
How to generate a free certificate using openssl

2025-04-05 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use OpenSSL to generate a free certificate. Read it as a reference; after working through it you should have a solid understanding of the concepts and commands involved.

One: what is OpenSSL? What does it do? Where is it used?

OpenSSL is an open-source toolkit and library that applications use for secure communication, so that information cannot be read by anyone listening on the network.

SSL stands for Secure Sockets Layer, a protocol that provides confidential transmission over the Internet. Netscape proposed the SSL standard together with the launch of its first web browser. Its goal is to guarantee the confidentiality and integrity of communication between two applications, and it is supported on both the server side and the client side.

During network transmission the data necessarily passes through intermediate devices such as the Wi-Fi router, so anyone who tampers with such a device can read it. The purpose of OpenSSL is to prevent information from being eavesdropped on in this way.

So how does OpenSSL ensure that information is not eavesdropped on? To answer that, we first need some basic concepts: asymmetric encryption, digital signatures and digital certificates.

1.1 What is asymmetric encryption?

Asymmetric encryption encrypts data with one key and decrypts it with a different key. The two keys are called the public key and the private key.

The public key can be computed from the private key, but the private key cannot be computed from the public key. The private key is generally held by the server, and the public key is used on the client.

Note: we do not study the specific algorithms of asymmetric encryption here.

1.2 What is a digital signature?

According to Baidu Encyclopedia: a digital signature (also called a public-key digital signature) is the counterpart of an ordinary handwritten signature on paper, but it is built on public-key cryptography and is a method for authenticating digital information. A digital signature has two complementary operations, one for signing and one for verification.

How it works: the sender uses a hash algorithm to compute a fixed-length digest of the message, encrypts (signs) the digest with the private key, and sends the message together with the signature to the receiver. The receiver decrypts the digest with the public key and also computes the digest of the received message with the same hash algorithm. If the two digests are the same, the data has not been tampered with, i.e. it is intact.
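The hash-then-sign flow just described, carried out with the openssl command line. This is an added example, not a command sequence from the article: the key file names, the working directory and the sample message are constructed here, and the receiver is assumed to already hold the sender's public key. The second half shows the check that matters in practice: a message altered in transit no longer verifies against the original signature.

```shell
#!/bin/sh
# Added example (not from the article): sign a message digest with a private key,
# verify it with the matching public key, and show that a tampered message fails.
# File names, the working directory and the message text are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Sender side: a private key for signing and the matching public key for the receiver.
make_signing_keys() {
  openssl genrsa -out "$WORKDIR/sign.key" 2048 2>/dev/null
  openssl rsa -in "$WORKDIR/sign.key" -pubout -out "$WORKDIR/sign.pub" 2>/dev/null
}

# Sender side: hash the message with SHA-256 and sign the digest with the private key.
# The signature travels with the message; the message itself stays in the clear.
sign_message() {  # $1 = message file, $2 = signature file to write
  openssl dgst -sha256 -sign "$WORKDIR/sign.key" -out "$2" "$1"
}

# Receiver side: recompute the digest of the received message and check it against
# the signature with the public key. Exit status 0 only if the message is exactly
# what was signed.
verify_message() {  # $1 = message file, $2 = signature file
  openssl dgst -sha256 -verify "$WORKDIR/sign.pub" -signature "$2" "$1" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
  make_signing_keys
  printf 'transfer 100 to account 42\n' > "$WORKDIR/msg.txt"       # constructed sample message
  sign_message "$WORKDIR/msg.txt" "$WORKDIR/msg.sig"
  if verify_message "$WORKDIR/msg.txt" "$WORKDIR/msg.sig"; then
    echo "original message: signature OK"
  fi
  # A one-character change on the way changes the digest, so verification fails.
  printf 'transfer 900 to account 42\n' > "$WORKDIR/tampered.txt"  # constructed tampered copy
  if ! verify_message "$WORKDIR/tampered.txt" "$WORKDIR/msg.sig"; then
    echo "tampered message: signature REJECTED"
  fi
fi
```

The digest is what gets signed, not the whole message, which is why a signature is the same size whether the message is one line or one gigabyte, and why only the public key needs to be distributed to receivers.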

1.3 What is a digital certificate?

According to Baidu Encyclopedia: a digital certificate is a string of data that identifies the parties in Internet communication; it provides a way of verifying the identity of a communicating entity on the Internet.

It is a form of identity issued to a website by a CA (certificate authority). It contains the website's public key, the validity period, the website's address, and the CA's digital signature.

How it works: the CA signs information such as the website's public key with the CA's private key. When the client requests the server, the website sends its certificate to the client, and the client first checks the CA's digital signature to confirm that the certificate is authentic and intact.

Having understood asymmetric encryption, digital signatures and digital certificates, let's look at how SSL ensures that data is not forged:

SSL authenticates users and servers

Consider a question: when we visit the Blog Park website, how do we know whether we are reaching the real Blog Park or a fake one? To determine whether the Blog Park server has been forged, SSL has this rule: when we make a request to the server, the server must return its digital certificate. Once we have the certificate, we can verify its validity using the CA's digital signature inside it. But even if we can now prove that the certificate belongs to Blog Park, that alone does not prove that the server which sent it is Blog Park's. To solve this, the certificate also contains Blog Park's public key. In subsequent communication the client encrypts data to the Blog Park server with this public key, and the server must use its private key to decrypt it. As long as it can decrypt the data, it is legitimate; otherwise it is a forgery and communication cannot continue. In this way SSL solves the problem of server authentication.

How is the encrypted data protected from theft during communication?

When the client sends its first request to the server (before it has the certificate), it includes a random number (call it A), and the server's response carrying the certificate also includes a random number (B). After the client has the certificate, it encrypts a third random number (C) with the public key and sends it to the server. Both sides now hold the three random numbers A, B and C, and each uses them with the same algorithm to generate the key that protects all subsequent communication.

In general this key cannot be exposed, because it is derived from three random numbers and one of them (C) was sent only under public-key encryption. This is how the data is protected from being stolen.

The above are conceptual explanations found online; a simple understanding is enough. OpenSSL is an implementation of SSL, so its ability to prevent information from being stolen rests on exactly these points.

Application scenarios of OpenSSL:

On plain http websites we often see advertisements that the site itself never placed: they are injected by intermediate network operators who tamper with the content in transit. With https (based on OpenSSL) the data is encrypted, which ensures it cannot be tampered with on the way.

Second: use OpenSSL to generate free certificates

1. Generate an RSA private key with the openssl tool

Use the command:

openssl genrsa -des3 -out server.key 2048

Here -des3 is the algorithm used to encrypt the key file (you will be prompted for a passphrase), 2048 is the key length in bits (its strength), and -out gives the path and name of the generated file, server.key.

As follows:

Let's look at the private key we just generated, with the command:

openssl rsa -text -in server.key

As shown in the following figure:

To view the raw contents of server.key, use: cat server.key, as shown in the following figure:

2. Create a certificate signing request (CSR) file

Use the command as follows:

openssl req -new -key server.key -out server.csr

-key: the private key to use (the CA private key, server.key here)

-out: the CSR file to generate, server.csr

As follows:

After running the command, openssl asks for the following information while generating the CSR:

Country Name (2 letter code) []: CN                         // the country code; for China enter CN
State or Province Name (full name) []: HangZhou              // the province; here HangZhou
Locality Name (eg, city) []: HangZhou                        // the city; here also HangZhou
Organization Name (eg, company) []: tbj                      // the organization (or company name); here tbj
Organizational Unit Name (eg, section) []: tbj               // the department
Common Name (eg, fully qualified host name) []: *.abc.com    // the domain name; here *.abc.com
Email Address []: tugenhua0707@qq.com                        // your email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456                              // the certificate password; press Enter to skip it

After this, the following two files exist in the current directory:

server.key server.csr

As shown in the following figure:

View the CSR file with the following command:

openssl req -text -in server.csr -noout

As shown in the following figure:

3. Generate the CA certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

x509: specifies the certificate format

-in: specifies the request file

-signkey: self-sign the certificate with this key

As shown in the following figure:

Note: as above, server.crt contains the certificate holder's information, the holder's public key, and the signer's signature.

4. Generate a client certificate

Generating a client certificate is similar to generating the CA certificate.

4.1 First generate the private key.

Use the command:

openssl genrsa -out client.key 2048

As shown in the following figure:

4.2 Generate the request file

Use the command:

openssl req -new -key client.key -out client.csr

As shown in the following figure:

4.3 Send the request to the CA for signing

Use the command:

openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt

As shown in the following figure:
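Below is an added example, not the article's own commands, that runs the whole workflow of this part without interactive prompts and goes one step beyond it. The article's -signkey step produces a self-signed certificate, so nothing else can vouch for it; the example therefore also creates a separate CA key and CA certificate, signs the server CSR with that CA (-CA/-CAkey instead of -signkey), and then checks the result with openssl verify. The subject values reuse the article's (CN, HangZhou, tbj, *.abc.com); the passphrase, file names, the minimal config file, the subjectAltName entries and the working directory are assumptions made for this example. The self-signed certificate of step 3 is produced as well so the difference is visible: it fails verification against the CA, while the CA-signed one passes.

```shell
#!/bin/sh
# Added example, not the article's commands: the same genrsa / req / x509 steps run
# without prompts, plus a separate CA that signs the server CSR. Everything under
# WORKDIR, the passphrase and the config file are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CFG="$WORKDIR/openssl-example.cnf"
CA_PASS="pass:changeit-placeholder"   # placeholder only; never hard-code a real CA passphrase
DAYS=365

# Minimal config: req wants a distinguished_name section even when -subj is used,
# and the extension sections mark which certificate is a CA and which is a server.
write_config() {
  cat > "$CFG" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.abc.com, DNS:abc.com
EOF
}

# CA: passphrase-protected key (the article's -des3 idea, with AES-256 and -passout
# replacing the prompt) and a self-signed CA certificate (-x509 instead of a CSR).
make_ca() {
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORKDIR/ca.key" 2048
  openssl req -x509 -new -config "$CFG" -extensions v3_ca -key "$WORKDIR/ca.key" \
    -passin "$CA_PASS" -days "$DAYS" \
    -subj "/C=CN/ST=HangZhou/L=HangZhou/O=tbj/CN=tbj example CA" -out "$WORKDIR/ca.crt"
}

# Server: unencrypted key (a web server must read it at start-up without a prompt)
# and a CSR carrying the article's subject fields.
make_server_csr() {
  openssl genrsa -out "$WORKDIR/server.key" 2048
  openssl req -new -config "$CFG" -key "$WORKDIR/server.key" \
    -subj "/C=CN/ST=HangZhou/L=HangZhou/O=tbj/OU=tbj/CN=*.abc.com" -out "$WORKDIR/server.csr"
}

# Step 3 exactly as in the article: the CSR signed with its own key (self-signed).
sign_self() {
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
    -signkey "$WORKDIR/server.key" -out "$WORKDIR/selfsigned.crt"
}

# What "send to the CA" looks like: the CA key signs the CSR, and the server
# extensions (SAN, key usage) are attached from the config file.
sign_with_ca() {
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "$CA_PASS" -CAcreateserial \
    -extfile "$CFG" -extensions v3_server -out "$WORKDIR/server.crt"
}

# Checks to run before deploying: does the chain verify, and does the private key
# actually belong to the certificate?
verify_against_ca() {  # $1 = certificate file; exit 0 only if ca.crt issued it
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}
key_matches_cert() {   # $1 = private key, $2 = certificate; exit 0 if the public keys match
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

if command -v openssl >/dev/null 2>&1; then
  write_config; make_ca; make_server_csr; sign_self; sign_with_ca
  if verify_against_ca "$WORKDIR/server.crt"; then echo "server.crt: verifies against ca.crt"; fi
  if ! verify_against_ca "$WORKDIR/selfsigned.crt"; then echo "selfsigned.crt: not issued by ca.crt"; fi
  if key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt"; then echo "server.key matches server.crt"; fi
fi
```

A client that trusts ca.crt will accept server.crt, but not selfsigned.crt, which is exactly the check browsers perform with their built-in CA list; for a free certificate that browsers accept without warnings, the CSR has to go to a publicly trusted CA rather than to a key you generated yourself.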

That covers how to use OpenSSL to generate a free certificate. I hope the above helps you and that you have learned something from it; if you found the article useful, share it so that more people can see it.
