Your own Certificate Authority in 5 OpenSSL commands

Why is this needed?


Suppose we have two servers, each doing its own work, that periodically need to request something from each other over HTTP or HTTPS.

HTTP is not secure, so it is logical to use HTTPS for communication between our servers.

To set up such communication we need 2 SSL certificates.

If both servers belong to the same organization, it can be easier and safer to sign the certificates yourself than to buy them.

Creating our CA


The first command creates the root key:

openssl genrsa -out rootCA.key 2048

For me a 2048-bit key is sufficient; if you prefer, use a 4096-bit key.

The second command creates the root certificate:

openssl req -x509 -new -key rootCA.key -days 10000 -out rootCA.crt

You can answer the questions however you like:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

The 10,000 days is the validity period; that is roughly how long the certificate lives with which Google requires Android applications to be signed for Google Play. If you are the cautious type, sign for a year or two instead.

That's it! Now we can create certificates for our servers and install the root certificate on our client machines.

Creating a certificate signed by our CA


Generate a key:

openssl genrsa -out server101.mycloud.key 2048

Create a certificate request:

openssl req -new -key server101.mycloud.key -out server101.mycloud.csr

It is important to enter the server name, a domain or an IP address, as the Common Name (for example, the domain server101.mycloud):

Common Name (eg, YOUR name) []: server101.mycloud

Then sign the certificate request with our root certificate:

openssl x509 -req -in server101.mycloud.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server101.mycloud.crt -days 5000

Now clients need to install the root certificate rootCA.crt.

rootCA.crt can be given to friends, installed, copied to the server, and published openly.
rootCA.key must be kept secret.
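The five commands above, as an added example that is not part of the original article: a POSIX shell script that runs them non-interactively (-subj replaces the prompts) and then performs the checks a client would, using openssl verify. The working directory and the subjectAltName extension file are our additions; the names My Root CA and server101.mycloud follow the article.

```shell
#!/bin/sh
# Added example (not from the article): the article's five OpenSSL commands run
# non-interactively, with -subj replacing the interactive prompts, plus the
# checks a client performs on the result.
set -eu

# Create the root CA and a server certificate in directory $1 for server name $2.
make_ca_and_server_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1. root key (2048 bits, as in the article)
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    # 2. self-signed root certificate; the CA:TRUE flag comes from the system
    #    openssl.cnf (v3_ca), exactly as when the article's command is run
    openssl req -x509 -new -key "$dir/rootCA.key" -days 10000 -out "$dir/rootCA.crt" -subj "/CN=My Root CA"
    # 3. server key
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # 4. certificate request with the server name as Common Name
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host"
    # 5. sign the request with our root. Current browsers and Go clients ignore CN and
    #    require a subjectAltName, so we add one via -extfile (our addition to the command).
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -out "$dir/$host.crt" -days 5000 -extfile "$dir/$host.ext" 2>/dev/null
}

# Succeeds only if $2.crt chains to rootCA.crt: what a client trusting rootCA.crt checks.
verify_chain() {
    openssl verify -CAfile "$1/rootCA.crt" "$1/$2.crt" >/dev/null
}

# Succeeds only if the server name is present in the certificate's subjectAltName.
has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: build everything in a constructed working directory and check the result.
work="${TMPDIR:-/tmp}/demo-ca"
make_ca_and_server_cert "$work" server101.mycloud
if verify_chain "$work" server101.mycloud && has_san "$work" server101.mycloud; then
    echo "server101.mycloud.crt chains to rootCA.crt and carries its subjectAltName"
else
    echo "certificate check failed" >&2
    exit 1
fi
```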

Installing the root certificate


Windows

IE and Chrome use the Windows certificate store.

The path I take to it:

Chrome - Settings - Manage Certificates...
Select the Trusted Root Certification Authorities tab - Import - rootCA.crt
Restart Chrome.

Firefox on Windows has its own certificate store.

Java has its own certificate store.

Mac OS X

Safari, Firefox and Chrome use the system keychain.

Launch Keychain Access.
Go to the File menu - Import Items - choose the login or System keychain - select the rootCA.crt file.
When asked, answer Always Trust.

For your own Safari only, the login keychain is enough.


Ubuntu

sudo mkdir /usr/share/ca-certificates/extra
sudo cp rootCA.crt /usr/share/ca-certificates/extra/rootCA.crt
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates

Go server program

A server program in Go, myserver.go, that uses our signed certificate:

package main

import (
	"log"
	"net/http"
)

func main() {
	// Serve the contents of ./files/ under the /files/ URL prefix.
	http.Handle("/files/", http.StripPrefix("/files/", http.FileServer(http.Dir("./files/"))))
	// HTTPS on port 8443 with the certificate signed by our CA.
	go func() {
		log.Fatal(http.ListenAndServeTLS(":8443", "server101.mycloud.crt", "server101.mycloud.key", nil))
	}()
	// Plain HTTP on port 8080.
	log.Fatal(http.ListenAndServe(":8080", nil))
}

go run myserver.go

If you run the program on the server server101.mycloud, your browser will not complain about the page https://server101.mycloud:8443/ and will open it like any other trusted site, provided you have installed rootCA.crt as a root certificate on the system.

Server in Python


import BaseHTTPServer, SimpleHTTPServer, ssl

# Python 2: serve the current directory over HTTPS on port 8443.
httpd = BaseHTTPServer.HTTPServer(('localhost', 8443), SimpleHTTPServer.SimpleHTTPRequestHandler)
# server101.mycloud.pem holds the key and the certificate concatenated (see the commands below).
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='server101.mycloud.pem', server_side=True)
httpd.serve_forever()


# concatenate the key and the certificate into one file
cat server101.mycloud.key server101.mycloud.crt > server101.mycloud.pem
# start the Python server
python myserver.py

PS


I consider it important to mention that wildcard certificates are not secure: if an attacker takes possession of a wildcard certificate from one server, all the other servers are endangered too. Virtual cloud servers are more popular than ever. Background tasks often run on separate virtual servers, and the number of such servers keeps growing. Your own Certificate Authority is an important security element of the whole system.