CA、证书及openssl用法

CA和证书

PKI: Public Key Infrastructure

签证机构:CA(Certificate Authority)

注册机构:RA

证书吊销列表:CRL

证书存取库:

X.509:定义了证书的结构以及认证协议标准

版本号

序列号

签名算法

颁发者

有效期限

主体名称

主体公钥

CRL分发点

扩展信息

发行者签名

证书获取

证书类型:

证书授权机构的证书

服务器

用户证书

获取证书两种方法:

• 使用证书授权机构

生成证书请求(csr)

将证书请求csr发送给CA

CA签名颁发证书

• 自签名的证书

自已签发自己的公钥

 

证书获取

证书类型:

证书授权机构的证书

服务器

用户证书

获取证书两种方法:

• 使用证书授权机构

生成证书请求(csr)

将证书请求csr发送给CA

CA签名颁发证书

• 自签名的证书

自已签发自己的公钥

 

安全协议

SSL:Secure Socket Layer,TLS: Transport Layer Security

1995:SSL 2.0 Netscape

1996:SSL 3.0

1999:TLS 1.0

2006:TLS 1.1 IETF(Internet工程任务组) RFC 4346

2008:TLS 1.2 当前使用

2015:TLS 1.3

功能:机密性,认证,完整性,重放保护

两阶段协议,分为握手阶段和应用阶段

握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字

证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使

用的所有密钥都是通过MasterSecret生成。

应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密

钥进行安全通信

 

SSL/TLS

CA、证书及openssl用法_第1张图片

 

Handshake协议:包括协商安全参数和密码套件、服务器身份认证(客户端身

份认证可选)、密钥交换

ChangeCipherSpec 协议:一条消息表明握手协议已经完成

Alert 协议:对握手协议中一些异常的错误提醒,分为fatal和warning两个级别,

fatal类型错误会直接中断SSL链接,而warning级别的错误SSL链接仍可继续,

只是会给出错误警告

Record 协议:包括对消息的分段、压缩、消息认证和完整性保护、加密等

HTTPS 协议:就是“HTTP 协议”和“SSL/TLS 协议”的组合。HTTP over

SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二

进制形式传输

 

HTTPS结构

CA、证书及openssl用法_第2张图片

 

HTTPS工作过程

CA、证书及openssl用法_第3张图片

 

 

 

 base64字符表示:

CA、证书及openssl用法_第4张图片

 

演示base64算法结果:

ab 的base64结果是YWI=

ab 的ascii码是78 79

2^6=64位,因此按6位区分

011000    01  0110    001000(后面补两个0,用输出的=代替)

24                 22            8

Y                   W             I=

 echo  -n ab | base64    ab 的base64输出结果:

CA、证书及openssl用法_第5张图片

 

 

openssl命令

对称加密:

工具:openssl enc, gpg

算法:3des, aes, blowfish, twofish

enc命令:

帮助:man enc

 

示例:对称加密:

加密:

openssl enc -e -des3 -a -salt  -in f1 -out f1.bak

解密:

openssl enc -d -des3 -a -salt  -in f1.bak -out f1.bak.enc

 

单向加密:
工具:md5sum, sha1sum, sha224sum,sha256sum…
openssl dgst
dgst命令:
帮助:man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE  加密工具可以结合md5、sha1等算法
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
MAC: Message Authentication Code,单向加密的一种延伸应用,用于实现
网络通信中保证所传输数据的完整性机制
CBC-MAC
HMAC:使用md5或sha1算法

 

示例:

openssl dgst -sha1 f1  等价于 sha1sum  f1的加密

openssl dgst -md5  f1   等价于md5sum f1的加密

 

生成用户密码:

passwd命令:

帮助:man sslpasswd

openssl passwd -1 -salt SALT(最多8位)    其中-1代表的是md5加密的含义 

生成随机数:

帮助:man sslrand

openssl rand -base64|-hex NUM NUM: 表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制, 出现的字符数为NUM*2

 

示例:

openssl  passwd -1 -salt  6 (salt加上六位的"盐",可打乱密码顺序)

openssl rand  -base64 6   生成base64的6个字节

openssl rand  -hex  6 随机生成16进制6个字节

 

 

公钥加密: 算法:RSA, ELGamal

工具:gpg, openssl rsautl(man rsautl) u

数字签名: 算法:RSA, DSA, ELGamal

密钥交换: 算法:dh

DSA:Digital Signature Algorithm

DSS:Digital Signature Standard

RSA: openssl命令 u生成密钥对儿:man genrsa

生成私钥 openssl genrsa -out  /PATH/TO/PRIVATEKEY.FILE NUM_BITS

(umask 077; openssl genrsa -out test.key –des 2048)

openssl rsa -in test.key -out test2.key 将加密key解密

 

示例:

生成私钥:

(umask 077;openssl genrsa -out test.key -des3 2048)  生成test.key私钥文件并以des3的算法加密

或者直接切换至cd /etc/pki/tls/certs下生成

make /data/test.key   里边有一个makefile文件就可以自动生成私钥文件

解开私钥:

openssl rsa -in test.key -out test2.key.bak   对test.key 私钥进行解密并导出文件起名叫test2.key.bak

 

 

从私钥中提取出公钥 openssl rsa -in  PRIVATEKEYFILE  -pubout -out  PUBLICKEYFILE

openssl rsa -in test.key -pubout -out test.key.pub

 

示例:openssl rsa -in test.bak -pubout -out test.pubkey

 

随机数生成器:伪随机数字 键盘和鼠标,块设备中断

/dev/random:仅从熵池返回随机数;随机数用尽,阻塞

/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机 数,非阻塞

 

示例:

tr -dc 'a-zA-Z0-9'  < /dev/urandom   将生成的随机大小写字母、数字全部进行打印

tr:参数解释

-c或——complerment:取代所有不属于第一字符集的字符;
-d或——delete:删除所有属于第一字符集的字符;
-s或--squeeze-repeats:把连续重复的字符以单独一个字符表示;
-t或--truncate-set1:先删除第一字符集较第二字符集多出的字符。


CA创建和证书申请实验:
以此表作为参考进行创建:

 CA、证书及openssl用法_第6张图片

 

 

 

创建CA:

centos7上创建CA证书:

1) (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   CA生成秘钥

[root@centos7CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
.........................................................................+++
e is 65537 (0x10001)

2) openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650    生成自签名证书

[root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert1.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   国家名称
State or Province Name (full name) []:shanghai  城市
Locality Name (eg, city) [Default City]:shanghai  省会
Organization Name (eg, company) [Default Company Ltd]:baidu  公司名称
Organizational Unit Name (eg, section) []:yunwei  部门组织名称
Common Name (eg, your name or your server's hostname) []:*baidu.com  域名
Email Address []:

3) touch index.txt

4) echo oF > serial

 

在centos6(或者web服务器)中进行创建证书:

1) (umask 077;openssl genrsa -out app.key 1024)  生成私钥

[root@centos6CA]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
.......++++++
e is 65537 (0x10001)

2) openssl req -new -key  app.key -out app.csr  生成申请证书文件

[root@centos6CA]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   国家:要和根CA的信息一致
State or Province Name (full name) []:shanghai   省会:要和根CA的信息一致
Locality Name (eg, city) [Default City]:shanghai   城市
Organization Name (eg, company) [Default Company Ltd]:baidu要和根CA的公司信息一致
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:*baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:centos
An optional company name []:centos

3)scp app.csr 192.168.34.101:/etc/pki/CA       复制到centos7的CA目录下

4)openssl ca -in app.csr  -out  /etc/pki/CA/certs/app.crt  -days 1000  centos7对centos6(服务器)申请的证书文件进行核对并颁发证书

[root@centos7CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = baidugongsi
organizationalUnitName = yunwei
commonName = *baidu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier:
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E

Certificate is to be certified until Jul 15 15:10:49 2022 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 注意:默认要求 国家,省,公司名称三项必须和CA一致

证书内容:

[root@centos7CA]#cat certs/app.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanghai, L=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject: C=CN, ST=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e1:e6:f8:56:4a:7e:3a:70:10:76:77:1e:bd:93:
05:a4:6e:a5:be:8d:26:35:29:ff:2c:ae:52:a9:35:
4f:61:5e:df:53:3b:90:92:a4:c3:61:0a:18:9c:dc:
66:c2:45:d3:2a:fb:52:78:28:d1:4b:5b:0e:f6:33:
f3:6c:6c:13:cb:30:d7:a7:3c:6a:72:ca:4b:40:70:
8a:7e:f6:c5:10:1c:48:cb:43:b8:ba:32:f9:5a:f3:
21:a6:35:f8:7d:a8:7f:e7:70:85:14:29:9e:40:da:
88:ed:c3:fd:6c:b6:a9:0c:2c:05:28:0a:38:cc:1c:
83:12:a1:19:3f:74:66:8c:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier:
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E

Signature Algorithm: sha256WithRSAEncryption
18:92:ce:11:2f:d5:bd:76:11:92:43:3a:c7:b9:20:79:ca:66:
e5:e4:ff:8f:e2:d8:d6:76:96:34:63:ef:9b:de:1e:ec:dd:8a:
bf:c0:2f:9a:9d:8a:23:60:8f:6c:65:48:95:a8:a8:62:60:df:
96:93:3b:49:00:28:89:1f:c1:b3:91:0c:5f:21:6b:c8:76:52:
9c:39:81:bc:fd:11:6a:1f:f6:e4:85:04:f2:04:61:81:53:90:
be:f4:5e:bc:8d:c6:c1:bc:17:dc:bb:77:78:53:1a:f6:f3:cb:
db:06:af:64:fd:d8:85:a0:bf:e8:0b:2c:7f:b1:62:09:45:b4:
0f:27:ed:6e:9e:35:da:67:83:b4:9d:d6:8d:e6:a3:0a:e5:36:
ac:6d:23:d4:55:8e:bd:0b:af:1c:b7:e0:58:12:85:16:c1:70:
aa:ea:80:d7:a4:e8:3d:0d:8b:9f:ee:00:25:24:d7:6e:87:89:
11:55:50:d1:09:71:81:c4:64:08:bd:28:9b:8d:25:b5:de:3a:
6d:c6:6f:2a:9c:59:0f:24:73:15:e8:26:29:e8:5e:27:ea:90:
9e:17:6c:ee:ab:6d:2b:00:eb:36:5d:e4:fe:fb:e6:7d:4e:5c:
c4:16:bb:1a:17:73:95:29:ec:60:a8:d7:8e:1d:bf:d3:a9:64:
3e:02:7d:b8
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjER
MA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMRQwEgYDVQQKDAti
YWlkdWdvbmdzaTEPMA0GA1UECwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29t
MB4XDTE5MTAxOTE1MTA0OVoXDTIyMDcxNTE1MTA0OVowXDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCHNoYW5naGFpMRQwEgYDVQQKDAtiYWlkdWdvbmdzaTEPMA0GA1UE
CwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDh5vhWSn46cBB2dx69kwWkbqW+jSY1Kf8srlKpNU9hXt9TO5CS
pMNhChic3GbCRdMq+1J4KNFLWw72M/NsbBPLMNenPGpyyktAcIp+9sUQHEjLQ7i6
Mvla8yGmNfh9qH/ncIUUKZ5A2ojtw/1stqkMLAUoCjjMHIMSoRk/dGaMKwIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJMS8lKGNwKyhY8+dYdt7+VurWxMwHwYD
VR0jBBgwFoAUAASx0WI1+ZG11lbClhndmtSb1Z4wDQYJKoZIhvcNAQELBQADggEB
ABiSzhEv1b12EZJDOse5IHnKZuXk/4/i2NZ2ljRj75veHuzdir/AL5qdiiNgj2xl
SJWoqGJg35aTO0kAKIkfwbORDF8ha8h2Upw5gbz9EWof9uSFBPIEYYFTkL70XryN
xsG8F9y7d3hTGvbzy9sGr2T92IWgv+gLLH+xYglFtA8n7W6eNdpng7Sd1o3mowrl
NqxtI9RVjr0Lrxy34FgShRbBcKrqgNek6D0Ni5/uACUk126HiRFVUNEJcYHEZAi9
KJuNJbXeOm3GbyqcWQ8kcxXoJinoXifqkJ4XbO6rbSsA6zZd5P775n1OXMQWuxoX
c5Up7GCo144dv9OpZD4Cfbg=
-----END CERTIFICATE-----

5) sz /etc/pki/CA/certs/app.crt文件到桌面可以看看内容

6) sz cacert.pem证书文件是app.crt的上一级证书文件

 

吊销证书:

1)openssl ca -revoke /etc/pki/CA/certs/app.crt 对app.crt吊销

[root@centos7CA]#openssl ca -revoke /etc/pki/CA/certs/app.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated

2)echo FF >  /etc/pki/CA/crlnumber  生成证书编号

3)openssl ca -gencrl  -out /etc/pki/CA/crl.pem  更新吊销列表信息

[root@centos7CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

4)openssl crl -in /etc/pki/CA/crl.pem -noout -text 查看吊销证书信息

[root@centos7CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):  注销信息
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=shanghai/L=shanghai/O=baidugongsi/OU=yunwei/CN=*baidu.com  注销的公司相关信息
Last Update: Oct 19 15:18:23 2019 GMT
Next Update: Nov 18 15:18:23 2019 GMT
CRL extensions:
X509v3 CRL Number:
255
Revoked Certificates:
Serial Number: 0F    声明:oF编号的证书已被注销
Revocation Date: Oct 19 15:16:25 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
2e:85:17:e8:aa:e0:56:a9:48:17:99:82:58:71:d5:f1:3c:00:
45:6c:5f:41:5b:56:f7:f6:6a:85:60:08:a5:ac:b4:88:25:91:
21:82:58:f0:45:c9:9b:08:31:81:2f:45:d2:3f:a0:2c:3f:51:
45:e2:0b:8e:6d:2b:2e:fd:43:3a:a3:7e:af:69:b9:23:b6:bc:
5e:b1:b8:58:80:c8:c8:08:09:b1:bb:8b:be:a5:9e:d8:af:28:
1f:5d:51:db:dc:a8:cd:74:df:93:d3:6a:f1:df:1d:2f:75:87:
66:ec:e0:04:13:e4:49:25:31:38:dd:02:0d:70:f1:d3:83:bb:
03:c5:2a:f4:09:6a:1f:6c:f0:1c:3d:6a:4c:e7:06:33:57:39:
e9:91:1b:1d:5a:d4:47:f9:a0:47:7f:7f:0c:f3:35:96:a8:72:
28:e2:fa:94:5f:8c:8e:ad:ae:95:36:b9:e5:12:18:ce:b1:d8:
3a:c4:a7:89:49:83:dc:61:e9:84:65:00:f2:48:d0:98:af:21:
6f:a5:a8:6b:00:fd:18:3c:28:43:38:05:08:84:1a:bf:06:93:
bc:14:4d:a3:d8:19:8b:d5:e6:fd:2b:9f:5a:59:54:ff:3c:6b:
38:ec:05:ca:76:3a:f3:bf:76:e3:1f:8f:67:f7:98:3d:ba:ab:
47:e7:7c:c3

5) sz  crl.pem  可以查看windows当前吊销列表图形信息

 

 

 

 

 

 

 

 

你可能感兴趣的:(CA、证书及openssl用法)