2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. The format of the CA certificate
Format of the digital certificate (X.509 v3):
Version number (version)
Serial number (serial number): used by the CA to uniquely identify this certificate
Signature algorithm identifier (signature algorithm identifier)
Issuer name: that is, the name of the CA itself
Validity period: two dates, a start date and an end date
Subject name: the name of the certificate owner
Subject public key information: the certificate owner's own public key
Issuer unique identifier
Subject unique identifier
Extensions
Signature: the CA's digital signature over this certificate
II. Establish your own CA
To build a private CA using OpenSSL:
1. Generate a private key
2. Generate a self-signed certificate
(1) Private key: used to add a digital signature to each certificate the CA issues.
(2) Certificate: each communicating party imports this certificate into its list of trusted certificate authorities.
Configuration file: /etc/pki/tls/openssl.cnf
Working directory: /etc/pki/CA/
III. Start to establish a private CA:
1. Generate the private key file: /etc/pki/CA/private/cakey.pem
2. Generate the self-signed certificate
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days N
-new: generate a new certificate signing request
-key: path to the private key file, from which the public key is extracted
-days N: the validity period of the certificate (in days)
-out: where the output file is saved
-x509: output a self-signed certificate directly instead of a signing request; usually used only when building a CA
For example, suppose our company is called MEITUAN and is located in Zhengzhou, Henan Province, China, the department is YOUHUI, and the website is www.meituan.com
3. Provide the necessary supporting files so that the CA can automatically record the information when others apply for or revoke a certificate.
Create an index.txt file under /etc/pki/CA
# touch /etc/pki/CA/index.txt
Then create the serial file and write a starting serial number to it
# echo 01 > /etc/pki/CA/serial
IV. Apply for a certificate from the CA
1. Generate your own private key
2. Generate a certificate signing request file
# openssl req -new -key .. -out .. -days ..
The fields in the certificate signing request must be consistent with those of the issuing CA, except for the common name, where you fill in your own website.
3. Send the request file to the CA
Copy it with a flash drive or send it by e-mail
V. The CA issues the certificate
1. Verify the identity information of the requester
2. Sign the certificate
# openssl ca -in /etc/httpd/ssl/cakey.csr -out /etc/httpd/ssl/cakey.crt -days 365
3. Return the signed certificate to the requester
VI. Revocation of a certificate
1. Obtain the serial number of the certificate to be revoked
# openssl x509 -in /PATH/FROM/CRT_FILE -noout -serial -subject
2. Revoke the certificate
# openssl ca -revoke /PATH/FROM/CRT-FILE
3. Generate the revocation number
# echo 01 > /etc/pki/CA/crlnumber
All right. This is it.
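The whole procedure from sections III to VI, as an added example that is not part of the original article: it runs in a scratch directory with its own minimal config instead of /etc/pki/CA, and goes one step further than the text by generating a CRL with openssl ca -gencrl and checking that the revoked certificate is rejected. The function name ca_demo, the file names web.key/web.csr/web.crt, the key size, the config contents and the "Demo CA" common name are assumptions.

```shell
# Added example: the article's workflow in a scratch directory (constructed paths).
SUBJ='/C=CN/ST=Henan/O=MEITUAN'   # sample DN values taken from the article
ca_demo() {
    d=$1; cnf=$d/openssl.cnf
    mkdir -p "$d/private" "$d/newcerts" || return 1
    # Minimal stand-in for /etc/pki/tls/openssl.cnf (assumed contents)
    cat > "$cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # III. CA key (readable by owner only), self-signed cert, bookkeeping files
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null || return 1
    openssl req -new -x509 -config "$cnf" -key "$d/private/cakey.pem" \
        -out "$d/cacert.pem" -days 3650 -subj "$SUBJ/CN=Demo CA" || return 1
    touch "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    # IV. requester's key and CSR; V. the CA signs it and the chain verifies
    openssl genrsa -out "$d/web.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$cnf" -key "$d/web.key" -out "$d/web.csr" \
        -subj "$SUBJ/CN=www.meituan.com" || return 1
    openssl ca -batch -config "$cnf" -in "$d/web.csr" -out "$d/web.crt" \
        -days 365 2>/dev/null || return 1
    openssl verify -CAfile "$d/cacert.pem" "$d/web.crt" >/dev/null || return 1
    # VI. revoke, publish a CRL (this consumes crlnumber); a CRL check must now fail
    openssl ca -config "$cnf" -revoke "$d/web.crt" 2>/dev/null || return 1
    openssl ca -config "$cnf" -gencrl -out "$d/crl.pem" 2>/dev/null || return 1
    ! openssl verify -crl_check -CAfile "$d/cacert.pem" \
        -CRLfile "$d/crl.pem" "$d/web.crt" >/dev/null 2>&1
}
```

Call it as ca_demo "$(mktemp -d)"; it returns 0 only if the certificate verified before revocation and is rejected afterwards. Revocation only takes effect for clients that actually fetch and check the CRL.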