Self-Signed Certificate

Introduction

A CA issues certificates to ensure the security of transmitted information. An individual can also act as a CA, but clients do not trust such a CA by default, so its CA certificate, i.e. the CA public key, needs to be integrated into the client.

Information Security

The properties that need to be ensured during information transmission are: confidentiality of the information, integrity of the information, and identification of both parties.

Message Confidentiality

Two keys are needed: asymmetric encryption key pair A and symmetric encryption key B. The client encrypts key B with A’s public key to produce C, then transmits C to the server, which decrypts C with A’s private key to recover key B. Key B now exists on both the client and the server, so messages can be encrypted and decrypted with the symmetric key B before transmission. The role of A is to secure the transmission of B, and the role of B is to secure the transmission of the message.

Message Integrity

An asymmetric encryption key pair B is required. The client uses a hash algorithm to calculate the hash value of the transmitted content, which is the digest H1. The client then encrypts the digest with B’s public key to generate the encrypted digest C and transmits C to the server, which decrypts C with B’s private key to obtain the digest H1. The server then uses the same hash algorithm as the client to calculate the hash value of the transmitted content, which is the digest H2, and compares H1 with H2 to confirm the integrity of the message.

Identification of Both Parties

An asymmetric encryption key pair B is required. The server sends B’s public key to the client, encrypts its identity content with B’s private key, and sends that to the client as well. The client authenticates the server by decrypting the content with B’s public key. This exchange can, however, be hijacked by a third party. In a third-party hijack, the server sends the information and B’s public key to the client, but a third party in the middle intercepts B’s public key. The third party then creates its own asymmetric encryption key pair C, which it uses for encryption and decryption with the client. When the server sends content encrypted with B’s private key, the third party intercepts it, decrypts it with B’s public key, and sends the information and C’s public key on to the client. The client then encrypts its messages with C’s public key, and the third party decrypts them with C’s private key.

Digital Certificate

The digital certificate solves the problem of identification/authentication of both parties. It is issued by a CA, which can be an authoritative vendor or an individual issuer. The difference is that the CA public key of an authoritative vendor is integrated into the client by default, while the CA public key of an individual issuer must be integrated into the client manually. The CA only serves to issue the server-side certificate or a subordinate CA certificate; the server-side certificate is what is used in the encryption process of the actual information transmission.

The digital certificate is mainly divided into three parts:

  • Certificate content (i.e. identity information, such as information about the issuing authority) C
  • Hash algorithm A
  • Encrypted ciphertext S

The main process of digital certificate authentication is:

  • The server calculates the hash, i.e. the digest, of certificate content C using hash algorithm A. The digest is then encrypted with the private key of the CA, which generates the encrypted ciphertext S.
  • When the client initiates a request, the server sends the digital certificate to the client. The client decrypts the S of the digital certificate with the public key of the CA to get the digest H1.
  • The client calculates the hash of the certificate content using hash algorithm A, i.e. the digest H2.
  • The client compares the digests H1 and H2; if they are equal, the client has authenticated the identity of the server.

Self-issued Certificate Generation

Step1 Self-issued CA

Generate CA private key.

openssl genrsa -out ca.key 2048

Create the openssl configuration file openssl.conf. Note that the CA value of basicConstraints is TRUE, which indicates that the certificate is used for CA certificate issuance; the CA value is TRUE for CA certificates at every level of the hierarchy.

[ req ]
#default_bits		= 2048
#default_md		= sha256
#default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
extensions               = v3_ca
req_extensions           = v3_ca

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
localityName			= Locality Name (eg, city)
0.organizationName		= Organization Name (eg, company)
organizationalUnitName		= Organizational Unit Name (eg, section)
commonName			= Common Name (eg, fully qualified host name)
commonName_max			= 64
emailAddress			= Email Address
emailAddress_max		= 64

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

[ v3_ca ]
basicConstraints         = CA:TRUE

Generate the self-signed CA certificate, i.e. the public key of the CA, from the openssl.conf configuration file and the private key. The client uses it to decrypt the ciphertext S of the server.

openssl req -new -key ca.key -nodes -out ca.csr -config openssl.conf
openssl x509 -req -days 36500 -extfile openssl.conf -extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt

View the details of the generated CA certificate.

openssl x509 -in ca.crt -text -noout

Step2 Use self-issuing CA to issue server-side certificate

Generate the server-side private key.

openssl genrsa -out sca.key 2048

Generate a server-side identity CSR file.

openssl req -new -key sca.key -out sca.csr

Generate server-side certificates.

openssl x509 -req -in sca.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out sca.crt -days 36500

Step3 Client Integration CA Public Key

The CA public key here is the CA’s certificate.
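
The three steps above, run without prompts and followed by the check a client performs once it has integrated ca.crt, including the third-party case where a different key pair presents a certificate with the same names. This is an added example, not part of the original article; the subject names, the temporary directory layout, the 30-day lifetime and the helper names build_pki, trusts and is_ca are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: Steps 1-3 run non-interactively, followed by the client's check.
# Subject names, directory layout and the 30-day lifetime are constructed values.

build_pki() {  # $1 = existing directory that receives ca.* and sca.*
  ( cd "$1" || exit 1
    cat > openssl.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
[ req_distinguished_name ]
commonName         = Example Test CA
[ v3_ca ]
basicConstraints   = CA:TRUE
EOF
    # Step 1: CA key, CSR and self-signed CA certificate
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -out ca.csr -config openssl.conf
    openssl x509 -req -days 30 -extfile openssl.conf -extensions v3_ca \
      -in ca.csr -signkey ca.key -out ca.crt 2>/dev/null
    # Step 2: server key, CSR and certificate signed by the CA
    openssl genrsa -out sca.key 2048 2>/dev/null
    openssl req -new -key sca.key -out sca.csr -config openssl.conf \
      -subj "/CN=server.example.test"
    openssl x509 -req -in sca.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out sca.crt -days 30 2>/dev/null
  )
}

# Step 3 from the client's side: does the certificate chain to the CA it trusts?
trusts() {  # $1 = trusted CA certificate, $2 = server certificate
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q 'OK$'
}

# True when the certificate carries basicConstraints CA:TRUE
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

work=$(mktemp -d) && mkdir "$work/real" "$work/other"
build_pki "$work/real"    # the CA the client integrates
build_pki "$work/other"   # a second key pair with the same names, not trusted
trusts "$work/real/ca.crt" "$work/real/sca.crt"  && echo "own CA: accepted"
trusts "$work/real/ca.crt" "$work/other/sca.crt" || echo "other CA: rejected"
is_ca  "$work/real/ca.crt" && echo "ca.crt is marked CA:TRUE"
rm -rf "$work"
```

Both directories use identical subject names, so the rejection comes from the signature check against the trusted CA public key and not from a name mismatch.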