The Linux OpenSSL tool creates a private CA

Source: Internet
Author: User
Tags: cast5, decrypt, openssl, openssl enc, openssl x509

    • Certificate creation depends on the encryption algorithm, see

    • Preface: as networks have grown, the fact that HTTP carries data between the two parties in cleartext has made it easy for another host on the network to eavesdrop on or tamper with that data; HTTP itself provides no security protection. To ensure the confidentiality and integrity of data, SSL was introduced.

    • SSL: Secure Sockets Layer

      • It can be thought of as a "half layer" sitting between the transport layer and the application layer that encrypts and decrypts data.

      • It is a protocol for exchanging information securely between a web browser and a web server, providing two basic security services: authentication and confidentiality.

      • For more details, please see Http://

  • OpenSSL: an open-source implementation of SSL, consisting of three parts:

    • libcrypto: the library used for encryption and decryption
    • libssl: the implementation of the SSL protocol
    • openssl: a multi-purpose command-line tool; each function is performed by a dedicated subcommand
    • Standard commands:

          asn1parse  ca         ciphers    cms
          crl        crl2pkcs7  dgst       dh
          dhparam    dsa        dsaparam   ec
          ecparam    enc        engine     errstr
          gendh      gendsa     genpkey    genrsa
          nseq       ocsp       passwd     pkcs12
          pkcs7      pkcs8      pkey       pkeyparam
          pkeyutl    prime      rand       req
          rsa        rsautl     s_client   s_server
          s_time     sess_id    smime      speed
          spkac      ts         verify     version
          x509

    • Message digest commands (see the 'dgst' command for more details): one-way hash algorithms

          md2        md4        md5        rmd160
          sha        sha1

    • Cipher commands (see the 'enc' command for more details): encryption and decryption (partial list)

          aes-128-cbc  aes-128-ecb  aes-192-cbc  aes-192-ecb
          aes-256-cbc  aes-256-ecb  base64       bf
          des-ofb      des3         desx         idea
          rc2          rc2-40-cbc   rc2-64-cbc   rc2-cbc
          rc4-40       seed         seed-cbc     seed-cfb
          seed-ecb     seed-ofb     zlib

      • For example, symmetric encryption and decryption of a file (the same key is used for both):

            # openssl enc -e -des3 -a -salt -in fstab -out fstab.des3   # encrypt the file
            # openssl enc -d -des3 -a -salt -in fstab.des3 -out fsta    # decrypt the file

      • Key-pair generation procedure:

        • Generate the private key:

              # openssl genrsa -out testkey 2048

        • A private key should be readable and writable only by its owner, so its permissions must be changed afterwards:

              # chmod 600 testkey   # owner read/write only

        • Equivalently, the key can be created with the right permissions in one step:

              # (umask 077; openssl genrsa -out testkey 2048)

          The parentheses cannot be omitted: they run the commands in a child shell, so the umask change does not affect the current shell.

      • Certificate directory: /etc/pki/CA

            # tree CA
            CA
            ├── certs      # where issued certificate files are stored
            ├── crl        # where certificate revocation lists are stored
            ├── newcerts   # where newly created certificates are placed
            └── private    # where the CA private key is stored

To create a private CA using OpenSSL:

    • Generate the private key

      • The CA will later use this private key to sign certificates, which adds its digital signature to each certificate.

      (screenshot in the original post)

    • Generate a certificate signing request and self-sign the certificate

      • Each communicating party imports this self-signed certificate as a trusted certification authority.

      (screenshot in the original post)

      Options used:

      -new: generate a new certificate signing request
      -key: path of the private key file; the public key is extracted from it
      -days #: validity period of the certificate, in days
      -out: where to save the output file (the certificate)
      -x509: output a self-signed certificate directly, normally used only when building a CA

This completes the CA build. Each communicating party can now request a certificate from this CA.

For more details, refer to the /etc/pki/tls/openssl.cnf file (the auxiliary files it references need to be created first, as below).

Provide the necessary auxiliary files

    (screenshot in the original post)

  • Issue a certificate to a node

    • The node initiates a certificate request:

      • Generate a private key

      • Generate a certificate signing request

        (screenshot in the original post)

      • Send the request file to the CA by some means

    • The CA issues the certificate:

      • Verify the requester's information

      • Sign the certificate directly

(screenshot in the original post) Note: this is deliberately a failing example. The signature itself is OK; the problem is that the requester's region information does not match the CA's.

The error originates in the step that builds the certificate signing request; the corrected procedure is as follows:

(screenshots in the original post)

At this point, the certificate has been signed! Doesn't the output look satisfying ~
You will see the auxiliary files change as follows:

(screenshot in the original post)

  • Send the signed certificate back to the requester

  • Revoking a certificate:

    • Obtain the serial number of the certificate to be revoked:

          # openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject

    • Revoke the certificate on the CA

    • Generate the CRL number file (needed before the first CRL is produced):

          # echo > /etc/pki/CA/crlnum

    • Update the certificate revocation list:

          # openssl ca -gencrl -out thisca.crl
That's it.

This article is from the "Ops Dog" blog; please keep this source when reproducing it.
