What does installing OpenSSL on Ubuntu mean?

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains what installing OpenSSL on Ubuntu involves. The content is detailed, and we hope it is helpful to anyone interested.

1. A brief introduction to OpenSSL

OpenSSL is a powerful Secure Sockets Layer cryptographic library that includes the major cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and provides a rich set of applications for testing or other purposes.

SSL stands for Secure Sockets Layer and provides confidential transmission over the Internet. SSL keeps communication between user and server applications from being eavesdropped on by attackers, always authenticates the server, and can optionally authenticate the user. The SSL protocol runs on top of a reliable transport-layer protocol (TCP).

2. Install the corresponding software package

$ sudo apt-get install apache2      ## install Apache
$ sudo apt-get install openssl      ## install openssl
$ sudo apt-get install libssl-dev   ## install the openssl development library
$ sudo apt-get install bless        ## the bless hexadecimal editor is used as the editor and needs to be pre-installed

3. Simple interpretation of openssl.cnf

$ vi /usr/lib/ssl/openssl.cnf

[ req_distinguished_name ]
countryName = Country Name (2 letter code)                ## country name
countryName_default = CN                                  ## China is CN
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)  ## the name of the state or province
stateOrProvinceName_default = beijing

localityName = Locality Name (eg, city)                   ## local city name
localityName_default = beijing

0.organizationName = Organization Name (eg, company)      ## organization (company) name
0.organizationName_default = beijing www company

organizationalUnitName = Organizational Unit Name (eg, section)  ## organizational unit (department) name
organizationalUnitName_default = www

commonName = Common Name (e.g. server FQDN or YOUR name)  ## server domain name
commonName = www.baidu.com
commonName_max = 64

# emailAddress = Email Address                            ## email address
emailAddress = admin@baidu.com
emailAddress_max = 64

# SET-ex3 = SET extension number 3

[ req_attributes ]
# challengePassword = A challenge password                ## change password
challengePassword =
challengePassword_min = 4
challengePassword_max = 20

4. Become a digital certificate authority (CA) and generate a certificate for the CA

① Copy the openssl.cnf configuration file to the current directory and create the subfolders specified in the configuration file

$ sudo ln /usr/lib/ssl/openssl.cnf .
$ mkdir demoCA
$ cd demoCA
$ mkdir certs crl newcerts
$ touch index.txt serial
## index.txt is empty;
## serial must be written and is a number in string format (for example, 1111)

With these set up, you are now ready to create and publish certificates

② Generate a self-signed certificate for our own CA, which means that this authority is trusted and its certificate is used as the root certificate

$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Note: be sure to remember the password you entered. The command stores its output in two files, ca.key and ca.crt. The file ca.key contains the private key of the CA, while ca.crt contains the public key certificate.

5. Generate certificates for customers

Now that we are a root CA, we can sign digital certificates for our customers. The customer is www.baidu.com.

① Generate a public/private key pair

$ openssl genrsa -des3 -out server.key 1024

Note: you need to provide a password to protect your key; the key will be saved in the server.key file.

② Generate a certificate signing request. Once the company has a key file, it should generate a certificate signing request (CSR). The CSR is sent to the CA, and the CA generates a certificate for the request (usually after confirming that the identity information in the CSR matches).

$ openssl req -new -key server.key -out server.csr -config openssl.cnf

Note: please remember your input.

③ Generate a certificate. The CSR file needs a CA signature to become a certificate (in the real world, CSR files are usually sent to a trusted CA for signing). Supply the CA's key and use our own CA to generate the certificate:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
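
Before serving server.crt it is worth confirming that it really chains to ca.crt, that it matches server.key, and how large its key is. The script below is an added example, not part of the original article: it builds a throwaway CA and server certificate in a temporary directory (constructed subjects, no passphrases, hypothetical function names) and runs those three checks, reporting RSA keys shorter than 2048 bits as weak.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks for a certificate issued
# by a private CA. File names follow the article; the subjects, directories and
# function names are constructed for this demo.

# Build a throwaway CA and server certificate without prompts or passphrases.
make_demo_pki() {            # $1 = output directory, $2 = server key bits
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/O=Constructed Demo CA/CN=demo-root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=www.example.test" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to the given CA certificate.
chain_ok() {                 # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {         # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the public key size in bits as recorded in the certificate.
cert_key_bits() {            # $1 = certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Run all three checks; RSA keys below 2048 bits are reported as weak.
check_issued() {             # $1 = directory with ca.crt, server.key, server.crt
    rc=0
    chain_ok "$1/ca.crt" "$1/server.crt" || { echo "FAIL: not signed by ca.crt"; rc=1; }
    key_matches_cert "$1/server.key" "$1/server.crt" || { echo "FAIL: key/cert mismatch"; rc=1; }
    bits=$(cert_key_bits "$1/server.crt")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: weak key (${bits:-?} bits)"; rc=1; }
    return "$rc"
}

# Demo run on constructed material; the temporary directory is removed afterwards.
demo=$(mktemp -d) && make_demo_pki "$demo" 2048 && check_issued "$demo" && echo "all checks passed"
rm -rf "$demo"
```

Run against the directory produced by the steps above, check_issued reports the 1024-bit server key as weak.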

6. Use PKI in the website

① Edit /etc/hosts so that www.baidu.com resolves to the local machine

$ sudo vi /etc/hosts
127.0.0.1 www.baidu.com

② Start a simple web server with the previously generated certificate

$ cp server.key server.pem
$ cat server.crt >> server.pem               ## merge the key and the certificate into one file
$ openssl s_server -cert server.pem -www     ## start the server using server.pem

③ By default, the server listens on port 4433. Enter https://www.baidu.com:4433 in the browser.

Note: this connection is not trusted because our CA is self-signed; this would not have happened if the certificate had been issued by a CA such as VeriSign.

Here you can configure Firefox to accept our self-signed certificate (other browsers are more or less the same). The configuration is as follows:

Menu -> Preferences -> Advanced -> Certificate -> View Certificate (Certificate Manager) -> Import -> go to the directory where you configured openssl, select ca.crt -> Open (download Certificate) -> check "Trust websites using this CA logo" -> OK, and then refresh the website.

That is all on what installing OpenSSL on Ubuntu involves. I hope the content above is of some help and lets you learn something new. If you think the article is good, you can share it for more people to see.
