
Introduction of CA Architecture and use of Openssl

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Catalogue

1 CA architecture description

1.1 Terminology

1.2 Trust relationship description

2 Specific use of certificates in Windows services

3 Implementing a CA system with OpenSSL

3.1 Self-built CA using a self-signed certificate (operated on the CA side)

3.2 Generate a certificate request file on the client side (operated on the APP side)

3.3 Issue certificates on the CA side

3.4 Specific case test

3.4.1 Introduction to the environment

3.4.2 Install and configure nginx on centos19

3.4.3 nginx enables SSL with a self-signed certificate

3.4.4 Access test from windows01 - expected result: certificate not trusted

3.4.5 windows01 adds trust for the self-signed certificate

3.4.6 Access test from windows01 - expected result: certificate trusted

3.4.7 Create a CA on centos18

3.4.8 Issue a certificate using the CA and bind it to nginx

3.4.9 Access test from windows01 - expected result: certificate not trusted

3.4.10 windows01 adds trust for the CA (centos18)

3.4.11 Access test from windows01 - expected result: certificate trusted

1 CA architecture description

1.1 Terminology

CA: a certification authority, comparable to the Trade and Industry Bureau, that specializes in issuing certificates. Only an application whose certificate was issued by a CA can provide its service normally, without trust warnings.

Public key: as the name implies, the public key needs no confidentiality and can be shared for everyone to use.

Private key: a key that may only be used by its owner and must be protected from disclosure.

Relationship between public and private key: the two keys appear in pairs and authenticate each other. Data encrypted with my public key can only be decrypted with my private key, and data signed with my private key can only be verified with my public key. Each entity (a user or a host) can have its own key pair.

Certificate: a file built around a public key and issued by the CA, comparable to a business license.

1.2 Trust relationship description

As pictured above, APP can be a web server or another application. PC refers to the devices that consume the service provided by APP, including computers, mobile phones and other devices. When PC accesses APP over SSL, it must verify the authenticity of the certificate bound to APP, and that certificate is issued by the CA. PC therefore only needs to trust the CA. Trust is established by adding the CA's self-signed certificate to the computer's "Trusted Root Certification Authorities" store. You can check which CAs your computer trusts through the Windows console or the settings of Internet Explorer, as shown below.

Open "Internet Options" - "Content" - "Certificates" - "Trusted Root Certification Authorities" to see that Microsoft has already trusted a number of public CAs on our behalf.

Generally speaking, applying for a certificate from one of the CAs listed here costs money, so you will often see a security certificate warning when visiting a web page: such certificates are usually issued by an organization's internal CA or are self-signed. A self-signed certificate is the case where the CA and APP are the same server, so the server signs its own certificate.

# the above operation applies to Windows. On a RedHat system, trust for a CA can be added as follows

cat [root certificate file] >> /etc/pki/tls/certs/ca-bundle.crt

2 Specific use of certificates in Windows services

Since the author works in Windows operations and maintenance, the application of a CA in Windows AD is introduced briefly first.

In an AD environment a CA is generally set up for the other services that need certificate-based encryption. Once the CA has been built (integrated with AD), all Windows devices in the domain trust it automatically, and every device and user in the domain can apply to it for certificates. There are two ways to apply for a certificate: one is to log in to the web page provided by the CA, the other is as follows:

"Start" - "Run" - type mmc and press Enter - "File" - "Add/Remove Snap-in" - "Certificates", as shown below

You can apply in the name of the user or of the computer; "My user account" is chosen here.

Right-click "Personal" - "All Tasks" - "Request New Certificate" and click Next.

Once an enrollment policy has been defined on the CA side, it is displayed in this dialog. After the corresponding enrollment policy is selected, the request is submitted to the CA. Once the CA has issued the certificate, it appears in the certificates list.

This is only a brief introduction to requesting certificates in a Windows AD environment. If the CA is built with a third-party tool such as OpenSSL, the specific steps may differ.

3 Implementing a CA system with OpenSSL

3.1 Self-built CA using a self-signed certificate (operated on the CA side)

# create the CA private key

openssl genrsa -out cakey.pem 4096

# create a certificate with the private key above; this is the root certificate. When a computer imports it into its trusted root certification authorities, it trusts the CA

openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650

3.2 Generate a certificate request file on the client side (operated on the APP side)

# generate a private key

openssl genrsa -out app.key 4096

# generate the certificate request file (CSR). It is not a certificate yet: it carries the public key and the identity, and the CA signs it in the next step. The private key app.key stays on the APP side

openssl req -new -key app.key -out app.csr

3.3 Issue a certificate on the CA side

# copy the certificate request file app.csr generated in the previous step (only the request, never the private key) to the CA side, then sign it

openssl ca -in app.csr -out app.crt -days 3650

# after the certificate is generated, view it with the following command

openssl x509 -in app.crt -noout -serial -subject

3.4 Specific case test

3.4.1 Introduction to the environment

centos18: the CA

centos19: runs nginx with the ssl module enabled and applies to the CA for a certificate

windows01: the Windows computer used for the experiment, named windows01.

3.4.2 Install and configure nginx on centos19

Installing from source is too troublesome, so nginx is installed directly from the EPEL yum repository. The yum source below is for reference; the specific installation steps are not covered here.

3.4.3 nginx enables SSL with a self-signed certificate

# create a private key

openssl genrsa -out httpd.key 1024

# create a certificate with the private key above

openssl req -new -x509 -key httpd.key -out httpd.crt -days 3650

Enter the paths of the private key and the certificate into the following fields of /etc/nginx/nginx.conf. These fields are commented out by default and need to be uncommented.
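As an added example, and not the article's own nginx.conf, the following server block shows where the certificate and key are bound. The /etc/nginx/ssl paths and the server_name are assumptions; point them at the httpd.crt and httpd.key produced above (or at the CA-issued pair from 3.4.8):

```nginx
# Added example, not taken from the original article. Minimal TLS server block for nginx;
# file paths below are assumptions of this example.
server {
    listen       443 ssl;
    server_name  centos19;

    ssl_certificate      /etc/nginx/ssl/httpd.crt;   # the certificate (self-signed or CA-issued)
    ssl_certificate_key  /etc/nginx/ssl/httpd.key;   # the private key: owner root, mode 0600

    # Only current protocol versions; nginx reads the key as root before dropping privileges.
    ssl_protocols        TLSv1.2 TLSv1.3;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

Check the syntax with nginx -t before reloading; nginx only reads the key file at startup or reload, so the file does not need to be readable by the worker user.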

3.4.4 Access test from windows01 - expected result: certificate not trusted

Accessing https://centos19 produces a certificate error.

Looking at the certificate details, you can see that the certificate was issued by centos19 itself and is not trusted.

3.4.5 windows01 adds trust for the self-signed certificate

To add trust you can either copy the certificate generated in 3.4.3 to windows01 and install it there, or install it directly from the certificate view in the browser (this may not be possible in some cases). The second way is introduced here.

View the certificate as shown in the picture, click "Install Certificate" and then "Next".

Select "Trusted Root Certification Authorities" as the store location.

After the installation completes, centos19 is trusted.

3.4.6 Access test from windows01 - expected result: certificate trusted

Revisit the web page: there is no longer an error.

3.4.7 Create a CA on centos18

Create the directories and files required by the CA; the layout of these directories and files is defined in /etc/pki/tls/openssl.cnf.

Then create the CA's private key and certificate as follows

# create the CA private key

openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096

# create a certificate with the private key above; this is the root certificate. When a computer imports it into its trusted root certification authorities, it trusts the CA

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

3.4.8 Issue a certificate using the CA and bind it to nginx

# generate a private key on centos19

openssl genrsa -out httpd.key 4096

# generate the certificate request file on centos19

openssl req -new -key httpd.key -out httpd.csr

# copy httpd.csr (not httpd.key) to centos18, sign it there with openssl ca as in 3.3, and copy the resulting httpd.crt back to centos19

# edit the nginx configuration file /etc/nginx/nginx.conf to bind the new private key and certificate to nginx

Make the configuration effective

nginx -s reload

3.4.9 Access test from windows01 - expected result: certificate not trusted

Accessing https://centos19 shows that the certificate is not trusted.

Checking the certificate shows that it was issued by centos18 to centos19, which proves it is a certificate issued by the CA.

3.4.10 windows01 adds trust for the CA (centos18)

Copy the CA's self-signed certificate file cacert.pem generated in 3.4.7 to windows01 (only the certificate; the private key cakey.pem stays on centos18), change its suffix to .crt, and import this certificate file into the Trusted Root Certification Authorities store.

Open the file and import it. As shown in the figure below, the root certificate was indeed issued by the CA (centos18) to itself.

Once this is done the CA is trusted, and certificates issued by it no longer need a separate trust relationship.

3.4.11 Access test from windows01 - expected result: certificate trusted

After completing the previous step, there is no certificate warning when the page is visited again.
