Digital certificates provide electronic authentication for secure communication between two parties. On the Internet, or in a corporate intranet or extranet, digital certificates are used for identification and for encrypting electronic information. A digital certificate contains identification information about the owner of a key pair (public key and private key), so the identity of the certificate holder can be authenticated by verifying that the identification information is genuine.
Certificate application and signing procedure:
1. Generate the application request (the CSR);
2. The RA reviews the request;
3. The CA signs it;
4. Obtain the certificate.
Create a private CA
1. Create the required files under /etc/pki/CA
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
certs  crl  index.txt  newcerts  private  serial
2. Generate the CA self-signed certificate
[[email protected] CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
..............................++
...............................................................................++
e is 65537 (0x10001)
[[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DK
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.xiong.cn
Email Address []:[email protected]
The meaning of the options used:
-new: generate a new certificate signing request;
-x509: used by a CA to generate a self-signed certificate instead of a request;
-key: the private key file used to generate the request;
-days N: validity period of the certificate, in days;
-out /path/to/somecertfile: the path where the certificate is saved.
View the two newly generated files, cakey.pem and cacert.pem:
[[email protected] CA]# ls -l
total 28
-rw-r--r--. 1 root root 1399 Jun 19:51 cacert.pem
-rw-------. 1 root root 3247 Jun 19:06 cakey.pem
drwxr-xr-x. 2 root root 4096 Jun 18:50 certs
drwxr-xr-x. 2 root root 4096 Feb 23:49 crl
-rw-r--r--. 1 root root    0 Jun 19:03 index.txt
drwxr-xr-x. 2 root root 4096 Jun 18:48 newcerts
drwx------. 2 root root 4096 Jun 18:17 private
-rw-r--r--. 1 root root    3 Jun 19:03 serial
The client host generates a certificate request. (Note that -days has no effect on a plain request: a CSR carries no validity period, and the CA decides the validity when it signs.)
[[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
..................................................................................++
............................................................................................................++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 369 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:DK
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.xiong.cn
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:centos
View the two files generated on the client:
[[email protected] ssl]# ls
httpd.csr  httpd.key
Pass the httpd.csr file to the CA so that the CA can sign it. In this experiment it is uploaded to /tmp on the CA; properly, requests should be uploaded to a directory set aside for them, but /tmp is used here for convenience.
[[email protected] ssl]# scp httpd.csr [email protected]:/tmp/
The authenticity of host '192.168.2.30 (192.168.2.32)' can't be established.
ECDSA key fingerprint is 62:d9:92:9a:3a:be:c1:82:6a:96:36:da:b7:9d:e3:a9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.32' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr                                     100% 1801     1.8KB/s   00:00
[[email protected] ssl]#
Then sign it on the CA and confirm:
[[email protected] CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 15:20:46 GMT
            Not After : Jun 15:20:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = DK
            organizationalUnitName    = ops
            commonName                = www.xiong.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:6b:ff:b5:74:93:4f:ed:36:bc:23:2f:77:66:4d:31:48:bf:23:a6
            X509v3 Authority Key Identifier:
                keyid:8c:d9:52:fd:d6:ec:86:99:de:14:d4:a8:d9:c5:01:cf:69:da:e2:d1
Certificate is to be certified until Jun 15:20:46 2018 GMT (365 days)
At this point it asks you to confirm that you really want to sign the certificate; enter y to agree:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
View the information in the signed certificate. The output is long, so only the beginning is reproduced here. Two details are worth noticing. First, the signature algorithm is sha1WithRSAEncryption, the default_md of this openssl.cnf; SHA-1 certificate signatures are no longer accepted by current browsers, so for anything beyond an experiment set default_md = sha256 in openssl.cnf (or pass -md sha256 to openssl ca). Second, the Subject no longer contains the L=beijing that was entered in the request: the default policy_match section in openssl.cnf does not list localityName, and openssl ca silently drops any field the policy does not mention.
[[email protected] CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=DK, OU=ops, CN=ca.xiong.cn/emailAddress=[email protected]
        Validity
            Not Before: Jun 15:20:46 GMT
            Not After : Jun 15:20:46 2018 GMT
        Subject: C=CN, ST=beijing, O=DK, OU=ops, CN=www.xiong.cn/emailAddress=[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
Copy the signed certificate from the CA server back to the client's designated directory:
[[email protected] CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
Address 192.168.2.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
[email protected]'s password:
httpd.crt                                     100% 6051     5.9KB/s   00:00
View the certificate in the client's directory:
[[email protected] ~]# ls /etc/httpd/ssl/
httpd.crt  httpd.csr  httpd.key
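The whole procedure above, from building the CA through signing and inspecting the server certificate, as an added example that is not part of the original post. It runs non-interactively in a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf (constructed here, mirroring the [ CA_default ] and policy_match sections the post relies on from /etc/pki/tls/openssl.cnf), signs with sha256 rather than the sha1 seen in the post's output, puts a subjectAltName on the server certificate, and ends with the checks a practitioner would run on the result. The DN values and hostnames are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's private-CA workflow
# (CA key and self-signed CA cert, client CSR, "openssl ca" signing, inspection)
# run non-interactively in a temporary directory instead of /etc/pki/CA, with
# sha256 instead of the sha1 seen in the post's output and a SAN on the server
# certificate. The openssl.cnf written here is constructed for this example;
# the DN values and hostnames are the ones the post uses.
set -eu

build_private_ca() {
    ca="$1"                      # gets the same layout the post creates under /etc/pki/CA
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    touch "$ca/index.txt"        # CA database, empty to start
    echo 01 > "$ca/serial"       # first serial number (the post's serial file holds "01")
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$ca/private/cakey.pem" -days 365 \
        -subj "/C=CN/ST=beijing/L=beijing/O=DK/OU=ops/CN=ca.xiong.cn" \
        -config "$ca/openssl.cnf" -out "$ca/cacert.pem"
}

issue_server_cert() {
    ca="$1"; out="$2"; host="$3"
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/httpd.key" 2048 2>/dev/null)
    # A CSR carries no validity period: -days only matters when the CA signs.
    openssl req -new -sha256 -key "$out/httpd.key" \
        -subj "/C=CN/ST=beijing/L=beijing/O=DK/OU=ops/CN=$host" \
        -config "$ca/openssl.cnf" -out "$out/httpd.csr"
    # End-entity extensions; -extfile overrides any x509_extensions in the config.
    cat > "$out/ext.cnf" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
    # -batch answers the two y/n prompts shown in the post.
    openssl ca -batch -config "$ca/openssl.cnf" -extfile "$out/ext.cnf" \
        -extensions server_cert -days 365 -notext \
        -in "$out/httpd.csr" -out "$out/httpd.crt" 2>/dev/null
}

verify_issued_cert() {
    # Succeeds only if the chain validates, the SAN names the host, the cert is not
    # a CA, it is sha256-signed and the CA database lists it as valid (V).
    ca="$1"; out="$2"; host="$3"
    openssl verify -CAfile "$ca/cacert.pem" "$out/httpd.crt" 2>/dev/null | grep -q ': OK' || return 1
    text=$(openssl x509 -in "$out/httpd.crt" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$host" || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    # policy_match lists no localityName, so the CSR's L=beijing must have been dropped.
    if printf '%s\n' "$text" | grep 'Subject:' | grep -Eq 'L ?= ?beijing'; then return 1; fi
    grep -q '^V' "$ca/index.txt"
}

work=$(mktemp -d)
build_private_ca "$work/ca"
issue_server_cert "$work/ca" "$work/httpd" www.xiong.cn
if verify_issued_cert "$work/ca" "$work/httpd" www.xiong.cn; then
    echo "www.xiong.cn: issued by the private CA and verified"
    openssl x509 -in "$work/httpd/httpd.crt" -noout -issuer -subject -dates
else
    echo "verification failed" >&2; exit 1
fi
```

The script replaces the interactive prompts with -subj and -batch so the same steps can be repeated; the CA's private key directory gets mode 700 and the keys are written under umask 077, matching the permissions the post's ls -l shows. The server certificate gets CA:FALSE, a serverAuth EKU and a DNS SAN, which is what TLS clients actually match the hostname against; the CN alone, as in the post's certificate, is no longer enough for browsers.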
This is my first blog post as a beginner, so there are bound to be many problems; experienced readers, please help point out whatever is wrong in the article! Thank you very much.
Private CA Build under Linux