Shulou(Shulou.com)06/01 Report--

What is CA

CA is like the Bureau of Industry and Commerce. The CA certificate is a business license issued to merchants and an identity authentication license issued to each site on the Internet. For example, the website that appears after we enter www.xxx.com, how do we know if it is secure? How do we know it is the website we want to log on to? If it has a CA certificate, and we have its certificate in our computer, then we can judge that it is safe and reliable.

What are the contents of the CA certificate?

The x509 standard defines the contents of the CA certificate. Here is a comparison of the three versions.

Third, how to obtain CA certificate

Since the CA certificate is so important to the online public node, how do you get it?

To get the CA certificate like the CA registration authority to apply for it, but to spend money, a year does not have much money, ordinary users do not need CA, only those sites that need to be recognized by the network society, sites, platforms need CA certification.

But is there a free CA for free?

We can create our own CA and then issue our own certificates. But what's the point of doing this? Of course, it doesn't make much sense for small companies and ordinary users, but powerful companies dare to do so, such as monopolies, who issue certificates to themselves, believe it or not, it monopolizes resources, and you can't help it if you don't believe it.

For example, 12306, is it right for us to open it to indicate that the certificate is not trusted? It issued a certificate to itself. It said, "believe it or not, there is no second website that sells train tickets."

Learn 12306 to build your own CA

In linux, we will use the OpenSSL installation package to establish a private CA

Steps:

1. Generate a private key

When the private key is used to issue a certificate, it is used when adding a digital signature to the certificate

two。 Generate self-signed certificate

Each communicating party imports this certificate to the trusted Certificate Authority

3. Configuration file

/ etc/pki/tls/openssl.cnf

4. Working directory

/ etc/pki/CA/

5. Detailed steps for establishing CA

1. Generate a private key to / etc/pki/CA/private

2. Generate self-signed certificate to / etc/pki/CA/

If our company is called alibaba in Zhengzhou, China, the company number is 123456, the website is www.alibaba.com, and the mailbox is wuhf123@126.com.

3. Provide the necessary supporting documents so that when others apply for a certificate or revoke a certificate, I can record their information automatically in the future.

(1) create an index.txt file under / etc/pki/CA/

(2) create a / etc/pki/CA/serial file and add a starting number to it

Apply for a certificate from CA

If our company is called wuhfnet and our website is called www.wuhfnet.com

1. Generate your own private key

two。 Generate a certificate signing request file

Openssl req-new-key.. -out.. -days..

The options in the certificate signing request, except for common name to fill in your own website, must be consistent with the CA issuing authority.

3. Send the request file to CA

Copy it with a flash drive or send it by e-mail, just like you send a possible application to the Bureau of Industry and Commerce.

7. CA issues certificates

1. Verify the identity information of the requester

Just like the Trade and Industry Bureau receives an application and then goes to your company to examine your qualifications.

two。 Sign the certificate

Openssl ca-in.. -out.. -days..

3. Return the signed certificate to the requestor

VIII. Revocation of certificate

1. Obtain the serial number of the revocation certificate

2. Revoke the certificate

Openssl ca-revoke / PATH/FROM/CRT-FILE

3. Generate the revocation number

Echo 01 > / etc/pki/CA/crlnumber

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.