cakey.pem)   # umask in a subshell: the key file is created readable only by root
  Generating RSA private key, 2046 bit long modulus
  ......................++
  ...++
  e is 65537 (0x10001)

2. The CA needs a self-signed certificate, so we use the openssl command to generate one for it. Without a -days option, openssl req -x509 issues a certificate valid for only 30 days; pass -days with a larger value for a CA certificate that should stay valid longer.

  [root@www.linuxidc.com CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:CN   # enter your information: country, province or state, city, company, department, domain name, e-mail address
  State or Province Name (full name) [Berkshire]:Henan
  Locality Name (eg, city) [Newbury]:Zhengzhou
  Organization Name (eg, company) [My Company Ltd]:LINUX
  Organizational Unit Name (eg, section) []:Tech
  Common Name (eg, your name or your server's hostname) []:www.rhce.com   # note that this name must be the FQDN (fully qualified domain name)
  Email Address []:ca@rhce.com
  [root@www.linuxidc.com CA]# ls
  cacert.pem  private

3. Edit the CA configuration file, /etc/pki/tls/openssl.cnf. It specifies the directory of your CA; change the default attribute values as shown below.

  [root@www.linuxidc.com CA]# vim /etc/pki/tls/openssl.cnf
  [ CA_default ]
  dir             = /etc/pki/CA           # Where everything is kept            <- the CA directory; change it to the absolute path
  certs           = $dir/certs            # Where the issued certs are kept     <- certificates issued to others; this directory must be created by hand
  crl_dir         = $dir/crl              # Where the issued crl are kept       <- certificate revocation lists; not a required directory
  database        = $dir/index.txt        # database index file.                <- index of issued certificates; this file must be created by hand
  #unique_subject = no                    # Set to 'no' to allow creation of
                                          # several certificates with same subject.
  new_certs_dir   = $dir/newcerts         # default place for new certs.        <- storage for newly issued certificates; must be created by hand
  certificate     = $dir/cacert.pem       # The CA certificate
  serial          = $dir/serial           # The current serial number           <- every certificate gets a serial number; you must create this file and set the starting value
  crlnumber       = $dir/crlnumber        # the current crl number
                                          # must be commented out to leave a V1 CRL
  crl             = $dir/crl.pem          # The current CRL
  private_key     = $dir/private/cakey.pem # The private key
  RANDFILE        = $dir/private/.rand    # private random number file
  x509_extensions = usr_cert              # The extentions to add to the cert
  # req_extensions = v3_req               # The extensions to add to a certificate request

  ######### Change the request (CSR) defaults so they match the CA certificate you just created.
  [ req_distinguished_name ]
  countryName                     = Country Name (2 letter code)
  countryName_default             = CN        # changed to CN to match the CA's self-signed certificate
  countryName_min                 = 2
  countryName_max                 = 2
  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = Henan     # same as above
  localityName                    = Locality Name (eg, city)
  localityName_default            = Zhengzhou # same as above
  0.organizationName              = Organization Name (eg, company)
  0.organizationName_default      = Tech      # same as above

4. Create the CA's directories and files and set the starting serial number. As described in the previous step, they are created in the directory where the CA lives.

  [root@www.linuxidc.com ~]# cd /etc/pki/CA/
  [root@www.linuxidc.com CA]# mkdir certs crl newcerts
  [root@www.linuxidc.com CA]# ls
  cacert.pem  certs  crl  newcerts  private
  [root@www.linuxidc.com CA]# touch index.txt serial
  [root@www.linuxidc.com CA]# echo 01 > serial   # the first certificate issued will get serial number 01
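Steps 1 to 4 above, together with the earlier point that the CA signs its own certificate, expressed as one complete program. This is an added example and not part of the original article; it reproduces the procedure with Go's standard crypto/x509 library instead of the openssl command line, so the CA key, the self-signed CA certificate, the serial counter, the web server's CSR, the issuing step and the final verification are all in one place. The type and function names (CA, NewCA, NewServerCSR, Issue, Verify) are my own, and the subject values reuse those the article typed into openssl req.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds what the article keeps under /etc/pki/CA: the self-signed CA
// certificate (cacert.pem), its private key (private/cakey.pem) and the
// running serial counter (the serial file, which the article seeds with 01).
type CA struct {
	Cert   *x509.Certificate
	Key    *rsa.PrivateKey
	serial *big.Int
}

// NewCA performs steps 1 and 2: generate the CA's private key and issue a
// self-signed certificate. Passing the same template as subject and parent
// is what makes the certificate self-signed.
func NewCA(subject pkix.Name) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	// Counter starts at 0 so the first issued certificate gets serial 1 (the article's "echo 01 > serial").
	return &CA{Cert: cert, Key: key, serial: big.NewInt(0)}, nil
}

// NewServerCSR is the web server's (client's) part: its own key pair plus a
// certificate signing request whose Common Name is the server's FQDN.
func NewServerCSR(fqdn string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{Country: []string{"CN"}, Organization: []string{"LINUX"}, CommonName: fqdn},
		DNSNames: []string{fqdn}, // modern clients match the host against SANs, not the CN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// Issue does what "openssl ca" does with a request: check the CSR's own
// signature (proof the requester holds the private key), take the next serial
// number, and sign a certificate carrying the CSR's subject and public key.
func (ca *CA) Issue(csrDER []byte, validity time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("invalid CSR signature: %w", err)
	}
	ca.serial.Add(ca.serial, big.NewInt(1))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: new(big.Int).Set(ca.serial),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify checks an issued certificate the way a TLS client that trusts this
// CA would: chain it to the CA root and match the requested host name.
func (ca *CA) Verify(leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := NewCA(pkix.Name{Country: []string{"CN"}, Province: []string{"Henan"}, Locality: []string{"Zhengzhou"},
		Organization: []string{"LINUX"}, OrganizationalUnit: []string{"Tech"}, CommonName: "www.rhce.com"})
	if err != nil {
		panic(err)
	}
	csr, _, err := NewServerCSR("www.rhce.com")
	if err != nil {
		panic(err)
	}
	cert, err := ca.Issue(csr, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued serial %s to %s; verify: %v\n", cert.SerialNumber, cert.Subject.CommonName, ca.Verify(cert, "www.rhce.com"))
}
```

The CheckSignature call in Issue is the step a CA must never skip: it is the only evidence that whoever submitted the request actually controls the private key matching the public key about to be certified.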