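1.1 Introduction to SSL:
SSL (Secure Sockets Layer) is a security protocol that provides security and data integrity for network communication.
1.2 Services provided by SSL:
- Authenticates users and servers, ensuring that data is sent to the correct client and server;
- Encrypts data to prevent it from being intercepted in transit;
- Maintains data integrity, ensuring that data is not altered in transit.
1.3 OpenSSL is an open-source SSL project and consists of three parts:
- libcrypto: a general-purpose cryptographic library that implements a large number of cryptographic algorithms;
- libssl: implements the TLS/SSL protocols;
- openssl: a multi-purpose command-line tool that can encrypt and decrypt data and can even act as a CA, letting you create and revoke certificates.
1.4 OpenSSL command usage
- Standard commands: enc, ca, req, genrsa, etc.
- Message digest commands (the dgst subcommand)
- Cipher commands (the enc subcommand)
1.4.1 Symmetric encryption:
Tools:
- openssl enc;
- gpg
Algorithms:
- 3des;
- aes;
- blowfish;
- twofish;
enc command: see man enc
Characteristics:
- Encryption and decryption use the same key;
- The data is split into fixed-size blocks that are encrypted one by one
Drawbacks:
- Too many keys to manage
- Key distribution is difficult
- Mainly used for data encryption
Encrypt: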
openssl enc -e -des3 -a -salt -in fstab -out a.cipher
Decrypt:
openssl enc -d -des3 -a -salt -in a.cipher -out a-2
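1.4.2 One-way encryption (hashing):
Tools:
- openssl dgst;
- md5sum;
- sha1sum;
- sha224sum;
- sha256sum (algorithms with different output lengths in bits)
dgst command: see man dgst
- openssl dgst -md5 [-hex] /PATH/SOMEFILE (-hex is the default)
- md5sum /PATH/TO/SOMEFILE
Generating user passwords (passwd, openssl passwd)
- passwd command: see man sslpasswd
- openssl passwd -1 -salt SALT (SALT is at most 8 characters; -1 selects the MD5-based algorithm)
Generating random numbers: see man sslrand
- openssl rand -base64|-hex NUM
- NUM is the number of bytes; with -hex each character represents 4 bits, so the output is NUM*2 characters long
Characteristics:
- Can only "encrypt", never decrypt (it extracts a fingerprint, or signature, of the data)
- Fixed-length output, avalanche effect
- Used to verify data integrity
One-way encryption: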
[root@CentOS7 /app]#openssl dgst -md5 fstab
MD5(fstab)= f0dff383430026f3105b32cc1f7e5604
[root@CentOS7 /app]#md5sum fstab
f0dff383430026f3105b32cc1f7e5604 fstab
Generating a user password:
[root@CentOS7 /app]#openssl passwd -1 -salt salt
Password:
$1$salt$IbRkpBgAWG4UIV3zweVwG/
Generating random numbers:
[root@CentOS7 /app]#openssl rand -base64 10
4WO4sR1MLRxtjA==
[root@CentOS7 /app]#openssl rand -hex 15
3f3b95d08d0617979aa67eab5e77e1
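The 1.4.1 and 1.4.2 commands combined into one check, as an added example that is not part of the original page: encrypt a file, decrypt it, and compare digests to confirm the round trip. It swaps -des3 for -aes-256-cbc with -pbkdf2 (which assumes OpenSSL 1.1.1 or later); the function names, file names and the ENC_PASS variable are constructed for the example.

```bash
# Added example (not from the original page); all names are constructed.
# digest FILE: print only the SHA-256 hex digest (the data fingerprint).
digest() { openssl dgst -sha256 -r "$1" 2>/dev/null | cut -d' ' -f1; }

# roundtrip FILE ENC_PASSPHRASE DEC_PASSPHRASE
# Returns 0 only if the decrypted copy has the same digest as FILE.
roundtrip() {
    local src=$1 rc=1 tmp
    tmp=$(mktemp -d) || return 2
    # env: keeps the passphrase out of the process list (unlike pass:...).
    ENC_PASS=$2 openssl enc -e -aes-256-cbc -pbkdf2 -a -salt \
        -pass env:ENC_PASS -in "$src" -out "$tmp/a.cipher" \
        || { rm -rf "$tmp"; return 2; }
    # A wrong passphrase normally ends in "bad decrypt", but the exit status
    # is not an integrity check; comparing the digests is.
    ENC_PASS=$3 openssl enc -d -aes-256-cbc -pbkdf2 -a \
        -pass env:ENC_PASS -in "$tmp/a.cipher" -out "$tmp/a-2" 2>/dev/null
    if [ "$(digest "$src")" = "$(digest "$tmp/a-2")" ]; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}
```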
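1.4.3 Public-key encryption:
Encryption and decryption:
- Algorithms: RSA, ElGamal
- Tools: gpg, openssl rsautl (see man rsautl)
Digital signatures:
- Algorithms: RSA, DSA, ElGamal
Key exchange:
- Algorithm: DH
Generating a key pair:
- Generate the private key:
openssl genrsa -out /tmp/mykey2.private 1024
(umask 077;openssl genrsa -out /tmp/mykey3.private 2048)    # the subshell's umask creates the private key with mode 600
- Extract the public key from the private key: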
openssl rsa -in /tmp/mykey2.private -pubout
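The key-pair commands above put to use for a digital signature, as an added example that is not part of the original page: the private key signs a file with openssl dgst and the extracted public key verifies it. The function names and file names are constructed for the example.

```bash
# Added example (not from the original page); paths are constructed.
# make_keypair DIR: DIR/mykey.private (mode 600) and DIR/mykey.public
make_keypair() {
    ( umask 077; openssl genrsa -out "$1/mykey.private" 2048 ) 2>/dev/null &&
    openssl rsa -in "$1/mykey.private" -pubout \
        -out "$1/mykey.public" 2>/dev/null
}

# key_perms DIR: permission string of the private key, e.g. -rw-------
key_perms() { ls -l "$1/mykey.private" | cut -c1-10; }

# sign_file DIR FILE: write the RSA signature over SHA-256(FILE) to FILE.sig
sign_file() {
    openssl dgst -sha256 -sign "$1/mykey.private" -out "$2.sig" "$2"
}

# verify_file DIR FILE: 0 only if FILE.sig matches FILE under the public key
verify_file() {
    openssl dgst -sha256 -verify "$1/mykey.public" \
        -signature "$2.sig" "$2" >/dev/null 2>&1
}
```

Only the public key is needed to verify, so mykey.public can be handed out freely while mykey.private stays on the signing host.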
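Random number generators (pseudo-random numbers):
- Entropy pool:
  - The operating system keeps an entropy pool, which stores the random numbers produced by hardware interrupts (every hardware interrupt produces a random number)
- /dev/random:
  - Returns random numbers only from the entropy pool; when the pool is exhausted, the reading process blocks;
- /dev/urandom:
  - Takes random numbers from the entropy pool; when the pool is exhausted, a pseudo-random number generator produces pseudo-random numbers instead (pseudo-random numbers are not secure)
- Sources of randomness in the entropy pool:
  - Interval between disk I/O interrupts
2 Creating a CA and requesting a certificate
2.1 Directory layout for SSL certificates: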
[root@CentOS7 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl #revoked certificates
├── newcerts #digital certificates signed (issued) by the CA (certificate backup directory)
└── private #holds the CA's private key
4 directories, 0 files
[root@CentOS7 ~]#tree /etc/pki/tls/
/etc/pki/tls/
├── cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
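├── certs # certificate directory for this server; holds your own certificates and the built-in ones (ca-bundle.crt is the built-in bundle of trusted certificates)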
│ ├── ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
│ ├── ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
│ ├── make-dummy-cert
│ ├── Makefile
│ └── renew-dummy-cert
├── misc
│ ├── CA
│ ├── c_hash
│ ├── c_info
│ ├── c_issuer
│ └── c_name
├── openssl.cnf #OpenSSL's main CA configuration file
└── private #directory for certificate private keys
2.2 Selected parts of the openssl.cnf configuration file
vim /etc/pki/tls/openssl.cnf
####################################################################
[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
After changing policy to policy_anything, countryName and stateOrProvinceName no longer have to match the CA's values.
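2.3 Create the required files
[root@CentOS7 ~]#touch /etc/pki/CA/index.txt #create the certificate index database file
[root@CentOS7 ~]#echo 01 > /etc/pki/CA/serial #set the serial number of the first certificate to be issued
2.4 Generate the private key for the CA's self-signed certificate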
[root@CentOS7 /etc/pki/CA]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............................................+++
...............................................................................+++
e is 65537 (0x10001)
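For security, the cakey.pem private key file should have mode 600 or 400; generating it in a subshell with umask set achieves this without changing the umask of the calling shell.
2.5 Generate the self-signed certificate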
[root@CentOS7 /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
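-new: generate a new certificate signing request
-x509: used only by a CA to generate a self-signed certificate
-key: the private key file used when generating the request
-days n: validity period of the certificate
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved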
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:huizhou
Organization Name (eg, company) [Default Company Ltd]:cnnavy.cn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cnnavy.cn
Email Address []:cnnavy.cn
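The self-built CA now exists and can start signing certificates for others.
2.6 Issuing a certificate: generate a certificate request on the host that needs the certificate
Generate a private key for the web server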
[root@CentOS6 ~]#(umask 066;openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
........................................+++
e is 65537 (0x10001)
Generate the certificate request file
[root@CentOS6 ~]#openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:huizhou
Organization Name (eg, company) [Default Company Ltd]:cnnavy.cn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cnnavy.cn
Email Address []:cnnavy.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Transfer the certificate request file to the CA
[root@CentOS6 /etc/pki/tls]#scp test.csr 172.18.254.65:/etc/pki/CA/
[root@CentOS7 /etc/pki/CA]#openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 05:43:12 2017 GMT
Not After : Sep 10 05:43:12 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
localityName = huizhou
organizationName = cnnavy.cn
organizationalUnitName = it
commonName = cnnavy.cn
emailAddress = cnnavy.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C8:C4:D0:46:94:43:B2:C3:3E:02:B0:D4:84:2A:F8:D3:B5:2B:B1:F3
X509v3 Authority Key Identifier:
keyid:65:CD:A0:4C:9B:50:7A:99:B5:66:25:9A:BD:CC:F5:CB:97:1D:07:DA
Certificate is to be certified until Sep 10 05:43:12 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
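Note: by default the country, state/province and organization name must match those of the CA; setting policy = policy_anything in openssl.cnf removes this requirement.
View the certificate issued for the request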
[root@CentOS7 /etc/pki/CA]#openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guangdong/L=huizhou/O=cnnavy.cn/OU=it/CN=cnnavy.cn/emailAddress=cnnavy.cn
Once the CA has signed the request, the certificate file exists; just send it back to the requesting host and it is ready to use.
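Sections 2.3 to 2.6 as one non-interactive run, as an added example that is not part of the original page: it builds the CA in a scratch directory instead of /etc/pki/CA and shows how policy_match rejects a request whose organization differs from the CA's while policy_anything signs it. The minimal ca.cnf, the subjects and the function names are constructed for the example.

```bash
# Added example: sections 2.3-2.6 in a scratch directory (constructed names).
setup_ca() {                   # $1 = empty directory used as the CA root
    local d=$1
    mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private"
    touch "$d/index.txt"       # certificate index database (2.3)
    echo 01 > "$d/serial"      # serial number of the first certificate (2.3)
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $d/index.txt
new_certs_dir = $d/newcerts
certificate   = $d/cacert.pem
serial        = $d/serial
private_key   = $d/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    ( umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 ) 2>/dev/null
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
        -days 7300 -subj "/C=CN/ST=guangdong/O=example-ca/CN=demo-ca" \
        -out "$d/cacert.pem"
}
# issue DIR POLICY SUBJECT NAME: make a key and CSR, then have the CA sign it.
issue() {
    ( umask 077; openssl genrsa -out "$1/$4.key" 2048 ) 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/$4.key" -subj "$3" \
        -out "$1/$4.csr" &&
    openssl ca -batch -config "$1/ca.cnf" -policy "$2" \
        -in "$1/$4.csr" -out "$1/certs/$4.crt" 2>/dev/null
}
```

After a successful issue, `openssl verify -CAfile DIR/cacert.pem DIR/certs/NAME.crt` confirms that the certificate chains to the demo CA.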