OpenSSL certificate architecture
Certificate architecture underlies most of the Internet protocols we use. HTTPS, that is, HTTP over SSL, is a mechanism that adds data encryption and authentication to HTTP, and that authentication mechanism is tied to the use of OpenSSL.
Basic concepts:
OpenSSL has three components:
openssl: the multi-purpose command-line tool
libcrypto: the encryption and decryption library
libssl: the library that implements the SSL protocol
PKI (Public Key Infrastructure)
CA: the certificate authority server
The body that issues certificates and verifies that the data in them is correct, similar to the Public Security Bureau; it must be an authoritative organization. On the Internet, VeriSign is among the best-known certificate authorities (CAs).
The CA is the trusted foundation of the PKI and manages the entire lifecycle of public keys. Its roles include issuing certificates, specifying how long a certificate is valid, and publishing a certificate revocation list (CRL) so that certificates can be revoked when necessary. The CA is described in more detail later.
By default, our computers already hold certificates issued by a number of certification authorities.
RA: the Registration Authority
The Registration Authority (RA) provides the interface between the user and the CA. It obtains and authenticates the user's identity and submits the certificate request to the CA. Its main function is to collect user information and confirm the user's identity. "User" here means a customer who wants to request a digital certificate from the certification center (i.e. the CA); it can be an individual, a group or organization, or a government agency.
CRL: the Certificate Revocation List
After the RA revokes a certificate and confirms that it is no longer valid, the certificate is placed on the CRL;
Certificate repository
A repository file that keeps track of the certificates that are in a normal (valid) state
Inside a company, we sometimes need to secure our own internal servers, which requires building an internal CA server. Such a CA is effective only within the internal network; it carries no authority on the public network;
To build this internal CA server we use OpenSSL. For a professional-grade CA server, the more powerful OpenCA software is an option, but only OpenSSL is covered here;
Signing certificate requests: steps
Before configuring anything, first get to know the main configuration file [it can be left unmodified]
Signed certificate request and step
Before configuration, we first understand the main configuration file can not [amended]
vim /etc/pki/tls/openssl.cnf
[ ca ] // CA configuration section
default_ca = CA_default
certs // directory where signed certificates are stored
crl // where revoked certificates are stored
index.txt // index file: the database of basic certificate information is stored here
unique_subject = no // whether the certificate subject information must be unique
certificate // the CA server's own certificate
serial // certificate serial number
crlnumber // serial number for revoked certificates
private_key // path where the private key for the certificate is stored
default_days // certificate validity period
Steps for creating a private certificate
1. The applicant generates a request (filling in details such as country, state, company, department and real name). This information is stored by the certificate authority, and later certificate requests must supply information that matches what the server holds;
2. The RA verifies this information;
3. The CA signs the certificate;
4. The certificate is issued
A private CA server is set up as follows:
On the CA server, create the index and serial number files:
cd /etc/pki/CA/
touch index.txt   # certificate index information
echo 01 > serial  # certificate serial number information
Generate the root certificate file
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  # create the CA private key, readable only by its owner
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out cacert.pem  # generate the self-signed CA certificate
-new // generate a new certificate signing request
-x509 // used specifically to generate a self-signed CA certificate
-key // the private key file to use when generating the request
-days // the validity period of the certificate
-out /PATH/TO/SOMECERTFILE // the path where the certificate is saved
The one caveat here is the server host name entered in the certificate: it must be the same as the server's actual name;
Issuing a certificate for a client
a. Generate a certificate request on the host that will use the certificate
b. Transfer the request file to the CA
c. The CA signs the certificate and returns it to the requester
yum install httpd -y
mkdir /etc/httpd/ssl/
cd /etc/httpd/ssl/
(umask 077; openssl genrsa -out httpd.key 2048)
openssl req -new -key httpd.key -days 365 -out httpd.csr
Then transfer the generated certificate request to the CA server:
scp httpd.csr root@192.168.94.128:/tmp/
Finally, sign the certificate on the CA server:
cd /tmp/
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
The information is verified at this point; if any field that is required to match does not match, the certificate cannot be issued;
A .pem file is now generated under the directory /etc/pki/CA/newcerts/; it is the copy of the signed certificate that our CA server keeps;
Then transfer the certificate back to the client:
scp /tmp/httpd.crt root@192.168.94.129:/etc/httpd/ssl/
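At this point, the certificate information can be viewed on the client:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text  # or -subject / -serial in place of -text
Certificate revocation: operations and steps
If a certificate has expired, or has to be revoked early, what do we do?
1. The client first obtains the serial number of the certificate to be revoked;
openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -subject -serial
2. Using the serial and subject information submitted by the client, the CA server checks whether it matches the information in the index.txt file; if it matches, revocation can begin;
Compare against the information in index.txt:
cat /etc/pki/CA/index.txt
Revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
3. Generate the revocation number (this step is needed only the first time a certificate is revoked; skip it for later revocations);
echo 01 > /etc/pki/CA/crlnumber
4. Update the certificate revocation list (CRL);
openssl ca -gencrl -out thisca.crl
cat thisca.crl
View the CRL file:
openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
At this point, the certificate has been revoked;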
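The comparison in step 2 can be scripted rather than read off the `cat` output by eye. The following is an added example, not part of the original article: the function names and the sample index.txt rows are constructed for illustration. It assumes the subject is supplied in the slash-separated form stored in index.txt (on newer OpenSSL releases, print it with `-nameopt compat`).

```shell
#!/bin/sh
# Added example, not from the original article.
# index.txt columns (tab-separated): status (V/R/E), expiry date,
# revocation date, serial, file name, subject.

# write_sample_index FILE: constructed sample rows, not a real CA database.
write_sample_index() {
    printf 'V\t350101000000Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Example/CN=www.example.com\n' >"$1"
    printf 'R\t350101000000Z\t250601000000Z\t02\tunknown\t/C=CN/ST=Beijing/O=Example/CN=old.example.com\n' >>"$1"
}

# check_revocation_request INDEX SERIAL SUBJECT
# SERIAL and SUBJECT may keep the "serial=" / "subject=" prefixes printed by
# openssl x509. Prints a verdict word and returns 0 only for "ok".
check_revocation_request() {
    ser=$(printf '%s' "$2" | sed 's/^serial=//' | tr 'a-f' 'A-F')
    subj=$(printf '%s' "$3" | sed 's/^subject= *//')
    # Values travel through the environment so awk does not expand backslashes.
    verdict=$(SER="$ser" SUBJ="$subj" awk -F '\t' '
        # Appending "" forces string comparison, so serial 1 never matches 01.
        BEGIN { ser = ENVIRON["SER"] ""; subj = ENVIRON["SUBJ"] "" }
        $4 == ser {
            found = 1
            if ($6 != subj)     print "subject-mismatch"
            else if ($1 == "R") print "already-revoked"
            else if ($1 == "E") print "expired"
            else                print "ok"
            exit
        }
        END { if (!found) print "unknown-serial" }' "$1")
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Demo on the constructed rows; only a request that returns "ok" should be
# followed by "openssl ca -revoke".
demo_index=$(mktemp)
write_sample_index "$demo_index"
for s in 01 02 0A; do
    check_revocation_request "$demo_index" "serial=$s" \
        'subject=/C=CN/ST=Beijing/O=Example/CN=www.example.com' || true
done
rm -f "$demo_index"
```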
[The PKI certificate architecture will be explained further, with practical examples, when the HTTPS service is configured later.]