Linux Deployment CA Digital Certificate Services

Source: Internet
Author: User
Tags: openssl, enc

CA Digital Certificate Services

CA (Certificate Authority): the digital certificate authority centre

An independent third party trusted by both parties to a communication

Responsible for issuing, validating and revoking certificates, among other management tasks

PKI (Public Key Infrastructure)

A standardised key-management platform

It uses digital certificate technology, built on public key cryptography, to secure information

Basic components of a PKI system

An authoritative certification body (the CA)

A certificate repository, plus a key backup and recovery system

A certificate revocation system and application interfaces


OpenSSL encryption/decryption tool

Symmetric encryption:

openssl enc -<algorithm> -e -in <input file> -out <output file>    # encrypt

openssl enc -<algorithm> -d -in <input file> -out <output file>    # decrypt

[root@localhost ~]# which openssl

/usr/bin/openssl

[root@localhost ~]# rpm -qf /usr/bin/openssl

openssl-1.0.1e-42.el7_1.9.x86_64

[root@localhost ~]# vim f1.txt

[root@localhost ~]# openssl enc -des3 -e -in f1.txt -out f1.txt.enc

enter des-ede3-cbc encryption password:

Verifying - enter des-ede3-cbc encryption password:

[root@localhost ~]# ls f1*

f1.txt  f1.txt.enc

[root@localhost ~]# rm -rf f1.txt

[root@localhost ~]# openssl enc -des3 -d -in f1.txt.enc -out f1.txt

enter des-ede3-cbc decryption password:

[root@localhost ~]# ls f1*

f1.txt  f1.txt.enc
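As an added example (not from the original post), the same openssl enc round trip with AES-256 and PBKDF2 key derivation instead of the legacy des3 default, followed by a check that openssl enc provides confidentiality only: zeroing one ciphertext block still decrypts with exit status 0, just with wrong content. It assumes OpenSSL 1.1.1 or newer, a temporary working directory and a constructed password file.

```sh
# Added example, not from the original post: the enc round trip above with a modern
# cipher and key derivation (needs OpenSSL 1.1.1 or newer), plus a check showing that
# enc protects confidentiality only: a modified ciphertext still decrypts "successfully".
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="$WORK/pass.txt"
printf 'correct horse battery staple\n' > "$PASS"   # constructed demo password
chmod 600 "$PASS"
enc_file() {  # $1 plaintext -> $2 ciphertext; salted, PBKDF2-derived AES-256 key
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass "file:$PASS" -e -in "$1" -out "$2"
}
dec_file() {  # $1 ciphertext -> $2 plaintext; returns openssl's exit status
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$PASS" -d -in "$1" -out "$2" 2>/dev/null
}
roundtrip_ok() {  # 0 if encrypt-then-decrypt reproduces the input (constructed 64-byte file)
    printf '%064d' 0 > "$WORK/f1.txt"
    enc_file "$WORK/f1.txt" "$WORK/f1.txt.enc"
    dec_file "$WORK/f1.txt.enc" "$WORK/f1.dec"
    cmp -s "$WORK/f1.txt" "$WORK/f1.dec"
}
tamper_undetected() {  # run after roundtrip_ok; 0 if a zeroed cipher block still gives exit 0 and wrong data
    cp "$WORK/f1.txt.enc" "$WORK/f1.bad"
    # layout: 8-byte "Salted__" + 8-byte salt, then 16-byte CBC blocks; zero the first block
    dd if=/dev/zero of="$WORK/f1.bad" bs=16 seek=1 count=1 conv=notrunc 2>/dev/null
    # the last block and its padding are untouched, so openssl reports success
    dec_file "$WORK/f1.bad" "$WORK/f1.bad.dec" && ! cmp -s "$WORK/f1.txt" "$WORK/f1.bad.dec"
}
```

Integrity has to come from elsewhere (a signature or an authenticated mode); enc alone does not detect a modified file.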


Deploying the CA Server

Step one: configure the CA signing environment

[root@localhost ~]# ls /etc/pki/CA/                  # working directory

certs  crl  newcerts  private

[root@localhost ~]# ls /etc/pki/CA/certs/            # stores the issued certificates

[root@localhost ~]# touch /etc/pki/CA/index.txt      # records the certificates that have been issued

[root@localhost ~]# chmod 600 /etc/pki/CA/index.txt

[root@localhost ~]# touch /etc/pki/CA/serial         # certificate serial number file

[root@localhost ~]# chmod 600 /etc/pki/CA/serial

[root@localhost CA]# echo 01 > serial

[root@localhost CA]# cat serial

01


[root@localhost ~]# vim /etc/pki/tls/openssl.cnf     # adjust the configuration

dir = /etc/pki/CA                                    # CA signing working directory

certs = $dir/certs                                   # where issued user certificates are stored

crl_dir = $dir/crl

database = $dir/index.txt                            # records the certificates that have been issued

certificate = $dir/my-ca.crt                         # CA root certificate file name

serial = $dir/serial                                 # certificate serial number file

private_key = $dir/private/my-ca.key                 # CA private key file name


countryName_default = CN

stateOrProvinceName_default = Beijing

localityName_default = Beijing

0.organizationName_default = Xuenqlve

organizationalUnitName_default = Ope


[ policy_match ]                                     # matching policy

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName = supplied

emailAddress = optional


match: the field must match the value in the CA certificate

optional: the field may be left out

supplied: the field must be provided in the request


Step two: generate a private key for the CA

[root@localhost ~]# cd /etc/pki/CA/private/

[root@localhost private]# openssl genrsa -des3 2048 > my-ca.key

Generating RSA private key, 2048 bit long modulus

.....................................................................+++

..+++

e is 65537 (0x10001)

Enter pass phrase:                                    # set the private key passphrase

Verifying - Enter pass phrase:                        # repeat the private key passphrase

[root@localhost private]# ls

my-ca.key

[root@localhost private]# chmod 600 my-ca.key         # restrict the key file to root


Step three: create a root certificate for the CA server

-new                          generate a new request

-x509                         output a self-signed X.509 certificate instead of a certificate request

-key ./private/my-ca.key      private key file name

-days 365                     validity period in days

[root@localhost private]# cd ..

[root@localhost CA]# openssl req -new -x509 -key ./private/my-ca.key -days 365 > my-ca.crt

Enter pass phrase for ./private/my-ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Beijing]:

Locality Name (eg, city) [Beijing]:

Organization Name (eg, company) [Xuenqlve]:

Organizational Unit Name (eg, section) [Ope]:

Common Name (eg, your name or your server's hostname) []:xuenqlve.ca.com

Email Address []:[email protected]
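The three steps above, as an added example that is not part of the original post: it builds a throwaway CA with the same layout as /etc/pki/CA and the same policy_match rules, and goes one step further than the page by using the CA to sign a server request and verifying the result with openssl verify. It assumes OpenSSL 1.1.1 or newer, a temporary directory in place of /etc/pki/CA, and a CA key without a passphrase (the page uses -des3) so that it runs unattended; all names and paths are chosen for the example.

```sh
# Added example, not from the original post: build a throwaway CA with the /etc/pki/CA
# layout and the page's [ policy_match ] rules, then sign one request and verify it.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
ca_init() {  # working directory, certificate database, serial file and config
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # issued-cert database, next serial
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
ca_root() {  # CA key without passphrase (the page uses -des3) so this runs unattended
    openssl genrsa -out "$CA_DIR/private/my-ca.key" 2048 2>/dev/null
    chmod 600 "$CA_DIR/private/my-ca.key"
    openssl req -new -x509 -days 365 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/my-ca.key" \
        -subj "/C=CN/ST=Beijing/O=Example/OU=Ope/CN=example-ca" -out "$CA_DIR/my-ca.crt"
}
ca_sign() {  # $1 = host name: fresh key and CSR, then sign the CSR with the CA
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/certs/$1.key" \
        -subj "/C=CN/ST=Beijing/O=Example/CN=$1" -out "$CA_DIR/certs/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/certs/$1.csr" \
        -out "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}
ca_verify() {  # succeeds only if $1.crt chains to my-ca.crt
    openssl verify -CAfile "$CA_DIR/my-ca.crt" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}
```

After ca_sign, index.txt holds one V (valid) record and serial has advanced to 02, which is what the files created in step one are for.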




Step four: publish the root certificate

It can be published over the web, FTP or other means.

[root@localhost ~]# yum -y install httpd

[root@localhost ~]# systemctl stop firewalld

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl restart httpd

[root@localhost ~]# systemctl enable httpd.service

[root@localhost ~]# mkdir /var/www/html/ca

[root@localhost ~]# cp /etc/pki/CA/my-ca.crt /var/www/html/ca/

Stopping firewalld and switching SELinux to permissive are lab shortcuts; on a real CA host keep both enabled and open only the port the download service needs.


Downloading the certificate on the client

[root@localhost ~]# wget http://192.168.4.2/ca/my-ca.crt

--2018-01-04 20:27:49--  http://192.168.4.2/ca/my-ca.crt

Connecting to 192.168.4.2:80... connected.

HTTP request sent, awaiting response... OK

Length: 1399 (1.4K)

Saving to: 'my-ca.crt'


100%[======================================>] 1,399       --.-K/s   in 0s


2018-01-04 20:27:49 (141 MB/s) - 'my-ca.crt' saved [1399/1399]


[root@localhost ~]# firefox

In Firefox, open the menu at the right of the toolbar and click Preferences.

Then click Advanced ---> Certificates ---> View Certificates.


Click the Certificate Authorities tab ---> Import.


Locate the my-ca.crt file you just downloaded ---> Open.

Tick the trust options ---> OK.

The certificate we built ourselves now appears in the list.


