I. A brief introduction to OpenSSL
OpenSSL is a robust Secure Sockets Layer cryptographic library. It includes the main cryptographic algorithms, commonly used key and certificate encapsulation and management functions, and the SSL protocols, and it ships with a rich set of applications for testing and other purposes.
SSL is an abbreviation of Secure Sockets Layer, a protocol that provides confidential transmission over the Internet. SSL keeps communication between client/server applications from being eavesdropped on by attackers; it always authenticates the server and optionally authenticates the client. The SSL protocol must run on top of a reliable transport-layer protocol (TCP).
II. Install the required packages
```shell
$ sudo apt-get install apache2      ## install Apache
$ sudo apt-get install openssl      ## install OpenSSL
$ sudo apt-get install libssl-dev   ## install the OpenSSL development library
$ sudo apt-get install bless        ## the bless hex editor is used as the editor and must be installed beforehand
```
III. A brief explanation of openssl.cnf
```shell
$ vi /usr/lib/ssl/openssl.cnf
```
The relevant part of the file (the `[ req_distinguished_name ]` and `[ req_attributes ]` sections) looks like this; the `_default` entries are the values offered when `openssl req` prompts:
```
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)           ## country name, 2-letter code
countryName_default             = CN                                     ## China is CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)     ## state or province name
stateOrProvinceName_default     = beijing

localityName                    = Locality Name (eg, city)               ## local city name
localityName_default            = beijing

0.organizationName              = Organization Name (eg, company)        ## organization (company) name
0.organizationName_default      = beijing www company

organizationalUnitName          = Organizational Unit Name (eg, section) ## organizational unit (department) name
organizationalUnitName_default  = www

commonName                      = Common Name (e.g. server FQDN or YOUR name) ## server domain name
commonName_default              = www.baidu.com
commonName_max                  = 64

emailAddress                    = Email Address                          ## email address
emailAddress_default            = [email protected]
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
#challengePassword              = A challenge password                   ## challenge password
challengePassword               =
challengePassword_min           = 4
challengePassword_max           = 20
```
IV. Become a digital certificate authority (CA) and generate a certificate for the CA
① Copy the openssl.cnf configuration file to the current directory and create the subdirectories the configuration file expects
```shell
$ sudo ln /usr/lib/ssl/openssl.cnf .   ## hard link; `cp` instead gives an independent copy that can be edited without touching the system file
$ mkdir demoCA
$ cd demoCA
$ mkdir certs crl newcerts
$ touch index.txt serial
## index.txt stays empty;
## serial must have content written to it, a number in string form (for example 1111)
$ echo 1111 > serial
```
Once these are set up, you are ready to create and issue certificates.
② Generate a self-signed certificate for our own CA. This means the authority is trusted and its certificate serves as the root certificate.
```shell
$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
```
Note: Be sure to remember the password you entered. The command produces two files, ca.key and ca.crt: ca.key holds the CA's private key, and ca.crt holds its public-key certificate.
V. Generate certificates for customers
Now that we are the root CA, we can sign a digital certificate for a customer; the customer here is www.baidu.com.
① Generate a public/private key pair
```shell
$ openssl genrsa -des3 -out server.key 1024
```
Note: A password is required to protect the key, which is saved in the file server.key.
② Generate a certificate signing request. Once the company has a key file, it should generate a certificate signing request (CSR). The CSR is sent to the CA, and the CA generates a certificate for the request (usually after confirming that the identity information in the CSR matches).
```shell
$ openssl req -new -key server.key -out server.csr -config openssl.cnf
```
Note: Remember what you entered.
③ Generate the certificate. A CSR file needs a CA's signature to become a certificate (in the real world, CSR files are usually sent to a trusted CA for signing). Enter the CA's key passphrase and use our own CA to generate the certificate:
```shell
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
```
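The following is an added example, not code from the original post: the workflow of sections IV and V run end to end with no interactive prompts, so it can serve as a regression check for the procedure. It writes its own minimal openssl.cnf (the sections it defines are the only ones it relies on), keeps the keys passphrase-protected as on the page but supplies the passphrase with -passin/-passout, and finishes with the check the page does not show: `openssl verify` of server.crt against ca.crt. The passphrase "demo-pass", the CA name "Demo Root CA", the scratch directory and the `build_demo_pki`/`verify_server_cert` helper names are assumptions made for this example; www.baidu.com is the page's own example host.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumed values: passphrase
# "demo-pass", CA name "Demo Root CA", a mktemp scratch directory.
set -eu

# Minimal configuration with everything `req` and `ca` need (cf. section III).
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_server
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_distinguished_name
default_md         = sha256
prompt             = no
[ req_distinguished_name ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.baidu.com
EOF
}

# Section IV.1: the demoCA layout `openssl ca` expects. Prints the scratch dir.
make_demo_ca_dir() {
    work="$(mktemp -d)"
    mkdir -p "$work/demoCA/certs" "$work/demoCA/crl" "$work/demoCA/newcerts"
    : > "$work/demoCA/index.txt"       # the database starts out empty
    echo 1111 > "$work/demoCA/serial"  # next serial number, as hex digits (page uses 1111)
    write_config "$work"
    printf '%s' "$work"
}

# Sections IV.2 and V: root CA, server key pair, CSR, and the CA-signed certificate.
# -batch makes `openssl ca` skip its two confirmation questions.
build_demo_pki() {
    work="$(make_demo_ca_dir)"
    pass="pass:demo-pass"
    (
        cd "$work"
        openssl genrsa -aes256 -passout "$pass" -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -key ca.key -passin "$pass" -config openssl.cnf \
            -extensions v3_ca -subj "/C=CN/O=Demo/CN=Demo Root CA" -days 3650 -out ca.crt
        openssl genrsa -aes256 -passout "$pass" -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -passin "$pass" -config openssl.cnf \
            -subj "/C=CN/ST=beijing/O=beijing www company/CN=www.baidu.com" -out server.csr
        openssl ca -batch -config openssl.cnf -in server.csr -out server.crt \
            -cert ca.crt -keyfile ca.key -passin "$pass" >/dev/null 2>&1
    ) || return 1
    printf '%s' "$work"
}

# The check the page leaves out: does server.crt chain to ca.crt? Returns 0 if so.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Returns 0 if the certificate's issuer DN contains NAME (second argument).
issued_by() {
    openssl x509 -in "$1" -noout -issuer | grep -q -- "$2"
}

# Returns 0 if the certificate carries a DNS subjectAltName for HOST (second argument).
has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q -- "DNS:$2"
}

# Stand-alone use: `sh demo_pki.sh run` builds everything and prints the directory.
if [ "${1:-}" = run ]; then
    dir="$(build_demo_pki)"
    verify_server_cert "$dir" && echo "server.crt verifies against ca.crt in $dir"
fi
```

The files it leaves behind (ca.crt, server.key, server.crt) are exactly what section VI feeds to `openssl s_server`; once that server is running, `openssl s_client -connect www.baidu.com:4433 -CAfile ca.crt` performs the same trust check from the command line that the browser performs after importing ca.crt. The v3_server section also puts the host name into a subjectAltName, which current browsers require in addition to the commonName the page's configuration sets.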
VI. Using the PKI in a web site
① Map www.baidu.com to the local machine in /etc/hosts
```shell
$ sudo vi /etc/hosts
127.0.0.1 www.baidu.com
```
② Start a simple web server that uses the certificate generated above
```shell
$ cp server.key server.pem
$ cat server.crt >> server.pem            ## merge the key and certificate into one file
$ openssl s_server -cert server.pem -www  ## start the server with server.pem
```
③ By default, the server listens on port 4433. Enter https://www.baidu.com:4433 in the browser.
Note: The browser reports this connection as untrusted because our CA is self-signed; this would not happen if the certificate had been issued by an authorized CA such as VeriSign.
Here you can configure Firefox to accept our self-signed CA (other browsers are similar), as follows:
Menu ---> Preferences ---> Advanced ---> Certificates ---> View Certificates (Certificate Manager) ---> Import ---> go to the directory where you configured OpenSSL and select ca.crt ---> Open (Downloading Certificate) ---> tick "Trust this CA to identify websites" ---> OK, then refresh the site