Build your own CA for a private network

Notes from learning how CA certificates work, written down as a running log for future reference.
The domain name used here (linzopi.vpn) is internal; you can build the same setup on your own network and use the same name.

Note: when filling in the certificate subjects for the three terminals, the country, province, city and organization name must be identical on all of them (the CA policy used below is policy_match, and the policy_match section shipped in openssl.cnf requires the C, ST and O fields of a request to match the CA's own certificate). Only the Common Name differs; on the web server it must be the server's domain name.

Terminal table

Terminal            IP address      Role
Root CA             10.35.176.1     The trust anchor of the network; every other certificate ultimately chains to it.
Sub-CA              10.35.176.8     Obtains an intermediate CA certificate from the root CA; its main job is to issue the SSL certificate for the data (web) server. This terminal can be omitted.
Web server          10.35.176.6     (domain name: linzopi.vpn) Receives a server certificate from the sub-CA and uses it to secure the TLS connection to the end-user terminal.
End-user terminal   10.35.176.5     The final recipient of the data; it checks the server certificate against the installed CA certificates to make sure the data really comes from the data server.

Root CA Configuration

Create a directory structure

mkdir /etc/pki
mkdir /etc/pki/tls
mkdir /etc/pki/CA
mkdir /etc/pki/CA/private
mkdir /etc/pki/CA/newcerts
chmod 700 /etc/pki/CA/private      # the CA private key lives here; keep it readable by root only
touch /etc/pki/CA/index.txt        # create the (empty) index database of issued certificates
echo 01 > /etc/pki/CA/serial       # serial number of the first certificate to be issued

Edit the configuration file

vim /usr/lib/ssl/openssl.cnf

(That is the Debian/Ubuntu location; on RHEL-style systems the file is /etc/pki/tls/openssl.cnf.) It contains a [ CA_default ] section; set its contents as follows:

[ CA_default ]
dir             = /etc/pki/CA           # the CA's working directory
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where certificate revocation lists are kept
database        = $dir/index.txt        # index database of issued certificates
new_certs_dir   = $dir/newcerts         # default location for newly issued certificates
certificate     = $dir/cacert.pem       # this CA's own certificate; on the root CA it is self-signed
serial          = $dir/serial           # serial number of the next certificate
crlnumber       = $dir/crlnumber        # number of the next CRL
crl             = $dir/crl.pem          # the current CRL
private_key     = $dir/private/cakey.pem # the CA's private key
RANDFILE        = $dir/private/.rand    # random-number seed file
x509_extensions = usr_cert              # extensions added to issued certs when -extensions is not given
name_opt        = ca_default            # subject name display options
cert_opt        = ca_default            # certificate display options
default_days    = 365                   # default validity of issued certificates
default_crl_days= 30                    # validity of a CRL
default_md      = sha256                # digest used for signing (it is not an encryption algorithm)
preserve        = no                    # keep passed DN ordering
policy          = policy_match          # the policy_match section decides which subject fields must match the CA's

Further down there is a [ usr_cert ] section; set it as follows so that a certificate signed by this CA is allowed to act as a sub-CA:

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

basicConstraints=CA:true,pathlen:3

Caveat: usr_cert is the default extension section for every `openssl ca` run that does not pass -extensions, so with this setting any certificate you sign without -extensions becomes a CA that can issue certificates for any name. The web server certificate below is signed with -extensions v3_req, whose shipped definition sets basicConstraints = CA:FALSE, so keep that flag; better still, put CA:true in a dedicated section and select it with -extensions only when signing the sub-CA.

Generate the root CA key

# This root key must stay on this machine and must never leak.
# Arguments: the output path (must match the config file above) and the key size in bits.
# 8192 bits is slow to generate and slow in every signature check; 4096 is the usual choice for a root.
# Add -aes256 to encrypt the key with a passphrase if the root machine is not physically protected.
openssl genrsa -out /etc/pki/CA/private/cakey.pem 8192

Generate the root CA certificate

The root CA is self-signed: it sits at the top of the hierarchy and nobody can vouch for it, so it can only issue itself a self-signed certificate.

This certificate is the one that gets installed on the end-user terminals; once a terminal trusts the root, it also trusts the sub-CA and server certificates that chain to it.

The country, province and organization given here must match what the config file's policy expects from later requests.

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -subj /C=CN/ST=GD/O=LINZ/CN=RootCA
#  -new: generate a new certificate signing request
#  -x509: output a self-signed certificate instead of a request (used for the CA itself)
#  -key: private key used to create the request
#  -days n: validity period of the certificate
#  -out /PATH/TO/SOMECERTFILE: where to save the certificate

Once the certificate has been generated, you can inspect it with:

openssl x509 -noout -text -in /etc/pki/CA/cacert.pem

Export to Windows format

Linux tools write certificates as PEM (Base64 text) while Windows expects DER (binary) for a double-click install, so the certificate has to be converted. Copy the resulting .crt file to the Windows device by whatever means you like and double-click it to install.
For the specific differences between the formats, see this.
Windows 10 appears to accept the PEM format as well; just change the file extension before installing.
On Windows, install the root certificate into the "Trusted Root Certification Authorities" store.

openssl x509 -outform der -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/cacert.crt

Sub CA Configuration

Create a directory structure

mkdir /etc/pki
mkdir /etc/pki/tls
mkdir /etc/pki/tls/private
mkdir /etc/pki/CA
mkdir /etc/pki/CA/private
mkdir /etc/pki/CA/newcerts
chmod 700 /etc/pki/CA/private      # the sub-CA private key lives here
touch /etc/pki/CA/index.txt        # create the (empty) index database of issued certificates
echo 01 > /etc/pki/CA/serial       # serial number of the first certificate to be issued
echo "unique_subject = no">/etc/pki/CA/index.txt.attr # allow several certificates with the same subject (e.g. renewals)

Edit the configuration file

vim /usr/lib/ssl/openssl.cnf

It contains a [ CA_default ] section; set its contents as follows (the same as on the root CA):

[ CA_default ]
dir             = /etc/pki/CA           # the CA's working directory
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where certificate revocation lists are kept
database        = $dir/index.txt        # index database of issued certificates
new_certs_dir   = $dir/newcerts         # default location for newly issued certificates
certificate     = $dir/cacert.pem       # this CA's own certificate; on the sub-CA it is the one issued by the root
serial          = $dir/serial           # serial number of the next certificate
crlnumber       = $dir/crlnumber        # number of the next CRL
crl             = $dir/crl.pem          # the current CRL
private_key     = $dir/private/cakey.pem # the CA's private key
RANDFILE        = $dir/private/.rand    # random-number seed file
x509_extensions = usr_cert              # extensions added to issued certs when -extensions is not given
name_opt        = ca_default            # subject name display options
cert_opt        = ca_default            # certificate display options
default_days    = 365                   # default validity of issued certificates
default_crl_days= 30                    # validity of a CRL
default_md      = sha256                # digest used for signing (it is not an encryption algorithm)
preserve        = no                    # keep passed DN ordering
policy          = policy_match          # the policy_match section decides which subject fields must match the CA's

Google Chrome requires the certificate to carry a "Subject Alternative Name" extension; without it Chrome will not accept the certificate for the domain (it ignores the Common Name).

Find the [ req ] section and add at its bottom:

req_extensions = v3_req

Find the [ v3_req ] section and add:

subjectAltName = @alt_names

Then add a new section:

[alt_names]
DNS.1 = linzopi.vpn      # the web server's domain name; change it to the applicant's domain

Note that `openssl ca` does not copy extensions out of a CSR unless copy_extensions is set; the SAN that ends up in the issued certificate comes from this v3_req section of the sub-CA's own config, selected with -extensions v3_req at signing time below. That is why the edit is made on the sub-CA, and why DNS.1 must be changed before signing a certificate for a different host.

Sub-CA private key and certificate request

# generate the sub-CA's private key
openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
# generate the certificate signing request (C, ST and O must match the root CA's)
openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/subca1.csr -subj /C=CN/ST=GD/O=LINZ/CN=SubCA1

Obtaining the sub-CA certificate

After running the commands above, copy subca1.csr to the root CA, into its /etc/pki/CA/newcerts directory.

Run the following on the root CA terminal:

openssl ca -in /etc/pki/CA/newcerts/subca1.csr -cert /etc/pki/CA/cacert.pem  -keyfile /etc/pki/CA/private/cakey.pem  -out /etc/pki/CA/newcerts/cacert.pem -days 3650

If all went well, a new cacert.pem appears in the newcerts directory (`openssl ca` also keeps a copy named after the serial number, e.g. 01.pem, and appends an entry to index.txt). Do not confuse it with the root's own /etc/pki/CA/cacert.pem. Copy the new file to the sub-CA as /etc/pki/CA/cacert.pem. Because no -extensions was given, it was issued with the usr_cert section, i.e. with CA:true. On Windows, install it into the "Intermediate Certification Authorities" store.

Web server

Generate the key and certificate request

Note that the Common Name here must be the domain name, otherwise the browser will flag the site as unsafe! (The SAN configured on the sub-CA above is what Chrome actually checks; the CN is still expected to match it.)

mkdir ~/cert/
vim /usr/lib/ssl/openssl.cnf
# generate the server's private key
openssl genrsa -out ~/cert/linzopi.key 2048
# generate the CSR; the CN is the server's domain name
openssl req -new -key ~/cert/linzopi.key -out ~/cert/linzopi.csr -subj /C=CN/ST=GD/O=LINZ/CN=linzopi.vpn

Copy the CSR to the sub-CA's /etc/pki/CA/newcerts directory.

On the sub-CA:

openssl ca -in /etc/pki/CA/newcerts/linzopi.csr -out /etc/pki/CA/newcerts/linzopi.crt -days 365  -extensions v3_req

This produces linzopi.crt (despite the .crt extension it is in PEM format; add -outform der if you need DER). Copy it back to the web server's ~/cert/ directory. Clients that have only the root certificate installed also need the sub-CA certificate in order to build the chain, so the file nginx serves should contain linzopi.crt followed by the sub-CA's cacert.pem.
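The whole procedure (root CA, sub-CA, web server certificate) as one added example that is not part of the original post: it runs entirely in a scratch directory passed as an argument rather than under /etc/pki, drives `openssl ca` with a separate database per issuing CA, and replaces the single usr_cert section with one extension section per certificate type (CA:TRUE for the root, CA:TRUE with pathlen:0 for the sub-CA, CA:FALSE plus the SAN for the server) so that nothing becomes a CA by accident. The subject fields and the domain linzopi.vpn are the post's; the file names, section names, validity periods and 2048-bit keys are this example's own choices. verify_chain then performs the checks a browser that trusts only the root would perform.

```shell
#!/bin/sh
# Added example, not the original post's commands: builds the same three-tier
# chain (root CA -> sub-CA -> web server) with `openssl ca`, but gives each
# certificate type its own extension section instead of one usr_cert block
# with CA:true, then verifies the chain offline.
# Assumed: openssl 1.1.1+ on PATH; everything is written under the directory
# given as $1 (scratch paths chosen here, not the post's /etc/pki layout).

build_chain() {
  d=$1
  mkdir -p "$d/rootdb/newcerts" "$d/subdb/newcerts" || return 1
  for db in rootdb subdb; do               # one index/serial per issuing CA
    : > "$d/$db/index.txt" && echo 01 > "$d/$db/serial" || return 1
  done
  cat > "$d/ca.cnf" <<'EOF' || return 1
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ENV::CA_DIR     # which CA's database to use
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = none             # never take extensions from a CSR blindly
# No x509_extensions default: every `openssl ca` run must name a section.
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:linzopi.vpn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  dn=/C=CN/ST=GD/O=LINZ            # C/ST/O identical everywhere: policy_match enforces it
  CA_DIR=$d/rootdb; export CA_DIR
  # Root: self-signed, signs only the sub-CA.
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null &&
  openssl req -new -x509 -config "$d/ca.cnf" -extensions v3_root -days 3650 \
      -key "$d/root.key" -subj "$dn/CN=RootCA" -out "$d/root.pem" &&
  # Sub-CA: CSR signed by the root with the CA section, pathlen:0.
  openssl genrsa -out "$d/sub.key" 2048 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -key "$d/sub.key" \
      -subj "$dn/CN=SubCA1" -out "$d/sub.csr" &&
  openssl ca -batch -config "$d/ca.cnf" -cert "$d/root.pem" -keyfile "$d/root.key" \
      -extensions v3_sub_ca -days 1825 -notext -in "$d/sub.csr" -out "$d/sub.pem" || return 1
  CA_DIR=$d/subdb
  # Server: CSR signed by the sub-CA with the end-entity section (CA:FALSE + SAN).
  openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -key "$d/leaf.key" \
      -subj "$dn/CN=linzopi.vpn" -out "$d/leaf.csr" &&
  openssl ca -batch -config "$d/ca.cnf" -cert "$d/sub.pem" -keyfile "$d/sub.key" \
      -extensions v3_server -days 365 -notext -in "$d/leaf.csr" -out "$d/leaf.pem" || return 1
  # What the web server should present: leaf first, then the intermediate.
  cat "$d/leaf.pem" "$d/sub.pem" > "$d/fullchain.pem"
}

# Returns 0 when the leaf chains to the root through the sub-CA, is valid for
# the hostname, is not itself a CA, and the sub-CA cannot issue further CAs.
verify_chain() {
  d=$1
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/sub.pem" \
      -verify_hostname linzopi.vpn "$d/leaf.pem" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$d/leaf.pem" | grep -q 'CA:FALSE' || return 1
  openssl x509 -noout -text -in "$d/sub.pem" | grep -q 'CA:TRUE, pathlen:0'
}
```

Run it as `build_chain /tmp/pki && verify_chain /tmp/pki && echo chain ok`. fullchain.pem (leaf followed by the sub-CA certificate) is the file to point nginx's ssl_certificate at; root.pem is what goes into the "Trusted Root Certification Authorities" store. Because copy_extensions stays at none, the SAN is fixed in v3_server and has to be changed per host; switching to copy_extensions = copy is only safe if every CSR is reviewed, since a requester can put any extension into a CSR.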

Nginx configuration

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    server {
        listen 443 ssl;                 # "ssl on;" is deprecated; enable TLS on the listen directive instead
        server_name linzopi.vpn;
        # Server certificate, with the sub-CA certificate appended after it,
        # so that clients that only trust the root can build the chain.
        ssl_certificate /root/cert/linzopi.crt;
        ssl_certificate_key  /root/cert/linzopi.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1 and TLSv1.1 are deprecated and rejected by current browsers
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html;
        }
    }
}

End-user terminal


Source: www.cnblogs.com/DragonStart/p/12235278.html