CA certification process and implementing HTTPS

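I. CA certification process

CA overview: CA is short for Certificate Authority, usually rendered as certification authority or certification center. Its main job is to issue digital certificates to users. The CA certification process works the same way as a police station issuing an identity card.

The functions of a certificate authority (CA) are: certificate issuance, certificate renewal, certificate revocation and certificate verification.

Purpose of a CA certificate: identity authentication, providing non-repudiation of data.

Certificate request file: CSR is short for Certificate Signing Request. When an applicant applies for a digital certificate, the CSP (cryptographic service provider) generates the certificate request file at the same time as it generates the private key. The applicant submits the CSR file to the certificate authority, the authority signs it with the private key of its root certificate, and the result is the certificate file, that is, the certificate issued to the user.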

       

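1.1 Certificate signing process

1. Generate the request file

2. The CA confirms that the applicant's identity is genuine

3. The CA encrypts the request file with the private key of the root certificate (that is, signs it), producing the certificate

4. The certificate is sent to the applicant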

 

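1.2 How a user confirms a server's identity with the CA certificate (k7 is the CA server, k6 is the applicant)

1. k6 sends the request file to the k7 CA

2. The CA certifies the request: it encrypts k6's request file with the CA private key (that is, signs it). The resulting file is k6's certificate, and the CA issues this digital certificate to k6

3. The user visits k6 and asks k6 for its digital certificate

4. After receiving the digital certificate, the user decrypts it with the CA public key stored in the browser (verifying the CA signature) and obtains k6's public key and identity (host name, country, province, organization and so on), which confirms k6's identity.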

                                                  

II. Setting up the CA

1. Install the CA software package (openssl); check which package provides it:

[root@k7 ~]# rpm -qf `which openssl`
openssl-1.0.2k-16.el7_6.1.x86_64

2. Configure your own CA, then generate the CA's root certificate and private key.

[root@k7 ~]# vim /etc/pki/tls/openssl.cnf 

Change line 172:  basicConstraints=CA:FALSE

To:  basicConstraints=CA:TRUE   # make this host a CA

3. Generate the CA's public-key certificate and private key.

[root@k7 ~]# /etc/pki/tls/misc/CA -h      # show help

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

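Options:

-newcert                new certificate

-newreq                 new request

-newreq-nodes           new request with an unencrypted private key (-nodes means "no DES")

-newca                  new CA certificate

-sign                   sign a request

-verify                 verify a certificate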

[root@k7 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...............................................................+++
.......+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:sichuan
Locality Name (eg, city) [Default City]:chengdu
Organization Name (eg, company) [Default Company Ltd]:kezibky
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:kezibky.com
Email Address []:keizibky@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ca:7e:0b:7a:b3:65:5a:f3
Validity
Not Before: Sep 12 06:40:28 2019 GMT
Not After : Sep 11 06:40:28 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = sichuan
organizationName = kezibky
organizationalUnitName = IT
commonName = kezibky.com
emailAddress = keizibky@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
11:13:F7:A1:F6:9E:DA:3F:52:A1:4F:D0:BC:D5:F6:B4:78:C9:FB:E7
X509v3 Authority Key Identifier:
keyid:11:13:F7:A1:F6:9E:DA:3F:52:A1:4F:D0:BC:D5:F6:B4:78:C9:FB:E7

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 11 06:40:28 2022 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

 

4. View the generated CA root certificate; the root certificate contains the CA's public key

[root@k7 ~]# vim /etc/pki/CA/cacert.pem

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ca:7e:0b:7a:b3:65:5a:f3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=sichuan, O=kezibky, OU=IT, CN=kezibky.com/emailAddress=keizibky@163.com
Validity
Not Before: Sep 12 06:40:28 2019 GMT
Not After : Sep 11 06:40:28 2022 GMT
Subject: C=CN, ST=sichuan, O=kezibky, OU=IT, CN=kezibky.com/emailAddress=keizibky@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
"/etc/pki/CA/cacert.pem" 81L, 4465C

5. View the root certificate's private key

[root@k7 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----

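III. Setting up HTTPS on Apache

The overall procedure for setting up HTTPS on Apache is:

(1) Install httpd on k6

(2) k6 generates a certificate request file and sends it to the k7 CA for signing; k7 issues the certificate to k6

(3) Combine the certificate with httpd to enable HTTPS

(4) Test that HTTPS works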

 

2. Install the httpd web server

[root@k6 ~]# yum install httpd -y

[root@k6 ~]# vim /etc/httpd/conf/httpd.conf

Change line 95:  #ServerName www.example.com:80   # set ServerName

To:  ServerName 10.27.17.36:80

[root@k6 ~]# systemctl start httpd

[root@k6 ~]# iptables -F   # flushes all firewall rules on k6

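3. k6 generates a certificate request file and obtains a certificate

[root@k6 ~]# openssl genrsa -h  # show help

Generate a private key (the public key has not been generated yet). The command gives no key length, so openssl uses its default; the run shown below reports a 512-bit modulus, which is too short for real use, so pass an explicit length such as 2048 as the last argument:

[root@k6 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key

Parameter: -des3   encrypt the generated key with DES in ede cbc mode (168 bit key)   # encrypts the private key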

Generating RSA private key, 512 bit long modulus

.....++++++++++++

..............................++++++++++++

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key:123456  # enter the passphrase that protects the private key; the key is encrypted with the -des3 algorithm

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

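Note: the public key can be derived from the private key, but the private key cannot be derived from the public key. The public key is generated from the private key.

4. Use the private key to generate the certificate request file

[root@k6 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr    # note: the country, province, organization and other details entered below must match the CA's

Enter pass phrase for /etc/httpd/conf.d/server.key:123456  # enter the private key's passphrase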

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:sichuan

Locality Name (eg, city) [Default City]:chengdu

Organization Name (eg, company) [Default Company Ltd]:kezibky

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:kezibky.cn

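# The Common Name entered here must exactly match the host name in the URL that users type into the browser to reach your site. Otherwise users will see that the common name in your server certificate does not match the site's name and will doubt the certificate's authenticity. It can be a domain name or an IP address.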

Email Address []:kezibky@163.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:    # press Enter without typing a password

An optional company name []:

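Note: the certificate request file contains k6's public key. This public key is generated, when the request file is created, from the specified private key /etc/httpd/conf.d/server.key.

Background: a public key can be generated from a private key, but a private key cannot be derived from a public key.

5. Send the certificate request file to the CA server:

[root@k6 ~]# scp /server.csr 10.27.17.36:/tmp/

6. CA signing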

[root@k7 ~]# openssl ca -h

[root@k7 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert  /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ca:7e:0b:7a:b3:65:5a:f4
Validity
Not Before: Sep 12 07:28:18 2019 GMT
Not After : Sep 11 07:28:18 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = sichuan
organizationName = kezibky
organizationalUnitName = It
commonName = kezibky.com
emailAddress = kezibky@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
21:A0:46:0A:00:96:74:3D:62:12:30:66:19:E1:66:9B:39:4E:74:6D
X509v3 Authority Key Identifier:
keyid:11:13:F7:A1:F6:9E:DA:3F:52:A1:4F:D0:BC:D5:F6:B4:78:C9:FB:E7

Certificate is to be certified until Sep 11 07:28:18 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Copy the certificate to k6

[root@k7 /]# scp server.crt 10.27.17.36:/
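
The signing output in step 6 shows CA:TRUE under X509v3 Basic Constraints on k6's server certificate, so the issued certificate is itself marked as a CA. The following added example (not part of the original article; the lab CA, host name www.example.test, IP 192.0.2.10 and the section names in lab.cnf are constructed) signs one CSR with that profile and with a server-only profile, then runs the checks worth doing before the certificate is handed to httpd.

```sh
# Added example: throwaway lab CA in a temp dir; host name and IP are constructed.
set -eu
LAB=$(mktemp -d)
cat > "$LAB/lab.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_as_page ]
basicConstraints = CA:TRUE
[ leaf_fixed ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test,IP:192.0.2.10
EOF
newreq() { openssl req -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
newreq -x509 -days 30 -extensions v3_ca -subj "/CN=Lab Root CA" \
  -keyout "$LAB/ca.key" -out "$LAB/ca.crt"
newreq -new -subj "/CN=www.example.test" \
  -keyout "$LAB/server.key" -out "$LAB/server.csr"
for ext in leaf_as_page leaf_fixed; do   # same CSR, two extension profiles
  openssl x509 -req -sha256 -days 30 -in "$LAB/server.csr" -CA "$LAB/ca.crt" \
    -CAkey "$LAB/ca.key" -CAcreateserial -extfile "$LAB/lab.cnf" \
    -extensions "$ext" -out "$LAB/$ext.crt" 2>/dev/null
done

# audit <cert> <key> <host> <ip>: prints each failed check, returns 0 if none failed
audit() {
  bad=0
  openssl verify -CAfile "$LAB/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1 \
    || { echo "chain: not signed by the lab CA"; bad=1; }
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo "basicConstraints: CA:TRUE on a server certificate"; bad=1
  fi
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match' \
    || { echo "name: $3 not covered"; bad=1; }
  openssl x509 -in "$1" -noout -checkip "$4" | grep -q 'does match' \
    || { echo "name: $4 not covered"; bad=1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    || { echo "key: private key does not match certificate"; bad=1; }
  return "$bad"
}
audit "$LAB/leaf_as_page.crt" "$LAB/server.key" www.example.test 192.0.2.10 || true
audit "$LAB/leaf_fixed.crt" "$LAB/server.key" www.example.test 192.0.2.10
```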

 

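IV. Using the certificate to implement HTTPS

4.1 The SSL four-step handshake for secure data transfer

1. SSL overview: SSL (Secure Socket Layer) provides a mechanism for transporting keys over the Internet. Its main goal is to guarantee the confidentiality and reliability of data exchanged between two applications, using an encryption algorithm that both the server and the client support. The mainstream versions named here are SSLv2 and SSLv3 (commonly used); both have since been deprecated in favour of TLS.

Note: SSL lets you transmit your key securely across an insecure public network.

The SSL four-step handshake proceeds as follows: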

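C (client) ------------------------------> S (server)

  (1) The client requests a secure session and negotiates the encryption algorithm

C <------------------------------------------------- S

  (2) The server sends its certificate to the client

C -------------------------------------------------> S

(3) The client checks k6's certificate against the CA root certificate stored in the browser, confirming that k6 is the site it intends to visit.

The client uses the public key in the CA root certificate to decrypt k6's certificate (verifying the CA signature), and so obtains k6's public key;

the client then generates a symmetric encryption key, encrypts it with k6's public key and sends it to k6. From then on the symmetric key is used to encrypt data.

C <------------------------------------------------> S

(4) k6 decrypts with its private key and obtains the symmetric key, then uses the symmetric key to transfer data securely and quickly. Symmetric encryption is used for the data because symmetric encryption and decryption are fast.

In summary, the SSL four-step handshake has two phases:

Phase 1: confirm identity; phase 2: generate a symmetric encryption key and transfer data.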
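
Steps (3) and (4) above, reduced to their two key operations with the openssl command line. This is an added example, not part of the original article; it models only the RSA key transport the article describes rather than a full TLS handshake, and the file names and the message are constructed.

```sh
# Added example: the key exchange from steps (3) and (4), with constructed data.
# Real TLS also authenticates the handshake and protects record integrity.
set -eu
W=$(mktemp -d)

# Server side (k6 in the article): RSA key pair. The public half is what the
# CA-signed certificate carries to the client in step (2).
openssl genrsa -out "$W/server.key" 2048 2>/dev/null
openssl pkey -in "$W/server.key" -pubout -out "$W/server.pub"

# Step (3), client: create a random session key, wrap it with the server's
# public key, then encrypt application data with the session key.
client_send() {
  openssl rand -hex 32 > "$W/session.key"
  openssl rand -hex 16 > "$W/iv"                 # the IV is not secret
  openssl pkeyutl -encrypt -pubin -inkey "$W/server.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$W/session.key" -out "$W/wrapped.bin"
  printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(cat "$W/session.key")" \
    -iv "$(cat "$W/iv")" -out "$W/record.bin"
  rm -f "$W/session.key"                         # only wrapped.bin goes on the wire
}

# Step (4), server: unwrap the session key with a private key, then decrypt.
# unwrap <private key file>
unwrap() {
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/wrapped.bin" 2>/dev/null
}
server_recv() {
  key=$(unwrap "$W/server.key")
  openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$W/iv")" -in "$W/record.bin"
}

client_send "GET / HTTP/1.1"
server_recv; echo
# A party holding a different private key cannot recover the session key.
openssl genrsa -out "$W/other.key" 2048 2>/dev/null
unwrap "$W/other.key" >/dev/null || echo "unwrap with other.key: failed"
```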

4.2 Configuring the HTTPS web server on k6

1. Install the SSL module

[root@k6 ~]# yum install mod_ssl -y 

 

2. Configure Apache to load the certificate file

[root@k6 ~]# cp /server.crt /etc/httpd/conf.d/   # copy the certificate

[root@k6 ~]# ls /etc/httpd/conf.d/server.key  # check the private key

/etc/httpd/conf.d/server.key

 

[root@k6 ~]# vim /etc/httpd/conf.d/ssl.conf

Change line 100:  SSLCertificateFile /etc/pki/tls/certs/localhost.crt

To:  SSLCertificateFile /etc/httpd/conf.d/server.crt

Change line 107:  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

To:  SSLCertificateKeyFile /etc/httpd/conf.d/server.key

 

3. Start the service:

[root@k6 ~]# systemctl restart httpd

Enter SSL pass phrase for k6.cn:443 (RSA) : 123456    # passphrase for httpd's private key

 

4. Test HTTPS: check the port

 [root@k6 ~]# netstat -antup | grep 443

tcp        0      0 :::443          :::*                        LISTEN      5138/httpd      

5. Test HTTPS through a browser

Visit: https://10.27.17.36/

 

 

 

 

 

 

 

 

