CA和证书
PKI: Public Key Infrastructure
签证机构:CA(Certificate Authority)
注册机构:RA
证书吊销列表:CRL
证书存取库:
X.509:定义了证书的结构以及认证协议标准
版本号
序列号
签名算法
颁发者
有效期限
主体名称
主体公钥
CRL分发点
扩展信息
发行者签名
证书获取
证书类型:
证书授权机构的证书
服务器
用户证书
获取证书两种方法:
• 使用证书授权机构
生成证书请求(csr)
将证书请求csr发送给CA
CA签名颁发证书
• 自签名的证书
自已签发自己的公钥
证书获取
证书类型:
证书授权机构的证书
服务器
用户证书
获取证书两种方法:
• 使用证书授权机构
生成证书请求(csr)
将证书请求csr发送给CA
CA签名颁发证书
• 自签名的证书
自已签发自己的公钥
安全协议
SSL:Secure Socket Layer,TLS: Transport Layer Security
1995:SSL 2.0 Netscape
1996:SSL 3.0
1999:TLS 1.0
2006:TLS 1.1 IETF(Internet工程任务组) RFC 4346
2008:TLS 1.2 当前使用
2015:TLS 1.3
功能:机密性,认证,完整性,重放保护
两阶段协议,分为握手阶段和应用阶段
握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字
证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使
用的所有密钥都是通过MasterSecret生成。
应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密
钥进行安全通信
SSL/TLS
Handshake协议:包括协商安全参数和密码套件、服务器身份认证(客户端身
份认证可选)、密钥交换
ChangeCipherSpec 协议:一条消息表明握手协议已经完成
Alert 协议:对握手协议中一些异常的错误提醒,分为fatal和warning两个级别,
fatal类型错误会直接中断SSL链接,而warning级别的错误SSL链接仍可继续,
只是会给出错误警告
Record 协议:包括对消息的分段、压缩、消息认证和完整性保护、加密等
HTTPS 协议:就是“HTTP 协议”和“SSL/TLS 协议”的组合。HTTP over
SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二
进制形式传输
HTTPS结构
HTTPS工作过程
base64字符表示:
演示base64算法结果:
ab 的base64结果是YWI=
ab 的ascii码是78 79
2^6=64位,因此按6位区分
011000 01 0110 001000(后面补两个0,用输出的=代替)
24 22 8
Y W I=
echo -n ab | base64 ab 的base64输出结果:
openssl命令
对称加密:
工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc命令:
帮助:man enc
示例:对称加密:
加密:
openssl enc -e -des3 -a -salt -in f1 -out f1.bak
解密:
openssl enc -d -des3 -a -salt -in f1.bak -out f1.bak.enc
单向加密:
工具:md5sum, sha1sum, sha224sum,sha256sum…
openssl dgst
dgst命令:
帮助:man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE 加密工具可以结合md5、sha1等算法
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
MAC: Message Authentication Code,单向加密的一种延伸应用,用于实现
网络通信中保证所传输数据的完整性机制
CBC-MAC
HMAC:使用md5或sha1算法
示例:
openssl dgst -sha1 f1 等价于 sha1sum f1的加密
openssl dgst -md5 f1 等价于md5sum f1的加密
生成用户密码:
passwd命令:
帮助:man sslpasswd
openssl passwd -1 -salt SALT(最多8位) 其中-1代表的是md5加密的含义
生成随机数:
帮助:man sslrand
openssl rand -base64|-hex NUM NUM: 表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制, 出现的字符数为NUM*2
示例:
openssl passwd -1 -salt 6 (salt加上六位的"盐",可打乱密码顺序)
openssl rand -base64 6 生成base64的6个字节
openssl rand -hex 6 随机生成16进制6个字节
公钥加密: 算法:RSA, ELGamal
工具:gpg, openssl rsautl(man rsautl) u
数字签名: 算法:RSA, DSA, ELGamal
密钥交换: 算法:dh
DSA:Digital Signature Algorithm
DSS:Digital Signature Standard
RSA: openssl命令 u生成密钥对儿:man genrsa
生成私钥 openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa -out test.key –des 2048)
openssl rsa -in test.key -out test2.key 将加密key解密
示例:
生成私钥:
(umask 077;openssl genrsa -out test.key -des3 2048) 生成test.key私钥文件并以des3的算法加密
或者直接切换至cd /etc/pki/tls/certs下生成
make /data/test.key 里边有一个makefile文件就可以自动生成私钥文件
解开私钥:
openssl rsa -in test.key -out test2.key.bak 对test.key 私钥进行解密并导出文件起名叫test2.key.bak
从私钥中提取出公钥 openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
openssl rsa -in test.key -pubout -out test.key.pub
示例:openssl rsa -in test.bak -pubout -out test.pubkey
随机数生成器:伪随机数字 键盘和鼠标,块设备中断
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机 数,非阻塞
示例:
tr -dc 'a-zA-Z0-9' < /dev/urandom 将生成的随机大小写字母、数字全部进行打印
tr:参数解释
-c或——complerment:取代所有不属于第一字符集的字符; -d或——delete:删除所有属于第一字符集的字符; -s或--squeeze-repeats:把连续重复的字符以单独一个字符表示; -t或--truncate-set1:先删除第一字符集较第二字符集多出的字符。
CA创建和证书申请实验:
以此表作为参考进行创建:
创建CA:
centos7上创建CA证书:
1) (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) CA生成秘钥
[root@centos7CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
.........................................................................+++
e is 65537 (0x10001)
2) openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650 生成自签名证书
[root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert1.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 国家名称
State or Province Name (full name) []:shanghai 城市
Locality Name (eg, city) [Default City]:shanghai 省会
Organization Name (eg, company) [Default Company Ltd]:baidu 公司名称
Organizational Unit Name (eg, section) []:yunwei 部门组织名称
Common Name (eg, your name or your server's hostname) []:*baidu.com 域名
Email Address []:
3) touch index.txt
4) echo oF > serial
在centos6(或者web服务器)中进行创建证书:
1) (umask 077;openssl genrsa -out app.key 1024) 生成私钥
[root@centos6CA]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
.......++++++
e is 65537 (0x10001)
2) openssl req -new -key app.key -out app.csr 生成申请证书文件
[root@centos6CA]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 国家:要和根CA的信息一致
State or Province Name (full name) []:shanghai 省会:要和根CA的信息一致
Locality Name (eg, city) [Default City]:shanghai 城市
Organization Name (eg, company) [Default Company Ltd]:baidu要和根CA的公司信息一致
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:*baidu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:centos
An optional company name []:centos
3)scp app.csr 192.168.34.101:/etc/pki/CA 复制到centos7的CA目录下
4)openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000 centos7对centos6(服务器)申请的证书文件进行核对并颁发证书
[root@centos7CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = baidugongsi
organizationalUnitName = yunwei
commonName = *baidu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier:
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
Certificate is to be certified until Jul 15 15:10:49 2022 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
注意:默认要求 国家,省,公司名称三项必须和CA一致
证书内容:
[root@centos7CA]#cat certs/app.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanghai, L=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject: C=CN, ST=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e1:e6:f8:56:4a:7e:3a:70:10:76:77:1e:bd:93:
05:a4:6e:a5:be:8d:26:35:29:ff:2c:ae:52:a9:35:
4f:61:5e:df:53:3b:90:92:a4:c3:61:0a:18:9c:dc:
66:c2:45:d3:2a:fb:52:78:28:d1:4b:5b:0e:f6:33:
f3:6c:6c:13:cb:30:d7:a7:3c:6a:72:ca:4b:40:70:
8a:7e:f6:c5:10:1c:48:cb:43:b8:ba:32:f9:5a:f3:
21:a6:35:f8:7d:a8:7f:e7:70:85:14:29:9e:40:da:
88:ed:c3:fd:6c:b6:a9:0c:2c:05:28:0a:38:cc:1c:
83:12:a1:19:3f:74:66:8c:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier:
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
Signature Algorithm: sha256WithRSAEncryption
18:92:ce:11:2f:d5:bd:76:11:92:43:3a:c7:b9:20:79:ca:66:
e5:e4:ff:8f:e2:d8:d6:76:96:34:63:ef:9b:de:1e:ec:dd:8a:
bf:c0:2f:9a:9d:8a:23:60:8f:6c:65:48:95:a8:a8:62:60:df:
96:93:3b:49:00:28:89:1f:c1:b3:91:0c:5f:21:6b:c8:76:52:
9c:39:81:bc:fd:11:6a:1f:f6:e4:85:04:f2:04:61:81:53:90:
be:f4:5e:bc:8d:c6:c1:bc:17:dc:bb:77:78:53:1a:f6:f3:cb:
db:06:af:64:fd:d8:85:a0:bf:e8:0b:2c:7f:b1:62:09:45:b4:
0f:27:ed:6e:9e:35:da:67:83:b4:9d:d6:8d:e6:a3:0a:e5:36:
ac:6d:23:d4:55:8e:bd:0b:af:1c:b7:e0:58:12:85:16:c1:70:
aa:ea:80:d7:a4:e8:3d:0d:8b:9f:ee:00:25:24:d7:6e:87:89:
11:55:50:d1:09:71:81:c4:64:08:bd:28:9b:8d:25:b5:de:3a:
6d:c6:6f:2a:9c:59:0f:24:73:15:e8:26:29:e8:5e:27:ea:90:
9e:17:6c:ee:ab:6d:2b:00:eb:36:5d:e4:fe:fb:e6:7d:4e:5c:
c4:16:bb:1a:17:73:95:29:ec:60:a8:d7:8e:1d:bf:d3:a9:64:
3e:02:7d:b8
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjER
MA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMRQwEgYDVQQKDAti
YWlkdWdvbmdzaTEPMA0GA1UECwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29t
MB4XDTE5MTAxOTE1MTA0OVoXDTIyMDcxNTE1MTA0OVowXDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCHNoYW5naGFpMRQwEgYDVQQKDAtiYWlkdWdvbmdzaTEPMA0GA1UE
CwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDh5vhWSn46cBB2dx69kwWkbqW+jSY1Kf8srlKpNU9hXt9TO5CS
pMNhChic3GbCRdMq+1J4KNFLWw72M/NsbBPLMNenPGpyyktAcIp+9sUQHEjLQ7i6
Mvla8yGmNfh9qH/ncIUUKZ5A2ojtw/1stqkMLAUoCjjMHIMSoRk/dGaMKwIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJMS8lKGNwKyhY8+dYdt7+VurWxMwHwYD
VR0jBBgwFoAUAASx0WI1+ZG11lbClhndmtSb1Z4wDQYJKoZIhvcNAQELBQADggEB
ABiSzhEv1b12EZJDOse5IHnKZuXk/4/i2NZ2ljRj75veHuzdir/AL5qdiiNgj2xl
SJWoqGJg35aTO0kAKIkfwbORDF8ha8h2Upw5gbz9EWof9uSFBPIEYYFTkL70XryN
xsG8F9y7d3hTGvbzy9sGr2T92IWgv+gLLH+xYglFtA8n7W6eNdpng7Sd1o3mowrl
NqxtI9RVjr0Lrxy34FgShRbBcKrqgNek6D0Ni5/uACUk126HiRFVUNEJcYHEZAi9
KJuNJbXeOm3GbyqcWQ8kcxXoJinoXifqkJ4XbO6rbSsA6zZd5P775n1OXMQWuxoX
c5Up7GCo144dv9OpZD4Cfbg=
-----END CERTIFICATE-----
5) sz /etc/pki/CA/certs/app.crt文件到桌面可以看看内容
6) sz cacert.pem证书文件是app.crt的上一级证书文件
吊销证书:
1)openssl ca -revoke /etc/pki/CA/certs/app.crt 对app.crt吊销
[root@centos7CA]#openssl ca -revoke /etc/pki/CA/certs/app.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
2)echo FF > /etc/pki/CA/crlnumber 生成证书编号
3)openssl ca -gencrl -out /etc/pki/CA/crl.pem 更新吊销列表信息
[root@centos7CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
4)openssl crl -in /etc/pki/CA/crl.pem -noout -text 查看吊销证书信息
[root@centos7CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL): 注销信息
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=shanghai/L=shanghai/O=baidugongsi/OU=yunwei/CN=*baidu.com 注销的公司相关信息
Last Update: Oct 19 15:18:23 2019 GMT
Next Update: Nov 18 15:18:23 2019 GMT
CRL extensions:
X509v3 CRL Number:
255
Revoked Certificates:
Serial Number: 0F 声明:oF编号的证书已被注销
Revocation Date: Oct 19 15:16:25 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
2e:85:17:e8:aa:e0:56:a9:48:17:99:82:58:71:d5:f1:3c:00:
45:6c:5f:41:5b:56:f7:f6:6a:85:60:08:a5:ac:b4:88:25:91:
21:82:58:f0:45:c9:9b:08:31:81:2f:45:d2:3f:a0:2c:3f:51:
45:e2:0b:8e:6d:2b:2e:fd:43:3a:a3:7e:af:69:b9:23:b6:bc:
5e:b1:b8:58:80:c8:c8:08:09:b1:bb:8b:be:a5:9e:d8:af:28:
1f:5d:51:db:dc:a8:cd:74:df:93:d3:6a:f1:df:1d:2f:75:87:
66:ec:e0:04:13:e4:49:25:31:38:dd:02:0d:70:f1:d3:83:bb:
03:c5:2a:f4:09:6a:1f:6c:f0:1c:3d:6a:4c:e7:06:33:57:39:
e9:91:1b:1d:5a:d4:47:f9:a0:47:7f:7f:0c:f3:35:96:a8:72:
28:e2:fa:94:5f:8c:8e:ad:ae:95:36:b9:e5:12:18:ce:b1:d8:
3a:c4:a7:89:49:83:dc:61:e9:84:65:00:f2:48:d0:98:af:21:
6f:a5:a8:6b:00:fd:18:3c:28:43:38:05:08:84:1a:bf:06:93:
bc:14:4d:a3:d8:19:8b:d5:e6:fd:2b:9f:5a:59:54:ff:3c:6b:
38:ec:05:ca:76:3a:f3:bf:76:e3:1f:8f:67:f7:98:3d:ba:ab:
47:e7:7c:c3
5) sz crl.pem 可以查看windows当前吊销列表图形信息