Experiments
OpenSSL is an open source cryptographic library for the Secure Sockets Layer. It includes key and certificate management functions and the SSL protocols, and it provides a wealth of applications for testing and other purposes.
OpenSSL consists of three parts: first, libcrypto, a general-purpose cryptographic library that implements many encryption algorithms; second, libssl, which implements the TLS/SSL protocols; third, openssl, a multi-purpose command-line tool that can encrypt and decrypt data and can even act as a CA, letting you create and revoke certificates.
II. EXPERIMENTAL ENVIRONMENT
CentOS 6.9 x86_64 (host applying for the certificate), CentOS 7.3 x86_64 (self-built CA host), VMware Workstation 12.
III. EXPERIMENTAL STEPS
1. Check whether OpenSSL is installed on the host of the self-built CA
[root@centos7 ~]# rpm -qa openssl # Check whether openssl is installed
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl # List the files in the openssl package; some of the directories below are used later
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl # Directory for certificate revocation lists
/etc/pki/CA/newcerts # Stores the certificates signed (issued) by the CA (certificate backup directory)
/etc/pki/CA/private # Stores the CA's private key
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(remaining output omitted)...
[root@centos7 ~]# yum install openssl -y # If openssl is not installed, install it with this command
2. Create the Private CA Server
a. Create the required files (only needed the first time the CA is used)
[root@centos7 ~]# touch /etc/pki/CA/index.txt # Create the certificate index database
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial # Set the serial number of the first certificate to be issued
b. The CA generates its private key
[root@centos7 ~]# cd /etc/pki/CA/ # Switch to this directory
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) # Generate the private key; umask 006 leaves it group-accessible (mode 660, see the listing below), umask 077 would restrict it to root
Generating RSA private key, 2048 bit long modulus
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem
c. The CA generates a self-signed certificate
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem # The CA generates its self-signed certificate
...(intermediate output omitted)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:miouqi@qq.com
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root 6 Nov 6 2016 certs
drwxr-xr-x. 2 root root 6 Nov 6 2016 crl
-rw-r--r--. 1 root root 0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root 6 Nov 6 2016 newcerts
drwx------. 2 root root 23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root 3 Jul 17 16:48 serial
3. Issuance of Certificates
a. Generate a private key for the web server on the host that needs the certificate
[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)
b. Generate a certificate request for the web server on the host that needs the certificate
[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # By default, the country must match the CA's
State or Province Name (full name) []:Beijing # By default, the state or province must match the CA's
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt # By default, the organization name must match the CA's
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:test@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
c. Transfer the certificate request file to the CA
[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
root@172.16.251.124's password:
test.csr 100% 1050 1.0KB/s 00:00
d. The CA signs the certificate and issues it to the requester
[root@centos7 ~]# openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 11:57:46 2017 GMT
Not After : Jul 17 11:57:46 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Hxt
organizationalUnitName = Ops
commonName = *.testweb.com
emailAddress = test@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
X509v3 Authority Key Identifier:
keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Certificate is to be certified until Jul 17 11:57:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
e. View the information in the certificate
[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Hxt, OU=Ops, CN=www.hengxia.top/emailAddress=miouqi@qq.com
Validity
Not Before: Jul 17 11:57:46 2017 GMT
Not After : Jul 17 11:57:46 2018 GMT
Subject: C=CN, ST=Beijing, O=Hxt, OU=Ops ,
CN=*.testweb.com/emailAddress=test@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
X509v3 Authority Key Identifier:
keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Signature Algorithm: sha256WithRSAEncryption
[root@centos7 ~]# openssl ca -status 01 # View the status of the certificate with the given serial number
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
f. The CA transmits the signed certificate to the applicant
[root@centos7 ~]# scp /etc/pki/CA/certs/test.crt 172.16.250.164:/tmp
The authenticity of host '172.16.250.164 (172.16.250.164)' can't be established.
RSA key fingerprint is 46:78:bc:dd:e2:7d:a8:b6:b7:f0:60:53:c4:72:30:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.250.164' (RSA) to the list of known hosts.
root@172.16.250.164's password:
test.crt 100% 4592 4.5KB/s 00:00
g. The CA deletes the applicant's certificate request file
[root@centos7 ~]# rm -f /tmp/test.csr
4. Revocation of Certificate
a. On the client, get the serial number of the certificate to be revoked
[root@centos6 ~]# openssl x509 -in /tmp/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Hxt/OU=Ops /CN=www.testweb.com/emailAddress=*.testweb.com
b. On the CA, check that the serial and subject information submitted by the client is consistent with the information in the index.txt file; if it is, revoke the certificate.
[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
c. The CA sets the number of the first certificate revocation list. Note: this only needs to be done once, before the revocation list is updated for the first time.
[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber
d. The CA updates the certificate revocation list
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text # View the crl file
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=www.hengxia.top/emailAddress=miouqi@qq.com
Last Update: Jul 17 12:23:07 2017 GMT
Next Update: Aug 16 12:23:07 2017 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Jul 17 12:21:16 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
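The consistency check from step 4b can be scripted before `openssl ca -revoke` is run. The following is an added example, not part of the original page; the function names and the sample index lines are constructed for illustration, and the six tab-separated fields are the layout `openssl ca` writes to index.txt.

```bash
# Added example, not from the original page. Constructed sample of
# /etc/pki/CA/index.txt; fields are tab-separated:
# status (V/R/E), expiry, revocation date, serial (hex), file name, subject.
sample_index() {
    printf 'V\t180717115746Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=*.testweb.com\n'
    printf 'R\t180717120000Z\t170717122116Z\t02\tunknown\t/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=old.testweb.com\n'
}

# revocation_precheck INDEX SERIAL SUBJECT
# Prints ok, subject-mismatch, already-revoked, expired or unknown-serial.
# The request values are passed through the environment because awk -v
# would expand backslash escapes inside a subject string.
revocation_precheck() {
    REQ_SERIAL=$2 REQ_SUBJECT=$3 awk -F '\t' '
        # Serials compare case-insensitively and without leading zeros (01 == 1).
        function norm(s) { s = toupper(s); sub(/^0+/, "", s); return s }
        norm($4) == norm(ENVIRON["REQ_SERIAL"]) {
            found = 1
            if      ($1 == "R")                    verdict = "already-revoked"
            else if ($1 == "E")                    verdict = "expired"
            else if ($6 != ENVIRON["REQ_SUBJECT"]) verdict = "subject-mismatch"
            else                                   verdict = "ok"
        }
        END { print (found ? verdict : "unknown-serial") }
    ' "$1"
}
```

Only an `ok` verdict means the serial and subject supplied by the client match a certificate that is still valid in the database.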
Notes
1. Explanation of the command the CA uses to generate its self-signed certificate: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
-new: Generate a new certificate signing request
-x509: Used specifically by the CA to generate a self-signed certificate
-key: The private key file used to generate the request
-days n: Validity period of the certificate
-out /PATH/TO/SOMECERTFILE: Path where the certificate is saved
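Steps 2 to 4 can be replayed non-interactively in a scratch directory to see what the CRL changes for a relying party. This is an added example, not part of the original page: ca.cnf, the subject names and the function names are constructed, and it assumes the openssl binary is on PATH.

```bash
# Added example, not from the original page. ca.cnf, the subjects and the
# scratch directory are constructed stand-ins for openssl.cnf and /etc/pki/CA.
build_demo_ca() (          # $1 = empty scratch directory
    # index.txt, serial and crlnumber are the bootstrap files from steps 2a and 4c
    cd "$1" && mkdir newcerts && touch index.txt && echo 01 > serial && echo 01 > crlnumber &&
    cat > ca.cnf <<'EOF' &&
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match            # must equal the CA's value, as noted in step 3b
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
    (umask 077; openssl genrsa -out cakey.pem 2048) &&
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -key cakey.pem \
        -days 3650 -subj "/C=CN/ST=Beijing/O=Hxt/CN=Demo CA" -out cacert.pem &&
    (umask 077; openssl genrsa -out test.key 2048) &&
    openssl req -new -config ca.cnf -key test.key -out test.csr \
        -subj "/C=CN/ST=Beijing/O=Hxt/CN=www.example.test" &&
    openssl ca -batch -config ca.cnf -in test.csr -out test.crt &&
    openssl ca -config ca.cnf -revoke newcerts/01.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem
) >/dev/null 2>&1
cert_status() {            # $1 = directory, $2 = "crl" to make the verifier load crl.pem
    out=$(cd "$1" && openssl verify -CAfile cacert.pem \
        ${2:+-crl_check -CRLfile crl.pem} test.crt 2>&1) || true
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo error ;;
    esac
}
```

After `d=$(mktemp -d); build_demo_ca "$d"`, `cert_status "$d"` prints `valid` and `cert_status "$d" crl` prints `revoked`: the revoked certificate is only rejected by a verifier that is given the CRL and told to check it.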