一、數字證書
1、數字證書實際上是存在於計算機上的一個記錄,是由CA簽發的一個聲明,證明證書主體("證書申請者"擁有了證書后即成為"證書主體")與證書中所包含的公鑰的惟一對應關系
2、數字證書包含的內容:
- 申請者的名稱及相關信息
- 申請者的地址信息
- 申請者的公鑰
- 簽發證書的CA的名稱
- 簽發證書的CA的數字簽名(用發證機關的私鑰加密的特征碼)
- 證書有效期
3、x509證書的包含的內容:
- 公鑰及其有效期限
- 證書的合法擁有者
- 證書該如何被使用
- CA的信息
- CA簽名的校驗碼
4、CRL:證書吊銷列表;CRL中記錄的是已經發出去的、沒有過期的但已經被撤銷的證書
二、PKI
1、PKI:Public Key Infrastructure
2、 PKI的核心就是CA及其信任關系
3、PKI的實現架構
- TLS/SSL:使用x509證書
- OpenGPG
- SSL:Secure Socket Layer,安全的套接字層;只是一個庫,可以將http、smtp、ftp等應用層協議封裝成https、smtps、ftps等
- TLS:Transport Layer Security,TLSv1版本相當於SSLv3
三、CA
1、 CA(Certificate Authority)是數字證書認證中心的簡稱,是指發放、管理、廢除數據證書的機構
2、CA的作用是檢查證書持有者身份的合法性,並簽發證書(在證書上簽字),以防證書被偽造或篡改,以及對證書和密鑰進行管理
四、證書申請及簽署步驟
1、生成申請請求
2、RA核驗
3、CA簽署
4、獲取證書
五、openssl
1、對稱加密的實現工具有openssl和gpg兩種
- openssl:OpenSSL是ssl的開源實現,是一個軟件,由三部分組成:
- libcrypto:加密庫
- libssl:TLS/SSL協議的實現。基於會話的實現了身份認證、數據機密性和會話完整性的TLS/SSL庫
- openssl:多用途命令行工具。能夠實現單向加密、對稱加密、非對稱加密、生成一對密鑰、私有證書頒發機構等功能
2、OpenSSL
- 語法:openssl command [ command_opts ] [ command_args ]
- command:
- enc:加密/解密
- -e:加密
- -d:解密
- -new:生成新證書簽署請求
- -x509:專用於CA生成自簽證書
- -key:生成請求時用到的私鑰文件
- -days number:證書的有效期限
- -out /path/to/somecertfile:證書的保存路徑
3、x509證書管理:
- -in /path/from/cert_file -noout -text|-subject|-serial #查看證書中的信息
- crl:管理吊銷證書列表
- -in /path/from/crl_file.crl -noout -text #查看crl文件
- ca:管理CA
六、使用openssl創建私有CA
1、CA的配置文件:/etc/pki/tls/openssl.cnf
-
[root@localhost ~]# cd /etc/pki/tls/
[root@localhost tls]# vim openssl.cnf
............
# Load default TLS policy configuration
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
[ new_oids ]
.............
2、使用OpenSSL給CA創建一對密鑰
//首先在/etc/pki文件下創建CA目錄
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# mkdir CA
//進入CA目錄,首先創建private目錄,然后在該目錄下創建密鑰文件(此步驟必須做)
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) //OpenSSL生成密鑰,括號*必須要*
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
............+++++
e is 65537 (0x010001)
//創建成功
[root@localhost CA]# ls
cakey.pem
//提取公鑰,該步驟是查看公鑰,可以不做
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhWEEfPKL8rtAuEqVdeu
yXRNHCVVHFimq32RD+YtXXJt63Rgl2/jAkTETxBUSlvmqfxL2WN3AKiRzvyqMpxS
skRwda3HHGezWSMNbSbl9VzL+/7KOOgOgmow+HRuFzWzW17MCy98I12eUpldFWFm
BcjOX/rcBynWJP96r/9wFqzsQ8JpJ5cUeDlUul91pyh5NCsXpr3RhMO0ZaITttj7
r3/yDdNmpVHxVtD6o9oGeNF9ihE1/62vgAsDxoPEmsv7xRbouMQPhlugEeXxgc6L
Z+AfvmuycozyhxaKWTDX+XIubcWd7Wv3i21V5IO36D4sSya/WsWU9CZ34QBkrZ6M
8wIDAQAB
-----END PUBLIC KEY-----
3、使用OpenSSL給CA生成自簽署證書
//生成自簽署證書
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //國家的名稱,使用兩個字母表示
State or Province Name (full name) []:HB //省份的名稱,同樣也使用兩個字母表示
Locality Name (eg, city) [Default City]:WH //城市的名稱,同樣使用兩個字母表示
Organization Name (eg, company) [Default Company Ltd]:www.qiangge.com //公司的名稱(一般設主機名)
Organizational Unit Name (eg, section) []:www.qiangge.com //部門的名稱(一般設與公司名稱一樣)
Common Name (eg, your name or your server's hostname) []:www.qiangge.com //主機的名稱,就是自己的網站的域名
Email Address []:123@123.com //自己的郵箱地址
//讀取證書內容,該步驟可以不做,只是查看一下
[root@localhost CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1b:7d:ab:b9:fd:4a:03:ab:cc:e5:e1:7f:2b:75:7f:66:7b:1d:49:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = HB, L = WH, O = www.qiangge.com, OU = www.qiangge.com, CN = www.qiangge.com, emailAddress = 123@123.com
Validity
Not Before: Aug 25 09:18:12 2020 GMT
Not After : Aug 25 09:18:12 2021 GMT
Subject: C = CN, ST = HB, L = WH, O = www.qiangge.com, OU = www.qiangge.com, CN = www.qiangge.com, emailAddress = 123@123.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
.............
4、在CA目錄下創建certs、newcerts、crl三個目錄
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# ls
cacert.pem certs crl newcerts private
5、在CA目錄下創建index.txt和serial並給予序列號
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts serial private
[root@localhost CA]# cat serial
01
七、使用OpenSSL給客戶端生成證書簽署
1、使用OpenSSL給客戶端(需求者)生成密鑰文件(我這使用httpd作客戶端)
//首先在/etc/httpd/目錄下創建一個ssl目錄,用來存放密鑰文件
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run ssl state
//使用OpenSSL創建密鑰文件
[root@localhost httpd]# cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................................+++++
..............................................................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
httpd.key
2、使用OpenSSL給客戶端生成證書簽署(證書簽署來自剛剛創建的CA,由CA頒發數字證書)
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //跟創建CA自簽證書步驟一樣
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.qiangge.com
Organizational Unit Name (eg, section) []:www.qiangge.com
Common Name (eg, your name or your server's hostname) []:www.qiangge.com
Email Address []:123@123.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //(詢問是否創建給證書創建密碼);直接回車,不需要加密碼
An optional company name []: //直接回車即可
3、客戶端把證書簽署請求文件發送給CA
發送語法
scp httpd.csr root@CA端IP:/root
由於我自己創建的CA,都是在我本地,所以不需要發送證書請求文件
4、CA簽署提交上來的證書請求文件
[root@localhost ssl]# ls
httpd.csr httpd.key
[root@localhost ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 25 10:33:13 2020 GMT
Not After : Aug 25 10:33:13 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.qiangge.com
organizationalUnitName = www.qiangge.com
commonName = www.qiangge.com
emailAddress = 123@123.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:87:C5:89:88:3D:23:15:50:4E:12:C0:6D:57:97:7B:A7:47:19:9E
X509v3 Authority Key Identifier:
keyid:76:58:7D:1B:66:AD:A2:99:AD:D5:89:14:BF:79:DB:B1:9E:3A:79:4F
Certificate is to be certified until Aug 25 10:33:13 2021 GMT (365 days)
Sign the certificate? [y/n]:y //確認是否需要簽名
1 out of 1 certificate requests certified, commit? [y/n]y //確認證書的請求是否提交
Write out database with 1 new entries
Data Base Updated
5、CA把簽署好的數字證書(http.crt)頒發給客戶端
頒發語法:
scp httpd.crt root@客戶端IP:/etc/httpd/ssl/
由於我是在本地自己給自己頒發證書所以不需要做該步驟
