I. Brief Introduction to OpenSSL
OpenSSL is a powerful Secure Sockets Layer cryptographic library. It includes the major cryptographic algorithms, the commonly used key and certificate encapsulation and management functions, and the SSL protocol, and it ships with a rich set of command-line tools for testing and other purposes.
SSL is the abbreviation of Secure Sockets Layer (Secure Sockets Layer Protocol). It provides confidential transmission over the Internet: SSL lets client and server applications communicate without being eavesdropped on by attackers, and it always authenticates the server. The client can also be authenticated. The SSL protocol must be built on a reliable transport-layer protocol (TCP).
Related reading:
- FTP + SSL/TLS authentication through OpenSSL with secure data transmission: http://www.linuxidc.com/Linux/2013-05/84986.htm
- Using OpenSSL to generate certificates on Linux: http://www.linuxidc.com/Linux/2015-05/117034.htm
- Signing a multi-domain certificate with OpenSSL: http://www.linuxidc.com/Linux/2014-10/108222.htm
- Adding a custom encryption algorithm to OpenSSL: http://www.linuxidc.com/Linux/2015-08/121749.htm
II. Install the corresponding software packages
$ sudo apt-get install apache2      # install Apache
$ sudo apt-get install openssl      # install openssl
$ sudo apt-get install libssl-dev   # install the OpenSSL development library
$ sudo apt-get install bless        # bless is the hexadecimal editor used here; install it in advance
III. A brief look at openssl.cnf
$ vi /usr/lib/ssl/openssl.cnf
[req_distinguished_name]
countryName = Country Name (2 letter code)                  # country name, 2-letter code
countryName_default = CN                                    # CN for China
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)    # name of the state or province
stateOrProvinceName_default = beijing

localityName = Locality Name (eg, city)                     # city name
localityName_default = beijing
0.organizationName = Organization Name (eg, company)        # organization (company) name
0.organizationName_default = beijing www company

organizationalUnitName = Organizational Unit Name (eg, section)    # organizational unit (department) name
organizationalUnitName_default = www

commonName = Common Name (e.g. server FQDN or YOUR name)    # server domain name
commonName_default = www.baidu.com                          # the *_default key supplies the value pre-filled at the prompt
commonName_max = 64

emailAddress = Email Address                                # e-mail address
emailAddress_default = admin@baidu.com
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[req_attributes]
# challengePassword = A challenge password                  # challenge password (optional CSR attribute)
challengePassword =

challengePassword_min = 4
challengePassword_max = 20
IV. Become a digital certificate authority (CA) and generate a certificate for the CA
① Copy the openssl.cnf configuration file into the current directory and create the subdirectories that the configuration file expects
$ sudo ln /usr/lib/ssl/openssl.cnf .    # a plain copy (cp) works just as well as a link
$ mkdir demoCA
$ cd demoCA
$ mkdir certs crl newcerts
$ touch index.txt serial
$ echo 1111 > serial
# index.txt must exist but stays empty; serial must contain a number written as a string (for example 1111)
After these settings, you can create and issue certificates.
Note: the default [CA_default] section refers to dir = ./demoCA, so run the openssl commands below from the directory that holds openssl.cnf and the demoCA folder.
② Generate a self-signed certificate for your CA. This means the CA trusts itself, and its certificate will serve as the root certificate.
$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Note: Remember the passphrase you enter. The command writes two files, ca.key and ca.crt: ca.key contains the CA's private key, and ca.crt contains its public-key certificate.
V. Generate a certificate for the customer
Now that we are the root CA, we can sign digital certificates for customers. The customer here is www.baidu.com.
① Generate a public/private key pair
$ openssl genrsa -des3 -out server.key 1024
Note: You must provide a passphrase to protect the key. The key is stored in the file server.key. (1024-bit RSA is considered too weak today; use at least 2048 bits for anything beyond this exercise.)
② Generate a certificate signing request. Once the customer has a key file, it should generate a certificate signing request (CSR). The CSR is sent to the CA, and the CA issues a certificate for the request (usually after confirming that the identity information in the CSR matches the requester).
$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Note: Remember what you enter.
③ Generate the certificate. The CSR must be signed by a CA to become a certificate (in the real world the CSR is sent to a trusted CA for signing). Enter the CA passphrase and use our own CA to issue the certificate:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
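The whole procedure from sections III to V, collected into one unattended script as an added example (this is not code from the original article). It assumes an openssl binary on PATH, replaces the system openssl.cnf with a constructed minimal one whose [CA_default] section shows exactly which demoCA files `openssl ca` reads, and, unlike the article, leaves the demo keys unencrypted (-nodes) so it runs without prompts. It also adds what the article leaves out: the basicConstraints CA:TRUE extension on the root (without it `openssl verify` rejects the chain), a server-only extension profile with a subjectAltName, and a final `openssl verify` check showing that the issued certificate chains to our CA but not to an unrelated one. The "Demo Root CA" and "Other CA" names are assumptions; the rest of the DN values are the article's.

```shell
#!/bin/sh
# Added example: a minimal private CA built the way the article describes,
# run non-interactively in a scratch directory. Assumes `openssl` is on PATH.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed minimal openssl.cnf (stand-in for /usr/lib/ssl/openssl.cnf).
# [CA_default] lists the demoCA files that `openssl ca` needs;
# [req_distinguished_name] keeps the prompt/default pairs from section III.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = ./demoCA
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default = CN
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default  = www.baidu.com

# Root: must declare itself a CA, or verification of the chain fails.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf: explicitly not a CA, server-auth only, hostname carried in the SAN.
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.baidu.com
EOF

# Section IV (1): the directory layout [CA_default] refers to.
setup_ca_dir() {
  mkdir -p demoCA/certs demoCA/crl demoCA/newcerts
  : > demoCA/index.txt        # empty issued-certificate database
  echo 1111 > demoCA/serial   # next serial number (read as hex)
}

# Section IV (2): self-signed root. -nodes skips the passphrase only for this
# unattended demo; keep a real CA key encrypted, as the article does.
make_ca() {
  openssl req -new -x509 -nodes -days 365 -config openssl.cnf \
    -keyout ca.key -out ca.crt \
    -subj "/C=CN/ST=beijing/L=beijing/O=beijing www company/OU=www/CN=Demo Root CA" 2>/dev/null
}

# Section V (1)-(3): key, CSR, and issuance by our CA using the server profile.
make_server_cert() {
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config openssl.cnf \
    -subj "/C=CN/ST=beijing/L=beijing/O=beijing www company/OU=www/CN=www.baidu.com"
  openssl ca -batch -config openssl.cnf -extensions v3_server \
    -cert ca.crt -keyfile ca.key -in server.csr -out server.crt 2>/dev/null
}

# Check the article does not show: does server.crt chain to the CA file given
# as $1 and carry the expected hostname? Exit status 0 means yes.
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname www.baidu.com server.crt
}

# A second, unrelated root (assumed name): trust is per anchor, not per format.
make_other_ca() {
  openssl req -new -x509 -nodes -days 365 -config openssl.cnf \
    -keyout other.key -out other.crt -subj "/CN=Other CA" 2>/dev/null
}

setup_ca_dir
make_ca
make_server_cert
make_other_ca
verify_against ca.crt                                       # prints "server.crt: OK"
verify_against other.crt 2>/dev/null || echo "rejected by an unrelated CA, as expected"
```

After the run, demoCA/index.txt holds one entry, demoCA/serial has advanced to 1112, and the issued certificate is also archived as demoCA/newcerts/1111.pem; the same `openssl verify -CAfile ca.crt` line is the check to run on any certificate before deploying it to a server.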