CA certificate production practice
2022-07-24 22:32:00 【Leisurely summer】
Requirement:
Build your own CA and issue certificates.
Use self-signed certificates to build a secure network. A so-called self-signed certificate means that you act as the CA yourself and issue certificates to your own servers.
1、OpenSSL

OpenSSL is an open-source software library, written in C, that implements the SSL and TLS protocols. Applications can use it to communicate securely, avoid eavesdropping, and confirm the identity of the peer at the other end of the connection. It is widely used by web servers on the Internet. OpenSSL supports Linux, Windows, BSD (Unix-derived systems), Mac and other platforms, which gives it broad applicability.
The OpenSSL package can be divided into three main functional parts:
- Cryptographic algorithm library
  - Symmetric encryption algorithms
  - Asymmetric encryption algorithms
  - Message digest algorithms
- SSL protocol library
  - OpenSSL implements SSLv2 and SSLv3 of the SSL protocol and supports most of their features
  - OpenSSL also implements TLSv1.0 and later
- Applications
  - A versatile command-line tool that can perform encryption and decryption, key generation, key and certificate management, and building your own CA and signing
2、The process
- CA generates the root key
- CA generates the root certificate
- Nginx generates its private key
- Nginx applies for a certificate
- CA issues the certificate
- Nginx installs the certificate and is configured
3、Issue the certificate
By default the Linux operating system has OpenSSL built in; you can check the version with openssl version.
Before using it, pay attention to the version of the OpenSSL library, because version 1.0.1 is a very important watershed: 1.0.1 was the first version to support TLS 1.1 and 1.2.
Modify the configuration:
Create two initial files in the CA directory to maintain the serial number. Each certificate issued by the CA must have a unique serial number.
cd /etc/pki/CA
touch index.txt serial
echo 01 > serial
Generate the root key
This is the CA's private key; every certificate issued by the CA must be signed with it.
cd /etc/pki/CA
# Generate a 2048-bit key
openssl genrsa -out private/cakey.pem 2048
Generate the root certificate
Use the req command to generate the self-signed certificate:
- -new: indicates a new request
- -x509: generate a self-signed certificate
- -key: specify the private key file
- -out: where to save the certificate
- -days: specify the certificate validity period (if omitted, the default is 30 days)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You will be prompted to enter some fields. Because this is private, you can enter what you like (the defaults from the previously modified openssl.cnf are shown here); it is best to remember them and stay consistent with them below. The self-signed certificate cacert.pem above should now exist under /etc/pki/CA.
Generate the SSL key for our Nginx server
Environment:
192.168.200.16 CA server
192.168.200.16 Nginx server
Applying for an SSL certificate is essentially upgrading the server to support HTTPS, which uses asymmetric encryption (public and private keys).
Everything above is done on the CA server and only needs to be done once. Now switch to the nginx server and execute:
Install Nginx
#1. Install the rpm
rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# After installing the rpm, a file named nginx.repo appears in the /etc/yum.repos.d/ directory.
#2. With the Nginx repository installed, you can install Nginx.
yum install -y nginx
#3. Check the directory
whereis nginx
# Create the ssl directory and generate the ssl key for our nginx web server in it
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
openssl genrsa -out nginx.key 2048
Generate the certificate signing request for nginx
This step generates a file containing the information for the certificate. This file is not the certificate itself; it is the request file from which the certificate is generated.
It must be sent to the CA, which signs it and produces the certificate file.
openssl req -new -key nginx.key -out nginx.csr
...
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:COMPANY
Organizational Unit Name (eg, section) []:IT_SECTION
Common Name (e.g. server FQDN or YOUR name) []:your.domain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
...
You will again be prompted for some fields. The others can be anything, except the Common Name, which must be the domain name or hostname of the server the certificate is issued to; the challenge password is not needed.
Private CA signs the certificate request
Next, send the csr file generated in the previous step to the CA server and execute on the CA:
openssl ca -in nginx.csr -out nginx.crt

The signing process above implicitly uses -cert cacert.pem -keyfile cakey.pem, that is, the root certificate and root key generated in the two earlier steps and located under /etc/pki/CA. Send the generated crt certificate back to the nginx server for use.
At this point we have created all the files needed for an SSL secure connection, and the server's crt and key are in the configured directory. What remains is how to use the certificate.
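The issuing procedure above, as an added example that is not part of the original post: it runs the whole flow non-interactively in a scratch directory (WORK, an assumption instead of /etc/pki/CA), builds the root key and self-signed root certificate, generates the server key and CSR, signs the CSR with the root while adding a subjectAltName for the hostname, and then checks that the result chains to the root and is rejected without it. It uses openssl x509 -req instead of openssl ca so that no CA section in openssl.cnf is required; the subject fields and the hostname yj.com are taken from the post.

```shell
#!/bin/sh
# Added example (not the original post's commands): a throwaway CA that
# issues a server certificate, then verifies the chain both ways.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch dir instead of /etc/pki/CA

# Generate the CA root key and its self-signed root certificate (no prompts).
build_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
    -days 365 -subj "/C=CN/ST=GD/L=SZ/O=COMPANY/CN=Example Root CA" \
    >/dev/null 2>&1
}

# Generate the server key and CSR, then sign the CSR with the root key.
# The ext file marks the cert as an end-entity server cert and adds a SAN;
# modern clients match the hostname against the SAN, not the CN.
issue_server_cert() {
  host="$1"
  openssl genrsa -out "$WORK/nginx.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/nginx.key" -out "$WORK/nginx.csr" \
    -subj "/C=CN/ST=GD/L=SZ/O=COMPANY/OU=IT_SECTION/CN=$host" >/dev/null 2>&1
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  # -CAcreateserial plays the role of the serial file from the post.
  openssl x509 -req -in "$WORK/nginx.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/nginx.crt" \
    -days 365 -extfile "$WORK/server.ext" >/dev/null 2>&1
}

# Returns 0 when the server cert chains to our root and carries the SAN.
verify_server_cert() {
  host="$1"
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/nginx.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/nginx.crt" -noout -text | grep -q "DNS:$host"
}

# Returns 0 when the cert is NOT accepted against the system trust store,
# i.e. the "invalid or unverifiable" state a client is in before cacert.pem
# is imported.
untrusted_without_ca() {
  if openssl verify "$WORK/nginx.crt" >/dev/null 2>&1; then return 1; fi
  return 0
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  build_ca
  issue_server_cert yj.com
  verify_server_cert yj.com && echo "chain OK in $WORK"
  untrusted_without_ca && echo "rejected without the root, as expected"
fi
```

Run it with RUN_DEMO=1 to see both checks; the files it leaves in WORK correspond one-to-one to cacert.pem, cakey.pem, nginx.key, nginx.csr and nginx.crt in the post.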
4、Use the SSL certificate
Nginx uses the SSL certificate
Installing the certificate locally (configuring it on the Nginx server) completes the upgrade of the Java Web application from the http protocol to https.
Taking Nginx as an example, create an ssl folder under the Nginx directory, put the generated crt and key into it, and add the following directives inside the server block of the configuration file:
# Modify the Nginx configuration file to install the SSL certificate
cd /etc/nginx/conf.d
vi default.conf
listen 443 ssl http2; # the https protocol listens on port 443 and works over http2
ssl_certificate /etc/nginx/ssl/nginx.crt; # points to the crt file in the ssl folder
ssl_certificate_key /etc/nginx/ssl/nginx.key; # points to the key file in the ssl folder
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable false start to speed things up
ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
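The configuration fragment above enables TLSv1 and TLSv1.1 alongside TLSv1.2. As an added example (not from the original post), the script below writes a complete server block with a chosen ssl_protocols value and lints it, so the post's setting can be checked next to a TLSv1.2/TLSv1.3-only one. The output directory OUT, the server_name yj.com and the lint rules are assumptions; the certificate paths and cipher string are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): emit an nginx HTTPS server
# block and lint it for legacy protocol versions and missing cert paths.
set -eu

OUT="${OUT:-$(mktemp -d)}"   # assumption: scratch directory, not /etc/nginx/conf.d

# Write a server block. $1 = output file, $2 = value for ssl_protocols.
write_ssl_server_block() {
  cat > "$1" <<EOF
server {
    listen 443 ssl http2;
    server_name yj.com;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_timeout 5m;
    ssl_protocols $2;
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Returns 0 when the config enables none of SSLv2/SSLv3/TLSv1/TLSv1.1 and
# names both a certificate and its key; prints one line per finding.
lint_ssl_server_block() {
  conf="$1"; rc=0
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; rc=1 ;;
    esac
  done
  grep -q '^[[:space:]]*ssl_certificate[[:space:]]' "$conf" \
    || { echo "missing ssl_certificate"; rc=1; }
  grep -q '^[[:space:]]*ssl_certificate_key[[:space:]]' "$conf" \
    || { echo "missing ssl_certificate_key"; rc=1; }
  return $rc
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  write_ssl_server_block "$OUT/weak.conf" "TLSv1 TLSv1.1 TLSv1.2"   # the post's value
  write_ssl_server_block "$OUT/ok.conf" "TLSv1.2 TLSv1.3"
  lint_ssl_server_block "$OUT/weak.conf" || echo "weak.conf: findings above"
  lint_ssl_server_block "$OUT/ok.conf" && echo "ok.conf: clean"
fi
```

The lint can be pointed at an existing file such as /etc/nginx/conf.d/default.conf; it only reads ssl_protocols and the two certificate directives, so the cipher string is left to nginx -t and the server's own TLS policy.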
Start Nginx
# Switch to the executable's directory
cd /usr/sbin/
./nginx
# Check that it started
ps -ef|grep nginx
Access test
curl https://192.168.200.21
However, a certificate we issued ourselves is not trusted by other servers. When a curl request is made, the following happens: a "certificate invalid or unverifiable" error. At this point we need to import the root certificate of our CA server into this server.
Add the certificate:
# Install the ca-certificates package:
yum install ca-certificates
# Enable the dynamic CA configuration feature:
update-ca-trust force-enable
# Put the certificate file into the /etc/pki/ca-trust/source/anchors/ directory
# (use cp instead of mv if the CA still needs its own copy in /etc/pki/CA)
mv /etc/pki/CA/cacert.pem /etc/pki/ca-trust/source/anchors/
# Perform the update:
update-ca-trust extract
Modify the local hosts file
cd /etc
vi hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.200.21 yj.com # added line
Access test
curl https://yj.com