OpenSSL encryption, decryption, and self-built CAs

Source: Internet
Author: User
Tags: install, openssl

SSL stands for Secure Sockets Layer. OpenSSL is a powerful and comprehensive implementation of it: it covers the main cryptographic algorithms, the common key and certificate encapsulation and management functions, and the SSL/TLS protocols, and it ships with a rich set of command-line tools for testing and other purposes.

Check whether the OpenSSL package is installed; if it is not, install it first. Here it is installed with yum:

[root@<host> ~]# rpm -q openssl

openssl-1.0.1e-30.el6.x86_64

[root@<host> ~]# yum -y install openssl

I. Using OpenSSL for symmetric encryption and decryption of files

Using the enc tool as an example, encrypt the file /tmp/test.txt to produce test.aes


Decrypt the test.aes file

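An added example (my own shell, not the post's screenshots) of the enc round trip described in this section, using a constructed test.txt in a temporary directory. It assumes OpenSSL 1.1.1 or later for -pbkdf2; the post's 1.0.1e only has the weak legacy key derivation.

```shell
# Added example, not from the original post: "openssl enc" round trip.
set -eu
enc_roundtrip() (                       # subshell body: cd and exit stay local
  work=$(mktemp -d); cd "$work"
  printf 'secret payload\n' > test.txt  # constructed sample plaintext
  # The passphrase is read from a 0600 file rather than -pass pass:...,
  # which would expose it in the process list and the shell history.
  (umask 077; printf 'correct horse battery' > pw.txt)
  # -salt: identical plaintexts encrypt differently; -pbkdf2 -iter: slow,
  # salted key derivation instead of the legacy one-round MD5 (OpenSSL 1.1.1+).
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
      -in test.txt -out test.aes -pass file:pw.txt
  # Decryption must repeat the same cipher and KDF options.
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
      -in test.aes -out test.dec -pass file:pw.txt
  cmp -s test.txt test.dec || { echo "roundtrip mismatch"; exit 1; }
  # CBC has no integrity check: a wrong passphrase is usually caught only by
  # the padding check ("bad decrypt"), which a 1-in-256 chance can pass, so
  # never treat a clean exit as proof of the right key or an untampered file.
  printf 'wrong' > pw2.txt
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
      -in test.aes -out test.bad -pass file:pw2.txt 2>/dev/null || true
  if cmp -s test.txt test.bad; then echo "wrong passphrase decrypted"; exit 1; fi
  echo "roundtrip ok, wrong passphrase rejected"
)
```

For data that must also be tamper-proof, prefer an authenticated construction (an AEAD mode, or a MAC over the ciphertext) rather than relying on the padding error shown here.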


II. Using OpenSSL to generate a key pair

1. Generate the private key first


2. Extract the public key from the private key


III. Using OpenSSL one-way encryption (hashing) to extract a file fingerprint

Take the dgst tool with the MD5 algorithm as an example

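An added example (my own shell, not the post's) covering sections II and III together: generate the key pair, extract the public key, fingerprint a constructed file with dgst, and go one step beyond the post by signing the digest and verifying it with the extracted public key, which also proves the two keys belong together. File names and the 2048-bit key size are my assumptions.

```shell
# Added example, not from the original post: key pair + dgst fingerprint.
set -eu
keypair_and_digest() (                  # subshell body: cd and exit stay local
  work=$(mktemp -d); cd "$work"
  printf 'release-1.0.tar.gz contents\n' > file.bin   # constructed sample input
  # 1. Private key. The umask makes it 0600 from the moment it is written,
  #    so there is no window where other local users can read it.
  (umask 077; openssl genrsa -out private.pem 2048 2>/dev/null)
  # 2. Public key extracted from the private key.
  openssl rsa -in private.pem -pubout -out public.pem 2>/dev/null
  # III. One-way fingerprints. MD5 (the post's choice) still identifies a file
  #    you already trust, but collisions are practical, so use SHA-256 wherever
  #    an attacker could choose the input (downloads, evidence, signatures).
  md5=$(openssl dgst -md5 file.bin | awk '{print $NF}')
  sha256=$(openssl dgst -sha256 file.bin | awk '{print $NF}')
  # A bare fingerprint proves nothing to a recipient who got it over the same
  # channel as the file; signing it with the private key makes it verifiable.
  openssl dgst -sha256 -sign private.pem -out file.sig file.bin
  openssl dgst -sha256 -verify public.pem -signature file.sig file.bin >/dev/null
  # Any change to the file must break the signature.
  printf 'tampered\n' >> file.bin
  if openssl dgst -sha256 -verify public.pem -signature file.sig file.bin \
      >/dev/null 2>&1; then echo "tampered file verified"; exit 1; fi
  echo "md5=$md5 sha256=$sha256 verify=ok tamper=rejected"
)
```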

IV. Using OpenSSL to build a private CA

OpenSSL main configuration file: /etc/pki/tls/openssl.cnf

[ CA_default ]

dir: the CA's home directory

certs: where issued certificates are stored

crl_dir: where the revocation lists (CRLs) are stored

database: the certificate index (database) file

new_certs_dir: where newly issued certificates are stored

certificate: the CA certificate file

serial: the current serial number, used for the next certificate issued

crlnumber: the current CRL number, used for the next CRL generated

crl: the CRL currently in use

private_key: the CA private key

RANDFILE: private random number seed file

(1) Generate the CA private key


(2) Generate the self-signed CA certificate


(3) Follow-up work


V. Issuing certificates to nodes

(1) The node requests a certificate

1. Generate a private key


2. Generate a certificate signing request (CSR)


3. Send the request to the CA


(2) The CA signs the certificate

1. Verify the requester's information and sign the certificate


2. Send the signed certificate back to the requester

(3) View the certificate information


VI. Revoking certificates (nodes)

(1) Obtain the certificate's serial number (done by the certificate holder)


(2) The CA decides whether to revoke the certificate by checking that the serial number and subject information submitted by the certificate holder match the entry in the index.txt database file


(3) Follow-up work for the first revocation

1. Generate the revocation list number (crlnumber) file


2. Update the certificate revocation list and view the CRL file

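An added end-to-end example (my own shell, not the post's screenshots) of sections IV to VI in a throwaway directory: it writes a minimal configuration with the [ CA_default ] keys listed above, builds the CA, issues a certificate to a node, revokes it and regenerates the CRL, then checks that a CRL-aware verifier rejects it. The paths, the CA and node names and the 2048-bit key size are my assumptions, not values from the post.

```shell
# Added example, not from the original post: private CA lifecycle (IV-VI) in
# a throwaway directory, using the [ CA_default ] keys the post lists.
set -eu
private_ca_demo() (                     # subshell body: cd and exit stay local
  CA=$(mktemp -d); cd "$CA"
  mkdir -p certs crl newcerts private; touch index.txt
  echo 01 > serial; echo 01 > crlnumber   # next certificate and CRL numbers
  cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
crl = \$dir/crl.pem
private_key = \$dir/private/cakey.pem
RANDFILE = \$dir/private/.rand
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # IV (1)-(2): CA private key (0600 via umask) and self-signed CA certificate
  (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
  openssl req -new -x509 -config ca.cnf -key private/cakey.pem -days 365 \
      -subj "/CN=Example Private CA" -out cacert.pem
  # V: node key and CSR; the CA signs it (-batch skips the prompt where the
  # requester's identity would normally be confirmed before signing)
  openssl genrsa -out node.key 2048 2>/dev/null
  openssl req -new -config ca.cnf -key node.key -subj "/CN=node1.example.test" -out node.csr
  openssl ca -config ca.cnf -batch -days 365 -in node.csr -out node.crt >/dev/null 2>&1
  openssl verify -CAfile cacert.pem node.crt >/dev/null    # chains to the CA
  # VI: revoke (matched in index.txt by serial and subject), regenerate the CRL
  openssl ca -config ca.cnf -revoke node.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  if openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check node.crt \
      >/dev/null 2>&1; then echo "revoked cert still verifies"; exit 1; fi
  echo "revoked serial: $(grep '^R' index.txt | cut -f4)"
)
```

On the post's CentOS 6 host the same commands apply with -config /etc/pki/tls/openssl.cnf and the dir configured there; a CRL only protects clients that actually fetch and check it, so publish it where they can reach it.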


This article is from the "source clean is clear, the shape of the end of the shadow straight" blog; please be sure to keep this source: http://zhouxt.blog.51cto.com/8743763/1641579
