My latest original-ubuntu installation OpenSSL

Source: Internet
Author: User

I. A brief introduction to OpenSSL

OpenSSL is a robust Secure Sockets Layer cryptographic library. It implements the main cryptographic algorithms, common key and certificate management functions, and the SSL protocols, and it ships a rich set of command-line applications for testing and other purposes.

SSL is an abbreviation of Secure Sockets Layer, a protocol that provides confidential transmission over the Internet. SSL protects communication between client and server applications from being eavesdropped on by attackers; it always authenticates the server and optionally authenticates the client. The SSL protocol must run on top of a reliable transport-layer protocol (TCP).


II. Install the required packages

sudo apt-get install apache2       ## install Apache
sudo apt-get install openssl       ## install openssl
sudo apt-get install libssl-dev    ## install the openssl development library
sudo apt-get install bless         ## the bless hex editor is used for editing and must be installed in advance



III. A brief explanation of openssl.cnf


vi /usr/lib/ssl/openssl.cnf

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)        ## country name, 2-letter code
countryName_default             = CN                                  ## China is CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)  ## state or province name
stateOrProvinceName_default     = beijing

localityName                    = Locality Name (eg, city)            ## local city name
localityName_default            = beijing
0.organizationName              = Organization Name (eg, company)     ## organization (company) name
0.organizationName_default      = beijing www company

organizationalUnitName          = Organizational Unit Name (eg, section)   ## organizational unit (department) name
organizationalUnitName_default  = www

commonName                      = Common Name (e.g. server FQDN or YOUR name)   ## server domain name
commonName_default              = www.baidu.com                       ## default value; the line above is the prompt text
commonName_max                  = 64

emailAddress                    = Email Address                       ## email address
emailAddress_default            = [email protected]
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
#challengePassword              = A challenge password                ## change the password
challengePassword               =
challengePassword_min           = 4
challengePassword_max           = 20



IV. Become a digital certificate authority (CA) and generate the CA's own certificate

① Copy (or link) the openssl.cnf configuration file into the current directory and create the subfolders the configuration file expects


sudo ln /usr/lib/ssl/openssl.cnf .
mkdir demoCA
cd demoCA
mkdir certs crl newcerts
touch index.txt serial   ## index.txt stays empty;
                         ## serial must be given content: a number written as a string (for example 1111)

Once these are set up, you are ready to create and issue certificates.


② Generate a self-signed certificate for our own CA. This means the institution is trusted on its own authority, and its certificate serves as the root certificate.

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf



Note: be sure to remember the passphrase you entered. The command produces two files: ca.key, which holds the CA's private key, and ca.crt, which holds the public-key certificate.


V. Generate certificates for customers

Now that we are a root CA, we can sign digital certificates for customers; in this example the customer is www.baidu.com.


① Generate a public/private key pair

$ openssl genrsa -des3 -out server.key 1024


Note: a passphrase is required to protect the key, and the key is saved in the file server.key.


② Generate a certificate signing request. Once the company has a key file, it should generate a certificate signing request (CSR). The CSR is sent to the CA, and the CA generates a certificate for the request (usually after confirming that the identity information in the CSR matches).

$ openssl req -new -key server.key -out server.csr -config openssl.cnf


Note: remember the values you enter.


③ Generate the certificate. A CSR needs a CA's signature to become a certificate (in the real world, CSR files are usually sent to a trusted CA for signing). Using the CA's key, we generate the certificate with our own CA:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf


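The CA setup of section IV and the three signing steps of section V, as an added example that is not part of the original post: the same commands run non-interactively in a scratch directory, ending with the check the post leaves out, namely whether server.crt actually chains to ca.crt. The passphrases, subject names and minimal config are constructed here; 2048-bit keys are used instead of the post's 1024-bit (1024-bit RSA is no longer considered adequate), and the passphrases are passed with -passout/-passin only to avoid prompts, which is not something to do with real secrets.

```shell
# Added example (not from the original post). Constructed values: the
# passphrases, the subject names and the 2048-bit key size.
set -eu
# Minimal openssl.cnf: only what 'openssl req' and 'openssl ca' need, using
# the same demoCA layout the post creates by hand in section IV.
write_min_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Build the CA and one server certificate inside directory $1. The body runs
# in a subshell so the cd does not leak; the return status is that of
# 'openssl verify', so a broken chain makes the function fail.
build_demo_pki() (
    cd "$1" && write_min_config openssl.cnf
    mkdir -p demoCA/certs demoCA/crl demoCA/newcerts
    : > demoCA/index.txt      # must exist and be empty
    echo 01 > demoCA/serial   # must hold a (hex) number
    # IV ②: encrypted CA key plus self-signed root certificate
    openssl req -new -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt \
        -passout pass:ca-secret -subj '/C=CN/O=Demo/CN=Demo Root CA' \
        -days 365 -config openssl.cnf
    # V ① and ②: server key and certificate signing request
    openssl genrsa -des3 -passout pass:srv-secret -out server.key 2048
    openssl req -new -key server.key -passin pass:srv-secret -out server.csr \
        -subj '/C=CN/O=Demo/CN=www.example.test' -config openssl.cnf
    # V ③: sign the CSR with our own CA; -batch answers the y/n prompts
    openssl ca -batch -in server.csr -out server.crt -cert ca.crt \
        -keyfile ca.key -passin pass:ca-secret -config openssl.cnf
    openssl verify -CAfile ca.crt server.crt   # the chain check
)
build_demo_pki "$(mktemp -d)"
```

The policy section keeps only the commonName from the CSR, so the issued certificate's subject is just the CN; add `optional` entries for the other fields if they should be carried over.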

VI. Using the PKI on the web site

① Map the domain name to the local machine in /etc/hosts

sudo vi /etc/hosts
127.0.0.1    www.baidu.com



② Start a simple web server that uses the certificate generated above

$ cp server.key server.pem
$ cat server.crt >> server.pem              ## merge the key and the certificate into one file
$ openssl s_server -cert server.pem -www    ## start the server with server.pem



③ By default, the server listens on port 4433. Enter https://www.baidu.com:4433 in the browser.


Note: the browser reports this connection as untrusted because our CA is self-signed; this would not happen if the certificate had been issued by a CA the browser already trusts, such as VeriSign.


Here you can configure Firefox to accept our self-signed CA (other browsers are similar), as follows:

Menu ---> Preferences ---> Advanced ---> Certificates ---> View Certificates (Certificate Manager) ---> Import ---> go to the directory where you configured OpenSSL and select ca.crt ---> Open (Downloading Certificate) ---> tick "Trust this CA to identify websites" ---> OK, then refresh the site

