Objective
The CA (Certificate Authority) is the authority that issues certificates and is the core of a PKI. It is responsible for issuing certificates, certifying them, and administering the certificates it has issued.
The CA defines the policies and the concrete steps used to verify an applicant's identity and then signs the user's certificate, so that the certificate attests both to the identity of the holder and to the holder's ownership of the public key.
The CA itself also has a certificate (which contains its public key) and a private key. Users on the Internet trust the CA by verifying the CA's signature, and anyone can obtain the CA's certificate, public key included, to verify the certificates it has issued.
A user who wants a certificate of his own first applies to the CA. After the CA has verified the applicant's identity, it binds the applicant's public key to that identity, signs the result, and issues the certificate to the applicant. A user who wants to check the authenticity of another certificate uses the CA's public key to verify the signature on that certificate; if the signature checks out, the certificate is considered valid.
I. CA side
Getting to know the CA directory: /etc/pki/CA
Here certs holds the signed certificates, crl holds the certificate revocation list, and private is where the private key is stored. newcerts is where the system automatically stores a copy of each certificate at the time we sign it.
1. Create the required files:
Here index.txt is the certificate index database file, and serial holds the serial number of the next certificate to be issued; writing 01 into it means the first serial number will be 01.
2. The CA generates a self-signed certificate
Generate a key pair:
Generate a self-signed certificate:
Here -new: generate a new certificate signing request;
-x509: generate a self-signed certificate, which is used specifically for the CA itself;
-key: the private key file used to generate the new certificate signing request;
-days: the validity period of the certificate, in days;
-out: the location where the generated signed certificate is saved.
We can export the certificate to view it in Windows.
II. CA-client side
Getting to know the client directory: /etc/pki/tls. The files in this directory are roughly the same as in /etc/pki/CA, except that the latter is used by the CA when it signs requests, while the former holds the files of the party that requests a certificate.
1. Generate the private key file
This time we chose not to encrypt the private key file, so the -des3 option is omitted.
2. Generate the certificate request file
In the certificate signing request generated above we cannot specify the validity period of the certificate, because the certificate is issued to you by the CA and the CA decides the validity period, so no validity date is given here. Second, there is no -x509 option, because this is not a self-signed certificate.
3. Transfer the certificate signing request file to the CA
To copy the file to the remote host with the scp command, both hosts must have scp installed; if either one lacks it, the copy will fail. scp is part of the OpenSSH package and is installed with yum -y install openssh-clients. If no yum repository has been configured yet, please read this blog post: http://vinsent.blog.51cto.com/13116656/1962172
III. The CA signs the certificate and sends it to the CA-client
The CA-client's certificate request was sent to the CA in the previous step; now the CA signs the request and issues the certificate.
Read the contents of the certificate shown by the signing command carefully (the key fields are the subject and validity period); if everything is in order, confirm, and the CA-client's certificate request is signed successfully. You can view the file index.txt to see the record of the issued certificate:
Copy the certificate to the CA-client (run from /etc/pki/CA on the CA host):
scp certs/app.crt 172.18.252.50:/etc/pki/tls/certs
IV. Revocation of certificates
The certificate information is stored in the index.txt file. To revoke a certificate, first create the CRL number file: echo 01 > /etc/pki/CA/crlnumber. Then use the openssl command to add the certificate (stored at /etc/pki/CA/newcerts/01.pem) to the revocation list, for example: openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Revoking the certificate is not enough on its own, however: the revocation must be published in the CRL to inform other users that the certificate has been invalidated. Use the command openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem to update the revocation list. You can export the file to Windows to view the revocation list.
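The whole CA-side procedure of sections I to IV, replayed as an added example (not the post's own commands) in a throwaway directory instead of /etc/pki/CA so it can be run safely; it assumes only the openssl CLI, and the subject names and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): the CA-side steps of sections I-IV, replayed
# in a temp dir instead of /etc/pki/CA. Assumes only the openssl CLI is present.
set -eu

setup_ca_dir() {                          # mirror the /etc/pki/CA layout
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    touch "$1/index.txt"                  # certificate index database
    echo 01 > "$1/serial"                 # next certificate serial number
    echo 01 > "$1/crlnumber"              # next CRL number, needed by -gencrl
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Returns 0 when the issued cert verifies and, once revoked, fails against the CRL.
run_ca_demo() {
    D=$(mktemp -d); setup_ca_dir "$D"; C="$D/openssl.cnf"
    # I. CA key pair and self-signed certificate (-x509 with -days)
    openssl genrsa -out "$D/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$D/private/cakey.pem" -days 3650 \
        -subj "/CN=Demo Root CA" -out "$D/cacert.pem" -config "$C"
    # II. client key (no -des3) and CSR (no -x509, no -days); constructed names
    openssl genrsa -out "$D/app.key" 2048 2>/dev/null
    openssl req -new -key "$D/app.key" -subj "/CN=app.test" -out "$D/app.csr" -config "$C"
    # III. CA signs the request; -batch replaces the interactive y/n prompts
    openssl ca -batch -config "$C" -days 365 -in "$D/app.csr" -out "$D/certs/app.crt" >/dev/null 2>&1
    openssl verify -CAfile "$D/cacert.pem" "$D/certs/app.crt" >/dev/null
    # IV. revoke newcerts/01.pem, publish the CRL, then re-verify with CRL checking on
    openssl ca -config "$C" -revoke "$D/newcerts/01.pem" >/dev/null 2>&1
    openssl ca -config "$C" -gencrl -crldays 30 -out "$D/crl/crl.pem" 2>/dev/null
    cat "$D/cacert.pem" "$D/crl/crl.pem" > "$D/trust.pem"
    ! openssl verify -crl_check -CAfile "$D/trust.pem" "$D/certs/app.crt" >/dev/null 2>&1
}
```

Call run_ca_demo to execute the whole sequence; afterwards index.txt in the temp directory shows the issued certificate with its status changed from V (valid) to R (revoked).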
V. Supplementary
If you want to request a certificate for another service, you can generate the certificate request directly, because the key pair was generated earlier (run from /etc/pki/tls on the client): openssl req -new -key private/app.key -out app2.csr. Then repeat the steps above to have it signed once again. Here are a few commands to view certificate information:
openssl x509 -in /etc/pki/CA/certs/app.crt -noout -text, or with -issuer, -subject, -serial or -dates in place of -text to show only that field.
If you have yet another host and want to use the CA-client above to go on signing certificates for other hosts, the general steps are the same as the process above. Note, however, that when you generate the certificate request subca.csr you do not sign it yourself (that is, there is no -x509 option); you need the root CA to sign it for you.
With that, the signing of CA certificates is complete. Of course, this only implements the creation of a CA and the signing of certificates; it does not cover putting them to use in related services such as http. Thank you for reading ~
This article from "Vinsent" blog, reproduced please contact the author!
Implementing a CA in a Linux system