OpenSSL and implementation of private CA to realize certificate application issuing

2 OpenSSL

OpenSSL is an open source software library package, which can be used by applications to communicate securely, avoid eavesdropping, and confirm the identity of the other end of the connection. This package is widely used in web servers on the Internet
The main library is written in C language, which realizes the basic encryption function, SSL and TLS protocol. OpenSSL can run on OpenVMS, Microsoft Windows and most Unix like operating systems (including Solaris, Linux, Mac OS X and various versions of open source BSD operating systems)
OpenSSL started in 1998 with the goal of inventing a free encryption tool for use on the Internet. OpenSSL is based on SSLeay developed by Eric young and Tim Hudson. With the two working for RSA, SSLeay stopped development in December 1998. Therefore, in December 1998, OpenSSL was branched out of the community and continued to be developed
The OpenSSL management board is currently made up of 7 people with 13 developers [3] who have submit rights (many of whom are also part of the OpenSSL management board). There are only two full-time employees (researchers) and the rest are volunteers
The annual budget of the project is less than US $1 million, which mainly depends on donations. TLS 1.3 development sponsored by Akamai
Bleeding heart vulnerability: OpenSSL version 1.0.1 (excluding 1.0.1g) contains a critical vulnerability that allows attackers to read memory information from the server. The vulnerability was made public in April 2014, affecting two-thirds of active websites
There are three components:
1.libcrypto: a library for encryption and decryption
2.libssl: a security library for ssl communication protocol
3.openssl: a multi-purpose command line tool

2.2 Base64 encoding

Base64 is one of the most common encoding methods used to transmit 8Bit bytecode on the network. Base64 is a method to represent binary data based on 64 printable characters

The encoding process of base64 is as follows:
Put every 3 bytes into a 24 bit buffer. If there are less than 3 bytes, the rest of the buffer will be filled with 0. Then take out 6 bits each time (the 6th power of 2 is 64, and use 64 characters to represent all), fill the high 2 bits with 0, form a new byte, calculate the decimal value of the new byte, correspond to the above coding table, and output the corresponding characters. In this way, all data can be encoded continuously.
According to the above rules, the text Man is encoded as follows:

[root@centos8 ~]#echo -n Man | base64 #-n remove carriage return and add carriage return by default
TWFu
[root@centos8 ~]#echo TWFu | base64 -d
Man[root@centos8 ~]#
[root@centos8 ~]#echo -n ab | base64
YWI=
[root@centos8 ~]#echo -n ab | base64 | base64 -d
ab[root@centos8 ~]#

2.3 openssl command

Two modes of operation:

  • Interactive mode
  • Batch mode

Three sub orders:

  • Standard command
  • Message summary command
  • Encryption command
[root@centos8 ~]#openssl version viewing version
OpenSSL 1.1.1 FIPS  11 Sep 2018
[root@centos8 ~]#openssl help
Standard commands
asn1parse     ca        ciphers      cms       
crl        crl2pkcs7     dgst       dhparam     
dsa        dsaparam     ec        ecparam     
enc        engine      errstr      gendsa      
genpkey      genrsa      help       list       
nseq       ocsp       passwd      pkcs12      
pkcs7       pkcs8       pkey       pkeyparam
[root@centos8 ~]#openssl
OpenSSL> help
Standard commands
asn1parse     ca        ciphers      cms       
crl        crl2pkcs7     dgst       dhparam     
......   
OpenSSL> ca --help
Usage: ca [options]
Valid options are:
-help          Display this summary
-verbose        Verbose output during processing
-config val       A config file
......
OpenSSL>q
[root@centos8 ~]#

2.3.1 openssl command symmetric encryption

Tools: openssl enc, gpg
Algorithm: 3des, aes, blowfish, twofish
Enc command: help: man enc
Encryption:

openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher
-e:  encryption
-a:  Use base64 Preservation
-des3 algorithm

Decrypt:

openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile
-d Decrypt

2.3.2 one way encryption of OpenSSL command (hash algorithm)

Tools: openssl dgst
Algorithm: md5sum, sha1sum, sha224sum,sha256sum

Dgst command: help: man dgst

openssl dgst -md5 [-hex default] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
//Example:
openssl dgst --md5 testfile
//Equivalent to md5sum testfile MD5 has been cracked suggestion -- sha512

Supplementary knowledge:
MAC: Message Authentication Code, an extended application of one-way encryption, is used to ensure the number of transmitted data in network communication
Integrity mechanism of evidence
HMAC: hash based MAC, using md5 or sha1 algorithm

2.3.3 generating user password with OpenSSL command

passwd command: help: man sslpasswd

openssl passwd -1 -salt SALT(Up to 8 bits.)
openssl passwd -1 –salt centos
-1: md5
-6: sha512

2.3.4 generating random numbers with OpenSSL command

Random number generator: pseudo-random number, using keyboard and mouse, block device interrupt to generate random number
/dev/random: return random number from entropy pool only; random number exhausted, blocking
/Dev / random: return random number from entropy pool; when the random number is exhausted, the software will generate pseudo-random number, non blocking
Help: man sslrand

openssl rand -base64|-hex NUM
NUM: Represents the number of bytes, using-hex,Each character is hexadecimal, equivalent to 4-bit binary, and the number of characters is NUM*2

Example: generate random 10 digit length password

[root@centos8 ~]#openssl rand -base64 9 |head -c10
# Nine bytes, one byte, eight bits, 8 * 9 = 72 bits can be divided by six, base code, six bits, so there is no equal sign
ip97t6qQes[root@centos8 ~]#
[root@centos8 ~]#tr -dc '[:alnum:]' < /dev/urandom |head -c10
DO2mDp3eZu[root@centos8 ~]#

2.3.5 openssl command to realize PKI (asymmetric key encryption)

Public key encryption:
Algorithm: RSA, ELGamal
Tools: gpg, openssl rsautl (man rsautl)
Digital signature:
Algorithm: RSA, DSA, ELGamal
Key exchange:
Algorithm: dh
DSA: Digital Signature Algorithm
DSS: Digital Signature Standard
RSA:
openssl command generates key pair: man genrsa

Generate private key

(centos7 Do not set security 600 permissions)
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE 
NUM_BITS

Case study:

#Generate private key for symmetric key encryption
(umask 077; openssl genrsa –out test.key –des 2048)
The value of the opening sub shell umask in parentheses is 022
 Realize automation, generally with authority and no password
 #Encryption symmetric key
openssl genrsa -out test.key -des3 1024
 #Decrypt the encryption symmetric key
openssl rsa -in test.key –out test2.key

Extract public key from private key (cannot reverse)

openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE

Example:

openssl rsa –in test.key –pubout –out test.key.pub

Example centos7 creates a 600 permission private key directly:

[root@centos7 ~]#(umask 066;openssl genrsa -out /data/app.key)
Generating RSA private key, 2048 bit long modulus
........................+++
.+++
e is 65537 (0x10001)
[root@centos7 ~]#ls -l /data/
total 4
-rw------- 1 root root 1679 Feb  3 15:26 app.key
[root@centos8 ~]#openssl genrsa -out /data/app.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.............................................................................+++
++
..........+++++
e is 65537 (0x010001)
[root@centos8 ~]#ll /data/app.key
-rw------- 1 root root 891 Feb  3 14:52 /data/app.key

Example:

[root@centos8 ~]#openssl rsa -in /data/app.key -pubout -out /data/app.key.pub
writing RSA key
[root@centos8 ~]#ls -l /data/
total 8
-rw------- 1 root root 887 Feb  3 15:28 app.key
-rw-r--r-- 1 root root 272 Feb  3 15:32 app.key.pub
[root@centos8 ~]#cat /data/app.key.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvkS+Z4NWAMoXEwNUyn58J0oI+
ZjXotZUJLfbVHvGd3Ug6Rk52imHp1J629edUn0Cw7KoPfQLegmWsldG4v931HCdl
ELT2vj+QE7KJhc1tGFomzCnX8Q41tRrVVbHPxQYvNmMRXRqIdqXGxFpR758EngxF
zAGcnLTrDz/I2GocrQIDAQAB
-----END PUBLIC KEY-----

Example: generate the encrypted private key and decrypt it

[root@centos8 ~]#openssl genrsa -out /data/app.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
......+++++
...........+++++
e is 65537 (0x010001)
Enter pass phrase for /data/app.key:
Verifying - Enter pass phrase for /data/app.key:
[root@centos8 ~]#ls -l /data
total 4
-rw------- 1 root root 963 Feb  3 15:27 app.key
[root@centos8 ~]#cat /data/app.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,577C3B861BAD86B6
VM8P7vx1UUcSJyXCB0pDO9xgmdNgsMOcl6NitdUvBA9Jx2oLyxsT6TYbbvZvlF55
...ellipsis
LGkrFAgl3+6tKXxMuQDLB6Jy9m3SOwW/JoXMVVcYHrSPzTgAl2sgAkgEq8nf4yfm
ZP9WHrDe10yXY+5K2h8UiFhvrnQ+YnH4BcTrKuEa9T7pxToo0cTdqg==
-----END RSA PRIVATE KEY-----
[root@centos8 ~]#openssl rsa -in /data/app.key -out /data/app.key
Enter pass phrase for /data/app.key:
writing RSA key
[root@centos8 ~]#ls -l /data
total 4
-rw------- 1 root root 887 Feb  3 15:28 app.key
[root@centos8 ~]#cat /data/app.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCvkS+Z4NWAMoXEwNUyn58J0oI+ZjXotZUJLfbVHvGd3Ug6Rk52
imHp1J629edUn0Cw7KoPfQLegmWsldG4v931HCdlELT2vj+QE7KJhc1tGFomzCnX
...ellipsis
M/m6Bj0xHgX4Y4JryS0CQQChBua8JXCCUGLle7+IEEcgQZSF4PdLrmnhrRG7Qrrg
yd6pPuvd2jAGv5fMhjROmf9MWc4DFiRK0B6dz7OyF9j/
-----END RSA PRIVATE KEY-----

2.4 establish private CA to realize certificate application issuance

To create a private CA:

  • OpenCA: a set of perfect PKI free software developed by OpenCA open source organization using Perl for OpenSSL
  • openssl

Certificate application and signing steps:
1. Generate request
2, RA verification
3, CA signed
4. Get certificate
Configuration file for openssl:

/etc/pki/tls/openssl.cnf

Three strategies: match matching, optional and supplied
match: the information filled in by the application must be consistent with the CA setting information
Optional: optional, inconsistent with CA setting information
supplied: this application information is required

case

[root@centos8 ~]#cat /etc/pki/tls/openssl.cnf
#
......
####################################################################Default CA information
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept default relevant data path does not exist by default centos7 installation default is
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file. Issue certificate registration record issued certificate number, etc
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs
certificate = $dir/cacert.pem # The CA certificate CA's own certificate
serial = $dir/serial # The current serial number the next certificate number to be issued is automatically increased by 1 after it is issued. No setting is required by default
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL certificate revocation file
private_key = $dir/private/cakey.pem# The file name of The private key CA private key file
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # How long to certificate for
default_crl_days= 30 # how long before next CRL certificate list is released once every 30 days
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match #Whether the key issuing certificate filling information matches what is the same and what is different
# For the CA policy
[ policy_match ] Default policy
countryName = match National agreement
stateOrProvinceName = match Regional consistency
organizationName = match Company unanimous
organizationalUnitName = optional department
commonName = supplied Common name website name
emailAddress = optional E-mail address
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional #No consistency required
stateOrProvinceName = optional#No consistency required
localityName = optional#No consistency required
organizationName = optional#No consistency required
organizationalUnitName = optional#No consistency required
.....

(important) 2.4.1 create private CA

1. Files needed to create CA

#Build certificate index database file
 touch /etc/pki/CA/index.txt does not have the directory and file by default
 #Specifies the serial number of the first issued certificate
 Echo 01 > / etc / PKI / Ca / serial does not have the directory and file by default

2. Generate CA private key

[09:45:53 root@27 pki]#cd /etc/pki/CA
[09:46:01 root@27 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private 
#centos8 has no directory by default
4 directories, 0 files
(umask 066; openssl genrsa -out private/cakey.pem 2048)

3. Generate CA self signed certificate

OpenSSL req - New - x509 - key / etc / PKI / Ca / private / cakey.pem - Days 3650 - out / etc / PKI / Ca / cacert.pem self signed certificate must use this name

Option Description:

-New: generate new certificate signing request
 -x509: special for CA to generate self signed certificate
 -Key: the private key file used to generate the request
 -days n: validity period of certificate
 -out /PATH/TO/SOMECERTFILE: save path of certificate

Country code: https://country-code.cl/
Example: generate self signed certificate

[root@centos8 ~]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.aaa.org" -
keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
...........................+++++
...+++++
writing new private key to 'app.key'
-----
[root@centos8 ~]#openssl x509 -in app.crt -noout -text
Certificate:
 Data:
   Version: 3 (0x2)
   Serial Number:
      39:9e:7c:e3:9a:0f:e3:d3:62:ea:8f:02:c9:cd:1e:f3:4a:77:cb:ff
   Signature Algorithm: sha256WithRSAEncryption
   Issuer: CN = www.magedu.org
   Validity
     Not Before: Feb  4 15:51:39 2020 GMT
   Not After : Mar  5 15:51:39 2020 GMT
   Subject: CN = www.magedu.org
   Subject Public Key Info:
     Public Key Algorithm: rsaEncryption
       RSA Public-Key: (1024 bit)
       Modulus:
          00:e1:7e:41:d5:50:03:07:73:13:b2:62:a6:cf:c0:
          61:b1:25:1c:54:56:3e:8f:b3:aa:0e:97:49:50:de:
         de:ed:7f:2f:0f:fd:17:22:72:f5:36:19:29:65:ff:
         ad:ce:81:10:f3:23:8c:fb:af:32:7b:da:bc:3a:a5:
          62:1c:8d:e3:f8:1b:a8:1d:82:86:e0:bc:d6:e1:28:
         e0:37:33:16:6c:55:89:76:13:0e:50:37:65:39:da:
          90:99:a0:d3:6f:af:4e:8d:34:6c:21:e1:ba:10:86:
         8e:fd:fb:e2:83:fe:e7:8c:18:14:dc:f2:7d:6c:37:
         fe:4e:e0:8d:99:65:d4:f6:9f
       Exponent: 65537 (0x10001)
   X509v3 extensions:
     X509v3 Subject Key Identifier:
       1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
     X509v3 Authority Key Identifier:
      
keyid:1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
     X509v3 Basic Constraints: critical
       CA:TRUE
 Signature Algorithm: sha256WithRSAEncryption
    4f:75:d5:f8:99:ea:dc:4f:fd:57:05:ba:1e:ad:72:23:ae:b8:
    ea:93:1d:43:21:f8:66:cb:85:49:6c:b8:8f:1e:f4:a0:e5:ac:
    e5:2e:45:03:33:2f:6a:4a:28:97:30:f0:18:dd:c1:f7:46:0b:
    3c:b0:b6:d6:bf:23:7d:3b:74:52:75:61:96:f9:b0:04:99:6c:
    52:f4:5d:1c:76:33:52:48:4f:d4:1f:4e:5e:00:0c:18:75:c3:
    ef:75:bc:c7:ea:37:6e:34:36:b2:a0:f6:6f:06:69:0a:c6:74:
    d8:67:4c:16:81:2a:0b:ea:1c:16:ea:8e:48:dd:ba:0b:67:69:
    19:1e
[root@centos8 ~]#  

(important) 2.4.2 apply for and issue certificate

1. Generate the private key for the host that needs to use the certificate

(umask 066; openssl genrsa -out /data/test.key 2048)

2. Generate certificate request files for hosts that need to use certificates

openssl req -new -key /data/test.key -out /data/test.csr Must be csr Suffix

3. Sign certificate at CA and issue certificate to requester

openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 30

Note: by default, country, province and company name must be consistent with CA

4. To view information in a certificate:

openssl x509 -in /PATH/FROM/CERT_FILE -noout  -text|issuer|subject|serial|dates
openssl x509 -in /data/mysql.cs  -noout  -serial -subject
//Select subject content to view
#View certificate status for the specified number
openssl ca -status SERIAL
cat /etc/pki/CA/index.txt In fact, view this file

5 copy certificate

/etc/pki/CA/crl/index.txt.attr 
unique_subject = yes requires content uniqueness modifiable no
 Reissue to use
cp app.key mysql.key
cp app.csr mysql.csr
 Reissue to use
 openssl ca -in /data/mysql.csr -out /etc/pki/CA/certs/mysql.crt -days 100 default 365 days
 Same content certificate number changed

(understanding) 2.4.3 revocation of certificate

Get the serial of the certificate to revoke on the client

openssl x509 -in /PATH/FROM/CERT_FILE  -noout  -serial -subject

On the CA, according to the serial and subject information submitted by the customer, check whether it is consistent with the information in the index.txt file, and revoke the certificate:

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
//Example:
openssl ca -revoke /etc/pki/CA/newcerts/11.pem
openssl ca -revoke /etc/pki/CA/certs/docker.crt

Specify the number of the first revocation certificate. Note: you need to execute the

echo 01 > /etc/pki/CA/crlnumber

Update certificate revocation list

openssl ca -gencrl -out /etc/pki/CA/crl.pem

To view a revocation crl file:

openssl crl -in /etc/pki/CA/crl.pem -noout -text
Revocation example:
[11:57:39 root@27 data]#cat /etc/pki/CA/index.txt
V	201204035739Z		01	unknown	/C=CN/ST=hebei/O=magedu/OU=it/CN=www.aa.com
[11:58:28 root@27 data]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[11:59:46 root@27 data]#cat /etc/pki/CA/index.txt
R(Indicates it has been revoked)	201204035739Z	200208035946Z	01	unknown	/C=CN/ST=hebei/O=magedu/OU=it/CN=www.aaa.com
[11:59:49 root@27 data]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
//Or openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf #Error updating revocation list no / etc/pki/CA/crlnumber revocation file needs to be assigned
[12:01:45 root@27 data]#openssl crl -in /etc/pki/CA/crl.pem -noout -text to view the revocation file, which can be transferred to windows to view and need to be modified to CRL suffix
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=hebei/L=zhangjiakou/O=magedu/OU=it/CN=www.magedu.com
        Last Update: Feb  8 04:01:37 2020 GMT
        Next Update: Mar  9 04:01:37 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Feb  8 03:59:46 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         86:eb:eb:c8:66:9a:d2:30:52:12:e2:0f:47:1d:30:f2:e9:70:
         d6:c9:da:8f:59:34:b1:c1:d6:b9:a0:5d:f5:b7:7a:ed:c7:34:
         b3:29:1b:76:36:54:a0:72:14:63:55:9a:54:61:02:ff:cc:bb:
         db:88:14:8a:53:38:69:f3:44:ad:8f:1c:e2:da:0b:8d:5a:d5:
         49:d7:4b:90:da:93:04:13:de:dc:b9:b8:32:42:64:66:80:64:
         ad:b2:e4:4f:7a:cc:03:0c:e7:2c:89:7b:29:dc:9d:a8:b8:5f:
         d0:dc:be:e8:80:4a:05:a4:4c:3c:1b:16:a9:f7:61:38:c0:4e:
         f2:39:b0:fc:46:98:22:68:2a:90:fc:94:ac:86:92:8a:10:a9:
         b4:86:58:c2:66:40:2c:a5:d1:c9:01:f8:cd:1e:9d:c3:e2:f0:
         2b:98:92:90:ac:69:19:0d:10:fb:47:4f:a3:1d:fb:d7:4c:a9:
         71:eb:d0:10:aa:5c:ba:98:7b:c9:58:58:37:38:6b:41:f9:84:
         8b:d2:37:20:12:59:19:0b:5c:6e:74:f8:2f:29:16:11:17:2b:
         83:e2:b3:09:a9:4c:39:fa:05:08:fd:4b:58:b6:62:d5:f6:4e:
         0f:85:bc:d5:7d:02:f3:a2:1f:83:27:24:c7:4f:2f:d4:26:4f:
         ed:7c:f4:c8


centos7 create self signed certificate

[root@centos7 ~]#cd /etc/pki/tls/certs
[root@centos7 certs]#make view usage
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than random, add
SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS
Examples:
 make server.key
 make server.csr
 make server.crt
 make stunnel.pem
 make genkey
 make certreq
 make testcert
 make server.crt SERIAL=1
 make stunnel.pem EXTRA_FLAGS=-sha384
 make testcert DAYS=600
[root@centos7 certs]#ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile(Executive documents) renew-dummy-cert
[root@centos7 certs]#cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make
SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make
testcert\"."
@echo
@echo "To create a test certificate with serial number other than random,
add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days
with DAYS=n"
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
@echo " make testcert DAYS=600"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ #Generate random file
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -
days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
cat $$PEM1 >  $@ ; \
echo ""  >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@
$(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out
$(CRT) $(EXTRA_FLAGS)
[root@centos7 certs]#
[root@centos7 certs]#make app.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > app.key
Generating RSA private key, 2048 bit long modulus
...............+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key app.key -x509 -days 365 -out app.crt
Enter pass phrase for app.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [XX]:CN #Import countries in turn
State or Province Name (full name) []:hubei #Province
Locality Name (eg, city) [Default City]:wuhan#City
Organization Name (eg, company) [Default Company Ltd]:magedu #company
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org #To whom?
Email Address []:admin@magedu.org #mailbox
[root@centos7 certs]#ls
app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile
renew-dummy-cert
[root@centos7 certs]#openssl x509 -in app.crt -noout -text view information
Certificate:
 Data:
   Version: 3 (0x2)
   Serial Number:
      90:d7:97:6a:21:21:f8:5e
 Signature Algorithm: sha256WithRSAEncryption
   Issuer: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=admin@magedu.org
   Validity
     Not Before: Feb  5 00:28:31 2020 GMT
     Not After : Feb  4 00:28:31 2021 GMT
   Subject: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=admin@magedu.org
   Subject Public Key Info:
     Public Key Algorithm: rsaEncryption
       Public-Key: (2048 bit)
       Modulus:
          00:f8:dd:d3:ea:0b:f1:97:0f:27:de:44:a2:32:77:
         fb:5c:73:74:17:7b:5f:a4:9c:a2:d4:3b:d4:49:4c:
         da:e0:a2:6a:41:05:6e:10:1e:96:dc:95:34:ed:08:
          05:18:ba:27:c5:e5:f0:7c:65:15:78:f8:9b:bf:ee:
          41:ef:1c:6f:7f:35:29:fd:f5:cf:4a:f1:36:7e:0c:
          37:96:b1:01:e5:aa:7f:6e:a0:56:b0:33:28:ed:db:
         ...ellipsis....
        0b:61:df:37:ed:bd:25:39:4c:5f:27:32:57:9e:d0:
          11:9d
       Exponent: 65537 (0x10001)
   X509v3 extensions:
     X509v3 Subject Key Identifier:
        28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
     X509v3 Authority Key Identifier:
      
keyid:28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E

​     X509v3 Basic Constraints:
​       CA:TRUE
 Signature Algorithm: sha256WithRSAEncryption
​    a3:66:1b:85:dc:9e:1b:c7:c8:e4:29:3c:32:b2:fc:71:c9:79:
​    9e:ad:db:78:bd:a4:42:1a:ef:d7:7f:4a:84:d9:46:e1:60:fa:
​   ...Process ellipsis
[root@27 certs]# cat app.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Show encrypted key
DEK-Info: AES-128-CBC,9DA9313678745075B8A73ADCF93A7B32

uOAKI0ktWQIMlC1qFXElLl6EU2Pek6iY1ZkInP6y9c2XBCs45h9xuBCsZos3ZpjO
JJGbu8jk+z/ib0/0pijVeRCClfNuqAhGLv1dIwj8yJz/ail2ctF9sDg6amFTvsgx
...Process ellipsis
Cum4k//oLRMSfw6dFc9FxE8L0FWoZ6gmlcm0muJ87QE+ENvrwQV9d/raw0HVIPcT
o01rAW6HDwPABSKYPeVMLGj2PbebqWfWw26e7vgvqP69wHyqF4sdxk8gkAwMIqwP
-----END RSA PRIVATE KEY-----
[root@27 certs]# openssl rsa -in app.key -out app.key #Decrypt
Enter pass phrase for app.key:
writing RSA key
[root@27 certs]# cat app.key 
-----BEGIN RSA PRIVATE KEY-----#Decrypt
MIIEpAIBAAKCAQEAr+bSP6dR5aTzGOO1VnuBTOflzfWT9L56J1KREq6arxogkB5X
...Content ellipsis
ThNl2QKBgQCZ98RcsPfFUFdLn4kya2FMjt5psMHPbpllp50IMvVagYIWyUE9chfH
gPsPNRANn0M5yFWzXgLIAq4SO1ZK2fBwLxXAw7LOSsRh9Xcoi2s+2e/XKi1V6aw9
jLMr3gTtXfDrPXfj825G8/4Kz6qu/4HdJHmtHmIAM6XW4VHfmZMpLQ==
-----END RSA PRIVATE KEY-----
[root@27 certs]# Cat app.crt app.key > app.pem redirect to. PEM
[root@27 certs]# Some software of cat app.pem requires that the certificate and private key should be placed in one file. PEM format can also be used to directly generate PEM file make app.pem
-----BEGIN CERTIFICATE----- #certificate
MIIDjzCCAnegAwIBAgIJAIzsuP9ctsFwMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
BAYTAkNOMQ4wDAYDVQQIDAVodWJlaTESMBAGA1UEBwwJaHVhbmdnYW5nMQswCQYD
...Process ellipsis
5PT6DfjcRs0M+BtCoune5owhFnO8+1+zuozwk5JzZux3lYu4XbTpiVBirXfVUO7M
0jb3dTDGnfWR+HT2ZAo0gQh3OWwLnMsISbHyNnz735zo8I5fqHOg9eRBYXsSTr7t
6MfU
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----# key
MIIEpAIBAAKCAQEAr+bSP6dR5aTzGOO1VnuBTOflzfWT9L56J1KREq6arxogkB5X
Z7Io6DJuge40h+piMUTkG64mj87xco5WFGYKPsvlFqvQWl3YbQ4v6LIeO3oM5QYi
...Process ellipsis
ThNl2QKBgQCZ98RcsPfFUFdLn4kya2FMjt5psMHPbpllp50IMvVagYIWyUE9chfH
gPsPNRANn0M5yFWzXgLIAq4SO1ZK2fBwLxXAw7LOSsRh9Xcoi2s+2e/XKi1V6aw9
jLMr3gTtXfDrPXfj825G8/4Kz6qu/4HdJHmtHmIAM6XW4VHfmZMpLQ==
-----END RSA PRIVATE KEY-----
[root@27 certs]# 

centos8 does not have this file to send to the target host

scp /etc/pki/tls/certs/Makefile 10.0.0.8:/data/
Published 6 original articles, won praise 0, visited 237
Private letter follow

Tags: OpenSSL Apache Makefile SSL

Posted on Mon, 10 Feb 2020 04:33:27 -0800 by Thoughtless