An introduction to private CAs and encryption/decryption with OpenSSL

Source: Internet
Author: User
Tags: openssl, x509, csr, certificate, asymmetric encryption

Encryption (encode): transforming plaintext (readable information) into ciphertext using some algorithm. The inverse process is called decryption (decode): converting the encoded information back into plaintext.

Common cryptographic algorithms and protocols:

1. Symmetric encryption

2. Public key encryption (asymmetric encryption)

3. One-way encryption

4. Authentication protocols

Symmetric encryption: encryption and decryption use the same key. The scheme depends on the algorithm and the key, and its security rests on the key rather than on the algorithm.
Common algorithms: DES, 3DES, AES, Blowfish, IDEA, Twofish, CAST5, RC6
Features: 1) encryption and decryption use the same key
2) the plaintext is split into blocks of fixed size and encrypted block by block
Drawbacks: 1) too many keys to manage
2) key distribution
Asymmetric encryption: public-key cryptography.

Key pair: a private key (kept by its owner only) and a public key (available to everyone).
The public key is derived from the private key. Data encrypted with the public key can only be decrypted with the paired private key, and vice versa.

Uses:
1) Identity authentication: the private key owner encrypts (signs) data with its private key; anyone who can decrypt it with the matching public key has thereby authenticated the owner's identity.
2) Key exchange: before communicating, a party first obtains the other party's public key, generates a session key, encrypts it with that public key and sends it to the other party.
3) Data encryption
Algorithms: RSA, DSA (digital signatures), ElGamal
Features: 1) long keys: 512, 2048 or 4096 bits
2) encryption and decryption use the two keys of the pair, respectively
3) often used for signing data and for key exchange
One-way encryption (hashing): data can be encrypted but not decrypted; it is used to extract a fingerprint (digest) of the data.

Features:
1) Fixed-length output: however large the original data, the result is always the same length
2) Avalanche effect: a small change in the input causes a large change in the output
3) Irreversible
Algorithms: MD5 (128-bit fixed-length output), SHA-1 (160-bit fixed-length output), SHA-256, SHA-384, SHA-512; CRC32 is a cyclic redundancy check (an error-detecting checksum rather than a cryptographic hash)
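The three classes of algorithm above, exercised with the openssl command line. This is an added example, not part of the original post; the key, IV and messages are constructed test values, and the scratch directory is created with mktemp.

```shell
set -eu
WORK="$(mktemp -d)"   # scratch dir for keys and ciphertext

# One-way: SHA-256 yields a 64-hex-digit (256-bit) digest whatever the input size
sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'; }

# Avalanche effect: count the hex digits that differ between two digests
hex_diff_count() {
  printf '%s\n%s\n' "$1" "$2" | awk 'NR==1 {a=$0} NR==2 {n=0
    for (i=1; i<=length(a); i++) if (substr(a,i,1) != substr($0,i,1)) n++; print n}'
}

# Symmetric: one shared key and IV (constructed test values) both encrypt and decrypt
KEY=000102030405060708090a0b0c0d0e0f
IV=0f0e0d0c0b0a09080706050403020100
aes_roundtrip() {
  printf '%s' "$1" | openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -out "$WORK/ct.bin"
  openssl enc -d -aes-128-cbc -K "$KEY" -iv "$IV" -in "$WORK/ct.bin"
}

# Asymmetric: the public key is extracted from the private key; data encrypted to the
# public key can only be recovered with the paired private key (RSA-OAEP padding)
rsa_roundtrip() {
  openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/rsa.bin"
  openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" -pkeyopt rsa_padding_mode:oaep -in "$WORK/rsa.bin"
}

# An unrelated private key cannot decrypt that ciphertext: the OAEP check fails
# (run rsa_roundtrip first so $WORK/rsa.bin exists)
rsa_wrong_key_fails() {
  openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null
  ! openssl pkeyutl -decrypt -inkey "$WORK/other.pem" -pkeyopt rsa_padding_mode:oaep \
      -in "$WORK/rsa.bin" >/dev/null 2>&1
}
```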

Now let's look at how to build a CA with OpenSSL.

OpenSSL is an open-source implementation of SSL (it can be downloaded for free). It is a security and confidentiality program primarily used to improve the security of remote login (Telnet) access, and it is also one of the most powerful tools currently used for cryptographic algorithms.

OpenSSL is a security toolkit that provides confidentiality and data integrity for network communications. It includes the main cryptographic algorithms, common key and certificate management functions (CA), and the SSL protocol, and it ships a rich set of applications for testing and other purposes. For example, we will use OpenSSL to build a private CA and issue certificates.

The components of OpenSSL:
libcrypto: encryption and decryption library
libssl: SSL protocol implementation
openssl: multi-purpose command-line tool; each function is implemented by a dedicated sub-command

SSL: Secure Sockets Layer, which provides a mechanism for transmitting keys over the Internet. Its main objective is to ensure the confidentiality and reliability of communication data between two applications, and it is supported on both the server side and the client side. Mainstream versions: SSLv2, SSLv3 (common); both have since been deprecated in favour of TLS.

To build a private CA with OpenSSL:
1. Generate the private key
2. Generate the self-signed certificate

(1) When signing a certificate, the private key is used to add a digital signature to it;
(2) Certificate: each communicating party imports this certificate as a trusted certification authority

Configuration file: /etc/pki/tls/openssl.cnf

Working directory: /etc/pki/CA/


Steps to establish a private CA:
1. Generate the private key file /etc/pki/CA/private/cakey.pem (storage location)
# cd /etc/pki/CA
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2. Generate the self-signed certificate
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days N

-new: generate a new certificate signing request
-key: path of the private key file from which the public key is extracted
-days n: the certificate is valid for n days
-out: where to save the output file
-x509: output a self-signed certificate directly (normally only used when building a CA); without -x509 the output is a signing request
3. Provide the auxiliary files
To issue a certificate to a node:

1. The node requests a certificate. On the host requesting the certificate:
(1) Generate a private key
(2) Generate a certificate signing request
Note: the Subject information must match the CA's (the default policy requires the country, state and organization fields to match)
The Common Name must be the name the host actually uses in communication
(3) Send the request to the CA and let the CA sign it
2. The CA issues the certificate
(1) Verify the requester's information
(2) Sign the certificate
# openssl ca -in /path/from/csr_file -out /path/to/crt_file -days N
(3) Send the signed certificate back to the requester.

The following example builds the CA and issues a certificate for httpd:

# cd /etc/httpd/
# ls

# touch index.txt
# echo 01 > serial
(index.txt and serial are the CA's auxiliary files; with the default openssl.cnf they are expected under /etc/pki/CA)

# mkdir ssl && cd ssl
# (umask 077; openssl genrsa -out httpd.key 1024)   # generate the key
# ll

# openssl req -new -key httpd.key -out httpd.csr   # certificate signing request
-- enter the related information
-- press Enter twice to leave the optional password fields blank
# ll

# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/http.crt -days 3650   # sign the certificate directly

The section highlighted in red in the screenshot indicates that signing succeeded.

To revoke a certificate:
1. Obtain the serial number and subject of the certificate to be revoked

# openssl x509 -in /path/from/crt_file -noout -serial -subject
# openssl x509 -in /etc/httpd/ssl/http.crt -noout -serial -subject

2. Revoke the certificate: the CA compares the serial number and subject submitted by the certificate holder with its own index.txt to make sure they match
(1) Revoke the certificate
# openssl ca -revoke /path/from/crt_file
(2) Generate the revoked-certificate number file (first time only)
# echo 01 > /etc/pki/CA/crlnumber
(3) Update the certificate revocation list
# openssl ca -gencrl -out thisca.crl
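The whole procedure above (CA setup with its auxiliary files, node key and CSR, signing with openssl ca, revocation and CRL generation, plus a CRL-aware verification check) as one self-contained script. This is an added example, not the original post's commands: it uses a temporary directory and its own minimal ca.cnf in place of /etc/pki/CA and /etc/pki/tls/openssl.cnf, and the CA name "Example Private CA" is constructed.

```shell
set -eu
CA="$(mktemp -d)"   # stands in for /etc/pki/CA; everything below is self-contained
setup_ca() {
  mkdir -p "$CA/private" "$CA/newcerts"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"  # auxiliary files
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)   # CA private key
  openssl req -new -x509 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
    -days 3650 -subj "/CN=Example Private CA" -config "$CA/ca.cnf"            # self-signed cert
  openssl ca -batch -config "$CA/ca.cnf" -gencrl -out "$CA/thisca.crl" 2>/dev/null  # initial empty CRL
}
# $1 = node name: key -> CSR -> CA-signed cert, as with httpd.key / httpd.csr / http.crt
issue_cert() {
  (umask 077; openssl genrsa -out "$CA/$1.key" 2048 2>/dev/null)
  openssl req -new -key "$CA/$1.key" -out "$CA/$1.csr" -subj "/CN=$1" -config "$CA/ca.cnf"
  openssl ca -batch -config "$CA/ca.cnf" -in "$CA/$1.csr" -out "$CA/$1.crt" -days 365 2>/dev/null
}
# Revoke by certificate file, then regenerate the CRL so relying parties can see it
revoke_cert() {
  openssl ca -batch -config "$CA/ca.cnf" -revoke "$CA/$1.crt" 2>/dev/null
  openssl ca -batch -config "$CA/ca.cnf" -gencrl -out "$CA/thisca.crl" 2>/dev/null
}
# Succeeds only if the cert chains to cacert.pem and is not listed in the CRL
verify_cert() {
  openssl verify -CAfile "$CA/cacert.pem" -crl_check -CRLfile "$CA/thisca.crl" "$CA/$1.crt" >/dev/null 2>&1
}
```

A relying party that only checks the chain (openssl verify without -crl_check) would still accept the revoked certificate, which is why distributing the regenerated CRL matters as much as the revocation itself.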
