Linux built for private CA based on OpenSSL

Objective

with the rapid development of Internet, network communication has become the main way to transmit information. While the communication of data transmission is mostly Ming wen Transmission, in the network of this insecure environment, if there is no set of data encryption mechanism, will lead to sensitive information and important data leakage, causing immeasurable loss. and OpenSSL just made up for this shortcoming, what is OpenSSL? OpenSSL is a powerful set of cryptographic components that contain libcrypto (public cryptographic libraries), LIBSSL (Implementation of SSL protocol), and OpenSSL (multi-function command tools), which are now widely used in data communication cryptography because of their open source ideas. OpenSSL can also build a private CA within the LAN to achieve certificate authentication and authorization within the LAN, ensuring the security of data transmission. How do I build a private CA? This article describes in detail the implementation of a private CA build based on OpenSSL.

Data encryption and decryption process

The functions that data encryption needs to implement: data privacy, data integrity, identity authentication and key exchange.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5D/12/wKioL1UhNSHSu49nAAGtv9OgDAc907.jpg "title=" 01.jpg "alt=" Wkiol1uhnshsu49naagtv9ogdac907.jpg "/>

Encryption type and function: One-way encryption: Extract data signature, achieve data integrity authentication symmetric encryption: Data encryption, data privacy Public key cryptography: Using the other public key encryption, to achieve the secret key exchange using their own private key encryption, to achieve the authentication

Public keys cannot guarantee credibility, are vulnerable to theft or disguise in the course of a network transmission, so we need a trusted third-party organization (CA)

CA Work Flow

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5D/17/wKiom1UhQB6SvZ6fAAFtj1aJO8g538.jpg "title=" 02.jpg "alt=" Wkiom1uhqb6svz6faaftj1ajo8g538.jpg "/>

#A和B各自用CA的公钥解密对方证书, completing the authentication

because CA support on the Internet is expensive, so in the enterprise, do not involve outside network communication premise, completely self-built a local area network private CAs within the.

Implementing CA Build

OpenSSL can build a private CA for small and midsize businesses, and if you need to build a CA in a large enterprise, you can use OpenCA, you can do it by yourself, because OpenSSL is enough to meet most needs.

Establishing a CA server

Generate secret Key

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/12/wKioL1UhK2vighXBAAEfeIsqwqM261.jpg "title=" 1.jpg " alt= "Wkiol1uhk2vighxbaaefeisqwqm261.jpg"/>

Command details: Umask 077: Guarantee Key file Other people do not have read and write permissions, execute within (), only valid for the current child shell-out/path/to/somefile: Specify the key generator location 2048: Key length, customizable #openssl rsa-in Private/cakey.pem-pubout-text Extract Public key

Self-signed certificate

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/16/wKiom1UhKkqggqGCAAJaf7CZFq8951.jpg "title=" 2.jpg " alt= "Wkiom1uhkkqggqgcaajaf7czfq8951.jpg"/>

Command details:req:  generate certificate signing request      -news:  new request      -key / path/to/keyfile:  Specify the private key file      -out /path/to/somefile:  Specify the build certificate location       -x509:  generate self-signed certificates      -days n:  effective days        #Country  Name  (2 letter code)  [XX]:CN                             #国家 (capital abbreviation) #State  or Province Name  (full name)  []:Shandong                  #省份或洲 #locality  name  (eg, city)  [Default City]:Qingdao                 #城市 #organization name  (eg, company)  [default  company ltd]:scholar  #公司 #organizational unit name  (eg, section)  []:Tech                  #部门 #common name  (eg,  Your name or your server ' S hostname)  []:ca.scholar.com# must be consistent with the name that the certificate owner can resolve to, Otherwise, you will not be able to verify #email address []:[email protected]                                  #邮箱 # The above operation default option can be modified by modifying the configuration file (/ETC/PKI/TLS/OPENSSL.CNF)

Initializing the Working environment

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5D/12/wKioL1UhK7DTZMOIAACW1LCDgMo210.jpg "title=" 3.jpg " alt= "Wkiol1uhk7dtzmoiaacw1lcdgmo210.jpg"/>

Command details: Index.txt: Certificate Microcosm database serial: Signing the certificate number file echo > serial #设定编号初始值

Client Request Certificate

Generate key

#我们给web服务生成请求用于https, create a directory in its profile directory to hold the private key and certificate

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/12/wKioL1UhQ9uyXeJ-AAD_MsmX-h0923.jpg "title=" 4.jpg " alt= "Wkiol1uhq9uyxej-aad_msmx-h0923.jpg"/>

Generate a Certificate signing request

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5D/12/wKioL1UhK-mSx2J2AAKAgJzojOY479.jpg "title=" 5.jpg " alt= "Wkiol1uhk-msx2j2aakagjzojoy479.jpg"/>

#A Challenge Password []: #证书请求需要加密存放, if you add a password, you need to send the password to Ca#an optional company name []:

Send the signing request file to the CA server

#CA服务器工作目录下, manually create a directory to hold the certificate request (please feel free to store the directory)

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5D/16/wKiom1UhKtngZwBmAABoYCLh2aQ260.jpg "title=" 6.jpg " alt= "Wkiom1uhktngzwbmaaboyclh2aq260.jpg"/>

CA Sign Certificate

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/16/wKiom1UhKvfB84JSAAMLWRfqpAg917.jpg "title=" 7.jpg " alt= "Wkiom1uhkvfb84jsaamlwrfqpag917.jpg"/>

Send the signed certificate to the requestor

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5D/12/wKioL1UhLHCTNzjDAACO6yYHIgk310.jpg "title=" 8.jpg " alt= "Wkiol1uhlhctnzjdaaco6yyhigk310.jpg"/>

This allows the client to configure a certificate that is signed with the CA for encrypted communication. What if the client's private key is inadvertently lost, or the certificate expires? Now let's see how the certificate is revoked.

Certificate revocation

The client obtains the certificate serial

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5D/16/wKiom1UhK1Oxa11lAACJiHbuWzA333.jpg "title=" 9.jpg " alt= "Wkiom1uhk1oxa11laacjihbuwza333.jpg"/>

CA Authentication Information

Verify that the information in the Index.txt file is consistent according to the serial and subject information submitted by the node

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5D/12/wKioL1UhLK3D78P8AAB4ZgTFq4I099.jpg "title=" 10.jpg "alt=" Wkiol1uhlk3d78p8aab4zgtfq4i099.jpg "/>

CA Revocation Certificate

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/12/wKioL1UhLL2g2HsKAAEQYLhL_uk947.jpg "title=" 11.jpg "alt=" Wkiol1uhll2g2hskaaeqylhl_uk947.jpg "/>

CA generates revocation certificate number (first revocation)

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5D/16/wKiom1UhK4nj7Ia5AAAiIg9VCks136.jpg "title=" 12.jpg "alt=" Wkiom1uhk4nj7ia5aaaiig9vcks136.jpg "/>

CA Update certificate Revocation list

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5D/12/wKioL1UhLNyCd9DeAABlxiCdUh0750.jpg "title=" 13.jpg "alt=" Wkiol1uhlnycd9deaablxicduh0750.jpg "/>

#如果有需要 to view the contents of the CRL file #openssl crl-in/path/to/crlfile.crl-noout-text

OK, the certificate has been successfully revoked and can be re-applied.

The end

The above is the process of building a private CA based on OpenSSL, the actual effect please self-test, here I do not do analytic test. Only for individual learning to organize, if there are mistakes, big God do not spray ~ ~ ~

This article is from the "North Scholar" blog, please make sure to keep this source http://scholar.blog.51cto.com/9985645/1629145

Linux built for private CA based on OpenSSL