Simple setup of CA server
I. Brief introduction
The CA also has a certificate of its own (with a public key, whose private key the CA keeps). Users on the Internet trust the CA by verifying the CA's signature, and anyone can obtain the CA's certificate (with the public key) to verify the certificates it has issued.
If a user wants a certificate of his own, he first applies to the CA. After the CA has verified the applicant's identity, he is assigned a public key; the CA binds that public key to the applicant's identity, signs the result, and issues the certificate to the applicant.
II. Description of the environment
IP: 192.168.151.204
# cat /etc/redhat-release
CentOS release 6.7 (Final)
# uname -i
x86_64
III. Required software
openssl and openssl-devel:
# yum install openssl openssl-devel -y
IV. Installation process
1. Enter the CA directory
# cd /etc/pki/CA
If the certs, crl (certificate revocation lists) and newcerts directories do not exist, create them:
# mkdir {certs,crl,newcerts}
2. Create two empty files, the index file and the serial number file, and make the CA name resolvable
# touch index.txt
# touch serial
# vim /etc/hosts
192.168.151.204 ca.10fei3.top
3. Create a root certificate
# echo 01 > serial
(This command is required the first time the root certificate is created; the first serial number is 01, which is why the certificate signed in step 6 below gets serial number 1.)
The RSA key used to generate the certificate is saved in the private directory:
# openssl genrsa 1024 > private/hunk-ca.key
Generate a self-signed certificate with hunk-ca.key:
# cat private/hunk-ca.key
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----
[[email protected] CA]# openssl req -new -x509 -key private/hunk-ca.key -days 365 -out hunk-ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.10fei3.top
Email Address []:hunkz.gmail.com
4. Modify the OpenSSL configuration file
[[email protected] CA]# cd ../tls/
[[email protected] tls]# vim openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
#certificate    = $dir/cacert.pem       # The CA certificate
certificate     = $dir/hunk-ca.crt      # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/hunk-ca.key  # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
Two things change compared with the stock file: certificate and private_key point at hunk-ca.crt and hunk-ca.key, and the policy_match section is relaxed so that country, state and organization no longer have to match the CA's own values; only the common name is mandatory.
5. Generate a key and certificate request for the mail server (in /tmp)
[[email protected] tmp]# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
.............++++++
.......++++++
e is 65537 (0x10001)
[[email protected] tmp]# openssl req -key dovecot.key -out dovecot.csr
^C
(The first attempt is interrupted because it lacks -new.)
[[email protected] tmp]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6. Sign the request with the CA
[[email protected] tmp]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 23 03:29:48 2016 GMT
            Not After : Jun 23 03:29:48 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = etnet
            organizationalUnitName    = IT
            commonName                = www.abc.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9D:1D:A6:54:5A:A9:55:1A:10:1A:CA:8E:AF:A9:00:82:44:1E:A2:E9
            X509v3 Authority Key Identifier:
                keyid:A6:85:80:4E:AE:B7:E6:DE:EA:35:88:63:2D:8A:AB:4E:FD:09:D8:3F
Certificate is to be certified until Jun 23 03:29:48 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Useful files
dovecot.crt dovecot.key
8. Test the certificate with mutt
# mutt -f pops://[email protected]@mail.10fei3.top
q:Exit  ?:Help
This certificate belongs to:
   www.abc.com  [email protected]
   etnet  IT
   shanghai  CN
This certificate was issued by:
   ca.10fei3.top  hunkz.gmail.com
   etnet  IT
   shanghai  CN
This certificate is valid
   from Thu, 23 Jun 2016 03:29:48 UTC
     to Fri, 23 Jun 2017 03:29:48 UTC
SHA1 Fingerprint: ACEC 40BC 4101 4E3A 7FB1 D1E0 23C5 7200 5BE9 994E
MD5 Fingerprint: FF9F 4BE0 BB97 CEBF 499B CE5D D4D6 F95D
WARNING: Server hostname does not match certificate
-- Mutt: SSL Certificate check (certificate 1 of 1 in chain)
(r)eject, accept (o)nce, (a)ccept always
The warning appears because the certificate was issued for the common name www.abc.com while the mailbox was opened on mail.10fei3.top; mutt leaves it to the user to reject or accept the mismatched certificate.
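The whole procedure above (steps 1 to 6) and the hostname check mutt performs in step 8, as an added shell example that is not from the original post: it runs in a scratch directory, replaces the interactive prompts with -subj, and assumes only the openssl command line tool. The hostnames ca.10fei3.top, www.abc.com and mail.10fei3.top are the post's; the 2048-bit keys, sha256 and the trimmed configuration are this example's own choices.

```shell
# Added example, not code from the original post: the CA walk-through run non-interactively
# in a scratch directory (never /etc/pki/CA); key size, digest and config are this example's.
set -e
# One private openssl.cnf carrying the [ CA_default ] values the post edits.
write_cnf() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/hunk-ca.crt
private_key = \$dir/private/hunk-ca.key
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}
# Steps 1-3: layout, empty index, serial 01, CA key and self-signed CA cert (-subj replaces prompts).
setup_ca() {
    mkdir -p "$1/newcerts" "$1/private"
    : > "$1/index.txt"; echo 01 > "$1/serial"; write_cnf "$1"
    openssl genrsa -out "$1/private/hunk-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/private/hunk-ca.key" -days 365 \
        -subj "/C=CN/ST=Shanghai/O=etnet/OU=IT/CN=ca.10fei3.top" -out "$1/hunk-ca.crt"
}
# Steps 5-6: key and CSR for the server name "$2", then signing with "openssl ca".
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl ca -batch -name CA_default -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# What mutt checks in step 8: chain back to our CA, and subject CN equal to the host dialled ("$3").
check_cert() {
    openssl verify -CAfile "$1/hunk-ca.crt" "$2" >/dev/null 2>&1 || { echo untrusted; return; }
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/.*CN=\([^,]*\).*/\1/')
    [ "$cn" = "$3" ] && echo ok || echo mismatch
}
CA_DIR=$(mktemp -d); setup_ca "$CA_DIR"; issue_cert "$CA_DIR" www.abc.com
```

After it runs, `check_cert "$CA_DIR" "$CA_DIR/www.abc.com.crt" www.abc.com` prints ok, while the same call with mail.10fei3.top prints mismatch, which is exactly the condition behind mutt's warning.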
V. Summary
1. ca.10fei3.top must be resolvable (hence the /etc/hosts entry in step 2); otherwise there may be problems.
2. This article generates a CA certificate in order to build a secure mail retrieval server, which the mutt test above confirms is reachable.