Mastering SSL and OpenSSL: From Encryption Basics to Private CA Setup

This article explains SSL fundamentals, encryption types, PKI components, and provides step‑by‑step Linux OpenSSL commands for symmetric/asymmetric encryption, hashing, password handling, key generation, private CA creation, certificate signing, and revocation, enabling secure data transmission over networks.

MaGe Linux Operations
With the development of network technology and the globalization of the Internet, information sharing has increased, leading to widespread use of e‑government and e‑commerce applications. However, the openness of the Internet makes data transmission vulnerable to eavesdropping and tampering, so mechanisms such as SSL (Secure Socket Layer) have been created to protect data in transit.

What is SSL?

SSL works between the TCP/IP protocol stack and application‑layer protocols to provide confidentiality, integrity, authentication, and non‑repudiation. OpenSSL is an open‑source implementation of SSL.

Encryption and Decryption Methods

Data encryption/decryption can be classified into four types:

1. Symmetric encryption: both parties use the same key (e.g., DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5). It requires a shared secret and is vulnerable to dictionary attacks.
2. Asymmetric encryption, also called public‑key encryption (e.g., RSA, DSA, ElGamal): a key pair is generated; data encrypted with the private key can only be decrypted with the public key, and vice versa. It is mainly used for authentication and key exchange.
3. One‑way (hash) encryption: produces a fixed‑length fingerprint (e.g., MD5, SHA‑1) used for data integrity verification.
4. Combined process: SSL uses a combination of the above methods to secure data transmission.

SSL Handshake Process

1. User B sends a request to server A with its certificate.
2. Server A verifies B's certificate using a CA, extracts B's public key, and sends its own certificate to B.
3. User B verifies server A's certificate and extracts A's public key.
4. Server A encrypts data in several steps: a) generate a hash of the data segment; b) encrypt the hash with its private key; c) encrypt the result with a symmetric key; d) encrypt the symmetric key with B's public key and send the package.
5. User B decrypts the package: a) use its private key to recover the symmetric key; b) decrypt the data segment; c) verify the hash using the public key of A, confirming integrity and authenticity.

PKI (Public Key Infrastructure)

PKI provides the framework for managing keys and certificates. Its components include:

- Certificate Authority (CA): issues and revokes certificates.
- Certificate repository: stores issued certificates and public keys.
- Key backup and recovery system: safeguards private decryption keys.
- APIs: allow applications to use encryption and signing services.
- Certificate revocation system: handles expired or compromised certificates.

Using OpenSSL on Linux

Install OpenSSL:
    yum -y install openssl

Check the version:
    openssl version

Symmetric encryption example (the cipher is selected by naming it as an option, here -aes-256-cbc):
    openssl enc -e -aes-256-cbc -salt -in /path/from/file -out /path/to/file

Hash (one‑way) encryption:
    openssl dgst -md5 -out /path/to/hashfile /path/from/file

Generate a password hash:
    openssl passwd -1 -salt SALT password

Generate a private key and a self‑signed certificate for a private CA:
    openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

Sign a certificate request:
    openssl ca -in /path/from/request.csr -out /path/to/cert.crt -days 365

Revoke a certificate:
    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

View the revocation list:
    openssl crl -in /path/from/crlfile.crl -noout -text

These commands illustrate how OpenSSL can be used for encryption, decryption, hashing, password handling, key generation, private CA setup, certificate issuance, and revocation, providing a complete toolkit for securing network communications.
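The combined process of handshake steps 4 and 5 above, replayed with OpenSSL commands as an added example (not from the original article; OpenSSL 1.1.1 or later is assumed for -pbkdf2). Freshly generated RSA key pairs stand in for the two certificates, and the message, file names and temp directory are constructed for the demo.

```shell
# Added example (not from the original article): the article's "combined
# process" steps 4 and 5 replayed with OpenSSL. Key pairs, file names and
# the message are constructed here; the key pairs stand in for certificates.
set -eu
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/a.key" 2048 2>/dev/null   # server A
openssl rsa -in "$WORK/a.key" -pubout -out "$WORK/a.pub" 2>/dev/null
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null   # user B
openssl rsa -in "$WORK/b.key" -pubout -out "$WORK/b.pub" 2>/dev/null

# Step 4, sender A: (a,b) sign the SHA-256 hash with A's private key,
# (c) encrypt data and signature with a fresh symmetric key,
# (d) wrap that key with B's public key. Only the *.enc files and the
# wrapped key make up the package; plaintext and raw key are deleted.
send_package() {   # $1 = message text
  printf '%s' "$1" > "$WORK/msg.txt"
  openssl dgst -sha256 -sign "$WORK/a.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
  openssl rand -hex 32 > "$WORK/sym.key"
  for f in msg.txt msg.sig; do
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass file:"$WORK/sym.key" \
      -in "$WORK/$f" -out "$WORK/$f.enc"
  done
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/b.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/sym.key" -out "$WORK/sym.key.enc"
  rm "$WORK/msg.txt" "$WORK/msg.sig" "$WORK/sym.key"
}

# Step 5, receiver B: (a) unwrap the key with B's private key, (b) decrypt,
# (c) verify A's signature. Prints the message only if every step passes.
receive_package() {
  rm -f "$WORK/msg.txt.dec"
  openssl pkeyutl -decrypt -inkey "$WORK/b.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/sym.key.enc" -out "$WORK/sym.key.dec" || return 1
  for f in msg.txt msg.sig; do
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/sym.key.dec" \
      -in "$WORK/$f.enc" -out "$WORK/$f.dec" 2>/dev/null || return 1
  done
  openssl dgst -sha256 -verify "$WORK/a.pub" -signature "$WORK/msg.sig.dec" \
    "$WORK/msg.txt.dec" >/dev/null 2>&1 || return 1
  cat "$WORK/msg.txt.dec"
}
```

Tampering with any part of the package makes receive_package return non-zero without printing anything, which is the integrity check step 5c describes.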
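The private CA commands in the section above rely on the /etc/pki/CA directory and the database files that the system openssl.cnf points to. This added example (not the article's own code) builds a throwaway CA with its own minimal configuration in a temporary directory, then issues, revokes and CRL-checks a certificate; every name and path in it is constructed for the demo.

```shell
# Added example (not from the original article): a throwaway private CA in a temp
# directory with its own openssl.cnf, so "openssl ca" runs without touching /etc/pki/CA.
set -eu
CA=$(mktemp -d)
mkdir -p "$CA/newcerts" "$CA/private"; touch "$CA/index.txt"; echo 1000 > "$CA/serial"
# openssl ca reads its database, serial and key locations from here; the
# page's commands get the same settings from the system openssl.cnf.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
# CA key and self-signed root (the page's genrsa/req pair). basicConstraints marks
# it as a CA; without it openssl verify rejects the chain. Start with an empty CRL.
openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -days 3650 \
  -subj /CN=DemoRootCA -addext "basicConstraints=critical,CA:TRUE" -config "$CA/openssl.cnf"
openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
issue_cert() {   # $1 = common name; prints the serial of the issued certificate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$CA/$1.key" -out "$CA/$1.csr" \
    -subj "/CN=$1" -config "$CA/openssl.cnf" 2>/dev/null
  openssl ca -batch -notext -config "$CA/openssl.cnf" -in "$CA/$1.csr" \
    -out "$CA/$1.crt" -days 365 2>/dev/null
  openssl x509 -in "$CA/$1.crt" -noout -serial | cut -d= -f2
}
revoke_cert() {  # $1 = serial; revoke the newcerts/SERIAL.pem copy and refresh the CRL
  openssl ca -config "$CA/openssl.cnf" -revoke "$CA/newcerts/$1.pem" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
}
check_cert() {   # $1 = common name; prints good or revoked after a CRL check
  if openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" \
       "$CA/$1.crt" >/dev/null 2>&1; then echo good; else echo revoked; fi
}
```

The revoke step works on the copy openssl ca keeps under newcerts/, which is why the page's revoke command names a SERIAL.pem file rather than the certificate handed to the requester.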
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, encryption, OpenSSL, SSL, Certificate Authority, PKI
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
