
1 Questions

  • What are a public key and a private key?
  • What are keytool and openssl?
  • What are crt/pem/key/csr files?
  • How is a self-signed certificate generated on Linux?

2 Public and private keys

  • The public key is shared openly; the private key is kept locally and never distributed
  • Each communication party has a public key and a private key
  • Data encrypted by a public key can be decrypted only by the private key
  • Data encrypted by the private key can be decrypted only by the public key

If you use GitHub, you will have noticed that it can be accessed in two ways: over HTTPS and over SSH. Over HTTPS you often have to enter a password, over SSH you do not. Recall how SSH is set up: you generate a key pair locally and upload the public key to GitHub. Each transfer is then automatically encrypted with the local private key and decrypted by the server with the public key you uploaded, so there is no need to enter a password by hand.

3 keytool / openssl

keytool and OpenSSL are two certificate management tools. keytool is the certificate management tool built into the Java JDK; it can generate keys and create certificates. With the JDK installed and the environment variables set correctly, certificates can be managed by running keytool from the command line. OpenSSL is an open-source SSL/TLS cryptography library and toolkit with more features than keytool.

4 What are CRT/PEM/KEY/CSR

  • Certificate: *.cer, *.crt
  • Private key: *.key
  • Certificate signing request: *.csr

PEM and DER are two encodings that can be applied to any of the three types above, so a .pem or .der file is not by itself one of those three types (certificate, key, CSR).

Pem: base64 encoding

Der: binary encoding

Certificate files with different extensions can be told apart as follows:

  • .der or .cer file: the certificate is in binary format and contains only the certificate, not the private key.
  • .crt file: the certificate may be in binary or text format; functionally it is the same as a .der or .cer file.
  • .pem file: usually text format; it may hold a certificate, a private key, or both. When a PEM file holds only the private key, the .key extension is generally used instead.
  • .pfx or .p12 file: binary format containing both the certificate and the private key, usually protected by a password.

You can also open the certificate file directly in a text editor such as Notepad. If ordinary alphanumeric characters are displayed, for example:

-----BEGIN CERTIFICATE-----
MIIE5zCCA8++whYc2BgzAogau0dc3PtzANBgkqhgAwIBAgIQN...
-----END CERTIFICATE-----

Then, the certificate file is in text format.

  • If it contains -----BEGIN CERTIFICATE-----, the file is a certificate.
  • If it contains -----BEGIN RSA PRIVATE KEY-----, the file is a private key.
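A small classifier for the header rules above, added here as an example (it is not code from the original post). It is plain POSIX sh with no openssl dependency; the sample files are constructed in make_samples with placeholder Base64 bodies, and the DER-style variants the post lists are handled as the "binary" case.

```shell
# Print the label of every PEM block in FILE ("CERTIFICATE", "RSA PRIVATE KEY",
# "CERTIFICATE REQUEST", ...). No output means no text header at all, i.e. a
# binary DER/PFX/P12 file (or something that is not a certificate file).
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Usage: pem_kind FILE -> certificate | private-key | cert+key | csr | binary | unknown
pem_kind() {
  labels=$(pem_labels "$1")
  [ -n "$labels" ] || { echo binary; return 0; }
  cert=0; key=0; csr=0
  # turn spaces inside labels into "_" so the loop sees one word per block
  for l in $(printf '%s\n' "$labels" | tr ' ' '_'); do
    case "$l" in
      CERTIFICATE)          cert=1 ;;
      *PRIVATE_KEY)         key=1  ;;   # RSA / EC / ENCRYPTED / PKCS#8 variants
      *CERTIFICATE_REQUEST) csr=1  ;;   # also "NEW CERTIFICATE REQUEST"
    esac
  done
  if   [ $cert = 1 ] && [ $key = 1 ]; then echo cert+key   # a merged .pem
  elif [ $cert = 1 ]; then echo certificate
  elif [ $key  = 1 ]; then echo private-key
  elif [ $csr  = 1 ]; then echo csr
  else echo unknown
  fi
}

# Constructed samples: the Base64 bodies are placeholders, not real keys.
make_samples() {
  d="$1"; mkdir -p "$d"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIE5zCCA8...' '-----END CERTIFICATE-----' > "$d/server.crt"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEpAIBAAK...' '-----END RSA PRIVATE KEY-----' > "$d/server.key"
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIICvDCCAa...' '-----END CERTIFICATE REQUEST-----' > "$d/server.csr"
  cat "$d/server.key" "$d/server.crt" > "$d/server.pem"          # merged file, as in section 5
  printf '\060\202\004\347\060\202\003\317' > "$d/server.der"   # DER begins with 0x30 0x82 (SEQUENCE)
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/server.*; do printf '%-12s %s\n' "${f##*/}" "$(pem_kind "$f")"; done
```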

5 Generating a self-signed certificate on Linux

Working with X.509 certificates typically involves three kinds of files: key, CSR, and CRT.

*.key: a key file, usually the private key used for SSL, usually RSA, with or without a pass phrase.

*.csr: certificate signing request file, containing the public key and other information; once signed it becomes a certificate. It is used when applying to a certificate authority for a CRT, not when configuring the server. When creating a CSR you must sign the request with your own private key, and you may also set a challenge password.

*.crt, *.cert: the certificate file signed by the CA, containing the public key, the CA's signature, and other identifying information such as the host name (or IP address).

*.pem: contains the private key and the certificate information.

For our self-signed configuration, the virtual host needs the .crt certificate and a .key private key file without a pass phrase.

5.1 Generating the key

[root@VM-1-14-centos key]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
...+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@VM-1-14-centos key]# ls
server.key

This generates a 2048-bit RSA private key in OpenSSL (PEM) format, encrypted with DES3. server.key is the file name of the key. A pass phrase of at least four characters is required to generate a key this way.

A key without a password can be generated as follows:

[root@VM-1-14-centos key]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
[root@VM-1-14-centos key]# ls
server.key

server.key is now the version without the pass phrase.

5.2 Generating the CA certificate (CRT)

[root@VM-1-14-centos key]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@VM-1-14-centos key]# ls
ca.crt  server.key

The generated ca.crt file is used to sign the following server.csr file.

5.3 Generating the CSR

[root@VM-1-14-centos key]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:cloudcared
Organizational Unit Name (eg, section) []:section
Common Name (eg, your name or your server's hostname) []:www.ssltest.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-1-14-centos key]# ls
ca.crt  server.csr  server.key

You need to enter the country, province, organization and email address. The most important field is the Common Name, which can be your name or a domain name.

For an HTTPS site this must match the domain name, otherwise the browser will show a warning. The generated CSR file is submitted to the CA for signing to create the server certificate.

5.4 Generating the CRT

A CSR only becomes a certificate once a CA has signed it. You could send the file to a commercial CA such as Verisign for verification and pay a lot of money. Why not act as your own CA instead?

[root@VM-1-14-centos key]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/ST=Shaanxi/L=Xi'an/O=cloudcared/OU=section/CN=www.ssltest.com/[email protected]
Getting CA Private Key
[root@VM-1-14-centos key]# ls
ca.crt  ca.srl  server.crt  server.csr  server.key

Once the key's pass phrase has been entered, the certificate is generated. The options used:

  • -CA specifies the CA certificate used to sign the request
  • -CAkey specifies the CA private key used for signing
  • -CAserial specifies the serial number file
  • -CAcreateserial creates the serial number file automatically if it does not exist

Finally you have the private key, server.key, and the SSL certificate, server.crt.

Merging the key and certificate into one file:

cat server.key server.crt > server.pem
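Sections 5.1 to 5.4 as one non-interactive script, added here as an example (not code from the original post). It differs from the post in three ways, all assumptions of this example: the CA gets its own key (the post signs with server.key, so CA and server share one key), -subj replaces the interactive DN prompts, and check_chain verifies the result the way a browser would check it. The host name www.ssltest.com and the DN values are taken from the post's CSR; the CA name is made up.

```shell
#!/bin/sh
set -e

make_chain() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 5.1: omitting -des3 yields keys without a pass phrase (what the vhost needs);
  # the CA key is separate from the server key and should be kept offline.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # 5.2: self-signed CA certificate (req -x509 marks it CA:TRUE by default)
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
    -subj "/C=CN/ST=Shaanxi/L=Xi'an/O=cloudcared/OU=CA/CN=Example Test CA"
  # 5.3: CSR for the server; CN must be the name browsers will connect to
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=CN/ST=Shaanxi/L=Xi'an/O=cloudcared/OU=section/CN=$host"
  # 5.4: sign the CSR with the CA; -CAcreateserial writes ca.srl the first time
  openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
  # merge as in the post: private key first, then the certificate
  cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
}

# Succeeds only if server.crt chains to ca.crt AND its CN is the expected host;
# a CN mismatch is exactly what makes a browser warn, as section 5.3 notes.
check_chain() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # subject prints as "CN = host" on OpenSSL 1.1+/3.x and "CN=host" on 1.0
  openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$host\$"
}

# Stand-alone usage: sh make-chain.sh ./certs www.ssltest.com
if [ -n "${1:-}" ]; then
  make_chain "$1" "${2:-www.ssltest.com}"
  check_chain "$1" "${2:-www.ssltest.com}" && echo "OK: $1/server.crt verifies against $1/ca.crt"
fi
```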