Private CA Build under Linux

Digital certificates provide electronic authentication for the secure communication between the two parties. In the Internet, corporate intranet or extranet, the use of digital certificates for identification and electronic information encryption. The digital certificate contains the identification information of the owner of the key pair (public key and private key) to authenticate the identity of the certificate holder by verifying the authenticity of the identified information.

Certificate application and signing procedure;

1. Generate application request;

2, RA nuclear inspection;

3, CA sign;

4, obtain the certificate;

Create a private CA

1. Create the required files under/ETC/PKI/CA

[email protected] ca]# Touch index.txt

[Email protected] ca]# echo > serial

[[email protected] ca]# ls

Certs CRL Index.txt newcerts private serial

2, generate CA self-signed certificate;

[[Email protected] ca]# (umask 077; OpenSSL genrsa-out/etc/pki/ca/cakey.pem 4096)

Generating RSA private key, 4096 bit long modulus

..............................++

...............................................................................++

E is 65537 (0x10001)

[email protected] ca]# OpenSSL req-new-x509-key/etc/pki/ca/private/cakey.pem-days 365-out cacert.pe M

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [XX]:CN

State or province name (full name) []:beijing

Locality Name (eg, city) [Default city]:beijing

Organization Name (eg, company) [Default company LTD]:D K

Organizational Unit Name (eg, section) []:ops

Common name (eg, your name or your server ' s hostname) []:ca.xiong.cn

Email Address []:[email protected]

The effect of some options:

-new: Generate a new certificate signing request

-x509: Dedicated to CA generate self-signed certificate;

-key: The private key file used to generate the request;

-days N: Validity period of the certificate;

-out/path/to/someceftfile: The path to save the certificate;

View the newly generated CAKEY.PEM, Cacert.pem two files

[Email protected] ca]# ls-l

Total Dosage 28

-rw-r--r--1 root root 1399 June 19:51 Cacert.pem

-RW-------1 root root 3247 June 19:06 Cakey.pem

Drwxr-xr-x. 2 root root 4096 June 18:50 certs

Drwxr-xr-x. 2 root root 4096 February 23:49 CRL

-rw-r--r--1 root root 0 June 19:03 index.txt

Drwxr-xr-x. 2 root root 4096 June 18:48 newcerts

DRWX------. 2 root root 4096 June 18:17 private

-rw-r--r--1 root root 3 June 19:03 serial

The host generates a certificate request on the client

[[Email protected] ssl]# (umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 4096)

Generating RSA private key, 4096 bit long modulus

..................................................................................++

............................................................................................................++

E is 65537 (0x10001)

[email protected] ssl]# OpenSSL req-new-key/etc/httpd/ssl/httpd.key-days 369-out/etc/h Ttpd/ssl/httpd.csr

You is about-to is asked to-enter information that'll be incorporated

into your certificate request.

What's about-to-enter is called a distinguished Name or a DN.

There is quite a few fields but can leave some blank

For some fields there would be a default value,

If you enter '. ', the field would be a left blank.

-----

Country Name (2 letter code) [XX]:CN

State or province name (full name) []:beijing

Locality Name (eg, city) [Default city]:beijing

Organization Name (eg, company) [Default company LTD]:D K

Organizational Unit Name (eg, section) []:ops

Common name (eg, your name or your server ' s hostname) []:www.xiong.cn

Email Address []:[email protected]

Please enter the following ' extra ' attributes

To is sent with your certificate request

A Challenge Password []:123456

An optional company name []:centos

To view two files generated by a client

[[email protected] ssl]# ls

HTTPD.CSR Httpd.key

Pass the HTTPD.CSR file to the CA and then authorize the CA. The experiment is uploaded to the CA under the/tmp directory, according to the specifications of the words are uploaded to the corresponding folder inside, here for convenience put in/tmp

[Email protected] ssl]# SCP HTTPD.CSR [email protected]:/tmp/

The authenticity of host ' 192.168.2.30 (192.168.2.32) ' can ' t be established.

ECDSA key fingerprint is 62:d9:92:9a:3a:be:c1:82:6a:96:36:da:b7:9d:e3:a9.

Is you sure want to continue connecting (yes/no)? Yes

warning:permanently added ' 192.168.2.32 ' (ECDSA) to the list of known hosts.

[email protected] ' s password:

HTTPD.CSR 100% 1801 1.8K b/S 00:00

[Email protected] ssl]#

Then authorize it on the CA and agree to

[email protected] ca]# OpenSSL ca-in/tmp/httpd.csr-out/etc/pki/ca/certs/httpd.crt-days 365

Using Configuration From/etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature OK

Certificate Details:

Serial number:1 (0x1)

Validity

Not Before:jun 15:20:46 GMT

Not After:jun 15:20:46 2018 GMT

Subject:

CountryName = CN

Stateorprovincename = Beijing

OrganizationName = Dk

Organizationalunitname = Ops

CommonName = www.xiong.cn

EmailAddress = [email protected]

X509v3 Extensions:

X509v3 Basic Constraints:

Ca:false

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

37:6b:ff:b5:74:93:4f:ed:36:bc:23:2f:77:66:4d:31:48:bf:23:a6

X509v3 Authority Key Identifier:

Keyid:8c:d9:52:fd:d6:ec:86:99:de:14:d4:a8:d9:c5:01:cf:69:da:e2:d1

Certificate is to be certified until June 15:20:46 2018 GMT (365 days)

This piece of the word it is asking you to be sure to give it authorization, we enter Y agree to

Sign the certificate? [y/n]: Y

1 out of 1 certificate requests certified, commit? [Y/n]y

Write out database with 1 new entries

Data Base Updated

View the information in the authorization certificate, it's a little long, it's been copied and lost.

[email protected] ca]# OpenSSL X509-in/etc/pki/ca/certs/httpd.crt-noout-text

Certificate:

Data:

Version:3 (0x2)

Serial number:1 (0x1)

Signature algorithm:sha1withrsaencryption

ISSUER:C=CN, St=beijing, l=beijing, O=DK, Ou=ops, Cn=ca.xiong.cn/[email protected]

Validity

Not Before:jun 15:20:46 GMT

Not After:jun 15:20:46 2018 GMT

SUBJECT:C=CN, St=beijing, O=DK, Ou=ops, Cn=www.xiong.cn/[email protected]

Subject Public Key Info:

Public Key Algorithm:rsaencryption

Public-key: (4096 bit)

Modulus:

Release the authorized certificate to the client's specified directory from the CA server again

[Email protected] ca]# SCP certs/httpd.crt [email protected]:/etc/httpd/ssl/

Address 192.168.2.30 maps to Bogon, it is does not map back to the address-possible break-in attempt!

[email protected] ' s password:

HTTPD.CRT 100% 6051 5.9K b/S 00:00

To view a certificate in the client-specified folder

[Email protected] ~]# ls/etc/httpd/ssl/

HTTPD.CRT HTTPD.CSR Httpd.key

Little white First Blog there must be a lot of questions, the article what the problem of the great God can help point out!! Thank you very much.

Private CA Build under Linux