When browsing the web you will sometimes run into sites whose certificate is not trusted, the 12306 (China Railway ticketing) site being a well-known example. This post looks at how such an untrusted site can be made trusted.
One, how to resolve an untrusted-website warning in Windows.
① Press F12 (in the QQ browser I used) to view the site's certificate, then export it.
② Open the exported certificate and click Install Certificate to start the import wizard.
③ In the wizard, choose to place the certificate in the Trusted Root Certification Authorities store. Note that any CA in that store can issue a certificate for any domain that this machine will then accept, so only import a root you actually trust, and confirm its fingerprint with the site operator before doing so.
④ On the next visit the browser no longer warns that the site is not trusted.
Second, certificates on CentOS and how to issue them.
Before issuing certificates on CentOS, look at the OpenSSL configuration file: /etc/pki/tls/openssl.cnf. Its [ CA_default ] section sets dir = /etc/pki/CA and derives the paths used below from it: database = $dir/index.txt, serial = $dir/serial, crlnumber = $dir/crlnumber, new_certs_dir = $dir/newcerts, certificate = $dir/cacert.pem and private_key = $dir/private/cakey.pem; it also sets policy = policy_match.
Experiment: simulate creating a CA and issuing certificates to a client.
Assumption: CentOS 7 is the server (the CA) and CentOS 6 is the client.
(1) The server creates a CA; the server itself is the CA.
The [ policy_match ] section of openssl.cnf defines three policies for the fields of a request: match, supplied and optional.
match means the field in the request must be identical to the corresponding field in the CA's own certificate; supplied means the field must be present in the request; optional means it may be left out.
① Create the required files
touch /etc/pki/CA/index.txt      generates the certificate index database (must be created, and with exactly this name, or openssl ca fails later)
echo 01 > /etc/pki/CA/serial     specifies the serial number of the first certificate to issue (must exist; the value is arbitrary, written as an even number of hex digits)
② The CA creates its own self-signed certificate.
First generate the CA's private key.
Command: (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Then the CA issues a certificate to itself.
Command: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
The options mean the following:
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request; used only when the CA creates its own certificate, not when issuing to a server
-key: the private key used to generate the request
-days N: validity period of the certificate in days
-out /path/to/somecertfile: where to save the certificate
(2) The CA issues a certificate to the client
The client generates a certificate signing request and sends it to the CA; the CA signs it and returns the issued certificate to the client.
① The client generates its private key.
② The client generates a certificate signing request.
③ The client sends the request to the CA server.
④ The CA server signs the certificate.
⑤ The CA sends the signed certificate back to the client.
⑥ View the certificate on the client.
Third, the steps to revoke a certificate.
① On the client, obtain the serial number of the certificate to be revoked
Command: openssl x509 -in test.crt -noout -serial -subject
② On the CA, check the serial and subject submitted by the client against the entries in the index.txt file; when they match, revoke the certificate.
Command: openssl ca -revoke /etc/pki/CA/newcerts/00.pem
(newcerts/ holds a copy of every issued certificate, named after its serial number; use the file whose serial matches the one printed in step ①.)
③ Specify the number of the first certificate revocation list
Command: echo 01 > /etc/pki/CA/crlnumber (the number is arbitrary)
④ Regenerate the certificate revocation list on the CA (the gencrl subcommand of openssl ca). A revocation only takes effect once a new CRL has been generated and distributed; a client that verifies the chain without checking the CRL will still accept the revoked certificate.
⑤ View the CRL, and the revoked certificate listed in it, on the physical host.
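The whole procedure from sections Two and Three, as one added example that is not part of the original post: it builds a throwaway CA in a temporary directory that mirrors the /etc/pki/CA layout (so it runs without root and without touching the system openssl.cnf), issues a certificate to a client, shows the policy_match rejection of a request whose organizationName differs from the CA's, then revokes the certificate, regenerates the CRL and verifies the certificate with and without CRL checking. The directory, subject names and the minimal config file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA mirroring the
# /etc/pki/CA layout in a temp dir; it issues, verifies and revokes a cert.
set -eu

CA_DIR="$(mktemp -d)"   # stands in for /etc/pki/CA; no root needed (assumption)
CA_CNF="$CA_DIR/openssl.cnf"
CA_SUBJ="/C=CN/ST=Beijing/O=Example Lab/CN=Example Lab Root CA"   # assumed names

setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    touch "$CA_DIR/index.txt"        # certificate database: must exist, exact name
    echo 01 > "$CA_DIR/serial"       # serial of the first issued cert (any hex value)
    echo 01 > "$CA_DIR/crlnumber"    # number of the first CRL
    # Minimal config with the sections openssl ca/req read from /etc/pki/tls/openssl.cnf
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
certificate      = $CA_DIR/cacert.pem
private_key      = $CA_DIR/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
default_md         = sha256
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # CA private key (owner-only, as the post's umask 066 does) and self-signed cert
    (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_CNF" -key "$CA_DIR/private/cakey.pem" \
        -subj "$CA_SUBJ" -days 7300 -out "$CA_DIR/cacert.pem"
}

# Client side: private key + CSR. CA side: sign it.  $1 = name, $2 = subject DN.
# Returns non-zero when openssl ca refuses the request (e.g. policy_match mismatch).
issue_cert() {
    (umask 066; openssl genrsa -out "$CA_DIR/private/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_CNF" -key "$CA_DIR/private/$1.key" \
        -subj "$2" -out "$CA_DIR/certs/$1.csr"
    openssl ca -batch -notext -config "$CA_CNF" \
        -in "$CA_DIR/certs/$1.csr" -out "$CA_DIR/certs/$1.crt"
}

# Chain check only; succeeds for a revoked cert because no CRL is consulted.
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" 2>&1 | grep -q ': OK$'; }
# Chain check plus CRL check against the CA's current CRL.
verify_cert_with_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
        -CRLfile "$CA_DIR/crl/crl.pem" "$1" 2>&1 | grep -q ': OK$'
}
gen_crl()     { openssl ca -config "$CA_CNF" -gencrl -out "$CA_DIR/crl/crl.pem"; }
revoke_cert() { openssl ca -config "$CA_CNF" -revoke "$1"; }

setup_ca
issue_cert client "/C=CN/ST=Beijing/O=Example Lab/CN=www.example.com"
openssl x509 -in "$CA_DIR/certs/client.crt" -noout -serial -subject   # revocation step ①

# policy_match: a request whose O differs from the CA certificate is refused
if issue_cert rogue "/C=CN/ST=Beijing/O=Other Org/CN=rogue.example.com" 2>/dev/null; then
    echo "BUG: policy_match did not reject the mismatched request"
else
    echo "policy_match rejected the request with a different organizationName"
fi

gen_crl                                   # empty CRL: the client cert is still good
verify_cert_with_crl "$CA_DIR/certs/client.crt" && echo "before revocation: OK"
revoke_cert "$CA_DIR/certs/client.crt"    # same content as newcerts/01.pem
gen_crl                                   # takes effect only once the CRL is regenerated
verify_cert "$CA_DIR/certs/client.crt" && echo "no CRL check: still OK, so the CRL must be published"
verify_cert_with_crl "$CA_DIR/certs/client.crt" || echo "with CRL check: certificate revoked"
```

After the run, index.txt carries the client's entry with status R instead of V, and the regenerated CRL lists serial 01; the last two lines show why step ④ and publishing the CRL matter, since a verifier that does not consult the CRL still accepts the revoked certificate.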
Revocation is complete; the CRL should then be published (for example on the CA's website) so that everyone can learn of it. That is all about certificates for now; the rest will be added when I get to it, and corrections are welcome.
Windows and CentOS certificates