https operation process:
- The client generates a random number random-client and sends it to the server (Say Hello)
- The server generates a random number random-server, and returns it to the client together with the public key (I got it)
- The things received by the client are intact, plus the premaster secret (something generated by random-client and random-server through a certain algorithm), and send it to the server again. This time, the transmitted things will be encrypted with the public key
- The server first decrypts with the private key and obtains the premaster secret. At this time, both the client and the server have three elements: random-client, random-server and premaster secret
- At this point, the secure channel has been established, and future exchanges will check the session key calculated by the algorithm from the three elements above.
.key format: private key
.csr format: certificate signing request (certificate request file), containing public key information, abbreviation of certificate signing
request.crt format: certificate file, abbreviation of certificate.crl
format: certificate revocation list, Certificate Abbreviation of Revocation
List.pem format: the format of the certificate when exporting and importing the certificate, with the format at the beginning and end of the certificate
ca root certificate:
Generate CA private key (.key) --> generate CA certificate request (.csr) --> self-sign to get root certificate (.crt) (the certificate issued by CA to itself).
- # Generate CA private key
- openssl genrsa -out ca.key 2048
- # Generate CSR
- openssl req -new -key ca.key -out ca.csr
- # Generate Self Signed certificate (CA root certificate)
- openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
User certificate generation steps: Generate private key (.key) --> Generate certificate request (.csr) --> Sign with CA root certificate to get certificate (.crt)
Server-side user certificate:
- # private key
- $openssl genrsa -des3 -out server.key 1024
- # generate csr
- $openssl req -new -key server.key -out server.csr
- # generate certificate
- $openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Organization Name (eg, company) [Internet Widgits Pty Ltd]: ca, server, client can be written differently
Common Name (eg server FQDN or YOUR name) []: Fill in the domain name for generating the certificate
Client certificate:
- $openssl genrsa -des3 -out client.key 1024
- $openssl req -new -key client.key -out client.csr
- $openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Generating a certificate in pem format:
Sometimes a certificate in pem format is required, which can be generated by combining the certificate file (crt) and the private key file (key) in the following ways
$cat client.crt client.key> client.pem
$cat server.crt server.key > server.pem
result:
Server certificate: ca.crt, server.key, server.crt, server.pem
Client certificate: ca.crt, client.key, client.crt, client.pem
Notice:
An error may occur when executing $openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key:
Using configuration from /usr/share/ssl/openssl.cfg I am unable to access the ./demoCA/newcerts directory ./demoCA/newcerts: No such file or directory
Solution:
1)mkdir -p ./demoCA/newcerts
2)touch demoCA/index.txt
3)touch demoCA/serial
4)echo 01 > demoCA/serial
Reference: https://blog.csdn.net/moonhillcity/article/details/52768218
https://www.cnblogs.com/liyulong1982/p/6106129.html