How to generate a free certificate using openssl

1: What is openssl? What is its function? What is the application scenario?

Baidu Encyclopedia says: OpenSSL is an open source software library package that applications can use for secure communications, which can prevent information from being eavesdropped.

SSL is the abbreviation of Secure Sockets Layer, which can provide confidential transmission on the Internet. Netscape proposed the SSL protocol standard when it launched the first Web browser. Its goal is to ensure the confidentiality and reliability of communication between two applications, and it can be supported on both the server and the user side.

Because in the process of network transmission, network data must pass through the WiFi router, right? Then we can get the data by doing some tricks through the router. Therefore, the role of openssl is to prevent information from being eavesdropped.

So how does OpenSSL ensure that information is not eavesdropped? Therefore, we need to understand some basic concepts such as asymmetric encryption, digital signatures, and digital certificates.

1.1 What is asymmetric encryption?

Asymmetric encryption is the process of encrypting data with a key, which can then be decrypted using a different key. The two keys are the public key and the private key.

We can calculate the public key based on the private key, but we cannot calculate the private key based on the public key. The private key is usually held by the server, while the public key is used on the client.

Note: We do not study the specific algorithms of asymmetric encryption.

1.2 What is a digital signature?

According to Baidu Encyclopedia: A digital signature (also called a public key digital signature) is a physical signature similar to that written on paper, but it is implemented using technology from the field of public key encryption. It is a method used to authenticate digital information. Digital signatures have two complementary operations, one for signing and the other for verification.

The function is: it will use a certain HASH algorithm to calculate a fixed-bit summary of the message, then use the private key to encrypt the summary, and then send the previous message to the recipient, and the receiver will decrypt the summary through the public key. The message digest is also calculated through the hash algorithm. If the two digests are consistent, it means that the data has not been tampered with and the data is complete.

1.3 What is a digital certificate?

According to Baidu Encyclopedia: A digital certificate is a string of numbers that marks the identity information of the communicating parties in Internet communications. Provides a way to verify the identity of communication entities on the Internet.
It is a form of identity issued by a CA to a website. It contains the website's public key, validity period, website address, and CA's digital signature.

The function is: it uses the CA's private key to sign the website's public key and other information. When the client requests the server, the website will send the certificate to the client. The client first verifies the CA's identity through the CA's digital signature to prove the authenticity and integrity of the certificate.

After understanding the concepts of asymmetric encryption, digital signatures, and digital certificates, let's see how they ensure that data has not been forged:

SSL implements authentication of users and servers

Now let's think about a question. If we visit our Blog Garden website now, how do we know whether we are visiting a real Blog Garden or a fake Blog Garden? In order to determine whether the server of our blog garden website has been forged, there is such a rule in SSL: if we send a request to the server, the server must return its digital certificate to the recipient. When we get the digital certificate, we can verify the legitimacy of the digital certificate based on the CA digital signature inside. Suppose we can now prove that the digital certificate belongs to Blog Garden, but it does not mean that the server that sent us the certificate is from Blog Garden? In order to solve this problem, the certificate we get actually contains the public key of Blog Garden. In subsequent communications, the client will use the public key to encrypt data to the Blog Garden server. The Blog Garden server must use the private key to decrypt the data inside. As long as he can decipher the data, it means he is legal, otherwise, it is forged. If it is forged, then communication will be impossible. Therefore, SSL solves the problem of server authentication.

How to prevent encrypted data from being stolen during communication?

When the client sends a request to the server for the first time (the request before obtaining the certificate), it will put a random number (for example, A) in the request, and the server's response to the certificate will also include a random number (for example, B). After the client obtains the certificate, it will use the public key to encrypt a random number (for example, C) and send it to the server. Therefore, the client and the server have three random numbers: A, B, and C. Both parties use these random numbers and the same algorithm to generate a key, and all subsequent communications will use this symmetric key.

Generally speaking, these three keys cannot be leaked at the same time because they are randomly generated from three random numbers. And one of the random numbers is encrypted using the public key. Therefore, this is how we ensure that data is not stolen.

The above are some conceptual questions seen on the Internet. Just understand them simply and know that they are concepts. Our openssl is the implementation version of SSL. Therefore, the role of openssl is to prevent information from being stolen, and it does this through the above knowledge points.

Application scenarios of openssl:

When using http websites, we often see some advertisements on the websites. These advertisements are not actually put up by the websites themselves, but are caused by the operators in the middle who have tampered with the content. Now we can use https technology (based on openssl) to encrypt data. It ensures that data is not tampered with.

2: Generate a free certificate using openssl

1 Use the openssl tool to generate an RSA private key

Use command:

openssl genrsa -des3 -out server.key 2048

As above: des3 is the algorithm, 2048 bit strength (for confidentiality). server.key is the key file name -out means: the path and name of the generated file.

As shown below:

Let's check the private key we just generated. Use the following command:

openssl rsa -text -in server.key

As shown in the following figure:

Continue to view server.key using command: cat server.key, as shown below:

2. Create a certificate signing request CSR file

Use the following command:

openssl req -new -key server.key -out server.csr

-key means: specify ca private key
-out means: server.csr generates a certificate file

As shown below:

After running the above command, you will be asked to fill in the following information when generating the CSR:

Country Name (2 letter code) []:CN // Enter the country code. For China, enter CN.
State or Province Name (full name) []:HangZhou // Enter the province, fill in HangZhou here
Locality Name (eg, city) []:HangZhou // Enter the city. We also fill in HangZhou here.
Organization Name (eg, company) []:tbj // Enter the organization name (or company name, I just write tbj here)
Organizational Unit Name (eg, section) []:tbj // Enter the organization department Common Name (eg, fully qualified host name) []:*.abc.com // Enter the domain name, mine is (*.abc.com) 
Email Address []:[email protected] // Your email address Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 // Your certificate password. If you don’t want to set a password, you can just press Enter.

After the above operation, the following two files will be generated in the current directory:

server.key server.csr

As shown in the following figure:

View the csr file as follows:

openssl req -text -in server.csr -noout

As shown in the following figure:

3. Generate CA certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The meaning of x509: specified format
-in means: specify the request file
-signkey meaning: self-signed

As shown in the following figure:

Note: As shown above, server.crt contains the certificate holder's information, the holder's public key, and the signer's signature.

4. Generate a client certificate

Generating a client certificate is similar to generating a CA certificate.

4.1. Generate a private key first

Use command:

openssl genrsa -out client.key 2048

As shown in the following figure:

4.2 Generate request file

Use command:

openssl req -new -key client.key -out client.csr

As shown in the following figure:

4.3 Send to CA for signature

Use command:

openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt

As shown in the following figure:

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.