Use OpenSSL to create a private CA and sign a certificate


The OpenSSL toolkit is an implementation of the SSL v2/v3 and TLS v1 protocols on Linux, and it also provides commonly used encryption and decryption functions.

OpenSSL consists of three parts:

1. libcrypto: the cryptographic library, which implements the encryption and decryption primitives.

2. libssl: the library that implements SSL session handling.

3. The openssl command-line tool: /usr/bin/openssl

This document only describes how to use the openssl command to create a private CA, how to apply for a certificate, and how to sign a certificate.

A certificate mainly contains the owner's attributes, the owner's public key, and the CA's signature; its core is the owner's public key. Once the server has a certificate, it can send it to the client. The client checks and accepts the certificate before the SSL session with the server is established and the SSL connection is set up.

Since this is for lab purposes only, we will not apply for a certificate from a paid public CA. Instead we create a private CA and use it to issue a certificate to our own server for internal use.

 

Create a private CA: prerequisites

You can use OpenSSL to run your own CA. Before doing so, let's take a look at OpenSSL's configuration file, /etc/pki/tls/openssl.cnf:

The [ CA_default ] section defines the file paths and file names used by the self-built CA. The key items are as follows:

[ CA_default ]

dir = /etc/pki/CA # Where everything is kept

private_key = $dir/private/cakey.pem # The private key

# The private key file of the self-built CA is /etc/pki/CA/private/cakey.pem.

certificate = $dir/cacert.pem # The CA certificate

# The self-signed certificate file of the CA is /etc/pki/CA/cacert.pem.

A CA must itself hold a certificate in order to issue certificates to others. Since nobody issues a certificate to the CA, the CA issues one to itself: the so-called self-signed certificate.

database = $dir/index.txt # Database index file

# The database index file is /etc/pki/CA/index.txt.

serial = $dir/serial # The current serial number

# The serial number file is /etc/pki/CA/serial.

Therefore, when we use OpenSSL to create a private CA, the paths and file names we use must match the defaults in the configuration file; otherwise we must modify the configuration file to match.

 

Create a private CA: steps

# cd /etc/pki/CA/

1. Generate a private key for the CA

# (umask 077; openssl genrsa -out private/cakey.pem 2048)

The private key file must be readable only by its owner and by nobody else, that is, mode 600. This command generates the private key file and sets the permission in one step. (The parentheses run the commands in a subshell, so umask 077 applies only there and does not affect the current shell.)

2. Generate the CA's self-signed certificate

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
          ...   Country Name:   ...   (interactive prompts for the certificate fields)

Note: The identity fields entered for the CA's self-signed certificate (Country Name, State or Province Name, Organization Name) must match those of every certificate request this CA later signs; otherwise the CA will refuse to sign. This is fine because our private CA is only used internally.


3. Create the certificate database file

# touch index.txt

4. Create the serial number file, starting from 01.

# echo 01 > serial

At this point the self-built CA is ready and can start issuing certificates to other users.

 

Sign the certificate: 

On the host where the CA was created, after receiving someone's Certificate Signing Request, run the following command to sign it and produce the certificate file:

# openssl ca -in /path/to/certreq.csr -out /path/to/certfile.crt -days 365

After the CA signs a certificate, the certificate's record appears in the index.txt file and the number in the serial file is updated.

Now that we have a private CA, our server can apply for a certificate from it.

 

To apply for a certificate:

1. Generate your own private key:

# (umask 077; openssl genrsa -out /root/mykey2.pri 2048)

2. Create a Certificate Signing Request. (This step automatically extracts the public key from the private key and attaches your identity information.)

# openssl req -new -key /path/to/private_key -out /path/to/certificate.csr
          ...   Country Name:   ...   (interactive prompts for the certificate fields)

Remember this? As mentioned above, the Country Name, State and Organization fields must match the values entered when the private CA's self-signed certificate was created.

3. Send the Certificate Signing Request file to the host where the self-built CA runs (in the experiment this can be the same server). After the CA signs the request, it produces the certificate file, which you can then use.
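The whole workflow above (the [ CA_default ] paths, the four CA creation steps, signing with openssl ca, and the applicant's key and CSR) as one runnable script. This is an added example, not code from the original post: it builds the CA in a scratch directory instead of /etc/pki/CA, ships its own minimal openssl.cnf with the default-style policy_match section, and replaces the interactive prompts with -subj and -batch. The subject values (Zebra Lab, Beijing, www.lab.internal) are made up. It also shows the check the note above alludes to: a request whose Organization differs from the CA's is refused, and neither index.txt nor serial changes.

```shell
#!/bin/sh
# Added example (not from the original post): private CA in a scratch directory
# with its own openssl.cnf, CSR signing with "openssl ca", verification, and a
# policy_match refusal for a request from a different organization.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # stand-in for /etc/pki/CA (assumption)

# Directory layout, empty database, initial serial, and a minimal openssl.cnf.
make_ca_layout() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"          # certificate database (touch index.txt)
    echo 01 > "$CA_DIR/serial"       # first serial number (echo 01 > serial)
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

# Country, State and Organization in a request must equal the CA's own.
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 1-2: CA private key (owner-only via umask in a subshell), self-signed cert.
create_ca() {
    make_ca_layout
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" -days 365 \
        -subj "/C=CN/ST=Beijing/O=Zebra Lab/CN=Zebra Lab Private CA"
}

# Permission string of a file, e.g. "-rw-------" for mode 600.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Applicant side: own private key plus a CSR carrying the given subject.
make_request() {   # $1 key path, $2 csr path, $3 subject
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$1" -out "$2" -subj "$3"
}

# CA side: sign a CSR without prompts; the exit status is openssl ca's.
sign_request() {   # $1 csr path, $2 cert output path
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$1" -out "$2" -days 365 2>/dev/null
}

# Client-side check that the certificate chains to our CA.
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1; }

# Who signed it, how many valid ("V") entries index.txt holds, next serial.
cert_issuer()  { openssl x509 -noout -issuer -in "$1"; }
issued_count() { grep -c '^V' "$CA_DIR/index.txt" || true; }
next_serial()  { cat "$CA_DIR/serial"; }

demo() {
    create_ca
    make_request "$CA_DIR/server.key" "$CA_DIR/server.csr" "/C=CN/ST=Beijing/O=Zebra Lab/CN=www.lab.internal"
    sign_request "$CA_DIR/server.csr" "$CA_DIR/server.crt"
    verify_cert "$CA_DIR/server.crt"
    echo "server.crt verified; $(cert_issuer "$CA_DIR/server.crt")"
    # A request from another organization violates policy_match and is refused.
    make_request "$CA_DIR/other.key" "$CA_DIR/other.csr" "/C=CN/ST=Beijing/O=Other Org/CN=www.other.internal"
    sign_request "$CA_DIR/other.csr" "$CA_DIR/other.crt" && return 1
    echo "mismatched request refused; issued=$(issued_count) next serial=$(next_serial)"
}

if [ "${1:-}" = "--run" ]; then demo; fi
```

Run it as `sh ca_demo.sh --run`. The functions map one-to-one onto the commands in the post; the only additions are the config file (so the script does not touch the system CA directory) and the explicit -extensions v3_ca, which marks the CA certificate as a CA so that openssl verify accepts it as a trust anchor.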

 

This article is from the Zebra Linux blog. Please keep this source: http://zebralinux.blog.51cto.com/8627088/1540851
