CA Digital Certificate Services
CA (Certificate Authority): the digital certificate authority center
An independent third party trusted by both parties to a communication
Responsible for issuing, validating and revoking certificates
PKI (Public Key Infrastructure)
A standard set of key management platforms
Uses public key cryptography and digital certificate technology to secure information
Basic components of a PKI system
An authoritative certification body (the CA)
A digital certificate store, plus a key backup and recovery system
A certificate revocation system and application interfaces
OpenSSL encryption/decryption tool
Symmetric encryption:
openssl enc -<algorithm> -e -in <input file> -out <output file>    # encrypt
openssl enc -<algorithm> -d -in <input file> -out <output file>    # decrypt
[root@localhost ~]# which openssl
/usr/bin/openssl
[root@localhost ~]# rpm -qf /usr/bin/openssl
openssl-1.0.1e-42.el7_1.9.x86_64
[root@localhost ~]# vim f1.txt
[root@localhost ~]# openssl enc -des3 -e -in f1.txt -out f1.txt.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost ~]# ls f1*
f1.txt  f1.txt.enc
[root@localhost ~]# rm -rf f1.txt
[root@localhost ~]# openssl enc -des3 -d -in f1.txt.enc -out f1.txt
enter des-ede3-cbc decryption password:
[root@localhost ~]# ls f1*
f1.txt  f1.txt.enc
Deploying the CA Server
Step one: Configure the CA signing environment
[root@localhost ~]# ls /etc/pki/CA/                 # CA working directory
certs  crl  newcerts  private
[root@localhost ~]# ls /etc/pki/CA/certs/           # stores the certificates the CA has issued
[root@localhost ~]# touch /etc/pki/CA/index.txt     # database of issued certificates
[root@localhost ~]# chmod 600 /etc/pki/CA/index.txt
[root@localhost ~]# touch /etc/pki/CA/serial        # certificate serial number file
[root@localhost ~]# chmod 600 /etc/pki/CA/serial
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# cat serial
01
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf    # adjust the configuration
dir             = /etc/pki/CA             # CA signing working directory
certs           = $dir/certs              # where issued user certificates are kept
crl_dir         = $dir/crl
database        = $dir/index.txt          # database of issued certificates
certificate     = $dir/my-ca.crt          # CA root certificate file name
serial          = $dir/serial             # certificate serial number file
private_key     = $dir/private/my-ca.key  # CA private key file name
countryName_default             = CN
stateOrProvinceName_default     = Beijing
localityName_default            = Beijing
0.organizationName_default      = Xuenqlve
organizationalUnitName_default  = Ope
[ policy_match ]                          # matching policy
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
match: the field in the request must match the value in the CA certificate
optional: the field may be present or left out
supplied: the field must be present in the request
Step two: Generate a private key for the CA
[root@localhost ~]# cd /etc/pki/CA/private/
[root@localhost private]# openssl genrsa -des3 2048 > my-ca.key
Generating RSA private key, 2048 bit long modulus
.....................................................................+++
..+++
e is 65537 (0x10001)
Enter pass phrase:                 # set the private key passphrase
Verifying - Enter pass phrase:     # repeat the private key passphrase
[root@localhost private]# ls
my-ca.key
[root@localhost private]# chmod 600 my-ca.key
Step three: Create the root certificate for the CA server
-new                        create a new request
-x509                       output a self-signed certificate instead of a request
-key ./private/my-ca.key    private key file name
-days 365                   validity period (days)
[root@localhost private]# cd ..
[root@localhost CA]# openssl req -new -x509 -key ./private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for ./private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Xuenqlve]:
Organizational Unit Name (eg, section) [Ope]:
Common Name (eg, your name or your server's hostname) []:xuenqlve.ca.com
Email Address []:[email protected]
Step four: Publish the root certificate
It can be published over the web, FTP or any other channel
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd.service
[root@localhost ~]# mkdir /var/www/html/ca
[root@localhost ~]# cp /etc/pki/CA/my-ca.crt /var/www/html/ca/
Client: download and import the root certificate
[root@localhost ~]# wget http://192.168.4.2/ca/my-ca.crt
--2018-01-04 20:27:49--  http://192.168.4.2/ca/my-ca.crt
Connecting to 192.168.4.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1399 (1.4K)
Saving to: "my-ca.crt"
100%[======================================>] 1,399       --.-K/s   in 0s
2018-01-04 20:27:49 (141 MB/s) - "my-ca.crt" saved [1399/1399]
[root@localhost ~]# firefox
In Firefox, open the menu at the right of the toolbar and click Preferences,
then Advanced ---> Certificates ---> View Certificates.
On the Authorities tab click Import,
locate the my-ca.crt file you just downloaded and click Open,
tick the trust option and click OK.
The certificate we built ourselves is now listed there.
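The server-side steps above scripted end to end, plus the check a client should run on a downloaded root certificate before importing it into the browser (it must verify against itself, and its SHA-256 fingerprint should be compared with a value the CA operator publishes out of band). This is an added example, not code from the original post; it assumes a scratch directory in place of /etc/pki/CA and passes the key passphrase on the command line instead of typing it interactively.

```shell
#!/bin/sh
# Added example: non-interactive version of the CA setup above.
# Assumption: $1 is a scratch directory standing in for /etc/pki/CA.
set -eu

# Step one: the directory layout and bookkeeping files openssl's ca command expects.
ca_init_dir() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"            # database of issued certificates, empty at start
    echo 01 > "$dir/serial"         # serial number of the next certificate
    chmod 600 "$dir/index.txt" "$dir/serial"
}

# Steps two and three: DES3-protected RSA key, then a self-signed root cert.
# -subj supplies the DN so openssl req does not prompt; -passout/-passin
# supply the key passphrase (an assumption; the post types it interactively).
ca_gen_root() {
    dir=$1; subj=$2; pass=$3
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/private/my-ca.key" 2048 2>/dev/null
    chmod 600 "$dir/private/my-ca.key"
    openssl req -new -x509 -key "$dir/private/my-ca.key" -passin "pass:$pass" \
        -days 365 -subj "$subj" -out "$dir/my-ca.crt"
}

# Client-side checks on a downloaded root certificate before importing it.
# A root cert must verify against itself as the trust anchor (self-signed) ...
ca_verify_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null
}

# ... and its SHA-256 fingerprint should match the value the CA operator
# publishes out of band; the plain-HTTP download alone proves nothing.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

ca_demo() {
    ca_init_dir "$1"
    ca_gen_root "$1" "/C=CN/ST=Beijing/L=Beijing/O=Xuenqlve/OU=Ope/CN=xuenqlve.ca.com" "$2"
    openssl x509 -in "$1/my-ca.crt" -noout -subject -dates
    ca_verify_self "$1/my-ca.crt" && echo "self-signed root verifies"
    echo "SHA256 fingerprint: $(ca_fingerprint "$1/my-ca.crt")"
}

# Usage: sh ca-setup.sh /tmp/ca-test 'passphrase'
[ $# -lt 2 ] || ca_demo "$1" "$2"
```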