1. Fundamentals
I'm afraid the hardest part of the first contact with OpenSSL is understanding the concepts.
Public/private key/Signature/authentication signature/encryption/decryption/Asymmetric Encryption
Our general encryption is to encrypt a file with a password, and then decrypt it with the same password. It's good to understand that this is symmetric encryption. While some encryption, encryption with a password, and decryption with another set of passwords, this is called Asymmetric encryption, It means that the encryption and decryption of the password is not the same. The first contact may not be understood in any way. In fact, this is a mathematical method of a prime number of factors in the application of the principle, if you must understand, Baidu has a lot of information can be seen, the result is to use one of this set of keys to encrypt data, Can be undone with another. Yes, both the public and private keys can be used to encrypt data, while the public key encrypts the data with the other, and then the private key decryption is known as encrypted decryption, private key encryption data, and public key decryption is generally referred to as signature and verification signature.
Because the public key encrypted data only its corresponding private key can be solved, so you can give the public key to people and people, let him encrypt the data he wants to send to you, this data only to have the private key you here, can be solved into useful data, others are to get, also read the content. Similarly, If you use your private key to sign the data, then this data only the matching public key can be solved, there is only you the private key, so if the pairing of the public key to solve the data, it means that the data you sent, on the contrary, it is not. This is called signature.
In practice, it is generally exchanged with the other side of the public key, and then you want to send the other's data, with his public key encryption, he gets after using his private key to decrypt, he will send you the data, with your public key encryption, you get after using your private key decryption, so that the maximum security.
Rsa/dsa/sha/md5
There are many asymmetric encryption algorithms, the more famous are RSA/DSA, the difference is that RSA can be used to/decryption, but also for signature verification, DSA can only be used for signing. As for Sha is a MD5 same algorithm, it is not used for encryption decryption or signature, It is called a digest algorithm. It is through an algorithm, according to the data content to generate a fixed-length summary, this string of summary values and the original data has a correspondence, that is, the original data will generate this digest, but this summary can not be restored to the original data, hmm .... Normally, this algorithm works If you change the original data a little bit, then the generated summary will be different, the transfer process to give you the original data to give you a summary, you will get the original data also do a digest algorithm, and to your summary compared to know whether the data in the transmission process has been modified.
The actual application process, because the need to encrypt the data can be very large, the encryption is time-consuming and laborious, so generally the original data is summarized first, and then the digest value is encrypted, the original data of the plaintext and encrypted digest values along with you. So you unlock the encrypted digest value, And the data you get to the summary value corresponding to know that the data has been modified, and, because the private key only you have, only you can decrypt the digest value, so others even the original data to make a modification, and then generate a false summary to you also can not, your side with the key also can not open.
Ca/pem/der/x509/pkcs
The general public key will not be transmitted to others in clear text, will normally generate a file, the file is a public key file, and then this file can be handed over to others for encryption, but in the course of transmission if someone malicious damage, the public key is replaced by his public key, and then get the public key of the party encrypted data, No, he can decrypt the data with his own key. To solve this problem, a notary party is needed to do this, and anyone can find it to confirm who sent the public key. This is CA,CA. The principle of confirming a public key is also simple, and it publishes its own public key to everyone, Then a person who wants to publish their public key can send their public key and some identity information to Ca,ca to encrypt it with their own key, which can also be called a signature. Then the file that contains your public key and your information can be called a certificate file. So that all the people who get some public key files, Decryption of the file through the CA's public key, if the normal decryption after the confidential information inside must be true, because the encrypted side can only be a CA, the other people do not have its key AH. This way you unlock the public key file and look at the information inside to see if this is the public key you need to encrypt.
In practice, the average person will not find a CA to sign, because that is to collect money, so you can do a self-signed certificate file, is to generate a pair of keys, and then use their own generated another pair of key to the key to sign, this only for the real need to sign the certificate of the people, ordinary encryption and decryption data, You can do it directly with the public key and the private key.
The format of the key file is generated by OpenSSL only Pem and der two format, PEM is the key with Base64 code to express, directly open you can see a string of English letters, der format is a binary key file, directly open, you can see ... You can't read anything! X509 is a generic certificate file format definition. A set of criteria for a PKCS is the specified file standard for storing keys, as long as you know that the PEM DER X509 PKCS formats can be converted to each other.
The legend is as follows:
2. Generate certificate One: Generate CA Certificate
Currently does not use a third-party authoritative CA to authenticate itself as a CA role.
Download a OpenSSL software online
1. Create the private key:
OpenSSL genrsa-out Ca/ca-key.pem 1024
2. Create a certificate request:
OpenSSL req-new-out Ca/ca-req.csr-key Ca/ca-key. PEM----- Country Name (2 letter code) [AUS]: CN(full name) [Some-state]: Zhejiang(eg, city) []: Hangzhou(eg, company) [Internet Widgits Pty Ltd.]: skyvision(eg, section) []: test< /c10>(eg, YOUR name) []: RootEmail Address []: Sky
3. Self-Signed certificate:
OpenSSL x509-req-in ca/ca-req.csr-out ca/ca-cert.pem-signkey ca/ca-key.pem-days 3650
4. Export the certificate to a browser-supported. P12 Format:
OpenSSL pkcs12-export-clcerts-in Ca/ca-cert.pem-inkey ca/ca-key.pem-out ca/ca.p12
Password: Changeit
Two. Generate the server certificate
1. Create the private key:
OpenSSL genrsa-out Server/server-key.pem 1024
2. Create a certificate request:
OpenSSL req-new-out Server/server-req.csr-key Server/server-key. PEM----- Country Name (2 letter code) [AUS]: CN(full name) [Some-state]: Zhejiang(eg, city) []: Hangzhou(eg, company) [Internet Widgits Pty Ltd.]: skyvision(eg, section) []: test< /c10>(eg, YOUR name) []:192.168.1.246 Note: Be sure to write the IP address where the server is located email []: Sky
3. Self-Signed certificate:
OpenSSL x509-req-in server/server-req.csr-out server/server-cert.pem-signkey server/server-key.pem-ca ca/ Ca-cert.pem-cakey Ca/ca-key.pem-cacreateserial-days 3650
4. Export the certificate to a browser-supported. P12 Format:
OpenSSL pkcs12-export-clcerts-in Server/server-cert.pem-inkey server/server-key.pem-out server/server.p12
Password: Changeit
Three. Generate a client certificate
1. Create the private key:
OpenSSL genrsa-out Client/client-key.pem 1024
2. Create a certificate request:
OpenSSL req-new-out Client/client-req.csr-key Client/client-key.PEM-----CountryName (2 letter code) [AU]: CNState or province Name(Full name) [Some-state]: ZhejiangLocality Name(eg, city) []: HangzhouOrganization Name(eg, company) [Internet widgits Pty LTD]: SkyVisionOrganizational Unit Name(eg, section) []: TestCommon Name(eg, YOUR name) []: SkyEmail Address []: SkyNote: Is logged in the center of the user (originally the user name should be common name, but Zhongshan police do not know why the use of the email Address, the other version is not tested) Please enter the following ' extra ' Attributesto is sent with your certificate Requesta challenge password []:123456An optional company name []: Tsing
3. Self-Signed certificate:
OpenSSL x509-req-in client/client-req.csr-out client/client-cert.pem-signkey client/client-key.pem-ca ca/ Ca-cert.pem-cakey Ca/ca-key.pem-cacreateserial-days 3650
4. Export the certificate to a browser-supported. P12 Format:
OpenSSL pkcs12-export-clcerts-in Client/client-cert.pem-inkey client/client-key.pem-out client/client.p12
Password: Changeit
Please strictly according to the steps inside, after the success of the experiment, modify the content you want to modify. I just did not install the fill at the beginning, the resulting certificate cannot be paired successfully.
Original: http://blog.csdn.net/oldmtn/article/details/52208747
OpenSSL uses 3 (rationale and Build process) (RPM)