
Apache SSL single and two-way certificate authentication

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

If the target users (or systems) install your own CA root certificate, the effect is the same as a certificate signed by a public CA, and the cost of having a commercial CA sign the certificate is saved.

Here's how to create your own CA.

1. Preparatory work

First create two subdirectories under /etc/httpd/conf:

private

certificates

private holds the private keys and CSRs (described later), and certificates holds the certificates.

2. Create a CA private key

openssl genrsa -out private/ca.key.pem 2048

This command creates the private key in the file ca.key.pem.

The file itself is not meant to be read by a person. What matters is that the private key contains the RSA parameters from which the public key (modulus and public exponent) is derived, and that public key is what ends up in the certificate.

The .pem extension indicates that the private key is PEM-encoded. Private keys and certificates are usually stored in PEM, which is just a text encoding (Base64 with BEGIN/END markers) of the underlying binary DER structure; httpd reads this format directly. The content of a certificate or key is the same whichever encoding it is stored in, just as "Hello" is the same text whether it is encoded in UTF-8 or GBK; the only difference is whether the container is PEM or a PKCS#12 bundle (discussed below).

3. Create a CA signature request

openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=*.kyfxbl.net"

This generates the signing request file, ca.csr.

4. Issue your own CA root certificate

openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certificates/ca.cer

The generated ca.cer is the final root certificate. This file is very important: all subsequent server and client certificates are issued with this CA, and it is the file that is distributed to users to import into their browsers or systems. Two caveats: -extensions only takes effect together with -extfile naming the config file that defines the v3_ca section, so as written no CA extensions are added; and current browsers reject SHA-1 signatures, so -sha256 should be used in place of -sha1.

5. Convert the root certificate from PEM to PKCS#12 format

openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certificates/ca.cer -out certificates/ca.p12

The resulting ca.p12 is the CA root certificate in PKCS#12 form, for use where ca.cer cannot be imported directly. Note that because -inkey is given, ca.p12 also contains the CA private key, so it must never be the file handed out to users; they only need ca.cer.

6. Issue the server certificate

With the CA root certificate and private key in hand, you can start issuing the server certificate (ca.csr was only an intermediate file; once ca.cer exists it is no longer needed and can be deleted). The commands below are similar to those used to issue the CA certificate, but the parameters differ.

1. Create the server private key

openssl genrsa -out private/server.key.pem 2048

2. Create a server-side certificate issuance request

openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=www.kyfxbl.net"

The difference from ca.csr is the CN: here it is www.kyfxbl.net rather than *.kyfxbl.net, because this certificate is being requested for www.kyfxbl.net.

3. Use CA root certificate to issue server certificate

openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certificates/server.cer

The parameters here differ substantially from the self-signed CA step: instead of -signkey, the issuing CA certificate and key are given with -CA and -CAkey, and -CAserial/-CAcreateserial maintain the serial-number file ca.srl. The resulting server.cer is the server certificate.

7. Test one-way authentication

Next, open https://localhost in the browser, and the browser shows a certificate warning:

This is where the CN entered when creating the CSR comes into play. The certificate was issued for www.kyfxbl.net, but the address requested here is localhost, so the mismatch produces an error. To be able to access the site as www.kyfxbl.net, edit the /etc/hosts file:

127.0.0.1 localhost

192.168.1.102 www.kyfxbl.net

Now the site can be reached as www.kyfxbl.net; try again with https://www.kyfxbl.net/

The browser still shows a warning this time, but the message has changed:

The certificate information is as follows:

You can see that this certificate is issued by the CA *.kyfxbl.net. The browser does not know this CA, so it does not trust any certificate it issued. The next step is to import ca.cer into the browser. Importing server.cer directly would also work here, but if you later create another site, such as www2.kyfxbl.net, it would fail again. So the best approach is to import the CA root certificate itself, after which the browser trusts every certificate issued under it.

On the next visit the connection succeeds: the browser no longer warns, and a green check appears in front of the URL bar.

8. Configure two-way authentication

If you want the server to allow access only to legitimate users, you need to configure two-way authentication.

With two-way authentication, in addition to the server presenting its certificate to the client, the client must also present a client certificate to the server before access is allowed.

SSLCACertificateFile "/etc/httpd/conf/ca.cer"

SSLVerifyClient require

SSLVerifyDepth 10

Add these three directives on top of the one-way configuration.

SSLCACertificateFile tells httpd which CA root certificate to use to verify the client certificate that the client sends; SSLVerifyClient require rejects any connection without a valid client certificate; SSLVerifyDepth limits how long a chain from the client certificate up to that CA may be.

Do not restart httpd yet, because the client certificate is not ready.

Here's an explanation of where the client certificate comes from.

There are two ways:

First, the client also acts as its own CA and issues a certificate to itself. It then sends its CA root certificate to the server, which is configured as SSLCACertificateFile. This is basically impractical for Internet applications, where both security and management would be problems, but in enterprise applications it is quite common for the two parties to exchange CA root certificates.

Second, use the server's CA root certificate from above to issue a client certificate to the user, who then presents this certificate with every request. Banks, Alipay and similar services work this way.

In theory there is a third way: the user has a public CA sign their certificate. In practice this is not done, because it is troublesome and having a CA sign a certificate is expensive.

9. Issue the client certificate

1. Create the client private key

openssl genrsa -out private/client.key.pem 2048

2. Create a client certificate issuance request

openssl req -new -key private/client.key.pem -out private/client.csr -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=kyfxbl"

3. Use CA root certificate to issue client certificate.

openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/client.csr -out certificates/client.cer

This is essentially the same as issuing server.cer.

4. Convert the client certificate to p12 format

openssl pkcs12 -export -clcerts -inkey private/client.key.pem -in certificates/client.cer -out certificates/client.p12

This step is necessary because the client certificate will later be imported into the browser, and most browsers cannot import a PEM certificate together with its private key directly; the PKCS#12 file bundles both.
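The whole chain from sections 1 to 6 and section 9, as an added example that is not part of the original post: it rebuilds the CA, server and client certificates in a scratch directory, but with SHA-256 signatures and the extensions supplied through -extfile (including a subjectAltName, which browsers now match instead of the CN), and it exposes the same trust check that httpd's SSLCACertificateFile and the browser's trust store perform, so the section 7 warning can be reproduced as a failed verify. The scratch directory, the "kyfxbl root CA" name and the PKCS#12 password are assumptions of this example; the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): rebuilds the post's layout of
# private CA -> server cert -> client cert in a scratch directory, but signs
# with SHA-256 and supplies the extensions through -extfile, which is what
# current browsers and httpd expect. Assumes the openssl CLI is on PATH.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # hypothetical scratch directory
HOST="www.kyfxbl.net"                # hostname from the post
build_pki() {
    mkdir -p "$PKI_DIR/private" "$PKI_DIR/certificates"
    cd "$PKI_DIR"
    # 1. CA key and self-signed root; basicConstraints marks it as a CA.
    openssl genrsa -out private/ca.key.pem 2048 2>/dev/null
    openssl req -new -key private/ca.key.pem -out private/ca.csr \
        -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=kyfxbl root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -days 3650 -sha256 -extfile ca.ext -signkey private/ca.key.pem \
        -in private/ca.csr -out certificates/ca.cer 2>/dev/null
    # 2. Server cert: browsers match the hostname against subjectAltName, not CN.
    openssl genrsa -out private/server.key.pem 2048 2>/dev/null
    openssl req -new -key private/server.key.pem -out private/server.csr \
        -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=$HOST"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" >server.ext
    openssl x509 -req -days 3650 -sha256 -extfile server.ext -CA certificates/ca.cer \
        -CAkey private/ca.key.pem -CAcreateserial -in private/server.csr \
        -out certificates/server.cer 2>/dev/null
    # 3. Client cert from the same CA, then a PKCS#12 bundle for the browser.
    openssl genrsa -out private/client.key.pem 2048 2>/dev/null
    openssl req -new -key private/client.key.pem -out private/client.csr \
        -subj "/C=CN/ST=SZ/L=SZ/O=kyfxbl/OU=kyfxbl/CN=kyfxbl"
    printf 'extendedKeyUsage=clientAuth\n' >client.ext
    openssl x509 -req -days 3650 -sha256 -extfile client.ext -CA certificates/ca.cer \
        -CAkey private/ca.key.pem -CAcreateserial -in private/client.csr \
        -out certificates/client.cer 2>/dev/null
    openssl pkcs12 -export -clcerts -inkey private/client.key.pem -in certificates/client.cer \
        -out certificates/client.p12 -passout pass:changeit   # import password (constructed)
}

# The same check httpd runs against SSLCACertificateFile (and the browser against
# its trust store): does the cert chain to ca.cer and fit the purpose? 0 = trusted.
verify_cert() {   # $1 = certificate path, $2 = sslserver | sslclient
    openssl verify -CAfile "$PKI_DIR/certificates/ca.cer" -purpose "$2" "$1" >/dev/null 2>&1
}

# Does the server certificate actually name the host the browser will request?
server_cert_names_host() {
    openssl x509 -in "$PKI_DIR/certificates/server.cer" -noout -text | grep -q "DNS:$HOST"
}
```

Run build_pki once, then verify_cert on server.cer (sslserver) and client.cer (sslclient); a certificate issued by any other CA fails the same verify_cert call, which is exactly the untrusted-issuer warning seen in section 7.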

10. Test two-way authentication

Restart httpd and visit https://www.kyfxbl.net/ again. This time there is no warning but an outright error, because the server refuses the connection without a client certificate:

The next step is to import client.p12 into the browser

Before importing:

When importing, the password set at export time is required, which prevents someone who copies another user's client.p12 from using it to impersonate that user:

After import:

Visit again, and the browser asks you to select a certificate. This prompt is a normal part of visiting a site with two-way authentication, although it does not seem to appear on bank or Alipay sites. That is because those sites require users to install "security controls" to simplify the process, and the control selects the certificate automatically.

Click OK, and the visit succeeds.
