Linux Learning path to create a private key CA and to use a CA to issue certificates to clients

Create a CA (Certificate authority)

There are 2 main storage formats for CAS: X509 and PKCS12

X509 is currently the most mainstream CA storage format, in the X509 format of the certificate, the content is mainly stored:

Certificate's public key and lifespan

The legal possession of the certificate

How the certificate is used

Information about the CA

Check code for CA signature

By default, the TCP/IP model and the OSI model do not implement data encryption, and to achieve data encryption requires the use of the TLS/SSL protocol, TLS and SSL are implemented on some Linux versions of the same mechanism, so here we introduce the SSL protocol

SSL (Secure Socket Layer) protocol is actually a library file, which contains a variety of encryption algorithms, so when the application layer of data to the transport layer, if you want to implement data encryption, it will call the SSL library file, so that the data encryption function.

SSL is also available in version, with Sslv1,sslv2,sslv3, now the mainstream is SSLv2 and SSLv3. SSLV1 now basically no one is used, because it encrypts the data is not * * * full.

Here is an example of HTTP, which describes how SSL works, the whole process is as follows:

650) this.width=650; "title=" Ssl.png "alt=" wkiol1pvz8udsc6raahgzcg1uv0854.jpg "src=" http://s3.51cto.com/wyfs02/M02 /46/39/wkiol1pvz8udsc6raahgzcg1uv0854.jpg "/>

Since SSL is a protocol that you want to implement, I can use the OpenSSL command, OpenSSL is an open source implementation of SSL, and OpenSSL consists of 2 library files:

Libcrpto: This is a generic cryptographic library file that contains various cryptographic algorithms. Our data is through the algorithms in this

Data encryption is implemented.

Libssl: This library file is the implementation of TLS/SSL, which is session-based, identity authentication, data confidentiality, and session integrity

The TLS/SSL Library

So OpenSSL is a very powerful command.

The following describes the use of OpenSSL and how to create a CA using OpenSSL.

OpenSSL is a multipurpose command-line tool that contains various cryptographic algorithms and can also create a private key CA, although a common private key CA can only be used within a company.

OpenSSL: can display standard commands for OpenSSL and various encryption protocols

OpenSSL speed [cryptographic algorithm]: Test OpenSSL for various cryptographic algorithms

OpenSSL rand-base64 numbits: A random password used to generate a specified number of digits

OpenSSL passwd-1 {passwd}: Password encryption for a user's account

OpenSSL dgst-sha1 FILENAME: Generate a checksum for a file

SHA1 FILENAME: You can also generate a check code for a file

OpenSSL version: View the currently used OpenSSL release number

OpenSSL can also encrypt a file

OpenSSL enc-des3-salt-a-e-in inputfile-o outputfile

-E: Indicates encryption

-D: Means decryption

-in: Files to encrypt

-out: Encrypted File

Create a private key CA using OpenSSL

There are 2 steps to creating a private CA:

1. Generate a pair of keys

To create a private key:

(umask 077;openssl Genrsa-out/path/to/cakey.pem numbits)

using (), the command will execute in the child shell and exit the child shell after execution, because the key file needs to be

This will create a private key file with the permissions specified as 600;

-out Cakey.pem is the file of the private key. The file here is to be the same as the private key file in/etc/pki/tls/openssl.cnf

Numbits is the length of the key.

Extract the public key from the private key (the public key is extracted from the private key)

OpenSSL genrsa-in/path/to/cakey.pem-pubout

The public key is used to generate the certificate, and the private key is to encrypt the data

2. Generate self-visa book

OpenSSL Req-new-x509-key/path/to/keyfile.pem-out/path/to/certifcate.crt-day 365

Use the OpenSSL x509-text-in/path/to/certifcate.crt to view the contents of this certificate

With these two steps, you can manually create a CA. However, the CA that is created will not be able to issue certificates, and the corresponding files are required to issue certificates to customers, which we can create manually based on the configuration file/etc/pki/tls/openssl.conf of the private ca.

The configuration file for the private CA,/etc/pki/tls/openssl.conf, contains:

Here's what we need to introduce

[Ca_default]

Dir =/etc/pki/ca #定义默认CA目录

certs = $dir/certs #客户端证书路径

Crl_dir = $dir/crl #证书吊销列表的路径

Database = $dir/index.txt #保存已发出去的证书 due to retrieval

New_certs_dir = $dir/newcerts # Save the certificate you just generated

Certificate = $dir/CACERT.PEM # CA Own certificate

Serial = serial number of the $dir/serial # certificate, starting from 01 by default

Crlnumber = $dir/crlnumber #证书吊销列表的工作号

CRL = $dir/crl.pem # file for certificate revocation List

#证书吊销列表保存着曾经发出的证书, but not expired, but not used for some reason (security mechanism)

Private_key = $dir/private/cakey.pem # private key file

So we need to create the private key file in the/etc/pki/ca/directory, the CA certificate, cert, CRL, Newcerts directory, create serial and Index.txt files

Issuing certificates to clients

First, the client to generate a certificate for a program or service, it is best to create a certificate in the corresponding program directory, such as HTTP, for example, create the following file in the/etc/httpd/ssl directory:

1. You need to create a private key locally on the client

OpenSSL genrsa-out keyfile 10244

2. Generate the issuing certificate request file and pass it to the CA

OpenSSL Req-new-key keyfile-out keyfile.csr (request file suffix must be. CSR)

3. CA Sign Request File

OpenSSL ca-in keyfile.csr-out certificate.crt-days 365 ( valid for 3,365 days )

4, after signing the completion of the production of a certificate, and the certificate passed to the client.

The/etc/pki/ca/index.txt and/etc/pki/ca/serial files change at the same time.

Note: Because the entire process is done on the same computer, the client-generated certificate request does not need to be passed to the CA, and the CA-signed certificate is not passed to the client. Because the CA and the client use the same host.

Summary: The whole process of creating a certificate

1. Create a private key CA

Create a pair of keys

Generate self-signed certificates

2, the client needs:

Create a pair of keys

Generate issued certificate request (request file suffix. CSR)

Send request to CA

3. The CA signs the request, generates a certificate, and passes it to the client

This article from the "Linux Learning Path" blog, declined reprint!