Use OpenSSL to create CA and apply for certificates

2025-03-31 update. From: SLTechnology News&Howtos (shulou), Servers section


Shulou (Shulou.com) 06/02 report

Introduction to OpenSSL

OpenSSL is a cryptography toolkit that implements the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL), together with the cryptographic standards they require. Current releases support TLS 1.0 through 1.3 and DTLS; SSLv2 has been removed and SSLv3 is disabled by default, so the SSL name survives mostly in command and library names.

The openssl command-line tool exposes the cryptographic functions of the OpenSSL library to shell scripts and interactive use. It can be used for:

- creating and managing private keys, public keys and parameters
- public-key cryptographic operations
- creating X.509 certificates, certificate signing requests (CSRs) and certificate revocation lists (CRLs)
- message digest calculation
- encrypting and decrypting with symmetric ciphers
- SSL/TLS client and server testing
- processing S/MIME signed or encrypted mail
- timestamp requests, generation and validation

OpenSSL configuration file and the three policy values

The configuration file is /etc/pki/tls/openssl.cnf (the CentOS 7 location; it also sets the CA working directory to /etc/pki/CA). Its [policy_match] section decides which subject fields of a certificate request must agree with the CA's own certificate:

  match:    the field is required and must be identical to the CA's value
  optional: the field may be omitted and, if present, need not equal the CA's value
  supplied: the field must be present; any value is accepted

With the stock settings countryName, stateOrProvinceName and organizationName are "match", commonName is "supplied", and organizationalUnitName and emailAddress are "optional". Subject fields that the policy does not mention at all (localityName, for example) are silently dropped from the issued certificate.

Creating a private CA and issuing certificates (all of the following is done on one machine)

1. Create the required files

  [root@CentOS7 ~]# cd /etc/pki/CA/
  [root@CentOS7 CA]# touch index.txt          # certificate database
  [root@CentOS7 CA]# echo 01 > serial         # serial number of the first certificate to be issued

2. The CA's self-signed certificate

2.1 Generate the CA private key

  [root@CentOS7 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
  Generating RSA private key, 2048 bit long modulus
  ..........................+++
  ....+++
  e is 65537 (0x10001)

The umask set in the subshell gives the key file mode 0600. This key is the root of trust for every certificate issued below; it must not be readable by any other user, and on a real CA it should live on a machine that does nothing else.

2.2 Generate the self-signed CA certificate

  [root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CN
  State or Province Name (full name) []:beijing
  Locality Name (eg, city) [Default City]:beijing
  Organization Name (eg, company) [Default Company Ltd]:abc
  Organizational Unit Name (eg, section) []:IT
  Common Name (eg, your name or your server's hostname) []:hechunping
  Email Address []:root@abc.com

Options:
  -new                     generate a new certificate signing request
  -x509                    output a self-signed certificate instead of a request (used for the CA's own certificate)
  -key                     private key file used to sign the request or certificate
  -days n                  validity period in days
  -out /PATH/TO/SOMECERTFILE   where to write the result

3. Issuing certificates

3.1 Generate the certificate request on the host that needs the certificate (in this lab, the same machine)

3.1.1 Generate the private key

  [root@CentOS7 CA]# (umask 066; openssl genrsa -out /data/test.key 2048)
  Generating RSA private key, 2048 bit long modulus
  ..................+++
  ...........+++
  e is 65537 (0x10001)

3.1.2 Generate the certificate request

  [root@CentOS7 CA]# openssl req -new -key /data/test.key -out /data/test.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:CN
  State or Province Name (full name) []:beijing
  Locality Name (eg, city) [Default City]:beijing
  Organization Name (eg, company) [Default Company Ltd]:abc
  Organizational Unit Name (eg, section) []:IT
  Common Name (eg, your name or your server's hostname) []:hechunping
  Email Address []:root@abc.com

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

The subject entered here has to pass the CA's policy: C, ST and O must equal the CA's values, and CN must be given. The challenge password is not used by openssl ca and can be left empty.

3.2 Transfer the request file to the CA (between two different hosts, scp works). The request contains only the public key and the subject, so it needs no special protection; the private key stays on the requesting host and is never sent.

3.3 The CA signs the certificate

  [root@CentOS7 CA]# openssl ca -in /data/test.csr -out certs/test.crt -days 100
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 1 (0x1)
          Validity
              Not Before: Nov 10 13:45:34 2019 GMT
              Not After : Feb 18 13:45:34 2020 GMT
          Subject:
              countryName               = CN
              stateOrProvinceName       = beijing
              organizationName          = abc
              organizationalUnitName    = IT
              commonName                = hechunping
              emailAddress              = root@abc.com
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  4C:AE:F0:13:F0:CD:8F:B5:F7:3F:1B:C8:E4:77:91:02:9E:88:6B:5A
              X509v3 Authority Key Identifier:
                  keyid:E3:C1:5E:6D:94:5E:F2:AE:16:67:79:2C:69:B5:B9:10:D9:E0:51:BE
  Certificate is to be certified until Feb 18 13:45:34 2020 GMT (100 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

Note: with the default policy, countryName, stateOrProvinceName and organizationName must be identical to the CA's; a request whose values differ is rejected. The Locality entered at the prompt is missing from the issued subject because the policy does not list it. Also note that this certificate carries no subjectAltName extension: browsers and most modern TLS clients ignore the commonName when matching a hostname, so a certificate meant for a web server needs a subjectAltName added through the extension section that openssl ca is configured to use.

3.4 View the certificate

  [root@CentOS7 CA]# openssl x509 -in certs/test.crt -noout -text

Replace -text with -issuer, -subject, -serial or -dates to print only that field.

3.5 View the status of the certificate with a given serial number

  [root@CentOS7 CA]# openssl ca -status 01
  Using configuration from /etc/pki/tls/openssl.cnf
  01=Valid (V)

4. Revoking a certificate

4.1 Get the serial number and subject of the certificate to be revoked

  [root@CentOS7 CA]# openssl x509 -in certs/test.crt -noout -serial -subject
  serial=01
  subject= /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/emailAddress=root@abc.com

4.2 On the CA, check that the serial number and subject submitted by the client match the entry in index.txt

  [root@CentOS7 CA]# cat index.txt
  V    200218134534Z        01    unknown    /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/emailAddress=root@abc.com

The columns are tab-separated: status (V valid, R revoked, E expired), expiry time, revocation time (empty until revoked), serial number, certificate file name, subject. Only revoke when both the serial and the subject match a V entry; otherwise a mistaken or malicious revocation request can take someone else's certificate out of service.

4.3 Revoke the certificate

  [root@CentOS7 CA]# openssl ca -revoke newcerts/01.pem
  Using configuration from /etc/pki/tls/openssl.cnf
  Revoking Certificate 01.
  Data Base Updated

newcerts/01.pem is the CA's own copy of the certificate with serial 01; certs/test.crt is the same certificate.

4.4 Specify the number of the first CRL. This file must exist before the revocation list is generated for the first time.

  [root@CentOS7 CA]# echo 01 > crlnumber

4.5 Generate (or update) the certificate revocation list

  [root@CentOS7 CA]# openssl ca -gencrl -out crl.pem
  Using configuration from /etc/pki/tls/openssl.cnf

The CRL has to be regenerated after every revocation and distributed to the relying parties; a revocation that exists only in index.txt is invisible to clients.

4.6 View the CRL file

  [root@CentOS7 CA]# openssl crl -in crl.pem -noout -text

Export the issued certificate and view it on Windows
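The whole procedure above, from creating the CA to revoking a certificate and publishing the CRL, run non-interactively. This is an added example and not code from the original article: it writes its own openssl.cnf into a scratch directory instead of using /etc/pki/tls/openssl.cnf, so nothing under /etc/pki/CA is touched; the directory layout, the function names, the DN values and the hostname www.abc.com are assumptions. It goes beyond the article in two ways: the issued certificate gets a subjectAltName, and the step 4.2 check against index.txt is implemented with awk so the V/R status of a serial can be read before and after revocation.

```shell
#!/bin/sh
# Added example, not code from the original article: the CA workflow run
# non-interactively in a scratch directory with its own openssl.cnf. Assumed:
# the directory layout, the DN values and the hostname passed to issue_cert.
set -e
# Leaf certs take their subjectAltName from SAN_DNS; the default keeps the config
# loadable for commands that issue nothing (req, -revoke, -gencrl).
: "${SAN_DNS:=localhost}"; export SAN_DNS

# policy_match mirrors the stock policy: C, ST and O must equal the CA's values,
# OU and email are optional, CN must be supplied.
write_ca_config() {   # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_match
x509_extensions  = leaf_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ leaf_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:\${ENV::SAN_DNS}
EOF
}

setup_ca() {   # $1 = CA directory: the files the article creates by hand, then the CA key and cert
    mkdir -p "$1/certs" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
    write_ca_config "$1"
    touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$1/openssl.cnf" -new -x509 -days 3650 -key "$1/private/cakey.pem" \
        -out "$1/cacert.pem" -subj "/C=CN/ST=beijing/O=abc/OU=IT/CN=abc Root CA"
}

issue_cert() {   # $1 = CA directory, $2 = hostname (CN and SAN); C, ST, O must copy the CA's
    (umask 077; openssl genrsa -out "$1/certs/$2.key" 2048 2>/dev/null)
    openssl req -config "$1/openssl.cnf" -new -key "$1/certs/$2.key" -out "$1/certs/$2.csr" \
        -subj "/C=CN/ST=beijing/O=abc/OU=IT/CN=$2"
    SAN_DNS="$2" openssl ca -config "$1/openssl.cnf" -batch -notext -days 100 \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.crt"
}

verify_cert() {   # exit 0 if the leaf chains to the CA and, once crl.pem exists, is not revoked
    if [ -f "$1/crl.pem" ]; then
        cat "$1/cacert.pem" "$1/crl.pem" > "$1/ca-and-crl.pem"
        openssl verify -crl_check -CAfile "$1/ca-and-crl.pem" "$1/certs/$2.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null 2>&1
    fi
}

revoke_cert() {   # $1 = CA directory, $2 = hostname: mark revoked, then publish a fresh CRL
    openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

# index.txt is tab-separated: status (V/R/E), expiry, revocation time (empty
# until revoked), serial, file name, subject. Prints the status of one serial.
index_status() {   # $1 = index.txt, $2 = serial as stored (e.g. 01)
    awk -F'\t' -v s="$2" '$4 == s { print $1; found = 1 } END { exit !found }' "$1"
}

# Step 4.2: revoke only if the reported serial/subject pair matches a still-valid
# row; subject in index.txt's /C=.. form (openssl x509 -subject -nameopt compat).
index_check() {   # $1 = index.txt, $2 = serial, $3 = subject
    awk -F'\t' -v s="$2" -v subj="$3" '$1 == "V" && $4 == s && $6 == subj { ok = 1 } END { exit !ok }' "$1"
}

# Usage: sh ca-demo.sh run /tmp/demo-ca
case "${1:-}" in
run) dir="${2:-$(mktemp -d)}"; setup_ca "$dir"; issue_cert "$dir" www.abc.com
     echo "serial 01 after issue:  $(index_status "$dir/index.txt" 01)"
     verify_cert "$dir" www.abc.com && echo "verify before revocation: ok"
     revoke_cert "$dir" www.abc.com
     echo "serial 01 after revoke: $(index_status "$dir/index.txt" 01)"
     verify_cert "$dir" www.abc.com || echo "verify against CRL: rejected as revoked" ;;
esac
```

Running it with "run" and a directory prints V for serial 01 after issuance, a successful verification, then R and a failed verification once the CRL exists, which is the observable difference between "revoked in index.txt" and "revoked as far as a client can tell". The -crl_check verification works by feeding openssl verify a file that holds both the CA certificate and the CRL; a client that never fetches crl.pem keeps accepting the certificate until it expires.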

1. On Windows, press Win+R and run certmgr.msc (this opens the current user's certificate store; certlm.msc opens the machine store).

2. Open Trusted Root Certification Authorities, right-click, choose All Tasks > Import, and follow the wizard to select the file copied over from Linux. The file to put in this store is the CA certificate (cacert.pem), because that is what makes every certificate issued by the CA trusted; the server certificate itself belongs on the server, or under Personal if it is a client certificate, never in the root store. Windows reads both DER and PEM (base64) encoded files; giving the file a .crt extension lets the wizard's file picker show it.

3. Open the imported certificate to view its details.
