2025-04-15 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
The overall steps for building a private CA with OpenSSL:
1. Generate the root CA, then generate an intermediate CA that is signed by the root CA. Best practice is not to sign end-entity certificates with the root CA directly but with the intermediate CA. The root CA key should be generated and kept on an isolated (offline) machine so that its private key cannot be compromised.
1.1. Prepare the root CA directory, which holds the private key and the certificate
# mkdir /root/ca
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
index.txt and serial form the CA's database: index.txt records every certificate that has been signed (and its status), and serial holds the next serial number to issue.
1.2. openssl ca needs a configuration file. Save it as /root/ca/openssl.cnf; the template used here is https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html
1.3. Create the root CA private key: 4096 bits, with the key file encrypted using AES-256
# cd /root/ca
# openssl genrsa -aes256 -out private/ca.key.pem 4096
-you will be prompted for a passphrase-
# chmod 400 private/ca.key.pem
1.4. Create the root CA certificate from the private key, with a long validity period (e.g. 20 years)
# cd /root/ca
# openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
-you will be prompted for the subject fields-
# chmod 444 certs/ca.cert.pem
Use -config to point at the template downloaded earlier; otherwise OpenSSL falls back to the default configuration (on this system /etc/pki/tls/openssl.cnf), whose v3_ca section may not be what you want.
1.5. Verify that the generated certificate is what we want
# openssl x509 -noout -text -in certs/ca.cert.pem
Check that Issuer and Subject are identical (it is self-signed), that the validity period is as requested, and that the X509v3 extensions show CA:TRUE with keyCertSign and cRLSign in Key Usage.
2. Generate the intermediate pair. The intermediate CA signs certificates for third parties on behalf of the root CA, and the root CA signs the intermediate CA; together this forms a chain of trust.
2.1. Prepare the directory
# mkdir /root/ca/intermediate
# cd /root/ca/intermediate
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
Compared with the root CA there is one extra directory, csr, which holds certificate signing requests.
# echo 1000 > /root/ca/intermediate/crlnumber
The crlnumber file tracks the number of the next certificate revocation list.
2.2. Prepare the configuration file /root/ca/intermediate/openssl.cnf; the template is https://jamielinux.com/docs/openssl-certificate-authority/appendix/intermediate-configuration-file.html
Five options need to be changed:
[ CA_default ]
dir = /root/ca/intermediate
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
crl = $dir/crl/intermediate.crl.pem
policy = policy_loose
The root CA uses policy_strict, which requires the country, state and organisation fields of a request to match the CA's own, because the root only signs the intermediate. The intermediate uses policy_loose, which relaxes those requirements so it can sign certificates for other organisations.
2.3. Create the intermediate private key, with the same command as for the root CA
# cd /root/ca
# openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
-you will be prompted for a passphrase-
# chmod 400 intermediate/private/intermediate.key.pem
Use the intermediate private key to create a certificate signing request (CSR)
# cd /root/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem
-you will be prompted for the subject fields; keep them consistent with the root CA except for the Common Name, which must be different-
Note that the CSR above is created with the intermediate configuration file. The signing step below uses the root CA configuration file, because it is the root CA that signs: with the v3_intermediate_ca extension it signs the CSR and produces the intermediate certificate:
# cd /root/ca
# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
# chmod 444 intermediate/certs/intermediate.cert.pem
After the command completes, index.txt in the directory where openssl ca was run (/root/ca) gains a line like the following (the fields are tab separated; do not delete it):
V    250408122707Z        1000    unknown    /CN=Alice Ltd Intermediate CA
2.5. Verify that the details of the certificate are correct:
# openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem
Then verify that the intermediate certificate is correctly signed by the root CA:
# openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem
Create a certificate chain file. Applications use it to build the path from a leaf certificate up to a trusted root: for example, a browser that trusts the root CA still needs the intermediate certificate to confirm that a server certificate issued by the intermediate ultimately comes from the root CA.
# cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
# chmod 444 intermediate/certs/ca-chain.cert.pem
The chain file includes the root certificate because clients do not know about it yet. The alternative is to install the root certificate on every internal client; the chain file then only needs to contain the intermediate certificate.
3. Use the intermediate CA to sign ordinary server and client certificates. If a third party wants a certificate from you, they only need to hand you a CSR, which you sign. The following walks through the whole process from the internal side.
Create the server private key. Although the root and intermediate keys are 4096 bits, 2048 bits is the usual choice for server and client keys, to reduce the cost of the TLS handshake.
# cd /root/ca
# openssl genrsa -aes256 \
      -out intermediate/private/www.example.com.key.pem 2048
# chmod 400 intermediate/private/www.example.com.key.pem
If you use Apache, a passphrase-protected key has to be entered every time the server starts; if you don't want that, leave out -aes256 (and rely on file permissions to protect the key).
Use the private key to generate a CSR (roughly speaking, an unsigned certificate that carries the public key and the requested subject)
# cd /root/ca
# openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.example.com.key.pem \
      -new -sha256 -out intermediate/csr/www.example.com.csr.pem
(-config intermediate/openssl.cnf here only supplies the req defaults, such as the distinguished_name prompts; the CSR is built from the server's own key, not the intermediate's key.)
-you will be prompted for the subject fields. They do not have to match the intermediate, but the Common Name must be the full domain name of the website; for a client certificate, fill in the email address as well.-
Use the intermediate CA to sign the server or client CSR and produce the signed certificate, usually valid for about one year
# cd /root/ca
# openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem
# chmod 444 intermediate/certs/www.example.com.cert.pem
To sign a client certificate instead, change the extension to -extensions usr_cert
Finally, a line like the following is appended to intermediate/index.txt:
V    160420124233Z        1000    unknown    /CN=www.example.com
3.4. Verify that the generated certificate is correct
# openssl x509 -noout -text \
      -in intermediate/certs/www.example.com.cert.pem
3.5. Verify the certificate against the chain file created for the intermediate earlier
# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.example.com.cert.pem
3.6. Deploy the certificate. Assuming Apache, the following files are needed:
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem
If you are signing for a third party, you only need to give them ca-chain.cert.pem and
www.example.com.cert.pem: the private key never left their side, because they generated the CSR themselves.
4. Certificate revocation lists (CRLs) let client programs (e.g. IE) check whether a certificate has been revoked, and a server can use a CRL to reject clients that present revoked certificates. The Online Certificate Status Protocol (OCSP) is the newer mechanism and is what this article covers; in practice CRLs are still widely used alongside it.
The OCSP responder address is usually embedded in the certificate, in the Authority Information Access extension.
OCSP configuration is set in the intermediate CA configuration file, in the extension section used for the certificates the intermediate signs, because the intermediate CA is the issuer whose status is being queried:
[ server_cert ]
# ... snipped ...
authorityInfoAccess = OCSP;URI:http://ocsp.example.com
Create an OCSP key pair. The OCSP responder signs its responses with this key pair, and the responder certificate must be issued by the same CA that issued the certificates it reports on.
Generate the private key:
# cd /root/ca
# openssl genrsa -aes256 \
      -out intermediate/private/ocsp.example.com.key.pem 4096
Generate a CSR from the private key:
# cd /root/ca
# openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/ocsp.example.com.key.pem \
      -out intermediate/csr/ocsp.example.com.csr.pem
-you will be prompted for the subject fields. It is best to use the same values as the signing CA; the Common Name is a fully qualified domain name.-
Sign the CSR with the intermediate CA:
# openssl ca -config intermediate/openssl.cnf \
      -extensions ocsp -days 375 -notext -md sha256 \
      -in intermediate/csr/ocsp.example.com.csr.pem \
      -out intermediate/certs/ocsp.example.com.cert.pem
Verify that the generated certificate carries the correct X509v3 extensions (it should be CA:FALSE with the OCSP Signing extended key usage):
# openssl x509 -noout -text \
      -in intermediate/certs/ocsp.example.com.cert.pem
Revoking a certificate. In this test environment OpenSSL's ocsp tool serves as the OCSP responder; for production use a dedicated OCSP responder product.
Create a server certificate to test with
# cd /root/ca
# openssl genrsa -out intermediate/private/test.example.com.key.pem 2048
# openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/test.example.com.key.pem \
      -new -sha256 -out intermediate/csr/test.example.com.csr.pem
(As before, the intermediate configuration file only supplies the req defaults; the CSR is built from the server's own key.)
# openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/test.example.com.csr.pem \
      -out intermediate/certs/test.example.com.cert.pem
Run the OCSP responder locally. It normally runs alongside the intermediate CA, because it reads the intermediate's index.txt directly; responses are signed with the OCSP key pair (the -rkey and -rsigner options):
# openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
      -index intermediate/index.txt \
      -CA intermediate/certs/ca-chain.cert.pem \
      -rkey intermediate/private/ocsp.example.com.key.pem \
      -rsigner intermediate/certs/ocsp.example.com.cert.pem \
      -nrequest 1
In another window, send a query to the OCSP responder; -cert names the certificate to check:
# openssl ocsp -CAfile intermediate/certs/ca-chain.cert.pem \
      -url http://127.0.0.1:2560 -resp_text \
      -issuer intermediate/certs/intermediate.cert.pem \
      -cert intermediate/certs/test.example.com.cert.pem
-the output is long. OCSP Response Status shows whether the request was answered successfully, Responder Id identifies the responder, and Cert Status shows the revocation status (good, revoked or unknown).-
Revoke the certificate; the CA that issued it is the one that revokes it:
# openssl ca -config intermediate/openssl.cnf \
      -revoke intermediate/certs/test.example.com.cert.pem
Start the responder again (with -nrequest 1 it exits after a single request) and query again; Cert Status now shows revoked.
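The procedure of sections 1 through 4 as one runnable script, added here as an example; it is not code from the article or from the jamielinux guide it follows. It assumes the openssl command-line tool is installed and a writable temporary directory. It replaces openssl ca with openssl x509 -req signing and an inline extension file (so the linked configuration templates are not needed), writes by hand the index.txt row that openssl ca -revoke would produce, and answers the OCSP request offline with -reqin/-respout instead of the -port/-url pair shown above. The subjects, file names, serials and timestamps in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's code): replays sections 1-3 and 4 with
# "openssl req -x509" / "openssl x509 -req" instead of "openssl ca" and answers
# OCSP offline from a hand-written index.txt row. Keys carry no passphrase so
# the script runs unattended; keep -aes256 on real CA keys. Names, paths and
# timestamps are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed writable)
write_config() {   # minimal req config plus the extension profiles we sign with
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid:always
[ ocsp ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
authorityKeyIdentifier = keyid:always
EOF
}

# issue NAME CN BITS ISSUER EXTSECTION DAYS: new key, CSR, certificate signed by ISSUER
issue() {
  openssl genrsa -out "$WORK/$1.key.pem" "$3" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -new -sha256 -key "$WORK/$1.key.pem" \
    -subj "/CN=$2" -out "$WORK/$1.csr.pem"
  openssl x509 -req -in "$WORK/$1.csr.pem" -CA "$WORK/$4.cert.pem" \
    -CAkey "$WORK/$4.key.pem" -CAcreateserial -days "$6" -sha256 \
    -extfile "$WORK/ca.cnf" -extensions "$5" -out "$WORK/$1.cert.pem" 2>/dev/null
}

build_pki() {
  write_config
  openssl genrsa -out "$WORK/root.key.pem" 4096 2>/dev/null     # 1.3
  openssl req -config "$WORK/ca.cnf" -key "$WORK/root.key.pem" -new -x509 \
    -days 7300 -sha256 -extensions v3_ca -subj "/CN=Example Root CA" \
    -out "$WORK/root.cert.pem"                                   # 1.4
  issue intermediate "Example Intermediate CA" 4096 root v3_intermediate_ca 3650
  issue www.example.com www.example.com 2048 intermediate server_cert 375
  issue ocsp.example.com ocsp.example.com 2048 intermediate ocsp 375
  cat "$WORK/intermediate.cert.pem" "$WORK/root.cert.pem" > "$WORK/ca-chain.cert.pem"
}

verify_with_chain() {   # section 3.5
  openssl verify -CAfile "$WORK/ca-chain.cert.pem" "$WORK/www.example.com.cert.pem" >/dev/null 2>&1
}
verify_root_only_fails() {   # without the intermediate the leaf cannot be chained
  ! openssl verify -CAfile "$WORK/root.cert.pem" "$WORK/www.example.com.cert.pem" >/dev/null 2>&1
}
intermediate_has_pathlen0() {   # the intermediate may issue leaves, not further CAs
  openssl x509 -noout -text -in "$WORK/intermediate.cert.pem" | grep -q 'pathlen:0'
}

# Write the index.txt row "openssl ca" keeps for the server cert: status (V valid,
# R revoked), expiry, revocation time (R only), serial, file name, subject.
write_index() {
  serial=$(openssl x509 -noout -serial -in "$WORK/www.example.com.cert.pem" | cut -d= -f2)
  rev=; [ "$1" = R ] && rev=250101120000Z
  printf '%s\t260101120000Z\t%s\t%s\tunknown\t/CN=www.example.com\n' \
    "$1" "$rev" "$serial" > "$WORK/index.txt"
}

# Offline OCSP round trip: build a request for the server cert, answer it from
# index.txt with the delegated signer, verify the response against the chain
# and print the reported status (good / revoked / unknown).
ocsp_status() {
  openssl ocsp -issuer "$WORK/intermediate.cert.pem" -cert "$WORK/www.example.com.cert.pem" \
    -no_nonce -reqout "$WORK/req.der" >/dev/null 2>&1
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/intermediate.cert.pem" \
    -rsigner "$WORK/ocsp.example.com.cert.pem" -rkey "$WORK/ocsp.example.com.key.pem" \
    -reqin "$WORK/req.der" -respout "$WORK/resp.der" -noverify >/dev/null 2>&1
  out=$(openssl ocsp -respin "$WORK/resp.der" -CAfile "$WORK/ca-chain.cert.pem" -no_nonce \
    -issuer "$WORK/intermediate.cert.pem" -cert "$WORK/www.example.com.cert.pem" -resp_text 2>&1)
  echo "$out" | grep -q 'Response verify OK' || return 1   # signer chain + OCSPSigning EKU
  echo "$out" | sed -n 's/.*Cert Status: //p' | head -1
}
build_pki
verify_with_chain         || { echo "leaf does not verify against ca-chain"; exit 1; }
verify_root_only_fails    || { echo "leaf verified against the root alone"; exit 1; }
intermediate_has_pathlen0 || { echo "intermediate lacks pathlen:0"; exit 1; }
write_index V; s=$(ocsp_status); echo "before revocation: $s"
write_index R; s=$(ocsp_status); echo "after revocation:  $s"   # what "openssl ca -revoke" causes
echo "artifacts left in $WORK"
```

Run it with sh; it leaves all keys and certificates in the scratch directory it names at the end. Two points worth noting from the checks: verifying with -CAfile ca-chain.cert.pem makes the intermediate a trust anchor as well as the root, so the stricter form is openssl verify -CAfile root.cert.pem -untrusted intermediate.cert.pem, which trusts only the root and uses the intermediate purely for path building; and the delegated OCSP signer is accepted by the client only because it was issued by the same intermediate and carries the OCSPSigning extended key usage, which is why the article signs the responder certificate with the ocsp extension section.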