Self-built CA

Source: Internet
Author: User

One. Building a private CA with OpenSSL

Building a CA

1. Generate a private key

2. Create a self-signed certificate

Issuing certificates to nodes

1. A node applies for a certificate

The node generates a private key

The node generates a certificate signing request (CSR)

The node sends the request file to the CA

2. The CA signs the certificate

The CA validates the requester's information

The CA signs the certificate

The CA sends the signed certificate back to the requester.

Certificate verification:

1. Decrypt the certificate's digital signature using the CA's public key

2. Compute the digest of the certificate with the same one-way hash algorithm and compare it with the decrypted result

3. Verify that the subject name in the certificate matches the server address that was requested

How SSL works between client and server

1. The server has already obtained a certificate from the CA

2. Client and server complete the TCP three-way handshake

3. The client requests the certificate from the server, and the server sends its certificate to the client

4. The client decrypts the signature with the CA's public key to verify that the source is legitimate, recomputes the digest with the same one-way hash algorithm to verify integrity, and then checks that the host being accessed matches the common name in the certificate

5. Client and server negotiate the SSL version and encryption algorithms and generate a temporary key for the session

6. That temporary key is used until the connection is closed; establishing a new connection repeats the negotiation

Two. Create a CA

Switch to the /etc/pki/CA/ directory

# cd /etc/pki/CA

Create the directories and files the CA needs and set the starting serial number; as explained in the previous step, they are created in the directory where the CA is located

# mkdir certs newcerts crl

# touch index.txt

# echo 01 > serial

   

# ( umask 077; openssl genrsa -out private/cakey.pem 2048; )

( ) runs the commands in a subshell, so the umask change does not affect the current shell

-out: where to write the private key

2048 is the key length in bits

The CA needs a self-signed certificate, so we use the openssl command to generate one for it

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

-new generates a new request; the user is asked to fill in the subject information

-x509 outputs a self-signed certificate instead of a request; used for test certificates or for a CA signing its own certificate

-key: location of the private key

-days: validity period in days (the default is 30 days)

-out: where to write the generated certificate

Create an ssl directory under /etc/vsftpd/ and generate the node's private key inside it

Generate a certificate signing request

# openssl req -new -key vsftpd.key -out vsftpd.csr

Edit the CA configuration file /etc/pki/tls/openssl.cnf, which specifies the directory where your CA is located, and change the default value

dir = /etc/pki/CA

Then sign the request with the CA

# openssl ca -in vsftpd.csr -out vsftpd.crt

Three. Revoke a certificate on the CA side

# openssl ca -revoke /etc/pki/CA/newcerts/01.pem    Revoke the certificate

# openssl ca -gencrl -out thisca.crl    Update the certificate revocation list

Viewing revocation information

# cat index.txt    The status of the revoked entry changes from V to R.
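The three sections above (verifying a certificate in section One, building the CA and issuing a node certificate in section Two, revoking it in section Three) can be run end to end in one throwaway directory. The script below is an added example, not code from the original post; it assumes an OpenSSL 1.1.1 or newer binary on PATH, writes its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, and every path, file name and subject (Demo Root CA, ftp.example.test, node.key, thisca.crl) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: runs the CA workflow from
# sections One to Three in a temporary directory instead of /etc/pki/CA.
# Assumes openssl 1.1.1+ on PATH; all names and paths below are constructed.
set -eu

run_ca_demo() (
    ca_dir=$(mktemp -d)
    cd "$ca_dir"

    # Section Two: the CA's working directories, index database and serial file
    mkdir certs newcerts crl private
    chmod 700 private
    touch index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Minimal openssl.cnf; "dir" plays the role of the dir= line edited in the post
    cat > openssl.cnf <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $ca_dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_node

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_node ]
basicConstraints = CA:FALSE
EOF

    # CA private key (subshell so the umask does not leak) and self-signed certificate
    ( umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null )
    openssl req -new -x509 -config openssl.cnf -key private/cakey.pem \
        -out cacert.pem -days 3650 -subj "/CN=Demo Root CA"

    # Node side: private key and certificate signing request (the vsftpd step)
    ( umask 077; openssl genrsa -out node.key 2048 2>/dev/null )
    openssl req -new -config openssl.cnf -key node.key -out node.csr \
        -subj "/CN=ftp.example.test"

    # CA side: sign the request; -batch answers the confirmation prompts with yes
    openssl ca -batch -config openssl.cnf -in node.csr -out node.crt >/dev/null 2>&1

    # Section One verification: signature and digest checks via "verify", then the
    # subject name against the host being accessed (CN is used when no SAN is set)
    openssl verify -CAfile cacert.pem node.crt >/dev/null
    openssl x509 -in node.crt -noout -checkhost ftp.example.test | grep -q "does match"

    # Section Three: revoke the first issued certificate and publish the CRL
    openssl ca -config openssl.cnf -revoke newcerts/01.pem >/dev/null 2>&1
    openssl ca -config openssl.cnf -gencrl -out crl/thisca.crl >/dev/null 2>&1
    grep -q '^R' index.txt          # the index.txt entry flipped from V to R

    # A verifier that consults the CRL must now reject the certificate
    if openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/thisca.crl \
            node.crt >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2
        exit 1
    fi
    echo "$ca_dir"
)

demo_dir=$(run_ca_demo)
echo "demo CA left in $demo_dir (index.txt now shows the R entry)"
```

The node certificate carries only a common name, which is exactly the check step 3 of section One describes; current browsers and TLS libraries match the host against the subjectAltName extension instead and ignore the CN, so a certificate issued for real use should add a subjectAltName entry in the v3_node section. Note also that publishing the CRL is only half of revocation: a client only refuses the certificate if it actually fetches and checks the CRL, which is why the last step verifies with -crl_check.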



This article is from the blog "Luo Chen's blog"; please keep this source: http://luochen2015.blog.51cto.com/9772274/1694191
