Anyone can generate a public/private key pair, and a bare public key does not tell you whom it belongs to. If you could determine whom a public key belongs to, this problem would not exist: for example, if you received a public key sent by a hacker impersonating a server, you could see that the key is not the server's.
To solve this problem, the digital certificate emerged. Let's take a look at what a digital certificate is. A certificate contains the following details:
- Certificate publishing authority
- Certificate validity period
- Public Key
- Certificate owner (subject)
- Algorithm used for signature
- Fingerprint and fingerprint Algorithm
The certificate contents will be explained in detail later. For now, the key point is this: a digital certificate guarantees that the public key in the certificate really belongs to the certificate owner (subject); in other words, the certificate can be used to confirm the identity of the other party. That is to say, when we receive a digital certificate, we can determine whose it is.
1. After OpenSSL is installed, find openssl.cnf in the /usr/lib/ssl directory (on Ubuntu, use whereis ssl to locate the ssl directory) and copy it to the working directory.
2. Create a democa folder under the working directory, create the files index.txt and serial inside it, and then create a newcerts folder. Write the characters 01 into serial.
mkdir democa
cd democa
touch ./{serial,index.txt}
mkdir newcerts
vi serial (enter 01, then :wq to save and quit)
Certificate generation process (note: all of the following steps are performed in the working directory, here /home/Qing/CA; the author hit an error when testing outside it, so move the generated files into the working directory at the end):
1. Generate the server-side private key (key file)
openssl genrsa -des3 -out server.key 1024
The passphrase entered here is required every time the private key file is read. It can be removed, though this is not recommended (openssl rsa -in server.key -out server.key).
2. Generate the CSR file (Certificate Signing Request). The certificate can only be produced after the CSR has been signed by the CA.
openssl req -new -key server.key -out server.csr -config openssl.cnf
3. Perform the same operation on the client to generate its key and CSR file
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4. Make your own CA
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5. Use the self-generated CA certificate to sign server.csr and client.csr.
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
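The whole procedure above run end to end, as an added example that is not from the post: it builds the CA with the same democa/index.txt/serial/newcerts layout and a minimal openssl.cnf (only the sections that openssl req and openssl ca need), signs a server CSR, and then does what a relying party would do with the result, verifying the chain and reading the subject bound to the key. File names, the CN values and the 2048-bit key size are my choices, and the keys are left unencrypted so the script runs without passphrase prompts.

```shell
# Added example (not from the post): a throwaway CA using the same
# democa/index.txt/serial/newcerts layout, signing a server CSR with
# `openssl ca`, then verifying the chain. All names and CNs are constructed.
set -e

# Minimal openssl.cnf with only the sections `openssl req` and `openssl ca` need.
write_cnf() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = ./democa
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
default_md         = sha256
default_days       = 365
policy             = policy_any
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Runs the whole flow in a scratch directory and prints OK if the chain verifies.
demo_ca() {
    work=$(mktemp -d) && cd "$work"
    write_cnf
    mkdir -p democa/newcerts && touch democa/index.txt
    echo 01 > democa/serial                  # first serial number, as in the post
    # Keys are unencrypted so this runs non-interactively (the post uses -des3).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl genrsa -out server.key 2048 2>/dev/null
    # Self-signed CA; CA:TRUE is needed or `openssl verify` rejects it as an issuer.
    openssl req -new -x509 -key ca.key -out ca.crt -days 365 -config openssl.cnf \
        -subj "/CN=Demo Root CA" -addext "basicConstraints=critical,CA:TRUE"
    # Server CSR, then the CA signs it: index.txt and serial are updated.
    openssl req -new -key server.key -out server.csr -config openssl.cnf \
        -subj "/CN=server.example.test"
    openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
        -config openssl.cnf >/dev/null 2>&1
    # The checks a relying party makes: chain validity and the subject bound to the key.
    openssl verify -CAfile ca.crt server.crt >/dev/null
    openssl x509 -in server.crt -noout -subject | grep -q "server.example.test"
    grep -q "^V" democa/index.txt            # one valid (V) entry recorded by the CA
    cd / && rm -rf "$work"
    echo OK
}
```

Call demo_ca to run it; a failure at any step (a CSR the policy rejects, a CA certificate that is not marked CA:TRUE) aborts before OK is printed.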
OpenSSL certificate generation - CSDN blog