
The process of realizing CA by OpenSSL

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

How do you build your own CA server with OpenSSL? A CA of this kind is normally only trusted inside a company.

1. The general process of building your own CA

The general operation flow is shown in the figure above.

2. Detailed steps for building your own CA

Step 1: build your own CA server

1. Generate the private key

[root@centos6-5 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
..........++
....++
e is 65537 (0x10001)
[root@centos6-5 ~]#
# the umask keeps the key file readable by root only
# the name of the key file cannot be chosen freely; it is fixed by the configuration file

2. Self-signed certificate

[root@centos6-5 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:root@magedu.com
[root@centos6-5 ~]#
# req     generate a certificate signing request
# -new    create a new request
# -key    the private key file to use
# -out    where to write the result
# -x509   output a self-signed certificate instead of a request
# -days   number of days the certificate is valid

The reason the key file and the self-signed certificate cannot be given arbitrary names is this:

In the /etc/pki/tls/openssl.cnf configuration file:

Both file names are fixed there. The same section shows that two more files, index.txt and serial, are also needed.

3. Create the necessary files and initialize the working environment

[root@centos6-5 ~]# touch /etc/pki/CA/index.txt
[root@centos6-5 ~]# echo "00" > /etc/pki/CA/serial

Step 2: the node applies for a certificate

1. Generate key pairs

[root@centos6-5 ~]# mkdir /etc/httpd/ssl; (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
mkdir: cannot create directory `/etc/httpd/ssl': File exists
Generating RSA private key, 4096 bit long modulus
......++
..++
e is 65537 (0x10001)
[root@centos6-5 ~]#

2. Generate a certificate signing request

[root@centos6-5 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [ZZ]:
Organization Name (eg, company) [MageEdu]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:www@magedu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
# whether to protect the request with a password; if one is set here, it must be entered when the CA signs the request
An optional company name []:
[root@centos6-5 ~]#

# the default values offered in brackets come from the [ req_distinguished_name ] section of /etc/pki/tls/openssl.cnf (the *_default entries); edit them there to change the defaults

3. Send the signing request file to the CA server

# the node requesting the signature and the CA server are the same machine here, so this step is not needed.
# if they are different machines, the request must be copied to the CA server, usually with scp, for example:
#   scp /path/to/secret.csr root@CA_HOST_NAME:/path/to/somewhere/

Step 3: CA signs the certificate

1. Verify the information in the request and sign the certificate

[root@centos6-5 ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 300
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug  1 15:37:48 2014 GMT
            Not After : May 28 15:37:48 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www.magedu.com
            emailAddress              = www@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                04:5E:41:F4:DF:77:DE:64:D3:C0:AC:3C:2E:69:C1:01:E5:80:30:4B
            X509v3 Authority Key Identifier:
                keyid:AF:D8:63:8A:94:87:40:2A:EA:15:FB:D4:E2:61:23:D7:E8:96:40:3B

Certificate is to be certified until May 28 15:37:48 2015 GMT (300 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6-5 ~]#

2. Send it to the requester

# send the signed certificate back to the requester, again using scp

At this point signing is complete, and the CA's database and serial file look like this:

[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V    150528153748Z        00    unknown    /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
[root@centos6-5 ~]# cat /etc/pki/CA/serial
01
[root@centos6-5 ~]#

3. Revocation of certificates

Sometimes a node's key is lost, and we then need to ask the CA to revoke its certificate.

On the node: first obtain the serial number (and subject) of the certificate held by the node

[root@server ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com
[root@server ssl]#
# -noout    do not print the certificate itself
# -serial   print the serial number, the value the CA recorded in its serial file
# -subject  print the subject, the value the CA recorded in index.txt

On the CA:

1. Verification information

Check that the serial number and subject submitted by the node match an entry in the index.txt file

[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V    150528153748Z        00    unknown    /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
V    140831155108Z        01    unknown    /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com

2. Revoke the certificate

1) Revoke the certificate

# the CA keeps its copy of every certificate it issued under /etc/pki/CA/newcerts, named <serial number>.pem
[root@centos6-5 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V    150528153748Z                        00    unknown    /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
R    140831155108Z    140801160733Z    01    unknown    /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com
[root@centos6-5 ~]#
# the status column changes from V (valid) to R (revoked) and the revocation time is recorded in the third column

2) Initialize the CRL number (required only before the first revocation list is generated)

[root@centos6-5 ~]# echo 00 > /etc/pki/CA/crlnumber
[root@centos6-5 ~]#
# the CRL number file is also defined in /etc/pki/tls/openssl.cnf

3) Generate (or update) the certificate revocation list

[root@centos6-5 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/01.crl
Using configuration from /etc/pki/tls/openssl.cnf

View the contents of the CRL:

[root@centos6-5 ~]# openssl crl -in /etc/pki/CA/crl/01.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=Henan/L=ZZ/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=root@magedu.com
        Last Update: Aug  1 16:15:12 2014 GMT
        Next Update: Aug 31 16:15:12 2014 GMT
        CRL extensions:
            X509v3 CRL Number:
                0
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Aug  1 16:07:33 2014 GMT
    Signature Algorithm: sha1WithRSAEncryption
        (signature bytes omitted)
[root@centos6-5 ~]#
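The whole procedure from steps 1 to 3 and the revocation steps of section 3, as one added, self-contained script (example code, not from the original post). Instead of the stock /etc/pki/tls/openssl.cnf the post relies on, it writes its own minimal configuration into a temporary directory and passes it with -config, so every file name the post says is fixed by the configuration (cakey.pem, cacert.pem, index.txt, serial, newcerts, crlnumber) is visible in one place; -subj and -batch replace the interactive prompts. Only the openssl command-line tool is required; the directory, key sizes and DN values are made up.

```shell
#!/bin/sh
# Added example, not the post's own code: a throwaway CA in a temp dir with its own
# minimal openssl.cnf, making the paths the post says are fixed by the config visible.
set -eu; CA=$(mktemp -d); cfg="$CA/openssl.cnf"        # $CA stands in for /etc/pki/CA
mkdir -p "$CA/private" "$CA/newcerts" "$CA/crl"
touch "$CA/index.txt"; echo 00 > "$CA/serial"; echo 00 > "$CA/crlnumber"  # database, next serial, next CRL number
cat > "$cfg" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 300
default_crl_days = 30
policy           = policy_any
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# Step 1: CA private key (umask 077 keeps it 0600) and the self-signed CA certificate.
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$cfg" -key "$CA/private/cakey.pem" -days 360 \
  -subj "/C=CN/O=MageEdu/CN=ca.magedu.com" -out "$CA/cacert.pem"
(umask 077; openssl genrsa -out "$CA/httpd.key" 2048 2>/dev/null)   # Step 2: node key + CSR
openssl req -new -config "$cfg" -key "$CA/httpd.key" \
  -subj "/C=CN/O=MageEdu/CN=www.magedu.com" -out "$CA/httpd.csr"
# Step 3: the CA signs the request (-batch answers the two y/n prompts); verify the chain.
openssl ca -config "$cfg" -batch -in "$CA/httpd.csr" -out "$CA/httpd.crt" 2>/dev/null
openssl verify -CAfile "$CA/cacert.pem" "$CA/httpd.crt"
# Section 3: revoke the CA's copy newcerts/<serial>.pem, issue a CRL, and confirm the cert now fails.
serial=$(openssl x509 -in "$CA/httpd.crt" -noout -serial | cut -d= -f2)
openssl ca -config "$cfg" -revoke "$CA/newcerts/$serial.pem" 2>/dev/null
openssl ca -config "$cfg" -gencrl -out "$CA/crl/ca.crl" 2>/dev/null
still_valid() { openssl verify -crl_check -CAfile "$CA/cacert.pem" \
  -CRLfile "$CA/crl/ca.crl" "$CA/httpd.crt" >/dev/null 2>&1; }   # 0 only if not revoked
still_valid && { echo "revoked certificate still verifies"; exit 1; }
echo "revoked entries in index.txt: $(grep -c '^R' "$CA/index.txt"); next serial: $(cat "$CA/serial")"
```

Run it as an unprivileged user; everything is created under the mktemp directory, and the final verify fails only because the certificate's serial now appears in the CRL.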

This covers building a CA, signing a certificate and revoking one. How to import the signed certificate into the application that needs it will be explained in a later post.
