2025-03-01 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
How does OpenSSL generate a root CA and issue HTTPS certificates? Many newcomers are not clear about this, so to help you solve the problem this article explains the procedure in detail. Anyone who needs it can follow along; I hope you gain something from it.
I. A brief introduction to OpenSSL
OpenSSL is currently the most popular SSL cryptographic library and toolkit. It provides a general-purpose, robust and full-featured tool suite for implementing the SSL/TLS protocol. Official site: https://www.openssl.org/source/. It has three main uses:
1. Cryptographic algorithm library: generating RSA, DH and DSA key parameters, computing message digests, and encrypting or decrypting with the various ciphers.
2. Key and certificate management: creating X.509 certificates, certificate signing requests (CSRs) and CRLs (certificate revocation lists).
3. API for SSL communication: testing SSL/TLS clients and servers, and handling S/MIME (signed or encrypted mail).
II. Installing OpenSSL (Linux, CentOS 7, 32-bit)
If you are using a Unix operating system, this library is probably already present, installed together with the system. Before using it, however, check the version of the installed openssl library:
$ openssl version
OpenSSL 1.0.1 14 Mar 2012
Version 1.0.1 is an important watershed release, because it is the first version to support TLS 1.1 and 1.2, the newer protocol versions. The choice of operating system also matters; on Ubuntu 12.04 LTS, for example, the client does not support SSL 2. The installation below uses CentOS 7 as the example:
A. Download the openssl library source: https://www.openssl.org/source/
B. Put the downloaded package in the root directory, extract it, and enter the extracted directory (the openssl-1.0.0 folder): cd openssl-1.0.0
C. Configure openssl before compiling: ./config --prefix=/usr/local/openssl, where --prefix is the directory you want to install into; the installed files will appear under that directory.
D. Compile and install openssl: make install
1. Problem description: after the installation completed, viewing the version information reported an error: the shared library libssl.so.1.1 is missing.
[root@b6e4cbd27773 /usr/local/openssl]# openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
2. Solution: the cause is that the dynamic linker does not find the libssl library. Add the search path of the openssl library files to /etc/ld.so.conf and run ldconfig so that the modified configuration takes effect:
echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig -v
III. Generating an RSA key pair with OpenSSL
Before using openssl to generate a key pair, you need to know the following:
1. Key algorithm: openssl can generate RSA, DSA and ECDSA key pairs, but RSA is the most commonly used.
2. Key length: for RSA, 2048 bits is the generally accepted safe key length.
3. Passphrase: protecting the key with a passphrase is optional but generally strongly recommended (according to the official site, many real projects do not set one). With a passphrase, the key file can only be used after entering it, which improves its security at the cost of convenience.
Use the genrsa command to generate an RSA key (for other algorithms such as DSA, refer to the tutorials on the official site; the commonly used RSA case is taken as the example here). This takes two steps:
A. Generate the private key:
Use the command: openssl genrsa -aes128 -out fd.key 2048. The prompts that follow set the passphrase for this key, and the key is stored encrypted with AES-128.
$ openssl genrsa -aes128 -out fd.key 2048
Generating RSA private key, 2048 bit long modulus
...+
e is 65537 (0x10001)
Enter pass phrase for fd.key: *
Verifying - Enter pass phrase for fd.key: *
This key file is the private key. Its contents look like this:
$ cat fd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,01EC21976A463CE36E9DB59FF6AF689A

vERmFJzsLeAEDqWdXX4rNwogJp+y95uTnw+bOjWRw1+O1qgGqxQXPtH3LWDUz1Ym
mkpxmIwlSidVSUuUrrUzIL+V21EJ1W9iQ71SJoPOyzX7dYX5GCAwQm9Tsb40FhV/
[21 lines removed...]
4phGTprEnEwrffRnYrt7khQwrJhNsw6TTtthMhx/UCJdpQdaLW/TuylaJMWL1JRW
i321s5me5ej6Pr4fGccNOe7lZK+563d7v5znAx+Wo1C+F7YgF+g8LOQ8emC+6AVV
-----END RSA PRIVATE KEY-----
B. Generate the public key:
Use the command: openssl rsa -in fd.key -pubout -out fd-public.key
$ openssl rsa -in fd.key -pubout -out fd-public.key
Enter pass phrase for fd.key: *
The resulting file is the public key:
$ cat fd-public.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnlccwQ9FRyJYHM8sFNsY
PUHJHJzhJdwcS7kBptutf/L6OvoEAzCVHi/m0qAA4QM5BziZgnvv+FNnE3sgE5pz
iovEHJ3C959mNQmpvnedXwfcOIlbrNqdISJiP0js6mDCzYjSO1NCQoy3UpYwvwj7
0ryR1F+abARehlts/Xs/PtX3VamrljiJN6JNgFICy3ZvEhLZEKxR7oob7TnyZDrj
IHxBbqPNzeiqLCFLFPGgJPa0cH8DdovBTesvu7wr/ecsf8CYyUCdEwGkZh9DKtdU
HFa9H8tWW2mX6uwYeHCnf2HTw0E8vjtOb8oYQxlQxtL7dpFyMgrpPOoOVkZZW/P0
NQIDAQAB
-----END PUBLIC KEY-----
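The two commands above, run without the interactive prompts and followed by the check a practitioner wants before relying on the files: that the public key really belongs to the private key, that the private key is stored encrypted, and that the modulus has the requested length. This is an added example, not code from the original article; it assumes the openssl command line tool is installed, and the passphrase and file locations are constructed here.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive genrsa / rsa -pubout,
# plus consistency checks on the resulting pair. Assumes the openssl CLI.

# gen_keypair DIR PASSPHRASE: encrypted private key (AES-128) and public key.
gen_keypair() {
    # -passout / -passin replace the "Enter pass phrase" prompts of the article
    openssl genrsa -aes128 -passout "pass:$2" -out "$1/fd.key" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/fd.key" -passin "pass:$2" -pubout -out "$1/fd-public.key" 2>/dev/null
}

# key_is_encrypted KEYFILE: true when the PEM carries an encryption header
# (traditional "Proc-Type: 4,ENCRYPTED" in OpenSSL 1.x, PKCS#8 in 3.x).
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# keys_match PRIVKEY PUBKEY PASSPHRASE: the public key is derived from the
# private key, so both files must carry the same RSA modulus.
keys_match() {
    priv_mod=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# key_bits PRIVKEY PASSPHRASE: modulus length in bits, parsed from -text output
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# demo: generate a pair in a temporary directory and run every check;
# returns 0 only if all of them hold.
demo() {
    d=$(mktemp -d) || return 1
    gen_keypair "$d" "example-passphrase" || return 1
    key_is_encrypted "$d/fd.key" || return 1
    keys_match "$d/fd.key" "$d/fd-public.key" "example-passphrase" || return 1
    [ "$(key_bits "$d/fd.key" example-passphrase)" = 2048 ] || return 1
    # a wrong passphrase must not unlock the private key
    if keys_match "$d/fd.key" "$d/fd-public.key" "wrong-passphrase"; then return 1; fi
    rm -rf "$d"
}

demo && echo "RSA key pair checks: OK"
```

The modulus comparison is the quickest way to confirm that a key and a public key (or later, a certificate) belong together; the same `-noout -modulus` switch works on `openssl x509`, so it can be reused when matching a certificate to its private key.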
IV. Steps to obtain a certificate issued by an authoritative CA
To obtain a certificate from an authoritative CA, you first need the private key file (.key), then use that private key to generate the certificate signing request file (.csr), and finally send the CSR file to the CA and wait for its validation. Once validation succeeds, the certificate file (.crt) is returned.
A. Generate the private key.
This is the same as step A of the RSA key pair section above. Use the command: openssl genrsa -aes128 -out fd.key 2048
B. Generate the certificate signing request file (.csr) from the private key.
When generating the CSR you fill in information about the applicant or the company, such as country name, state or province name, organization name, host name and e-mail address. Some fields can be left blank; this information identifies the certificate holder.
Use the command: openssl req -new -key fd.key -out fd.csr. The process looks like this:
$ openssl req -new -key fd.key -out fd.csr
Enter pass phrase for fd.key: *
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Feisty Duck Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: www.feistyduck.com
Email Address []: webmaster@feistyduck.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
C. Send the CSR file to the authoritative CA, wait for its validation, and pay the fee to obtain the certificate.
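Before the CSR is sent off (step C) it is worth checking it the way the CA will: read the subject back, confirm the request's self-signature, and confirm the public key inside it is the one derived from fd.key. The script below is an added example rather than the article's own commands; it assumes the openssl command line tool, reuses the DN values from the transcript above, and constructs the passphrase, the file locations and a minimal req.cnf so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the article): build the CSR of step B without the
# interactive prompts and check it before sending it to the CA. Assumes the
# openssl CLI; passphrase, paths and req.cnf are constructed here.

# make_csr DIR PASSPHRASE: encrypted private key plus certificate request.
make_csr() {
    # minimal config: "openssl req" insists on a distinguished_name section
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1/req.cnf"
    openssl genrsa -aes128 -passout "pass:$2" -out "$1/fd.key" 2048 2>/dev/null || return 1
    # -subj answers the DN prompts in one go; fields left out (ST here) stay empty
    openssl req -config "$1/req.cnf" -new -key "$1/fd.key" -passin "pass:$2" \
        -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com/emailAddress=webmaster@feistyduck.com" \
        -out "$1/fd.csr" 2>/dev/null
}

# csr_cn DIR: the Common Name the certificate will be issued for
csr_cn() {
    openssl req -config "$1/req.cnf" -in "$1/fd.csr" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_self_signature_ok DIR CSRFILE: the request is signed with the private
# key; anything changed after signing makes the check fail
csr_self_signature_ok() {
    openssl req -config "$1/req.cnf" -in "$1/$2" -noout -verify 2>&1 \
        | grep -q 'verify OK'
}

# csr_matches_key DIR PASSPHRASE: public key in the request == key derived
# from fd.key (compared through a SHA-256 of the PEM text)
csr_matches_key() {
    req_pub=$(openssl req -config "$1/req.cnf" -in "$1/fd.csr" -noout -pubkey | openssl sha256)
    key_pub=$(openssl rsa -in "$1/fd.key" -passin "pass:$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$req_pub" ] && [ "$req_pub" = "$key_pub" ]
}

# demo: generate and check a request; returns 0 only if every check holds
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d" "example-passphrase" || return 1
    [ "$(csr_cn "$d")" = "www.feistyduck.com" ] || return 1
    csr_self_signature_ok "$d" fd.csr || return 1
    csr_matches_key "$d" "example-passphrase" || return 1
    # a request altered after signing (letters of PEM line 2 rotated) must not verify
    sed '2y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/BCDEFGHIJKLMNOPQRSTUVWXYZA/' "$d/fd.csr" > "$d/altered.csr"
    if csr_self_signature_ok "$d" altered.csr; then return 1; fi
    rm -rf "$d"
}

demo && echo "CSR checks: OK"
```

The same `-subj` form removes the prompts from the CA-side commands later in the article, and `openssl req -in fd.csr -noout -text` shows the full request if the subject line alone is not enough.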
V. Generating a root CA and issuing certificates with OpenSSL
Sometimes SSL is used only between your own internal servers, so there is no need to go to a third-party authoritative CA for a certificate. You can create your own (non-authoritative) root CA and issue self-signed certificates in the following three steps.
A. Create the working directory that openssl.cnf expects for the default CA (default_ca). This must be set up the first time.
1. Check which configuration file openssl uses:
$ openssl version -a
OpenSSL 1.0.1e-fips 17 Nov 2016
built on: Fri Nov 18 16:28:23 CST 2016
platform: linux-x86_64
options:  bn(64) md2(int) rc4(16x idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic
2. Find the configuration file openssl.cnf under OPENSSLDIR ("/etc/pki/tls").
Create the corresponding folders and files according to the default values of the [CA_default] section of that file.
Under /etc/pki/CA, create the following folders and files, in this order:
certs: stores the issued certificates.
newcerts: stores the new certificates generated by the ca command.
private: stores the CA private key.
crl: stores revoked certificates (the CRL).
index.txt: the text database of issued certificates defined by OpenSSL; it is usually empty at initialization.
serial: the serial number reference file used when a certificate is issued. It stores the serial number in hexadecimal, and the file must exist and contain a valid serial number.
After this, the directory looks like:
[tt@SWEBMYVMM000210 /etc/pki/CA]$ ll
total 20
drwxrwxrwx 2 root root 4096 Mar 12 11:08 certs
drwxrwxrwx 2 root root 4096 Nov 18  2016 crl
-rwxrwxrwx 1 root root    0 Mar 12 11:06 index.txt
drwxrwxrwx 2 root root 4096 Nov 18  2016 newcerts
drwxrwxrwx 2 root root 4096 Nov 18  2016 private
-rwxrwxrwx 1 root root   33 Mar 12 11:12 serial
Interlude: signing a user certificate with the self-signed certificate fails with "file does not exist".
1. Problem description:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
Error while loading serial number
139996157081440:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
139996157081440:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
2. Solution: if the working directory has not been set up, the openssl ca command used in step C of this section (issuing the user's certificate) fails with this error. Create the working directory that openssl.cnf expects for default_ca, as described above.
B. Generate the CA root certificate.
Steps: generate the CA private key (.key) --> generate the CA certificate request (.csr) --> self-sign it to obtain the root certificate (.crt) (the CA issues a certificate to itself).
# Generate CA private key -> ca.key
openssl genrsa -out ca.key 2048
# Generate CSR -> ca.csr
openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate (CA root certificate) -> ca.crt
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Interlude: the CA root certificate can also be obtained directly from the key file in a single command. After generating the key file, execute: openssl req -new -x509 -days 365 -key fd.key -out fd.crt. If you do not want to answer the registration prompts, pass the subject on the command line: openssl req -new -x509 -days 365 -key fd.key -out fd.crt -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"
C. Sign the user's certificate with the self-signed root certificate ca.crt.
Steps: generate the private key (.key) --> generate the certificate request (.csr) --> obtain the certificate (.crt) signed with the CA root certificate.
# Generate private key -> server.key
openssl genrsa -out server.key 1024
# Generate CSR -> server.csr
openssl req -new -key server.key -out server.csr
# Generate certificate -> server.crt
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Interlude: signing with the CA root certificate fails with "The mandatory stateOrProvinceName field was missing".
1. Problem description:
$ sudo openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The mandatory stateOrProvinceName field was missing
2. Reason: the CA policy in openssl.cnf ([policy_match]) has three fields set to match, which must then be present and identical in the CA certificate and in the request; either make them identical or change them to optional.
3. Solution: modify the configuration file, changing the policy to:
# For the CA policy (the field names are case-sensitive and must be written as below)
[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
D. Simple use of the certificates.
Save server.crt and server.key on the server side for the program to load and use. If the client needs to verify the certificate issued by the server side, save ca.key on the client side.
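The whole of steps A to D as one runnable script, added here as an example and not taken from the article: it builds the [CA_default] working tree, writes an openssl.cnf that contains both the strict policy that produced the "mandatory stateOrProvinceName field was missing" error and the relaxed policy that fixes it, creates the root certificate with the one-command form from step B, issues a server certificate with openssl ca, and finally runs the client-side check. That last check uses only ca.crt: a client verifies a server certificate with the CA certificate, while ca.key stays on the CA machine and is never distributed. The script assumes the openssl command line tool; every path is constructed under a temporary directory, and the DN values are the article's sample values plus a constructed CA name.

```shell
#!/bin/sh
# Added example (not from the article): a complete local root CA, steps A-D.
# Assumes the openssl CLI; all paths are constructed under a temporary dir.

# setup_ca DIR: working tree expected by [CA_default], the config, and the
# self-signed root certificate (certs/ca.crt) with its key (private/ca.key).
setup_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"      # certificate database, empty at initialization
    echo 01 > "$dir/serial"   # next serial number, hexadecimal
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key
certificate     = \$dir/certs/ca.crt
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ policy_relaxed ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name     = req_dn
[ req_dn ]
EOF
    openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null || return 1
    # root certificate in one step (the "interlude" form: req -new -x509 -subj)
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 -extensions v3_ca \
        -key "$dir/private/ca.key" -out "$dir/certs/ca.crt" \
        -subj "/C=GB/ST=London/O=Feisty Duck Ltd/CN=Feisty Duck Root CA" 2>/dev/null
}

# make_server_csr DIR SUBJECT: server key plus certificate request.
make_server_csr() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null || return 1
    openssl req -config "$1/openssl.cnf" -new -key "$1/server.key" \
        -subj "$2" -out "$1/server.csr" 2>/dev/null
}

# sign_csr DIR POLICY: issue server.crt under the named policy section.
# Non-zero when the policy rejects the request's DN; diagnostics land in ca.err.
sign_csr() {
    openssl ca -config "$1/openssl.cnf" -batch -notext -policy "$2" \
        -in "$1/server.csr" -out "$1/server.crt" >/dev/null 2>"$1/ca.err"
}

# verify_chain DIR: the client-side check, done with the CA certificate only.
verify_chain() {
    openssl verify -CAfile "$1/certs/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# demo: run the flow; returns 0 only if every step behaved as expected.
demo() {
    d=$(mktemp -d) || return 1
    setup_ca "$d" || return 1
    # a request without ST is rejected by the strict policy ...
    make_server_csr "$d" "/C=GB/O=Feisty Duck Ltd/CN=www.feistyduck.com" || return 1
    if sign_csr "$d" policy_match; then return 1; fi
    grep -q "mandatory stateOrProvinceName field was missing" "$d/ca.err" || return 1
    # ... accepted by the relaxed one, and the result verifies against ca.crt
    sign_csr "$d" policy_relaxed || return 1
    verify_chain "$d" || return 1
    rm -rf "$d"
}

demo && echo "local CA flow: OK"
```

Two details go beyond the article's commands: the root certificate is given basicConstraints CA:TRUE and keyCertSign, and the server certificate CA:FALSE with serverAuth, because a self-signed certificate without these extensions is not accepted as a CA by openssl verify (or by TLS clients). After the run, index.txt records the issued certificate and serial has moved on to 02, which is what makes the serial file mandatory in step A.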