Shulou (Shulou.com), SLTechnology News & Howtos > Network Security, 06/01 report, updated 2025-01-16
OpenSSL is the basic cryptographic toolkit on Linux.
Let's start with some basics:
OpenSSL features include symmetric encryption (DES, 3DES, AES, etc.), asymmetric encryption (RSA), hashing (MD5, SHA1, etc.) and certificate-related operations (creation, request, issuance, revocation, etc.).
A PKI (public key infrastructure) is a public-key based security system consisting of a certificate authority (CA), a registration authority (RA), a certificate repository and a certificate revocation list (CRL).
Common OpenSSL certificate formats: X509, PKCS7, PKCS12.
Common storage formats for certificate files: PEM (Base64 text) and PFX or P12 (binary).
The main practical points of this article:
1. Root CA operations (private key generation, self-signed certificate generation)
2. User certificate operations (private key generation, certificate signing request generation, approval of the request and issuance of the certificate by the root CA)
3. Secondary CA operations (after obtaining the secondary CA certificate and private key from the root CA, issuing certificates to subordinate users)
Experimental environment:
RHEL 6.3 (KVM virtual machine) rootca.testlibq.com
RHEL 6.3 (KVM virtual machine) apache.testlibq.com (Apache server acting as the secondary CA)
Windows XP (KVM virtual machine) xp.testlibq.com (used to display the certificates)
Experimental procedure:
1. Generate the root CA certificate
Log in to the ROOTCA machine
cd /etc/pki/CA/private
openssl genrsa -des3 -out rootca.key 1024
# Generate the ROOTCA private key; rootca.key is in PEM format
[Set the rootca private key password, for example type rootca]
touch /etc/pki/CA/index.txt # Create the certificate database file
echo "01" > /etc/pki/CA/serial # Create the certificate serial number file
openssl req -new -x509 -key rootca.key -out /etc/pki/CA/rootca.crt
# Generate the ROOTCA certificate (type X509) as rootca.crt in PEM format
[Enter the rootca private key password: rootca]
[Fill in a bunch of certificate information]
Since the CA's private key and certificate paths (cakey.pem and cacert.pem) are set in /etc/pki/tls/openssl.cnf, symbolic links are used here.
ln -s /etc/pki/CA/private/rootca.key /etc/pki/CA/private/cakey.pem
ln -s /etc/pki/CA/rootca.crt /etc/pki/CA/cacert.pem
The CA is now set up.
To view the certificate and private key, use the following commands:
openssl rsa -in /etc/pki/CA/private/rootca.key -text -noout
openssl x509 -in /etc/pki/CA/rootca.crt -text -noout
2. User certificate operations
PS:
For a user certificate, the user can generate the private key and request file on the user side and pass the request to the CA; after the CA signs it, the certificate is issued to the user.
Alternatively, the root CA can generate the user's private key and request file itself, sign the request, and then hand both the private key and the certificate to the user.
The latter is demonstrated here.
Log in to the rootca machine (continuing from experiment 1)
cd /etc/pki/CA/private
openssl genrsa -des3 -out a.key 1024 # Generate the user private key
[Set the password of a.key]
openssl req -new -key a.key -out a.csr # Generate the user request file
[Enter the password of a.key]
[Enter a bunch of certificate information]
openssl ca -in a.csr
[Answer y to both prompts]
The signed certificate is written to /etc/pki/CA/newcerts/01.pem.
PS:
The certificate type is X509. If you need a PKCS12 certificate, use:
openssl pkcs12 -export -in /etc/pki/CA/newcerts/01.pem -inkey /etc/pki/CA/private/a.key -out a.pfx
[Enter the private key password] [Set the export password]
3. Generate a certificate chain
There are few articles on this part, and it took me a long time of study before I worked it out.
The two experiments above were done consecutively. Before the third experiment, clear out the files created above under /etc/pki/CA.
Log in to ROOTCA
cd /etc/pki/CA/private
touch ../index.txt
echo "01" > ../serial
openssl genrsa -des3 -out rootca.key 1024 [password: rootca]
ln -s rootca.key cakey.pem
openssl req -new -x509 -key rootca.key -out /etc/pki/CA/rootca.crt -extensions v3_ca
ln -s /etc/pki/CA/rootca.crt /etc/pki/CA/cacert.pem
Check the rootca certificate here:
openssl x509 -in /etc/pki/CA/rootca.crt -text -noout
If basicConstraints CA:TRUE appears among the X509v3 extensions, the certificate is correct.
PS: basicConstraints is the basic constraints extension; CA:TRUE means the certificate is allowed to act as a CA, i.e. to sign other certificates. (Experiments 1 and 2 above did not check this and are therefore not rigorous, which matters especially when a certificate chain is required.)
cd /etc/pki/CA/private
openssl genrsa -des3 -out apache.key 1024 [password: apache]
openssl req -new -key /etc/pki/CA/private/apache.key -out apache.csr
[password: apache] [a bunch of certificate information]
openssl ca -in apache.csr -extensions v3_ca [Answer y to both prompts]
PS: This extension is critical: without CA:TRUE, the apache certificate is not eligible to issue certificates to users.
Log in to the apache host
rsync rootca.testlibq.com:/etc/pki/CA/private/apache.key /etc/pki/CA/private/apache.key
[root password of rootca.testlibq.com]
rsync rootca.testlibq.com:/etc/pki/CA/newcerts/01.pem /etc/pki/CA/apache.crt
[root password of rootca.testlibq.com]
ln -s /etc/pki/CA/private/apache.key /etc/pki/CA/private/cakey.pem
ln -s /etc/pki/CA/apache.crt /etc/pki/CA/cacert.pem
Now create the user certificates
cd /etc/pki/CA
touch index.txt
echo "01" > serial
openssl genrsa -des3 -out private/user1.key 1024 [password: user1]
openssl req -new -key private/user1.key -out private/user1.csr [password: user1] [a bunch of certificate information]
openssl ca -in private/user1.csr -extensions usr_cert [Answer y to both prompts]
PS: The -extensions usr_cert option is not necessary here.
Create the certificate chain
rsync rootca.testlibq.com:/etc/pki/CA/rootca.crt /etc/pki/CA/certs/rootca.crt
[root password of rootca.testlibq.com]
Concatenate the apache certificate and the rootca certificate into a single file (issuing CA first, then the root):
cd /etc/pki/CA/certs
cp /etc/pki/CA/apache.crt chain.crt
cat rootca.crt >> chain.crt
Verify the certificate chain
openssl verify -CAfile /etc/pki/CA/certs/chain.crt /etc/pki/CA/newcerts/01.pem
(If the output ends with "OK", the certificate chain verifies successfully)
Convert the user certificate to PKCS12, bundling the chain
openssl pkcs12 -export -in /etc/pki/CA/newcerts/01.pem -inkey /etc/pki/CA/private/user1.key -out /etc/pki/CA/private/user1.pfx -chain -CAfile /etc/pki/CA/certs/chain.crt
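The chain procedure of experiment 3, as an added non-interactive script that is not part of the original article: it builds the same rootca -> apache -> user1 chain, but with openssl req / x509 -req instead of the openssl ca database, with unencrypted keys so there are no password prompts, and with a constructed minimal openssl.cnf whose v3_ca and usr_cert sections stand in for the stock config's sections of the same name. It also shows the basicConstraints check from the text, a stricter verification where only the root is trusted, and the failure mode the article warns about: a certificate issued by a CA:FALSE certificate does not verify.

```shell
# Added example, not the article's commands: openssl req/x509 -req instead of
# openssl ca, unencrypted keys (no -des3), and a constructed minimal openssl.cnf.
set -e
# Write the minimal config into the current directory.
write_cnf() {
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}
# newcsr <name>: RSA key and CSR for CN=<name> -> <name>.key, <name>.csr
newcsr() {
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# issue <name> <ca> <ext_section>: sign <name>.csr with <ca>.crt/<ca>.key -> <name>.crt
issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 365 -sha256 -extfile openssl.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}
# is_ca <crt>: the article's check, does basicConstraints say CA:TRUE?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# build_chain <dir>: root CA -> secondary CA "apache" -> user cert "user1", plus
# chain.crt (secondary first, then root) like the article's certs/chain file.
build_chain() {
    mkdir -p "$1" && ( cd "$1" && write_cnf &&
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config openssl.cnf \
            -subj '/CN=rootca' -extensions v3_ca -keyout rootca.key -out rootca.crt 2>/dev/null &&
        newcsr apache && issue apache rootca v3_ca &&
        newcsr user1 && issue user1 apache usr_cert &&
        cat apache.crt rootca.crt > chain.crt )
}
# verify_leaf <dir> <name>: stricter than "-CAfile chain.crt"; only the root is a
# trust anchor and the secondary CA has to prove itself as an untrusted intermediate.
verify_leaf() {
    openssl verify -CAfile "$1/rootca.crt" -untrusted "$1/apache.crt" "$1/$2.crt" >/dev/null 2>&1
}
# non_ca_cannot_issue <dir>: a certificate signed by user1 (CA:FALSE) must not verify
# (openssl reports "invalid CA certificate"); returns 0 when that rejection happens.
non_ca_cannot_issue() {
    ( cd "$1" && newcsr rogue && issue rogue user1 usr_cert ) || return 0
    ! openssl verify -CAfile "$1/rootca.crt" -untrusted "$1/apache.crt" \
        -untrusted "$1/user1.crt" "$1/rogue.crt" >/dev/null 2>&1
}
```

Run it as `d=$(mktemp -d); build_chain "$d" && verify_leaf "$d" user1 && echo chain OK`; the .srl files that -CAcreateserial leaves beside each CA certificate play the role of the article's serial file.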
Finally, copy user1.pfx to the Windows machine and import the certificate so it can be displayed.
The results are as follows:
Attachment: down.51cto.com/data/2362193