Read catalog
- One: What is the openssl its role is?? What application scenarios are?
- Two: Use openssl to generate free certificate
One: What is the openssl its role is?? What application scenarios are?
That Baidu Encyclopedia says: openssl is an open source software library package, applications can use this package to secure communication, it can avoid information theft hear.
SSL is an abbreviation of Secure Sockets Layer (Secure Sockets Layer) may be provided secrecy transmission over the Internet. Netscape (Netscape) company launched the first in a Web browser at the same time, the proposed standard SSL protocol. The goal is to ensure that the application between the two communication security and reliability, can be achieved simultaneously supports both the server and the client.
Because during network transmission, data network will certainly have to go through wifi router right, then we do something that we can get through the router data, so the role of openssl is to avoid information theft hear.
So openssl is how to ensure that information is not stolen hear it? So we need to understand some basic concepts of asymmetric cryptography, digital signatures, digital certificates and the like.
1.1 What is asymmetric encryption?
Asymmetric encryption is used to encrypt the data key, then we can use a different key to decrypt the data. Both public and private keys is.
We can calculate a public key based on a private key, but we are not calculated according to the private key public key. There is a general private master server, the public key is used by the client.
Note: asymmetric encryption algorithm specific research we do here.
1.2 What is a digital signature?
According to Baidu Encyclopedia, said: digital signature (digital signature and public key can be called) is an ordinary physical signatures on paper of a similar, but uses a public key encryption technology in the field of implementation, which is a method for identification of digital information . There are two complementary digital signature operations, one for signing and another for verifying.
Role: it will use certain message HASH algorithm to calculate a fixed median summary information, and then use the private key to encrypt the digest, then the message will be just sent to the recipient together, the recipient will be by the public Abstract solution out. Also calculated by hash message digest algorithm, if the two digests consistency that the data has not been tampered with, indicating that the data is complete.
1.3 What is a digital certificate?
According to Baidu Encyclopedia says: Digital certificates are Internet communications in the communication parties sign a bunch of digital identity information. It provides a way to verify the identity of the entity communicating on the Internet.
It is a way to kind of identity issued by the CA website. It contains a public key of the site, the effective time, the site address, and the CA's digital signature.
Role: it is using the CA's private key and public key information sites were signed when the client requests the server side, the site will certificate to the client, the client's digital signature verification through CA's CA identity, to prove the true integrity of the certificate.
Learned above asymmetric encryption, digital signature, digital certificate after the concept, let's look at how it is to ensure that the data has not been forged:
SSL for authentication of users and servers
Now let's think of a problem, if we visit our blog site garden, we know how to access the blog is true or false Park Garden blog it? In order to determine our blog park site server has not been falsified, there is such a rule in SSL: If we make a request to the server, the server must return it to the recipient's digital certificate, when we get a digital certificate, we can ca digital signature inside, to examine the legality of digital certificates. If we are now able to prove that the digital certificate is a garden blog, but does not mean that we sent to the server certificate is blog park it? To solve this problem, in fact, we get the certificate with a public key which will blog Park, after the communication, the client uses the public key to encrypt data to the blog server garden, garden blog server must use only the private key which can be solved data. As long as he was able to extract the data out, that he is legitimate, otherwise, it was forged. If it is fake, then you can not communicate. Therefore SSL server authentication to solve the problem.
Encrypted data in the communication process how to prevent data from being stolen it?
Time (before the request to get the certificate) The client sends a request to the server for the first time, it will put in a request inside a random number (for example, called A), the response of the server's certificate of return will also take a random number (for example, called B), get the client certificate, public key encryption uses a random number (such as call C) sent to the server, the client, the server will have three random numbers: a, B, C. These parties use the same random number and an algorithm to generate a key, all subsequent communication uses the key for the symmetric.
In general, these three key can not be leaked simultaneously, because it is composed of three random number generated randomly. And wherein a random number using a public key encryption. So in this way it is to ensure that data is not being stolen.
Some conceptual issues above are in line to see, simple to understand enough to know that such a concept on the line, and we are implementing SSL openssl version. Therefore, the role of openssl to prevent information from being stolen, it is through knowledge of the above points do.
openssl application scenarios:
In use http website, we often see the site of what will be some ads, these ads are not actually put up their own websites, but in the middle of the middle of the operators due to tampering with the contents. Now we can use https technology (based on openssl) to encrypt data. It can ensure that data is not tampered with.
Two: Use openssl to generate free certificate
Using a tool to generate an RSA private key openssl
Use the command:
openssl genrsa -des3 -out server.key 2048
Above: des3 is an algorithm, the intensity of 2048 (for privacy). server.key -out is the meaning of the key file name is: refers to the path and name of the generated files.
As follows:
We view the private key just generated. Use the following command:
openssl rsa -text -in server.key
As shown below:
See server.key continue using the command: cat server.key, as shown below:
2. Create a certificate signing request CSR file
Use the following command:
openssl req -new -key server.key -out server.csr
-key meaning is: ca designated private
-out meaning is: server.csr generate the certificate file
As follows:
Run command as above, you will be asked to fill in the following information generated CSR:
Country Name (2 letter code) []:CN // 输入国家代码,中国填写 CN State or Province Name (full name) []:HangZhou // 输入省份,这里填写 HangZhou Locality Name (eg, city) []:HangZhou // 输入城市,我们这里也填写 HangZhou Organization Name (eg, company) []:tbj // 输入组织机构(或公司名,我这里随便写个tbj) Organizational Unit Name (eg, section) []:tbj // 输入机构部门 Common Name (eg, fully qualified host name) []:*.abc.com // 输入域名,我这边是 (*.abc.com) Email Address []:[email protected] // 你的邮箱地址 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 // 你的证书密码,如果不想设置密码,可以直接回车
如上操作后,会在当前目录下生成以下两个文件:
server.key server.csr
如下图所示:
查看csr文件如下命令:
openssl req -text -in server.csr -noout
如下图所示:
3. 生成CA证书
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
x509的含义: 指定格式
-in的含义: 指定请求文件
-signkey的含义: 自签名
如下图所示:
注意:如上server.crt 是证书持有人的信息,持有人的公钥,以及签署者的签名等信息。
4. 生成客户端证书
生成客户端证书与生成CA证书相似。
4.1. 先要生成私钥
使用命令:
openssl genrsa -out client.key 2048
如下图所示:
4.2 生成请求文件
使用命令:
openssl req -new -key client.key -out client.csr
如下图所示:
4.3 发给ca签名
使用命令:
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt
如下图所示:
