We know that when a client establishes a session with a server, the client first sends its request, the TCP/IP three-way handshake takes place, and then the client establishes an SSL session with the server.
In short, the session process is as follows:
1. The client and the server negotiate which encryption algorithm to use and how the encryption will be done.
2. The client sends its certificate to the server so that the server can trust it.
3. Once the server trusts the client, it generates a symmetric key and sends the requested page to the client.
4. Finally, the client replies to the server, encrypting with the key the server sent.
In this process, because the server has to verify that the client's identity is genuine, a trusted third party has to be introduced: the CA, which issues certificates to the client. The server trusts the CA, so as long as the client holds a certificate issued by that CA, the client can access the server.
Next, we will implement certificate authentication with a private CA.
Preparation: two hosts. CentOS 7 acts as the CA; CentOS 6 acts as the web server.
I. Creating the CA certificate (CentOS 7)
1. Check whether the OpenSSL package is installed
# rpm -qa openssl
2. Generate the self-signed certificate
(All of the following is done in the /etc/pki/CA directory.)
(1) Create the certificate index database and set the serial number of the first certificate to be issued
(2) Generate private key
Supplement: extract the public key from the private key (the public key is derived from the private key). Note that this is the rsa subcommand, not genrsa:
# openssl rsa -in /etc/pki/CA/private/cakey.pem -pubout
(3) Generate the self-signed certificate (edit /etc/pki/tls/openssl.cnf)
Supplement: the private CA is configured in /etc/pki/tls/openssl.cnf. The part of it we need is the following section:
[ CA_default ]
dir           = /etc/pki/CA                # default CA directory
certs         = $dir/certs                 # where issued client certificates are kept
crl_dir       = $dir/crl                   # certificate revocation list directory
database      = $dir/index.txt             # database of certificates already issued, used for lookups
new_certs_dir = $dir/newcerts              # newly generated certificates are saved here
certificate   = $dir/cacert.pem            # the CA's own certificate
serial        = $dir/serial                # serial number of the next certificate, starting at 01 by default
crlnumber     = $dir/crlnumber             # working number of the certificate revocation list
crl           = $dir/crl.pem               # the certificate revocation list file
# The CRL records certificates that were issued and have not yet expired, but that may no longer be used for some reason (a security mechanism).
private_key   = $dir/private/cakey.pem     # the CA private key file
So under /etc/pki/CA we need the private key file, the CA certificate, the certs, crl and newcerts directories, and the serial and index.txt files.
With that, the CA certificate is created.
II. Issuing a certificate to the client (CentOS 6)
(1) Generate a private key and a certificate signing request
(2) Copy the certificate signing request to the CA server
2. Sign the certificate
3. Send the signed certificate back to the client (from CentOS 7)
III. Restart the web server
# service httpd restart
IV. View the certificate
With that, a complete certificate authentication setup using a self-signed CA is finished.
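As an added example that is not part of the original post, the whole procedure from sections I to IV, together with the [ CA_default ] keys explained above, in one POSIX shell script that builds a disposable CA in a temporary directory instead of /etc/pki/CA. The directory names, subjects, 2048-bit keys and the 365/3650-day lifetimes are assumptions for the demo, and -batch/-subj replace the interactive prompts shown in the screenshots.

```shell
# Added example: throwaway private CA with the page's directory layout and
# [ CA_default ] keys; issues a web-server certificate from a CSR, then
# inspects it and verifies that it chains to the CA. Names are assumptions.
set -eu
build_ca_and_sign() {
    ca="$1"                       # stands in for /etc/pki/CA
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"       # the CA private key must never be world-readable
    touch "$ca/index.txt"         # certificate database, empty to start with
    echo 01 > "$ca/serial"        # first serial number to issue, 01 as on the page
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
certs         = \$dir/certs
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
crl           = \$dir/crl.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_demo
[ policy_demo ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName    = Common Name
EOF
    # I. CA key pair plus self-signed CA certificate
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -days 3650 -subj "/CN=Demo Private CA" -config "$ca/openssl.cnf"
    # II. web server (the CA's "client") key pair and certificate signing request
    openssl genrsa -out "$ca/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$ca/httpd.key" -out "$ca/httpd.csr" \
        -subj "/CN=www.example.test" -config "$ca/openssl.cnf"
    # the CA signs the request; -batch answers the interactive prompts with yes
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$ca/httpd.csr" -out "$ca/httpd.crt"
    # IV. view the issued certificate and confirm it chains to the CA
    openssl x509 -in "$ca/httpd.crt" -noout -subject -issuer -dates
    openssl verify -CAfile "$ca/cacert.pem" "$ca/httpd.crt" | grep -q ': OK'
}
```

After a run, index.txt holds one line starting with V (valid) and the serial file has advanced to 02, which is exactly the bookkeeping the database and serial keys above provide for.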
Summary: the whole process of creating a certificate is:
1. Create the private CA:
  - create a key pair
  - generate the self-signed certificate
2. The client needs to:
  - create a key pair
  - generate a certificate signing request (the request file has the suffix .crt)
  - send the request to the CA
3. The CA signs the request, generates the certificate, and then passes it back to the client.
Implementing CA certification under Linux