In cryptography, CA (Certificate Authority) refers to an organization trusted by multiple users, which can create and assign public key certificates.
For the sake of standardization, we will first introduce the terms that may be involved in this article,
Asypolicric cryptography: asymmetric cryptography (or public key encryption and public key encryption). A key involves a key pair consisting of a public key and a private key;
Key pair: a pair of public/private keys in asymmetric cryptography;
Private key: private key, which should only be known by the owner;
Public key: the public key that is disclosed to other users in the asymmetric encryption system;
Public key certificate: public key certificate, which is a user public key certificate signed by the certification authority using its own private key, including the user's public key and identity information, used to confirm the identity of the holder of the public key certificate;
CA: an authority that can issue public key certificates;
PKI: public key infrastructure );
Many websites involving electronic transactions or electronic transfers need to ensure that users are securely connected to their websites. To achieve this, these organizations need to issue their own public key certificates by internationally recognized CAS (such as VeriSign. These certificates are used to establish SSL connections or decrypt electronic signatures. The process of applying for a certificate must be verified by the CA. At the same time, the CA must pay a high fee for the certificate.
For scenarios that only build a VPN or intranet environment, such overhead and cycle are obviously unnecessary, therefore, in some specific environments, we only need to issue a public key certificate for ourselves. This article describes how to serve as your CA, that is, to "create" an experimental CA.
In this document, we use/etc/pki/CA as the root directory for saving the private key and public key certificate. For convenience, refer to the following section for the "certificate Root Directory ".
Our experimental environment is Ubuntu 14.04 LTS, but it should also be applicable to other Linux platforms. The operating system needs to install OpenSSL, and this part of the operation should be performed as a system administrator, therefore, the following command line uses the "#" identifier to start the header.
After OpenSSL is installed, the system will generate the openssl. cnf file under the/etc/ssl/Directory (different operating systems may be located in different directories). This file will be used later.
The secret and serial files are used to track key and certificate records:
# Mkdir/etc/pki/CA
# Cd/etc/pki/CA
# Mkdir certs crl newcerts private
# Chmod 700 private
# Touch index.txt
# Echo 1000> serial
The preceding command creates four new directories and two tracking documents under the root directory of the certificate. It is a good habit to change the permissions in a timely manner after the directory is created.
Here, the private/directory will store the CA root private key that we will create in the future. This private key must be strictly protected. Once this private key is disclosed, any person who obtains the private key can use it to create a certificate, so we will encrypt it in the following section.
At the same time, if you apply the operation described in this article to a small production or LAN environment, the ideal situation is to disconnect the network before generating the CA root private key in this directory, save the generated content to a storage medium that is not connected to the network, such as a USB flash disk. The generated content can be connected to the host only when necessary.
Next, we need to generate our own CA private key. The following command uses the AES-256 algorithm to encrypt the CA root private key and save it in private/ca. key. in the pem file, to avoid accidental modification, set the file to only readable by the administrator.
Because the encrypted CA private key is selected, you must enter a password when generating the private key. This password is used to decrypt and obtain the CA private key when using the CA root private key, therefore, the password should be input and properly saved by creating a CA private key.
# Openssl genrsa-aes256-out/etc/pki/CA/private/ca. key. pem 4096
Enter pass phrase for ca. key. pem:SECRET
Verifying-Enter pass phrase for ca. key. pem:SECRET
# Chmod 400/etc/pki/CA/private/ca. key. pem
Next, we use OpenSSL to create a public key certificate for ourselves. Assume that the certificate is saved as ca. cert. pem. First, we configure the public key certificate before it is created,
# Cd/etc/pki/CA # cp/etc/ssl/openssl. cnf root_CA.cnf # vim root_CA.cnf
The configuration items in the template must be modified to ensure that the following fields are set:
[CA_default]
Dir =/etc/pki/CA
Certs = $ dir/certs
Private = $ dir/private
Certificate = $ certs/ca. cert. pem
Private_key = $ private/ca. key. pem
[Usr_cert] # Extended basicConstraints = CA: FALSEkeyUsage = nonRepudiation, digitalSignature, signature = "OpenSSL Generated Certificate" subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid, issuer [v3_ca] # typical extensions of CA subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid: always, issuerbasicConstraints = CA: truekeyUsage = cRLSign, keyCertSign
Next, create a public key certificate,
# Cd/etc/pki/CA
# Openssl req-new-x509-days 3650-key private/ca. key. pem \
-Sha256-extensions v3_ca-out certs/ca. cert. pem \
-Config root_CA.cnf
The above command specifies that we want to issue a public key certificate for the CA root private key we created earlier, the certificate is valid for 10 years, using the SHA-256 algorithm to generate a message digest, in addition, because this is a CA certificate, you need to specify the v3_ca extension in the command. The specific configuration of this extension has been set in the root_CA.cnf file, and The-config option includes the configuration file.
After the command is executed, we must first enter the CA private key password set in the previous article, and declare some of our identity information:
Enter pass phrase for ca. key. pem: You are about to be asked to enter information that will be inreceivatedinto your certificate request. ----- Country Name (2 letter code) [XX]: CNState or Province Name (full name) []: BeijingLocality Name (eg, city) [Default City]: BeijingOrganization Name (eg, company) [Default Company Ltd]: Alice CAOrganizational Unit Name (eg, section) []: Certificate AuthorityCommon Name (eg, your name or your server's hostname) []: alice CAEmail Address []: [email protected]
After the information is entered, the generated public key certificate ca. cert. pem is imported to the certs/directory.
In this way, we have created a CA with the private key and public key certificate of the CA. Next, we can directly use this CA private key and certificate to sign and issue Customer certificates, you can also use the root private key and public key certificate to create an intermediate certification authority. The Intermediate certification authority is the proxy of our CA here, which can issue Customer certificates on behalf of the CA we just created. The advantage of creating an intermediate CA is that we don't use the CA root private key, but use the private key of the intermediate CA to issue the client certificate. The CA root private key is only used to issue the certificate revocation list of the intermediate CA, in this way, the CA root private key can be more properly protected.
The following article describes how to use the CA created in this article to create an intermediate CA and issue it a certificate;
You can also use the private key and certificate generated in this article to issue a user certificate.
Use OpenSSL to create your own CA root certificate