OpenSSL creating a private CA

1.A and B transfer data via SSL approximate process

Private key encrypted data can only be decrypted by its own corresponding public key.
The CA Visa authority first sends itself a certificate, a publicly recognized institution,

The communication data between a B is encrypted by the private key generated by itself.

First, a the public key of their name and address is sent to the CA, the data is called AA,

The CA itself generates a pair of public and private keys. The CA extracts the signature of the AA data first, then encrypts it with its own private key, generates a piece of data, and the encrypted result is appended to the AA data, which is the signature, called AAA.

B get the certificate of the issuing agency, which contains the public key of the issuing agency, which can decrypt the data proof Certificate of the AAA is issued by the issuing agency. Get AA and then get the public key of a to verify the integrity of the data. The data of a is then decrypted with the public key of a.

2.ssl Approximate content

PKI Public key Infrastructure infrastructure infrastructure
Core is CA Certificate Authority Certificate Authority
CRL certificate Revocation List Certificate Revocation list, the certificate validity needs to be detected before using the certificate.

Common X509 format for certificate store formats
Include content
Public key validity period
Legal owner of the certificate
How the certificate is used
Information about the CA
CA-Signed check code (signature)

X509 format used by Pki:tls/ssl
Pki:opengpg
Five layer protocol: Physical Layer Data Link Layer Network layer Transport Layer Application layer
SSL Secure Socket Layer Netscape Company
is a library in the transport and application tiers that is encrypted by calling SSL
V1 V2 V3 Version
TLS Transport Layer Security Internationalization Standards Organization
V1 equivalent to SslV3
HTTPS 443 port

Client and server-side communication
Client Request Service Side
Client and server negotiation using cryptographic protocols, cryptographic algorithms SSLv1 SSLv2 TLSV1
The server sends the certificate to the client
The client generates a random number and transmits the data (symmetric password) to the server by encrypting the server's public key.
Service end symmetric password encrypt data to client

3. Common cryptographic Algorithms

Symmetric encryption
Des
3DES
Aes
AES192 AES AES512
One-way encryption
Md4
Md5
SHA1
SHA192 SHA256 SHA384
CRC-32

Public Key Cryptography
Identity verification
Data encryption
Key exchange
RSA algorithms can be used to encrypt or to sign
The DSA algorithm can only be used to sign

The implementation of Openssl SSL, a cryptographic tool
Component
Various encryption algorithms of LIBCRYPTO Universal Encryption Library
Libssl TLS/SSL Realization of data confidentiality, session integrity of the TSL/SSL library
The OpenSSL Multipurpose command-line tool enables private certification authorities


4.OPENSSL Command
Speed test native to various encryption algorithms
OpenSSL speed RSA can be connected to an algorithm that represents the rate at which a single algorithm is tested
Enc-des specified encryption algorithm, symmetric encryption algorithm
-A base64 processing of file contents
-E Encryption default options
-D Decryption
-salt Plus Salt encryption
-in specifying the files to encrypt
-out output file after encryption
DGST-MD5 Calculating file signatures
Genrsa Generating RSA keys
GENDSA Generating a DSA key

Encrypt OpenSSL enc-des3-salt-a-in/etc/fstab-out fstab.des3
Decrypt OpenSSL enc-des3-d-salt-a in Fstab.des3-out fstab

md5sum sha1sum Calculating the MD5,SHA1 signature of a file
OpenSSL passwd-1-salt Ffgs
-1 Specify MD5 encryption
OpenSSL rand-base64 100 generates 100-bit base64 encrypted random number

Whatis passwd Get Help



5.openssl making a private CA
Generate a pair of keys
Generate self-signed certificates

The commands in (Umask 077; OpenSSL genrsa-out test.key 1024) () Only take effect in the child shell, generating

Private key with a permission of 600 and a length of 1024 bits
OpenSSL rsa-in test.key-pubout means extracting the public key from the private key

OpenSSL req-new-x509-key test.key-out server.crt-days 365//Generate private Certificate
Req generate a certificate, and the command to request a certificate
-new representative generates a new application
-x509 generating self-signed certificates
-key Specifying a key file
-out specifying the output certificate file
-days Specifying an expiration time
Opsenssl x509-text-in SERVER.CRT//view private certificate Content Text format


/ETC/PKI/TLS/OPENSSL.CNF OpenSSL configuration file
Dir indicates the CA working directory/etc/pki/ca
Certs Client Certificate Save directory
CRL Certificate Revocation List Directory
Database certificate to save databases
New_certs_dir the newly generated certificate save path
Certificate's own certificate file
Serial Certificate serial Number file
Crlnumber the number of the certificate revocation list
CRL Revocation certificate File
Private_key CA's private key file

Create Certs, NEWCERTS,CRL directories, and index,serial files under the/etc/pki/ca directory,
/ECT/PKI/CA/PRIVATE/CAKEY.PEM store self-signed private certificate, must be named Cakey.pem
Give the serial file an initial value of 01 (custom), from the visa book Cacrt.pem

6. Website Request CA Sign Request
OpenSSL req-new-key request.key-out REQUEST.CSR//Request CA Sign Certificate

Send certificate to CA


Opensssl ca-in request.csr-out request.crt-days 3655//ca signing Request certificate

The CA sends the certificate to the requesting host

OpenSSL creating a private CA