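(1). CA certification
CA stands for Certificate Authority, usually translated as certification authority or certification center. Its main purpose is to issue digital certificates to users. The functions of a certification center (CA) are certificate issuance, certificate renewal, certificate revocation and certificate verification. The role of a CA certificate: identity authentication, and providing non-repudiation of data.
CSR stands for Certificate Signing Request, i.e. the certificate request file. When an applicant applies for a digital certificate, the CSP (cryptographic service provider) generates the certificate request file at the same time as it generates the private key. The applicant only has to submit the CSR file to the certificate authority; the certificate authority signs it with the private key of its root certificate, which produces the certificate file, that is, the certificate issued to the user.
Certificate signing process:
1. The server generates the certificate request file;
2. The certification center confirms that the applicant's identity is genuine;
3. The certification center signs the certificate request file with the private key of the root certificate, producing the certificate;
4. The certificate is sent to the applicant.
To apply for a free CA-issued certificate you can choose Alibaba Cloud (https://www.aliyun.com/product/cas?spm=5176.10695662.1171680.1.58564c0dMNos55) or FreeSSL (https://freessl.cn/).
1) Lab environment
youxi1 192.168.5.101 CA certification center
youxi2 192.168.5.102 server
2) Because there is no real domain name, we build our own CA certification center here. In practice you would simply apply for a certificate.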
    [root@youxi1 ~]# rpm -qf `which openssl`
    openssl-1.0.2k-12.el7.x86_64    //openssl is normally installed by default
    [root@youxi1 ~]# vim /etc/pki/tls/openssl.cnf
    basicConstraints=CA:TRUE    //line 172, makes the current server a CA certification center
    [root@youxi1 ~]# /etc/pki/tls/misc/CA -newca    //new CA certificate
    CA certificate filename (or enter to create)    //certificate file name, you can just press Enter
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    ................................+++
    ...................................................................+++
    writing new private key to '/etc/pki/CA/private/./cakey.pem'
    Enter PEM pass phrase:    //password protecting the private key, 123456
    Verifying - Enter PEM pass phrase:    //repeat the password, 123456
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    //country, exactly 2 characters
    State or Province Name (full name) []:beijing    //region
    Locality Name (eg, city) [Default City]:haidian    //city
    Organization Name (eg, company) [Default Company Ltd]:test    //organization name, company
    Organizational Unit Name (eg, section) []:IT    //department
    Common Name (eg, your name or your server's hostname) []:test.cn    //common name: a name, the server host name, etc.
    Email Address []:test@qq.com    //e-mail
    Please enter the following 'extra' attributes
    to be sent with your certificate request    //an extra attribute: the password a client has to enter when sending a certificate request file to the CA
    A challenge password []:    //just press Enter
    An optional company name []:    //press Enter
    Using configuration from /etc/pki/tls/openssl.cnf    //the CA server's configuration file; the change made above is applied through this file
    Enter pass phrase for /etc/pki/CA/private/./cakey.pem:    //enter the private key password, 123456
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: af:e0:dd:ca:39:32:8e:56
        Validity
            Not Before: Aug 15 07:30:27 2019 GMT
            Not After : Aug 14 07:30:27 2022 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = beijing
            organizationName = test
            organizationalUnitName = IT
            commonName = test.cn
            emailAddress = test@qq.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                08:F1:6F:02:F1:A0:BD:71:1E:DF:F5:D1:F3:7B:40:05:3A:02:B5:7C
            X509v3 Authority Key Identifier:
                keyid:08:F1:6F:02:F1:A0:BD:71:1E:DF:F5:D1:F3:7B:40:05:3A:02:B5:7C
            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until Aug 14 07:30:27 2022 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated    //setup complete
    [root@youxi1 ~]# cat /etc/pki/CA/cacert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: af:e0:dd:ca:39:32:8e:56
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=beijing, O=test, OU=IT, CN=test.cn/emailAddress=test@qq.com    //CA organization information
            Validity
                Not Before: Aug 15 07:30:27 2019 GMT
                Not After : Aug 14 07:30:27 2022 GMT
            Subject: C=CN, ST=beijing, O=test, OU=IT, CN=test.cn/emailAddress=test@qq.com
            Subject Public Key Info:    //public key information of the CA certification center
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        ...
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    08:F1:6F:02:F1:A0:BD:71:1E:DF:F5:D1:F3:7B:40:05:3A:02:B5:7C
                X509v3 Authority Key Identifier:
                    keyid:08:F1:6F:02:F1:A0:BD:71:1E:DF:F5:D1:F3:7B:40:05:3A:02:B5:7C
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
            ...
    -----BEGIN CERTIFICATE-----    //the PEM-encoded certificate (the private key is in /etc/pki/CA/private/cakey.pem)
    ...
    -----END CERTIFICATE-----
Note: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
-newcert new certificate
-newreq new request
-newreq-nodes new request node
-newca new CA certificate
-sign sign a certificate
-verify verify
(2). HTTPS with Apache
Prepare an httpd installation that includes the ssl module.
    [root@youxi2 ~]# yum -y install httpd mod_ssl
    [root@youxi2 ~]# vim /etc/httpd/conf/httpd.conf
    ServerName 192.168.5.102:80    //line 95
    [root@youxi2 ~]# systemctl start httpd.service
    [root@youxi2 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp
    success
    [root@youxi2 ~]# firewall-cmd --reload
    success
Generate the certificate request file and send it to the CA certification center, youxi1.
    //-des3 encrypts the key with the des3 algorithm; -out writes it to the given path
    [root@youxi2 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
    Generating RSA private key, 2048 bit long modulus
    ................................................................................................+++
    ....................+++
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:    //enter the password protecting the private key, 123456
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:    //repeat the password
    //-key specifies the private key
    [root@youxi2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:    //enter the password protecting the private key (that of /etc/httpd/conf.d/server.key), 123456
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    //the common name must not be the same as the CA's; normally it is the domain name
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:haidian
    Organization Name (eg, company) [Default Company Ltd]:test
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:test.com
    Email Address []:test@qq.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    //press Enter
    An optional company name []:    //press Enter
    [root@youxi2 ~]# scp /server.csr 192.168.5.101:/    //send it to the CA certification center
    root@192.168.5.101's password:
    server.csr 100% 1029 127.4KB/s 00:00
The CA certification center signs the request and sends the certificate back.
    [root@youxi1 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /server.csr -out /server.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:    //the password protecting cakey.pem, 123456
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: af:e0:dd:ca:39:32:8e:57
        Validity
            Not Before: Aug 15 08:45:17 2019 GMT
            Not After : Aug 14 08:45:17 2020 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = beijing
            organizationName = test
            organizationalUnitName = IT
            commonName = test.com
            emailAddress = test@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B3:F5:B0:FE:43:AC:44:C9:7F:C6:B5:6F:5C:EA:B8:D1:04:36:1E:40
            X509v3 Authority Key Identifier:
                keyid:08:F1:6F:02:F1:A0:BD:71:1E:DF:F5:D1:F3:7B:40:05:3A:02:B5:7C
    Certificate is to be certified until Aug 14 08:45:17 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@youxi1 ~]# scp /server.crt 192.168.5.102:/    //send it back to the server
    root@192.168.5.102's password:
    server.crt 100% 4547 1.8MB/s 00:00
Configure Apache to load the certificate files.
    [root@youxi2 ~]# cp /server.crt /etc/httpd/conf.d/
    [root@youxi2 ~]# vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/conf.d/server.crt    //line 100, the signed certificate
    SSLCertificateKeyFile /etc/httpd/conf.d/server.key    //line 107, the private key
    [root@youxi2 ~]# systemctl restart httpd
    Enter SSL pass phrase for 192.168.5.102:443 (RSA) : ******
    [root@youxi2 ~]# yum -y install net-tools.x86_64
    [root@youxi2 ~]# netstat -antup | grep 443    //check port 443
    tcp6 0 0 :::443 :::* LISTEN 2126/httpd
    [root@youxi2 ~]# firewall-cmd --permanent --zone=public --add-port=443/tcp
    success
    [root@youxi2 ~]# firewall-cmd --reload
    success
Finally, view the site from Windows.
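The signing output in this section lists X509v3 Basic Constraints CA:TRUE for the test.com server certificate, so the server's key could itself sign certificates that chain to the lab CA, and the certificate names the host only in the CN. The check below is an added example, not part of the original post: it reads the text printed by openssl x509 -noout -text and reports both conditions. The sample text is constructed from the names used above, and the function names are made up for this example.

```python
import re

# Constructed sample in the layout of `openssl x509 -noout -text`, using the
# names from the signing session above; key and signature bytes are left out.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=test, OU=IT, CN=test.cn/emailAddress=test@qq.com
        Subject: C=CN, ST=beijing, O=test, OU=IT, CN=test.com/emailAddress=test@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
"""

def field(text, name):
    """Value of the first 'name: value' line, or None if the field is absent."""
    m = re.search(rf"^\s*{name}:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def audit_cert_text(text):
    """Return findings for a certificate that is meant to be a server (leaf) certificate."""
    findings = []
    # A root is self-issued (Issuer equals Subject); anything else is checked as a leaf.
    is_leaf = field(text, "Issuer") != field(text, "Subject")
    is_ca = re.search(r"Basic Constraints:.*\n\s*CA:TRUE", text) is not None
    if is_leaf and is_ca:
        findings.append("CA:TRUE on a non-root certificate: its key can sign further certificates")
    if is_leaf and "Subject Alternative Name" not in text:
        findings.append("no subjectAltName: clients that match host names against SAN only will reject it")
    sig = field(text, "Signature Algorithm") or ""
    if re.match(r"(md5|sha1)", sig, re.IGNORECASE):
        findings.append(f"weak signature algorithm: {sig}")
    return findings

if __name__ == "__main__":
    for finding in audit_cert_text(SERVER_CERT_TEXT):
        print("FINDING:", finding)
```

Both findings disappear once the request is signed with CA:FALSE and a subjectAltName entry for the host name.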
(3). HTTPS with nginx
Stop Apache and install nginx.
    [root@youxi2 ~]# systemctl stop httpd
    [root@youxi2 ~]# netstat -antup | grep 443
    [root@youxi2 ~]# yum -y install nginx
Configure nginx to load the certificate files.
    [root@youxi2 ~]# vim /etc/nginx/conf.d/default.conf
    server {
        listen 443 ssl;
        keepalive_timeout 70;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    #SSL versions supported
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate /etc/httpd/conf.d/server.crt;
        ssl_certificate_key /etc/httpd/conf.d/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
    [root@youxi2 ~]# nginx -t
    Enter PEM pass phrase:
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@youxi2 ~]# nginx
    Enter PEM pass phrase:
    [root@youxi2 ~]# netstat -antup | grep 443
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2436/nginx: master
Finally, view the site from Windows.
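The ssl_protocols and ssl_ciphers lines in the default.conf above enable TLS 1.0 and 1.1 and offer RC4, 3DES and MD5 suites, all without an ephemeral key exchange. The audit below is an added example, not part of the original post: it parses those two directives and lists each weak entry. The policy tables and function names are assumptions made for this example, and it handles explicit suite names only, not OpenSSL keywords such as HIGH.

```python
import re

# Policy assumed for this example: legacy protocol versions and cipher-name parts to reject.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_PARTS = {"RC4": "RC4 stream cipher", "DES": "DES/3DES 64-bit block cipher",
              "MD5": "MD5-based MAC", "NULL": "no encryption"}
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")

# The TLS directives from the default.conf shown above.
PAGE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    #SSL versions supported
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate /etc/httpd/conf.d/server.crt;
    ssl_certificate_key /etc/httpd/conf.d/server.key;
}
"""

def directive(conf, name):
    """Arguments of the first `name ...;` directive, with # comments stripped."""
    conf = re.sub(r"#.*", "", conf)
    m = re.search(rf"\b{name}\s+([^;]+);", conf)
    return m.group(1).split() if m else []

def audit_nginx_tls(conf):
    """Return (item, reason) pairs for weak protocol versions and cipher suites."""
    findings = []
    for proto in directive(conf, "ssl_protocols"):
        if proto in WEAK_PROTOCOLS:
            findings.append((proto, "deprecated protocol version"))
    cipher_arg = directive(conf, "ssl_ciphers")
    for suite in (cipher_arg[0].split(":") if cipher_arg else []):
        if suite.startswith("!"):          # suites the config explicitly excludes
            continue
        parts = suite.split("-")
        for part, reason in WEAK_PARTS.items():
            if part in parts:
                findings.append((suite, reason))
        if len(parts) > 1 and parts[0] not in EPHEMERAL_KX:
            findings.append((suite, "no ECDHE/DHE key exchange, so no forward secrecy"))
    return findings

if __name__ == "__main__":
    for item, reason in audit_nginx_tls(PAGE_CONF):
        print(f"{item}: {reason}")
```

Restricting ssl_protocols to TLSv1.2 and ssl_ciphers to ECDHE suites with AES-GCM, for example ECDHE-RSA-AES128-GCM-SHA256, leaves the findings list empty.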
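(4). The SSL four-way handshake
SSL stands for Secure Socket Layer. It provides a mechanism for transmitting keys over the Internet. Its main goal is to guarantee the confidentiality and reliability of the data exchanged between two applications, using an encryption algorithm that both the server side and the client side support. The current mainstream versions are SSLv2 and SSLv3 (commonly used).
Secure transmission flow of the four-way handshake:
client---1. The client requests a secure session and negotiates the encryption algorithm--->server
<----------2. The server sends its certificate to the client----------
3. The client uses the CA root certificate stored in the browser to check the server's certificate and confirm that the server is the site it wants to visit. The client uses the public key in the CA root certificate to decrypt the server's certificate and thereby obtains the server's public key; the client then generates a symmetric encryption key, encrypts this symmetric key with the server's public key and sends it to the server. From then on the symmetric key is used to encrypt data.
------------------------------------------------->
4. The server decrypts with its private key and obtains the symmetric encryption key, which is then used to transmit data securely and quickly. Symmetric encryption is used for the data because symmetric encryption and decryption are fast.
<------------------------------------------------>
Summary: the SSL four-way handshake as a whole consists of two phases. Phase 1: confirm identity. Phase 2: generate a symmetric encryption key and transmit data.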
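A toy walk-through of steps 2 to 4 above, added here as an example and not code from the original post. It uses textbook RSA over small constructed primes and a SHA-256 XOR keystream as stand-ins for real algorithms, and it models the certificate check in step 3 as verifying the CA's signature over the server name and public key. All function names are made up for this example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA: return (modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys from Mersenne primes: illustration only, trivially factorable.
CA_N, CA_D = keypair(2**89 - 1, 2**107 - 1)
SRV_N, SRV_D = keypair(2**61 - 1, 2**127 - 1)

def digest(subject, server_n):
    """Hash of the certificate contents, reduced so it fits under the CA modulus."""
    data = f"{subject}|{server_n}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N

def issue_cert(subject, server_n):
    """CA: sign the digest of (subject, server public key) with the CA private key."""
    return {"subject": subject, "n": server_n,
            "sig": pow(digest(subject, server_n), CA_D, CA_N)}

def verify_cert(cert, host):
    """Client, step 3: check the CA signature with the CA public key, then the name."""
    return (pow(cert["sig"], E, CA_N) == digest(cert["subject"], cert["n"])
            and cert["subject"] == host)

def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def handshake(cert, host, request):
    """Steps 2 to 4: return what the server decrypts, or None if the client rejects the cert."""
    if not verify_cert(cert, host):
        return None
    session_key = secrets.randbits(128)          # client generates the symmetric key
    wrapped = pow(session_key, E, cert["n"])     # and encrypts it with the server public key
    ciphertext = stream_xor(session_key, request)
    server_key = pow(wrapped, SRV_D, SRV_N)      # server recovers it with its private key
    return stream_xor(server_key, ciphertext)

if __name__ == "__main__":
    print(handshake(issue_cert("test.com", SRV_N), "test.com", b"GET / HTTP/1.1"))
```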