Self-built CA Based on OpenSSL and SSL certificate issuance

Self-built CA Based on OpenSSL and SSL certificate issuance

For details about SSL/TLS, see the SSL/TLS principles.
For more information about Certificate Authority (CA) and digital certificate, see OpenSSL and SSL digital certificate concepts.

Openssl is a suite of open-source programs. It consists of three parts: one islibcryto, This is a general function of the encryption library, which implements a large number of encryption libraries; secondlibsslThis implements the ssl mechanism. It is used to implement TLS/SSL functions. The third is openssl, which is a multi-function command line tool that implements encryption and decryption, it can even be used as a CA, allowing you to create and revoke certificates.

Openssl is installed on both Ubuntu and CentOS by default. Directory structure of the ssl certificate on CentOS 6.x:

1 2 3 4 5 6 7 8 9 10 11

/Etc/pki/CA/ Newcerts stores digital certificates signed (issued) by the CA (certificate Backup Directory) Private is used to store the private key of the CA. Certificate revoked by crl /Etc/pki/tls/ Cert. pem soft link to certs/ca-bundle.crt Certs/certificate directory on the server, which can house your own certificates and built-in certificates Ca-bundle.crt built-in trusted Certificate Private certificate key storage directory The CA master configuration file for openssl. cnf openssl

 

1. issue certificate 1.1 modify CA configuration files

To issue a certificate to someone else, the CA must first have a root certificate. Before all work, we must modify the CA configuration file, serial number, index, and so on.

vi /etc/pki/tls/openssl.cnf:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

... [CA_default] Dir =/etc/pki/CA # Where everything is kept Certs = $ dir/certs # Where the issued certs are kept Crl_dir = $ dir/crl # Where the issued crl are kept Database = $ dir/index.txt # database index file. # Unique_subject = no # Set to 'no' to allow creation # Several ctificates with same subject. New_certs_dir = $ dir/newcerts # default place for new certs. Certificate = $ dir/cacert. pem # The CA certificate Serial = $ dir/serial # The current serial number Crlnumber = $ dir/crlnumber # the current crl number # Must be commented out to leave a V1 CRL Crl = $ dir/crl. pem # The current CRL Private_key = $ dir/private/cakey. pem # The private key RANDFILE = $ dir/private/. rand # private random number file ... Default_days = 3650 # how long to certid ... # For the CA policy [Policy_match] CountryName = match StateOrProvinceName = optional LocalityName = optional OrganizationName = optional OrganizationalUnitName = optional CommonName = supplied EmailAddress = optional ... [Req_distinguished_name] CountryName = Country Name (2 letter code) CountryName_default = CN CountryName_min = 2 CountryName_max = 2 StateOrProvinceName = State or Province Name (full name) StateOrProvinceName_default = GD ... The [req_distinguished_name] section mainly refers to some default values during certification and can not be moved.

 

Be sure to note[ policy_match ]The matching rules set in may be caused by different certificates used by different tools. Even if the csr seems to have the same countryName, stateOrProvinceName and so on, the following error is still reported when the certificate is generated:

1 2 3 4 5

Using configuration from /usr/lib/ssl/openssl.cnf Check that the request matches the signature Signature ok The stateOrProvinceName field needed to be the same in the CA certificate (GuangDong) and the request (GuangDong)

 

touch index.txt serial:
Create two initial files in the CA directory:

1 2	# touch index.txt serial # echo 01 > serial

 

1.2 generate the Root Key

1 2	# cd /etc/pki/CA/ # openssl genrsa -out private/cakey.pem 2048

For the sake of security, you can modify the Private Key File Permission of cakey. pem to 600 or 400, or use a sub-shell to generate( umask 077; openssl genrsa -out private/cakey.pem 2048 ).

1.3 generate a root certificate

Use the req command to generate a self-signed certificate:

1	# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

 

You will be prompted to enter some content. Because it is private, you can enter it at will (the previously modified openssl. cnf will be displayed here). It is best to remember to keep it consistent with the subsequent content. The above self-signed documentscacert.pemIt should be generated in/etc/pki/CA.

1.4 generate an ssl Key for our nginx web Server

All the preceding operations are performed on the CA server and only need to be performed once. Now, the operation is transferred to the nginx server for execution:

1 2	# cd /etc/nginx/ssl # openssl genrsa -out nginx.key 2048

 

During the test, the CA center is the same as the server for applying for the certificate.

1.5 generate a Certificate Signing Request for nginx

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

# openssl req -new -key nginx.key -out nginx.csr ... Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:GD Locality Name (eg, city) []:SZ Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY Organizational Unit Name (eg, section) []:IT_SECTION Common Name (e.g. server FQDN or YOUR name) []:your.domain.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: ...

You will also be prompted to enter some content.Commone NameIf you want to authorize the server domain name or Host Name of the certificate, do not fill in the challenge password.

1.6 The Private CA signs the certificate as requested

Next, you need to send the csr file generated in the previous step to the CA server and execute it on the CA Server:

1 2 3 4

# Openssl ca-in nginx. csr-out nginx. crt In rare cases, the certificate generated by the above command cannot be identified. Try the following command: # Openssl x509-req-in server. csr-CA/etc/pki/CA/cacert. pem-CAkey/etc/pki/CA/private/cakey. pem-CAcreateserial-out server. crt

 

The above issue process is actually used by default.-cert cacert.pem -keyfile cakey.pemThese two files are generated in the previous two steps/etc/pki/CA. Send the generated crt certificate back to the nginx server for use.

By now, we have all the files required to establish an ssl secure connection, and the crt and key of the server are located in the configured directory. The rest is how to use the certificate.

2. Use ssl Certificate 2.1 for general browsers

The browser acts as a client to access the https-encrypted server. Generally, you do not need to perform other settings manually, suchhttps://www.google.com.hkThis is because Chrome, FireFox, Safari, IE and other browsers have built most common CA root certificates, but the self-built CA root certificates are no longer in the browser's trust list, the following message is displayed during access:
IE browser

Google Chrome

After the website certificate is installed (a trusted root certificate also exists), the address bar usually displays a small green lock.

Certificate Information

How to import certificates to a browser: http://cnzhx.net/blog/self-signed-certificate-as-trusted-root-ca-in-windows/

2.2 Add a root certificate for linux

This step is not mandatory and generally appears in the development and testing environment. The specific application should provide the method for adding certificates.

curlThe tool can simulate sending requests in linux, but when it accesses an https encrypted website, the following message is displayed:

1 2 3 4 5 6 7 8 9 10 11 12 13

# curl https://sean:sean@registry.domain.com:8000/ curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

 

The above information indicates that curl does not find the root certificate in the linux certificate trust set. You can usecurl --insecureTo not verify the reliability of the certificate, this can only ensure that the data is encrypted transmission, but cannot ensure that the other party is the service we want to access. Usecurl --cacert cacert.pemYou can manually specify the root certificate path. We can also add the root certificate to the system (CentOS 5, 6) default bundle:

1 2 3 4 5

# Cp/etc/pki/tls/certs/ca-bundle.crt {,. bak} backup to prevent errors # Cat/etc/pki/CA/cacert. pem>/etc/pki/tls/certs/ca-bundle.crt # Curl https: // sean: sean@registry.domain.com: 8000 "Docker-registry server (dev) (v0.8.1 )"

 

2.3 nginx

In the nginx configuration file (which may be/etc/nginx/sites-available/default) To add:

1 2 3

ssl on; ssl_certificate /etc/nginx/ssl/nginx.crt; ssl_certificate_key /etc/nginx/ssl/nginx.key;

At the same time, note that server_name must be the same as the Common Name when the certificate is applied. open port 443. Of course, there are other configuration content about web server encryption. For example, you can only encrypt some URLs and enforce https access to URL redirection. For more information, see.

3. About Certificate Application

Note: For general applications, the Administrator only needs to generate a "certificate request" (the suffix is mostly. csr), which contains your name and public key, and then sends the request to a CA service company such as verisign (of course, along with hundreds of dollars ), after your certificate request is verified, the CA uses its Private Key signature to form a formal certificate and send it back to you. The administrator can import the certificate on the web server. If you don't want to spend that money, or want to understand the principle, you can do it yourself. From the ca perspective, you need the private key and public key of the CA. From the perspective of the server that wants the certificate, you need to send the certificate request from the server to the CA.

If you want to make your own CA, do not forget that the client needs to import the CA certificate (the CA certificate is self-signed, import it means you "trust" The certificate signed by the CA ). Commercial CAs are generally not used because they are already built into your browser.

For more information about OpenSSL, see the following links:

Use OpenSSL command line to build CA and Certificate

Install OpenSSL in Ubuntu

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to generate certificates in Linux

Use OpenSSL to sign multi-domain certificates

Add a custom encryption algorithm to OpenSSL

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: