One. Building a private CA with OpenSSL
Building the CA
1. Generate the CA's private key
2. Generate a self-signed CA certificate
Issuing certificates to nodes
1. The node applies for a certificate
The node generates its own private key
The node generates a certificate signing request (CSR)
The node sends the request file to the CA
2. The CA signs the certificate
The CA validates the requester's information
The CA signs the certificate
The CA sends the signed certificate back to the requester.
Certificate verification (what a client does with a certificate it receives):
1. Decrypt the certificate's digital signature with the CA's public key to recover the digest the CA signed.
2. Compute the digest of the certificate with the same one-way hash algorithm and compare it with the decrypted value; a mismatch means the certificate was altered or was not signed by this CA.
3. Verify that the subject name in the certificate matches the server address that was requested.
How SSL works between a client and a server
1. The server has obtained a certificate from a CA in advance.
2. The client and server complete the TCP three-way handshake.
3. The client asks the server for its certificate and the server sends it.
4. The client decrypts the signature with the CA's public key to confirm the certificate was issued by that CA, recomputes the digest with the same one-way hash algorithm to confirm integrity, and then checks that the host it is connecting to matches the common name in the certificate.
5. Client and server negotiate the SSL version and cipher suite and generate a temporary (session) key for the communication. (Strictly, in the TLS handshake the version and cipher suite are negotiated in the ClientHello/ServerHello before the certificate is sent; the order here follows the client's checks rather than the wire sequence.)
6. The session key is used for the rest of the connection; the negotiation is repeated only when the connection is closed and established again.
Two. Create a CA
Switch to the /etc/pki/CA directory (note the upper-case CA: this is the default CA directory named in /etc/pki/tls/openssl.cnf on CentOS/RHEL, and the path is case-sensitive)
# cd /etc/pki/CA
Create the directories and files the CA needs and set the starting serial number; as explained in the outline above, they are created in the directory where the CA lives (on CentOS these, and private/, may already exist)
# mkdir certs newcerts crl
# touch index.txt
# echo 01 > serial
# ( umask 077; openssl genrsa -out private/cakey.pem 2048; )
The parentheses run the commands in a subshell so the umask does not affect the current shell; umask 077 makes the key file readable only by its owner
-out location of the output private key
2048 is the key length in bits
The serial file must contain a number (here 01), not be empty, or openssl ca cannot assign serial numbers later
The CA needs a self-signed certificate, so we use the openssl command to generate one for it
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
-new generate a new request; the user is asked to fill in the subject information (country, state, organization, common name and so on)
-x509 output a self-signed certificate instead of a request; used for test certificates or for the CA's own certificate
-key location of the private key
-days validity period in days (default is 30 days)
-out where to write the certificate
Create an ssl directory under /etc/vsftpd/ and, in it, generate the node's private key the same way the CA key was generated (openssl genrsa under umask 077)
Generate a certificate signing request from that key
# openssl req -new -key vsftpd.key -out vsftpd.csr
The .csr file is sent to the CA. On the CA, edit the configuration file /etc/pki/tls/openssl.cnf and make sure the dir entry in the [ CA_default ] section points at the directory where your CA lives (change the default value if it differs)
dir = /etc/pki/CA
Sign the request; openssl ca takes the CA key, certificate, database and serial locations from that configuration file and asks you to confirm before signing. With the default policy_match, the requester's country, state and organization must be identical to the CA certificate's, otherwise the request is refused
# openssl ca -in vsftpd.csr -out vsftpd.crt
The signed vsftpd.crt (together with cacert.pem, which the peer needs in order to verify it) is then sent back to the node.
Three. Revoke a certificate on the CA side
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem     revoke the certificate (newcerts/ holds a copy of every certificate the CA has issued, named after its serial number)
# openssl ca -gencrl -out thisca.crl     regenerate the certificate revocation list; this needs the crlnumber file named in openssl.cnf to exist and hold a starting number such as 01, otherwise the command fails
Viewing the revocation status
# cat index.txt     the status flag at the start of the certificate's entry changes from V (valid) to R (revoked). Note that clients only honour the revocation if they fetch and check the new CRL; a plain signature check still succeeds.
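The whole procedure from this and the previous section, as an added example that is not part of the original post: a POSIX sh script that builds a private CA, issues a certificate to a node, runs the verification steps from section one (signature against the CA certificate, then subject CN against the intended host), revokes the certificate and regenerates the CRL. It runs without root in a scratch directory from mktemp; the CA name "Demo Private CA", the node name ftp.example.com and the minimal openssl.cnf the script writes (in place of the system /etc/pki/tls/openssl.cnf, whose [ CA_default ] section uses the same keys) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the post's own commands: throwaway private CA in a
# scratch directory. CA name, node name and the openssl.cnf below are assumed.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Layout "openssl ca" expects: directories, an empty database (index.txt),
# a starting serial number and a starting CRL number.
setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"   # "openssl ca -gencrl" fails without it

    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
x509_extensions  = usr_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
    # CA key in a subshell so umask 077 does not leak out; then the
    # self-signed CA certificate (ten years) and an initial, empty CRL.
    ( umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days 3650 -subj "/CN=Demo Private CA" -config "$CA_DIR/openssl.cnf"
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/thisca.crl" 2>/dev/null
}

# Node side: private key, then a CSR whose subject CN is the node's hostname.
make_csr() {
    ( umask 077; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null )
    openssl req -new -key "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" \
        -subj "/CN=$1" -config "$CA_DIR/openssl.cnf"
}

# CA side: sign the CSR. -batch skips the confirmation prompt, -notext keeps
# only the PEM block. A copy also lands in newcerts/<serial>.pem.
sign_csr() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Client checks: signature/digest against the CA certificate (openssl verify),
# then the subject CN compared with the host we meant to reach. $1 cert, $2 host.
verify_cert() {
    if openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1 &&
       openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"; then
        echo OK
    else
        echo FAIL
    fi
}

# Same signature check, but also consulting the CA's CRL. $1 cert.
verify_with_crl() {
    if openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
           -CRLfile "$CA_DIR/crl/thisca.crl" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo REVOKED
    fi
}

# CA side: revoke and publish a fresh CRL; index.txt's status column flips V -> R.
revoke_cert() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/thisca.crl" 2>/dev/null
}

# Status flag (V valid, R revoked) of the first entry in the CA database.
index_status() { cut -f1 "$CA_DIR/index.txt" | head -n 1; }

setup_ca
make_csr ftp.example.com
sign_csr ftp.example.com
CRT="$CA_DIR/ftp.example.com.crt"
echo "issued:  name=$(verify_cert "$CRT" ftp.example.com) wrong-host=$(verify_cert "$CRT" mail.example.com) crl=$(verify_with_crl "$CRT") index=$(index_status)"
revoke_cert ftp.example.com
echo "revoked: name=$(verify_cert "$CRT" ftp.example.com) crl=$(verify_with_crl "$CRT") index=$(index_status)"
```

The last line is the point worth remembering from section three: after revocation the plain signature check still says OK, and only a client that fetches the regenerated CRL (or an OCSP responder) rejects the certificate, so publishing the CRL is part of revoking.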
This article is from "Luo Chen's blog"; please keep this source: http://luochen2015.blog.51cto.com/9772274/1694191