Installing OpenSSL on Ubuntu

Source: Internet
Author: User
Tags: install, openssl

I. A brief introduction to OpenSSL

OpenSSL is a robust Secure Sockets Layer cryptographic library. It includes the main cryptographic algorithms, common functions for encapsulating and managing keys and certificates, and an implementation of the SSL/TLS protocols, and it ships a rich set of command-line applications for testing and other purposes.

SSL is an abbreviation of Secure Sockets Layer, a protocol that provides confidential transmission over the Internet. SSL protects the communication between client and server applications from being eavesdropped on by an attacker; it always authenticates the server and optionally authenticates the client. The SSL protocol must run on top of a reliable transport-layer protocol (TCP).


II. Install the required packages

Note that apt package names are case-sensitive, so they must be written in lower case:

$ sudo apt-get install apache2       # install Apache

$ sudo apt-get install openssl       # install OpenSSL

$ sudo apt-get install libssl-dev    # install the OpenSSL development library

$ sudo apt-get install bless         # the bless hex editor is used as an editor later; install it in advance


III. A brief walk-through of openssl.cnf

In the [ req_distinguished_name ] section each field has a prompt string, and the matching <field>_default key supplies the value offered at the prompt, while <field>_min and <field>_max bound its length.

$ vi /usr/lib/ssl/openssl.cnf

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)          # country name, 2-letter code
countryName_default             = CN                                    # China is CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)    # state or province name
stateOrProvinceName_default     = Beijing

localityName                    = Locality Name (eg, city)              # city name
localityName_default            = beijing

0.organizationName              = Organization Name (eg, company)       # organization (company) name
0.organizationName_default      = Beijing www Company

organizationalUnitName          = Organizational Unit Name (eg, section) # organizational unit (department) name
organizationalUnitName_default  = www

commonName                      = Common Name (e.g. server FQDN or YOUR name) # server domain name
commonName_default              = www.baidu.com
commonName_max                  = 64

emailAddress                    = Email Address                         # e-mail address
emailAddress_default            = [email protected]
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password                  # challenge password
challengePassword_min           = 4
challengePassword_max           = 20


IV. Become a certificate authority (CA) and generate the CA's certificate

① Copy openssl.cnf into the current directory and create the subfolders that the configuration file expects


$ sudo ln /usr/lib/ssl/openssl.cnf .

$ mkdir demoCA

$ cd demoCA

$ mkdir certs crl newcerts

$ touch index.txt serial    # index.txt stays empty;
                            # serial must contain a number written as a string (e.g. 1111)


With these in place, you are ready to create and issue certificates. The stock [ CA_default ] section sets dir = ./demoCA, so the openssl ca command in section V must be run from the directory that contains both openssl.cnf and the demoCA folder, that is, the parent of demoCA.


② Generate a self-signed certificate for our own CA. This means the CA is trusted as a root, and its certificate serves as the root certificate.

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Note: be sure to remember the passphrase you entered. The command writes two files: ca.key, which holds the CA's private key, and ca.crt, which holds its public-key certificate.


V. Generate a certificate for a customer

Now that we are a root CA, we can sign a digital certificate for a customer; in this example the customer is www.baidu.com.

① Generate the public/private key pair

$ openssl genrsa -des3 -out server.key 1024

Note: a passphrase is required to protect the key; the key is saved in the file server.key.


② Generate a certificate signing request. Once the company has a key file, it generates a certificate signing request (CSR). The CSR is sent to the CA, which issues a certificate for it (usually after confirming that the identity information in the CSR matches the requester).

$ openssl req -new -key server.key -out server.csr -config openssl.cnf

Note: remember what you entered at the prompts.


③ Generate the certificate. A CSR needs a CA's signature to become a certificate (in the real world, CSRs are sent to a trusted CA for signing). Supply the CA's key and certificate and use our own CA to issue the certificate. With the stock openssl.cnf, [ CA_default ] uses policy = policy_match, which requires the countryName, stateOrProvinceName and organizationName in the CSR to match those in the CA certificate, so accept the same defaults from section III for both the CA and the server request.

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
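The procedure of sections IV and V scripted end to end, as an added example that is not code from the original post: it writes a small constructed openssl.cnf instead of using the system one, uses unencrypted 2048-bit keys so no passphrase prompts are needed, and ends with the openssl verify check a practitioner would run before trusting the result. make_demo_pki and its DIR/CN arguments are this example's own names.

```shell
# Added example, not code from the original post: builds the demoCA layout the
# post sets up by hand, issues a server certificate with it and verifies the
# chain. A small constructed openssl.cnf is written so it runs from any scratch
# directory; keys are left unencrypted (no -des3) to avoid passphrase prompts.
set -e

# make_demo_pki DIR CN: writes ca.key, ca.crt, server.key, server.crt under DIR
# and prints "ok" when server.crt verifies against ca.crt and carries CN.
make_demo_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir/demoCA/certs" "$dir/demoCA/crl" "$dir/demoCA/newcerts"
    : > "$dir/demoCA/index.txt"       # the database file starts empty
    echo 1000 > "$dir/demoCA/serial"  # serial must hold a hex number
    cat > "$dir/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # openssl ca resolves ./demoCA against the working directory, so everything
    # runs from DIR, the parent of demoCA, as in section IV of the post.
    ( cd "$dir"
      openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" -days 365 -config openssl.cnf >/dev/null 2>&1
      openssl genrsa -out server.key 2048 >/dev/null 2>&1
      openssl req -new -key server.key -out server.csr -subj "/CN=$cn" -config openssl.cnf >/dev/null 2>&1
      openssl ca -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf >/dev/null 2>&1
      openssl verify -CAfile ca.crt server.crt >/dev/null
      openssl x509 -in server.crt -noout -subject -nameopt RFC2253 | grep -q "CN=$cn\$" && echo ok )
}
```

Run it as make_demo_pki /tmp/pki www.baidu.com; it prints ok only when server.crt chains to ca.crt and carries the requested common name.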



VI. Using the PKI in a web site

① Point the host name at the local machine:

$ sudo vi /etc/hosts

127.0.0.1 www.baidu.com


② Start a simple web server that uses the certificate generated above

$ cp server.key server.pem

$ cat server.crt >> server.pem            # combine the key and the certificate into one file

$ openssl s_server -cert server.pem -www  # start the server with server.pem



③ By default, the server listens on port 4433. Open https://www.baidu.com:4433 in the browser.

Note: the browser reports this connection as untrusted because our CA is self-signed; this would not happen with a certificate issued by a CA that the browser already trusts, such as VeriSign.


You can configure Firefox to accept our self-signed CA (other browsers are similar) as follows:

Menu -> Preferences -> Advanced -> Certificates -> View Certificates (certificate manager) -> Import -> go to the directory where you configured OpenSSL and select ca.crt -> Open (downloading the certificate) -> tick "Trust this CA to identify websites" -> OK, then reload the site


