CA and use OpenSSL to create a certificate request

Introduction to OpenSSL

OpenSSL encryption is a suite of tools to achieve the Secure Sockets Layer (SSL v2 / v3) and Transport Layer Security (TLS v1) network protocols and their associated encryption standard required.

openssl command-line tool for using the various cryptographic functions OpenSSL encryption library from the shell program. It can be used:

  • Create and manage private, public and parameters
  • Public-key cryptographic operations
  • Creating X.509 certificates, CSR and CRL
  • The message digest calculation
  • Use a password to encrypt and decrypt
  • SSL / TLS client and server tests
  • Deal with S MIME signed or encrypted messages /
  • Time stamp request, generate and verify

openssl configuration file and three strategies

配置文件
/etc/pki/tls/openssl.cnf

三种策略
match(匹配):要求申请填写的信息跟CA设置信息必须一致
optional(可选):可有可无,跟CA设置信息可不一致
supplied(提供):必须填写这项申请信息

CA and create private application, issue a certificate file (the following operations are performed on a single machine)

1. Create the required documents

[root@CentOS7 ~]# cd /etc/pki/CA/
[root@CentOS7 CA]# touch index.txt  生成证书索引数据库文件
[root@CentOS7 CA]# echo 01 > serial 指定第一个颁发证书的序列号

2.CA self-signed certificate

2.1 generates a secret key
[root@CentOS7 CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................................+++
.+++
e is 65537 (0x10001)
2.2 generates a self-signed certificate
[root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT  
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:[email protected]

选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

3. certificates

3.1 the host generates a certificate using the certificate request requires (in the present machine this experiment)
3.1.1 generated private key
[root@CentOS7 CA]# (umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
...............................+++
e is 65537 (0x10001)
3.1.2 generated certificate request file
[root@CentOS7 CA]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hechunping
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.2 File Transfer the certificate request to CA (two different hosts can use scp command to transfer)

3.3CA signed certificate, and a certificate issued to the requestor
[root@CentOS7 CA]# openssl ca -in /data/test.csr -out certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 10 13:45:34 2019 GMT
            Not After : Feb 18 13:45:34 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = abc
            organizationalUnitName    = IT
            commonName                = hechunping
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4C:AE:F0:13:F0:CD:8F:B5:F7:3F:1B:C8:E4:77:91:02:9E:88:6B:5A
            X509v3 Authority Key Identifier: 
                keyid:E3:C1:5E:6D:94:5E:F2:AE:16:67:79:2C:69:B5:B9:10:D9:E0:51:BE

Certificate is to be certified until Feb 18 13:45:34 2020 GMT (100 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

注意:默认要求 countryName(国家),stateOrProvinceName(省),organizationName(公司)三项必须和CA一致

3.4 View information in the certificate

[root@CentOS7 CA]# openssl x509 -in certs/test.crt -noout -text|issuer|subject|serial|dates

3.5 check the specified number of certificate status

[root@CentOS7 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

4. revoked certificates

serial 4.1 to obtain the revocation of the client certificate
[root@CentOS7 CA]# openssl x509 -in certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/[email protected]
4.2 on CA, according to serial and subject information presented by the customer, the collation is consistent with the information in the file index.txt
[root@CentOS7 CA]# cat index.txt
V   200218134534Z       01  unknown /C=CN/ST=beijing/O=abc/OU=IT/CN=hechunping/[email protected]
4.2.1 revoke certificates
[root@CentOS7 CA]# openssl ca -revoke newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

4.2 Specify the first revoked certificate serial number, note: first update only needs to be performed before the certificate revocation list.

[root@CentOS7 CA]# echo 01 > crlnumber

4.3 updates certificate revocation lists

[root@CentOS7 CA]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

4.4 View crl file

[root@CentOS7 CA]# openssl crl -in crl.pem -noout -text

The certificate request is exported to the windows down view

1. On the windows press "win + R" key, and then run "certmgr.msc" command.
2. Find the certificate "Trusted Root Certification Authorities" right-click "All Tasks" ---> "Import", then follow the wizard to select the application down in Linux.
3. Review the certificate information
CA and use OpenSSL to create a certificate request

Guess you like

Origin blog.51cto.com/hexiaoshuai/2449310