Shulou(Shulou.com)06/02 Report--

Introduction to OpenSSL

OpenSSL is a suite of cryptographic tools that implements Secure Sockets Layer (SSL v2 / v3) and Transport Layer Security (TLS v1) network protocols and the associated cryptographic standards they require.

The openssl command-line tool is used to use the various cryptographic features of the OpenSSL cryptographic library from a shell program. It can be used for:

Create and manage private keys, public keys, and parametersPublic key encryption operationsCreate X.509 certificates, CSR, and CRL messageDigest calculationEncrypt and decrypt using cipherSSL/ TLS client and server testingProcess S / MIME signatureor encrypted mail timestamp requestsGenerate and validate openssl profiles and three policy profiles/etc/pki/tls/openssl. cnfThree policy matchsRequired information filled in the application must be consistent with CA settingOptional: Optional, inconsistent with CA setting information supplied: This application information must be filled out to create a private CA Certificate issuing document (The following operations are performed on one machine) 1. Create the required file [root@CentOS7 ~]# cd /etc/pki/CA/[root@CentOS7 CA]# touch index.txt Generate certificate index database file [root@CentOS7 CA]# echo 01 > serial Specify the serial number of the first certificate issued 2.CA Self-issued certificate 2.1 Generate private key [root@CentOS7 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus...................................................................................+++.+++ e is 65537 (0x10001)2.2 Generate self-signed certificate [root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '. ', the field will be left blank.----- Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:beijingLocality Name (eg, city) [Default City]:beijingOrganization Name (eg, company) [Default Company Ltd]:abcOrganizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:hechunpingEmail Address []: root@abc.com Options Description: -new: Generate new certificate signing request-x509: Dedicated to CA Generate self-visa-key: Private key file used when generating request-days n: Certificate validity period-out /PATH/TO/SOMECERTFILE: 3. Issuing certificates 3.1 Generate certificate requests on the host where certificates are required (this lab is on the local machine) 3.1.1 Generate private keys [root@CentOS7 CA]#(umask 066; openssl genrsa -out /data/test.key 2048)Generating RSA private key, 2048 bit long modulus..................................................+++...............................+++ e is 65537 (0x10001)3.1.2 Generate certificate application file [root@CentOS7 CA]# openssl req -new -key /data/test. key-out/data/test.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '. ', the field will be left blank.----- Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:beijingLocality Name (eg, city) [Default City]:beijingOrganization Name (eg, company) [Default Company Ltd]:abcOrganizational Unit Name (eg, section) []:ITCommon Name (eg, your name or your server's hostname) []:hechunpingEmail Address []:root@abc.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []: 3.2 Transfer of certificate request file to CA (Two different hosts can be transmitted using the scp command) 3.3CA signs certificates,# openssl ca -in /data/test.csr -out certs/test.crt -days 100Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Nov 10 13:45:34 2019 GMT Not After : Feb 18 13:45:34 2020 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = abc organizationalUnitName = IT commonName = hechunping emailAddress = root@abc.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 4C:AE:F0:13:F0:CD:8F:B5:F7:3F:1B:C8:E4:77:91:02:9E:88:6B:5A X509v3 Authority Key Identifier: keyid:E3:C1:5E:6D:94:5E:F2:AE:16:67:79:2C:69:B5:B9:10:D9:E0:51:BECertificate is to be certified until Feb 18 13:45:34 2020 GMT (100 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entrancesData Base Updated Note: Default requirements countryName, stateOrProvinceName, organizationName must be consistent with CA 3.4 View information in certificate [root@CentOS7 CA]# openssl x509 -in certs/test.crt -noout -text| issuer| subject| serial| dates3.5 View certificate status for specified number [root@CentOS7CA]# openssl ca -status 01Using configuration from /etc/pki/tls/openssl.cnf01=Valid (V)4. Revoke certificate 4.1 Get serial[root@CentOS7CA]# openssl x509 -in certs/test.crt -noout -serial -subjectserial=01subject= /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/emailAddress=root@ abc.com4.2 On CA, check whether the serial and subject information submitted by the customer is consistent with the information in the index.txt file [root@CentOS7 CA]# cat index.txtV 200218134534Z 01 unknown /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/emailAddress=root@abc.com4.2.1 Revoke certificates [root@CentOS7 CA]# openssl ca -revoke newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnfRevoking Certificate 01.Data Base Updated4.2 Specify the number of the first revoked certificate, note: this is required before updating the certificate revocation list for the first time. [root@CentOS7 CA]# echo 01 > crlnnumber4.3 Update certificate revocation list [root@CentOS7 CA]# openssl ca -gencrl -out crl.pemUsing configuration from /etc/pki/tls/openssl. cnf4.4 View crl file [root@CentOS7 CA]# openssl crl -in crl.pem -noout -text Export requested certificate to windows View

1. Press "win+R" on windows and run "certmgr.msc" command.

2. Find Trusted Root Certification Authorities, right-click All Tasks---> Import, and follow the wizard to select the certificate requested under Linux.

3. View certificate information

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.