Create a CA (Certificate authority)
There are two main storage formats for CA certificates: X.509 and PKCS#12.
X.509 is currently the most common certificate format. An X.509 certificate mainly stores:
The certificate's public key and its validity period
The legitimate owner of the certificate (the subject)
How the certificate may be used
Information about the issuing CA
The CA's signature over the certificate, used as a check value
By default, neither the TCP/IP model nor the OSI model implements data encryption; to encrypt data, the TLS/SSL protocol is needed. On Linux, TLS and SSL are implemented by the same mechanism, so we introduce the SSL protocol here.
The SSL (Secure Socket Layer) protocol is, in practice, a library that contains a variety of encryption algorithms. When application-layer data is handed to the transport layer and encryption is wanted, the application calls the SSL library, which provides the encryption.
SSL also comes in versions: SSLv1, SSLv2 and SSLv3. The mainstream today is SSLv2 and SSLv3; SSLv1 is essentially no longer used because its encryption is not secure.
Taking HTTP as an example, the figure below describes how SSL works; the whole process is as follows:
[Figure: Ssl.png (how SSL works, HTTP example)]
Since SSL is a protocol that has to be implemented by software, we use the openssl command. OpenSSL is an open source implementation of SSL and consists of two libraries:
libcrypto: a general-purpose cryptographic library that contains the various cryptographic algorithms; our data is encrypted with the algorithms in this library.
libssl: the implementation of TLS/SSL itself, providing session-based identity authentication, data confidentiality and session integrity.
So openssl is a very powerful command.
The following describes the use of OpenSSL and how to create a CA using OpenSSL.
OpenSSL is a multipurpose command-line tool that contains various cryptographic algorithms and can also create a private CA, although such a private CA is normally only used within a company.
openssl: displays the standard OpenSSL commands and the supported cipher and digest algorithms
openssl speed [algorithm]: benchmarks the various cryptographic algorithms
openssl rand -base64 num: generates num random bytes, base64-encoded, usable as a random password
openssl passwd -1 password: hashes a password for a user account (MD5-based crypt)
openssl dgst -sha1 filename: generates a checksum for a file
openssl sha1 filename: also generates a checksum for a file
openssl version: shows the OpenSSL release in use
OpenSSL can also encrypt a file:
openssl enc -des3 -salt -a -e -in inputfile -out outputfile
-e: encrypt
-d: decrypt
-in: the file to encrypt
-out: the encrypted output file
-salt adds a random salt to the key derivation, and -a base64-encodes the output.
Create a private CA using OpenSSL
There are two steps to creating a private CA:
1. Generate a key pair
Create the private key:
(umask 077; openssl genrsa -out /path/to/cakey.pem numbits)
Because of the ( ), the command runs in a subshell and the umask setting disappears when the subshell exits; since the key file must be kept secret, the umask of 077 makes the private key file be created with permissions 600.
-out /path/to/cakey.pem is the private key file. This path must match the private_key path configured in /etc/pki/tls/openssl.cnf.
numbits is the length of the key in bits.
Extract the public key from the private key (the public key is derived from the private key):
openssl rsa -in /path/to/cakey.pem -pubout
The public key is used to generate the certificate, and the private key is used to encrypt data.
2. Generate a self-signed certificate
openssl req -new -x509 -key /path/to/cakey.pem -out /path/to/certificate.crt -days 365
Use openssl x509 -text -in /path/to/certificate.crt to view the contents of this certificate.
With these two steps a CA can be created manually. However, the CA created this way cannot yet issue certificates: issuing certificates to clients requires the supporting files, which we create manually according to the private CA's configuration file, /etc/pki/tls/openssl.cnf.
The private CA's configuration file, /etc/pki/tls/openssl.cnf, contains many sections; the one we need to introduce is:
[ CA_default ]
dir           = /etc/pki/CA              # default CA directory
certs         = $dir/certs               # where client certificates are kept
crl_dir       = $dir/crl                 # certificate revocation list directory
database      = $dir/index.txt           # database of issued certificates, used for lookups
new_certs_dir = $dir/newcerts            # where newly generated certificates are saved
certificate   = $dir/cacert.pem          # the CA's own certificate
serial        = $dir/serial              # next certificate serial number, 01 by default
crlnumber     = $dir/crlnumber           # current number of the certificate revocation list
crl           = $dir/crl.pem             # the certificate revocation list file
# The revocation list holds certificates that were issued and have not yet expired
# but must no longer be used for some reason (a security mechanism).
private_key   = $dir/private/cakey.pem   # the CA's private key file
So under /etc/pki/CA/ we need to create the private key file, the CA certificate, the certs, crl and newcerts directories, and the serial and index.txt files.
Issuing certificates to clients
On the client side, when generating a certificate for a program or service, it is best to create the files in that program's own directory. Taking httpd as an example, create the following files in /etc/httpd/ssl:
1. Create a private key locally on the client:
openssl genrsa -out keyfile 1024
2. Generate the certificate signing request and send it to the CA:
openssl req -new -key keyfile -out keyfile.csr (the request file suffix must be .csr)
3. The CA signs the request file:
openssl ca -in keyfile.csr -out certificate.crt -days 365 (valid for 365 days)
4. After signing, the certificate has been produced; pass it back to the client.
/etc/pki/CA/index.txt and /etc/pki/CA/serial are updated at the same time.
Note: because the whole process here is done on one computer, the client's certificate request does not actually need to be transferred to the CA, nor the signed certificate back to the client, since the CA and the client are the same host.
Summary: the whole process of creating a certificate
1. Create a private CA:
Create a key pair
Generate a self-signed certificate
2. The client needs to:
Create a key pair
Generate a certificate signing request (request file suffix .csr)
Send the request to the CA
3. The CA signs the request, generates the certificate, and passes it to the client
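The whole process just summarised (the CA set-up from the earlier section and the client issuance steps) as one added shell example; it is not part of the original post. It builds the CA under a caller-supplied directory instead of /etc/pki/CA, writes a minimal openssl.cnf carrying the [CA_default] keys listed above, and verifies the issued certificate against the CA; the section names policy_cn, req_dn and v3_ca, the 2048-bit key size and the CN values are constructed for the example.

```shell
# Added example: throw-away private CA laid out like the [CA_default] section above,
# then a client certificate issued from a CSR. Paths are under CA_DIR (constructed), not /etc/pki/CA.
set -e
# create_ca CA_DIR: directories, serial and index.txt, config, CA key (mode 600), self-signed cert
create_ca() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"   # database of issued certificates
    echo 01 > "$ca/serial"  # next serial number, 01 by default
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
certs         = \$dir/certs
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
crl           = \$dir/crl.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_cn
[ policy_cn ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName    = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
    # umask inside ( ) so only the CA key is created with mode 600
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca -days 365 \
        -key "$ca/private/cakey.pem" -subj "/CN=Example Private CA" -out "$ca/cacert.pem"
}
# issue_cert CA_DIR WORK_DIR CN: client key and CSR in WORK_DIR, signed by the CA, then verified
issue_cert() {
    ca=$1; work=$2; cn=$3
    openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null
    openssl req -new -config "$ca/openssl.cnf" -key "$work/httpd.key" -subj "/CN=$cn" -out "$work/httpd.csr"
    openssl ca -batch -notext -config "$ca/openssl.cnf" -days 365 -in "$work/httpd.csr" -out "$work/httpd.crt" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$work/httpd.crt"   # prints "httpd.crt: OK" on success
}
```

Run create_ca with a fresh directory, then issue_cert with that CA directory, a work directory and a CN; after issuance the CA's serial file reads 02 and index.txt holds one V (valid) entry for the new certificate.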
This article is from the "Linux Learning Path" blog; reprinting is not permitted.