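CA and Certificates
Abstract: Anyone who has worked on network security has probably heard of CAs. Well-known sites such as Baidu, Taobao and JD.com spend money every year on CA-issued certificates. Simple CA-based authentication inside a company, however, is something we can set up ourselves, and today I will explain how to implement CA authentication locally within an enterprise.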
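PKI: Public Key Infrastructure
Certificate authority: CA (Certificate Authority)
Registration authority: RA
Certificate revocation list: CRL
Certificate repository:
X.509: defines the structure of certificates and the standard for the authentication protocol
Version, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution point extension information, issuer signature, certificate obtain…
Certificate types:
Certificates of certificate authorities
Server and user certificates
Two ways to obtain a certificate:
• Use a certificate authority: generate a certificate signing request (CSR), send the CSR to the CA, and the CA signs and issues the certificate
• Self-signed certificate
Sign your own public key yourself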
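Security protocols
SSL: Secure Socket Layer; TLS: Transport Layer Security
1995: SSL 2.0, Netscape
1996: SSL 3.0
1999: TLS 1.0
2006: TLS 1.1, IETF (Internet Engineering Task Force), RFC 4346
2008: TLS 1.2, currently in use
2015: TLS 1.3
Functions: confidentiality, authentication, integrity, replay protection
A two-phase protocol, divided into a handshake phase and an application phase
Handshake phase (negotiation phase): the client and the server authenticate each other's identity (relying on the PKI system and using digital certificates for identity authentication) and negotiate the security parameters, cipher suite and master key used for the communication. All keys used in the subsequent communication are generated from the MasterSecret.
Application phase: entered once the handshake phase is complete; in the application phase the two parties communicate securely using the keys negotiated during the handshake phase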
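SSL/TLS
Handshake protocol: covers negotiation of the security parameters and cipher suite, server authentication (client authentication is optional), and key exchange
ChangeCipherSpec protocol: a single message indicating that the handshake protocol has completed
Alert protocol: reports abnormal errors in the handshake protocol, at two levels, fatal and warning. A fatal error terminates the SSL connection immediately, while after a warning-level error the SSL connection can continue and only an error warning is given
Record protocol: covers message fragmentation, compression, message authentication and integrity protection, encryption, and so on
HTTPS protocol: the combination of the "HTTP protocol" and the "SSL/TLS protocol", that is, "HTTP over SSL" or "HTTP over TLS". The text data of the HTTP protocol is encrypted and then transmitted in binary form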
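HTTPS structure
How HTTPS works
Base64 character table:
Demonstrating the result of the base64 algorithm:
The base64 encoding of ab is YWI=
The ASCII codes of ab are 78 79
2^6 = 64, so the bits are split into groups of 6
011000 010110 001000 (two 0 bits are padded at the end, represented by the = in the output)
24 22 8
Y W I =
Base64 output for ab:
echo -n ab | base64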
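The 6-bit grouping worked through above, written as a small shell function that also handles inputs of one and three bytes. This is an added example, not part of the original article; the function names b64_char and b64_encode are made up for it.

```shell
# Added example: base64-encode a string by hand, six bits at a time.
ALPHABET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Print the character at 0-based index $1 of the base64 alphabet.
b64_char() {
    printf '%s' "$ALPHABET" | cut -c "$(( $1 + 1 ))"
}

# b64_encode STRING: encode the bytes of STRING, padding the output with '='.
b64_encode() {
    out=''
    # od prints every input byte as an unsigned decimal number
    set -- $(printf '%s' "$1" | od -An -v -tu1)
    while [ "$#" -gt 0 ]; do
        n=$#
        b1=$1; b2=${2:-0}; b3=${3:-0}
        # Pack up to three bytes into one 24-bit group; missing bytes are zero bits
        g=$(( (b1 << 16) | (b2 << 8) | b3 ))
        i1=$(( (g >> 18) & 63 )); i2=$(( (g >> 12) & 63 ))
        i3=$(( (g >> 6) & 63 ));  i4=$(( g & 63 ))
        out="$out$(b64_char "$i1")$(b64_char "$i2")"
        # A 6-bit group made only of padding bits is written as '='
        if [ "$n" -ge 2 ]; then out="$out$(b64_char "$i3")"; else out="$out="; fi
        if [ "$n" -ge 3 ]; then out="$out$(b64_char "$i4")"; else out="$out="; fi
        if [ "$n" -ge 3 ]; then shift 3; else shift "$n"; fi
    done
    printf '%s\n' "$out"
}

b64_encode ab
```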
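OpenSSL usage in detail:
OpenSSL is an open-source project made up of the following three main components:
- openssl: multi-purpose command-line tool
- libcrypto: cryptographic algorithm library
- libssl: library implementing the encryption module for applications; implements SSL and TLS
openssl can perform key and certificate management, symmetric encryption and asymmetric encryption.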
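1. Symmetric encryption
Symmetric encryption uses the standard command enc, with the following usage:
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64]
[-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md]
[-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]
Common options:
-in filename: path of the file to encrypt
-out filename: path where the encrypted file is stored
-salt: automatically insert a random salt when encrypting the file contents; this is the default
-e: encrypt; an encryption algorithm can be specified, otherwise the default algorithm is used
-d: decrypt; an algorithm can also be specified when decrypting, otherwise the default is used, but it must be the same algorithm that was used to encrypt
-a/-base64: use base64 encoding
Example:
Encrypt: openssl enc -e -des3 -a -salt -in fstab -out fstab.bak
Decrypt: openssl enc -d -des3 -a -salt -in fstab.bak -out fstab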
2. One-way encryption
One-way encryption (hashing) uses the standard command dgst, with the following usage:
openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary]
[-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify
filename] [-signature filename] [-hmac key] [file...]
Common options:
[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]: select a digest algorithm
-out filename: save the digest to the specified file
Example:
openssl dgst -md5 f1    is equivalent to    md5sum f1
Besides openssl dgst, the one-way encryption tools include: md5sum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum
Example:
sha512sum fstab
md5sum fstab
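3. Generating passwords
Generating a password uses the standard command passwd, with the following usage:
openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}
Common options:
-1: use the MD5 algorithm
-salt string: add a salt, at most 8 characters
-in file: encrypt the contents of the input file
-stdin: encrypt the contents of standard input
Example:
openssl passwd -1 -in fstab -salt 11111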
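4. Generating random numbers
Generating random numbers uses the standard command rand, with the following usage:
openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
Common options:
-out file: save the generated random data to the specified file
-base64: use base64 encoding
-hex: use hexadecimal encoding
Example:
openssl rand -hex 10
openssl rand -base64 10
openssl rand -base64 10 -out bb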
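5. Generating a key pair
First generate the private key with the standard command genrsa, then extract the public key from the private key with the standard command rsa.
genrsa usage:
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
Common options:
-out filename: save the generated private key to the specified file
-des|-des3|-idea: different encryption algorithms
numbits: size of the generated private key; the default is 2048
In general the permissions on a key file must be tightly controlled so that only its owner can read and write it. The umask command can be used to set the permissions of the generated private key, for example:
(umask 077;openssl genrsa -out test.key -des3 2048)    generates the private key file test.key, encrypted with the des3 algorithm
make /data/test.key    or change directly into /etc/pki/tls/certs and generate the private key there; that directory contains a Makefile that can generate the private key file automatically
openssl rsa -in test.key -out test2.key.bak    decrypts the private key test.key and writes it out as test2.key.bak
rsa usage:
openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg]
[-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]
Common options:
-in filename: the private key file
-out filename: save the extracted public key to the specified file
-pubout: extract the public key from the private key
Example: extract the public key from the private key
openssl rsa -in test.bak -pubout -out test.pubkey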
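The umask-protected key generation and public key extraction above, followed by a signature round trip with the -sign, -verify and -signature options from the dgst usage line. This is an added example, not part of the original article; the file names and the scratch directory are assumptions.

```shell
# Added example: demo.key, demo.pub and msg.txt are hypothetical names in a scratch directory.
keypair_demo() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

    # umask 077 inside a subshell: the key file is created readable by its
    # owner only, and the caller's umask is left untouched
    (umask 077; openssl genrsa -out demo.key 2048 2>/dev/null)
    mode=$(ls -l demo.key | cut -c1-10)

    # Extract the public half from the private key
    openssl rsa -in demo.key -pubout -out demo.pub 2>/dev/null

    # Sign with the private key; verification needs only the public key
    printf 'constructed sample data\n' > msg.txt
    openssl dgst -sha256 -sign demo.key -out msg.sig msg.txt
    if openssl dgst -sha256 -verify demo.pub -signature msg.sig msg.txt >/dev/null 2>&1
    then good=ok; else good=fail; fi

    # Any change to the signed file must make verification fail
    printf 'tampered\n' >> msg.txt
    if openssl dgst -sha256 -verify demo.pub -signature msg.sig msg.txt >/dev/null 2>&1
    then bad=ok; else bad=fail; fi

    echo "mode=$mode verify=$good tampered=$bad"
)

keypair_demo
```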
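Random number generators: pseudo-random numbers; keyboard and mouse, block device interrupts
/dev/random: returns random numbers from the entropy pool only; blocks when the random numbers are used up
/dev/urandom: returns random numbers from the entropy pool; when they are used up, it generates pseudo-random numbers in software; non-blocking
Example:
tr -dc 'a-zA-Z0-9' < /dev/urandom    prints all of the generated random upper-case letters, lower-case letters and digits
tr options explained:
-c or --complement: replace all characters that are not in the first character set;
-d or --delete: delete all characters that are in the first character set;
-s or --squeeze-repeats: represent a run of repeated characters as a single character;
-t or --truncate-set1: first delete the characters by which the first character set is longer than the second.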
CA creation and certificate request lab:
Use this table as the reference when creating:
Creating the CA:
Create the CA certificate on centos7:
1) (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)    generate the CA key
[root@centos7CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
.........................................................................+++
e is 65537 (0x10001)
2) openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650    generate the self-signed certificate
[root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert1.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    country name
State or Province Name (full name) []:shanghai    state/province
Locality Name (eg, city) [Default City]:shanghai    city
Organization Name (eg, company) [Default Company Ltd]:baidu    company name
Organizational Unit Name (eg, section) []:yunwei    department name
Common Name (eg, your name or your server's hostname) []:*baidu.com    domain name
Email Address []:
3) touch index.txt
4) echo 0F > serial
Create the certificate on centos6 (or the web server):
1) (umask 077;openssl genrsa -out app.key 1024)    generate the private key
[root@centos6CA]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
.......++++++
e is 65537 (0x10001)
2) openssl req -new -key app.key -out app.csr    generate the certificate request file
[root@centos6CA]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    country: must match the root CA
State or Province Name (full name) []:shanghai    state/province: must match the root CA
Locality Name (eg, city) [Default City]:shanghai    city
Organization Name (eg, company) [Default Company Ltd]:baidu    must match the root CA's company name
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:*baidu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:centos
An optional company name []:centos
3) scp app.csr 192.168.34.101:/etc/pki/CA    copy it into the CA directory on centos7
4) openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000    on centos7, check the request file submitted by centos6 (the server) and issue the certificate
[root@centos7CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Oct 19 15:10:49 2019 GMT
            Not After : Jul 15 15:10:49 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = baidugongsi
            organizationalUnitName    = yunwei
            commonName                = *baidu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
            X509v3 Authority Key Identifier:
                keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
Certificate is to be certified until Jul 15 15:10:49 2022 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: by default the country, state/province and company name must all match the CA's
Certificate contents:
[root@centos7CA]#cat certs/app.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanghai, L=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
        Validity
            Not Before: Oct 19 15:10:49 2019 GMT
            Not After : Jul 15 15:10:49 2022 GMT
        Subject: C=CN, ST=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
            X509v3 Authority Key Identifier:
                keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
    Signature Algorithm: sha256WithRSAEncryption
         ...
5) sz /etc/pki/CA/certs/app.crt    download the file to the desktop to look at its contents
6) sz cacert.pem    this certificate file is the parent certificate of app.crt
Revoking a certificate: run the revocation on centos7 (the root CA)
1) openssl ca -revoke /etc/pki/CA/certs/app.crt    revoke app.crt
[root@centos7CA]#openssl ca -revoke /etc/pki/CA/certs/app.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
2) echo FF > /etc/pki/CA/crlnumber    set the CRL number
3) openssl ca -gencrl -out /etc/pki/CA/crl.pem    update the revocation list
[root@centos7CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
4) openssl crl -in /etc/pki/CA/crl.pem -noout -text    view the revoked certificate information
[root@centos7CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):    revocation information
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=shanghai/L=shanghai/O=baidugongsi/OU=yunwei/CN=*baidu.com    details of the company concerned
        Last Update: Oct 19 15:18:23 2019 GMT
        Next Update: Nov 18 15:18:23 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                255
Revoked Certificates:
    Serial Number: 0F    states that the certificate numbered 0F has been revoked
        Revocation Date: Oct 19 15:16:25 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         ...
5) sz crl.pem    lets you view the current revocation list graphically on Windows
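The whole lab above (create the CA, sign a request, revoke the certificate, publish a CRL) as one non-interactive script, with a check of the country/state/company matching rule. It is an added example, not the article's own commands: it works in a temporary directory with a minimal configuration file of its own instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, uses 2048-bit keys throughout, and all subject names are constructed.

```shell
# Added example: scratch-directory CA; subject and file names are constructed, ca.cnf is a minimal stand-in.
ca_lifecycle() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    mkdir -p ca/private ca/certs
    touch ca/index.txt; echo 0F > ca/serial; echo FF > ca/crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/certs
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    base='/C=CN/ST=shanghai/O=Example Corp'
    (umask 077; openssl genrsa -out ca/private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 3650 \
        -key ca/private/cakey.pem -subj "$base/CN=Example Root CA" -out ca/cacert.pem
    (umask 077; openssl genrsa -out app.key 2048 2>/dev/null)
    openssl req -new -config ca.cnf -key app.key -subj "$base/CN=app.example.test" -out app.csr
    openssl ca -batch -config ca.cnf -days 1000 -in app.csr -out app.crt 2>/dev/null
    ok=$(openssl verify -CAfile ca/cacert.pem app.crt 2>&1 | grep -c ': OK$' || true)
    # Revoke, publish a CRL, then verify again with CRL checking switched on
    openssl ca -config ca.cnf -revoke app.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    rev=$(openssl verify -crl_check -CAfile ca/cacert.pem -CRLfile crl.pem app.crt 2>&1 |
        grep -c 'certificate revoked' || true)
    # A request whose organization differs from the CA's fails policy_match
    openssl req -new -config ca.cnf -key app.key -subj '/C=CN/ST=shanghai/O=Other Corp/CN=b.example.test' -out bad.csr
    if openssl ca -batch -config ca.cnf -days 1000 -in bad.csr -out bad.crt >/dev/null 2>&1; then pol=issued; else pol=rejected; fi
    echo "ok=$ok revoked=$rev mismatch=$pol"
)
ca_lifecycle
```

A client only sees the revocation if it is given the CRL and told to check it: the same certificate still verifies when -crl_check is left out.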