Linux Advanced Operations 31: Implementing a CA with OpenSSL


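Implementing a CA with OpenSSL

What is a CA

A CA, or Certificate Authority, can be loosely understood as an authentication mechanism. Its role is to provide certificates (that is, server certificates, made up of a domain name, company information, a serial number, signature information and so on) that strengthen the security of the information exchanged between client and server, and to handle certificate issuance and related work. Most Internet companies in China have obtained CA certificates from international CAs and encrypt users' information when users visit them, which protects that information. In theory any organization or individual can act as a CA, but it is hard to win the trust of clients, so such a CA cannot be rolled out widely. The most typical example is the 12306 website, which issued its own root certificate.

Many large CAs are supported by browsers by default, and Windows also ships with many trusted root certificates installed. You can view them through Control Panel – Internet Options.

A certificate can also be thought of as a public key with extra information attached.

SSL/TLS

SSL and TLS are two very important protocols in network communication. The security of communication on the Internet is built on SSL/TLS. Through a series of cryptographic operations they keep communication secure, and they are among the most important applications in Internet communication today.

SSL/TLS is a large topic with plenty of introductions available online, so we will not cover it in detail here. The SSL/TLS communication process can be roughly described by the figure below.

The sixteen-character maxim

Encrypt with the public key, decrypt with the private key
Sign with the private key, verify with the public key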
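
The maxim in practice, as an added example that is not part of the original article: a throwaway RSA key pair is used to encrypt with the public key, decrypt with the private key, sign with the private key and verify with the public key. The temp directory, file names, sample message and function names are assumptions made for the demo.

```bash
# Added example: the four operations of the maxim on a throwaway RSA key pair.
# Directory, file names, sample message and function names are made up for the demo.
DEMO=$(mktemp -d)
OAEP="-pkeyopt rsa_padding_mode:oaep"
openssl genrsa -out "$DEMO/priv.pem" 2048 2>/dev/null
openssl rsa -in "$DEMO/priv.pem" -pubout -out "$DEMO/pub.pem" 2>/dev/null
printf 'transfer 100 to alice\n' > "$DEMO/msg.txt"       # constructed sample message
sed 's/100/900/' "$DEMO/msg.txt" > "$DEMO/tampered.txt"  # same message, one field changed

encrypt_msg() {   # encrypt with the PUBLIC key: anyone holding pub.pem can do this
  openssl pkeyutl -encrypt -pubin -inkey "$DEMO/pub.pem" $OAEP \
    -in "$DEMO/msg.txt" -out "$DEMO/msg.enc"
}
decrypt_msg() {   # $1 = key file; extra arguments (e.g. -pubin) are passed through
  key=$1; shift
  openssl pkeyutl -decrypt "$@" -inkey "$key" $OAEP -in "$DEMO/msg.enc" 2>/dev/null
}
sign_msg() {      # sign with the PRIVATE key
  openssl dgst -sha256 -sign "$DEMO/priv.pem" -out "$DEMO/msg.sig" "$DEMO/msg.txt"
}
verify_msg() {    # verify with the PUBLIC key; $1 = file checked against msg.sig
  openssl dgst -sha256 -verify "$DEMO/pub.pem" -signature "$DEMO/msg.sig" "$1" >/dev/null 2>&1
}

encrypt_msg && decrypt_msg "$DEMO/priv.pem"              # prints the plaintext again
decrypt_msg "$DEMO/pub.pem" -pubin || echo "public key cannot decrypt"
sign_msg && verify_msg "$DEMO/msg.txt" && echo "signature verifies"
verify_msg "$DEMO/tampered.txt" || echo "tampered message rejected"
```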

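Lab setup

CA server: 192.168.141.132

Client: 192.168.141.69

Physical machine (your own computer)

OpenSSL

OpenSSL is open-source software that is easy to install on Linux. It makes key generation and certificate management straightforward. Next we use OpenSSL to set up a CA and to request and distribute certificates.

[root@localhost ~]# yum install openssl -y

CA configuration

To create a CA certificate by hand, you first need to understand OpenSSL's CA configuration. The configuration file is /etc/pki/tls/openssl.cnf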

[root@localhost ~]# cat /etc/pki/tls/openssl.cnf

####################################################################
[ ca ]
default_ca= CA_default      # default CA
####################################################################
[ CA_default ]

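dir=/etc/pki/CA     # CA working directory; this actually defines a variable
certs= $dir/certs      # certificate storage path
crl_dir= $dir/crl      # certificate revocation lists
database= $dir/index.txt   # certificate database index file


new_certs_dir= $dir/newcerts       # path for new certificates

certificate = $dir/cacert.pem  # the CA's own certificate
serial= $dir/serial        # number of the next certificate, hexadecimal, default 00
crlnumber= $dir/crlnumber  # number of the next certificate to be revoked, hexadecimal, default 00
crl = $dir/crl.pem         # The current CRL
private_key = $dir/private/cakey.pem # the CA's private key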
RANDFILE= $dir/private/.rand   # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default       # naming scheme
cert_opt = ca_default       # CA options
default_days= 365           # default certificate validity period
default_crl_days= 30            # how long before next CRL
default_md= default     # use public key default MD
preserve= no            # keep passed DN ordering

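policy= policy_match    # policy
                                # This records how closely the information submitted when the CA is set up,
                                # and when clients request certificates, has to match.

[ policy_match ]                # match means the CA and sub-CAs must be identical
countryName = match             # country
stateOrProvinceName= match      # state or province
organizationName= match         # organization / company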
organizationalUnitName  = optional
commonName= supplied
emailAddress= optional

[ policy_anything ]             # certificate requests can be accepted from outside; matching need not be so strict then
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

Find the path specified in the configuration file

[root@localhost ~]# cat /etc/pki/tls/openssl.cnf | grep dir
dir		= /etc/pki/CA		# Where everything is kept

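The path is /etc/pki/CA

Create the required files

One thing to note here: our lab environment contains one host, and if these two files are not created in advance, errors will occur while generating certificates. We create the files under the path specified in the configuration file.

Create the certificate index database file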
[root@localhost ~]# touch /etc/pki/CA/index.txt

Set the serial number of the first certificate to be issued
[root@localhost ~]# echo 01 > /etc/pki/CA/serial

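CA self-signed certificate (building the root CA)

First build the root CA's certificate. Because no authority can issue a certificate to the root CA, the root CA can only issue a certificate to itself.

First generate the private key file cakey.pem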

[root@localhost ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
...............+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:  # enter the pass phrase here
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:    # confirm the pass phrase here

Generate the self-signed certificate cacert.pem from the private key file cakey.pem

[root@localhost ~]# openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -days 7300 -out  /etc/pki/CA/cacert.pem
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN			# China
State or Province Name (full name) []:js		# Jiangsu
Locality Name (eg, city) [Default City]:zj		# Zhenjiang
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.feng.com
Email Address []:[email protected]
[root@localhost ~]# 

View the generated certificate cacert.pem

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cat cacert.pem 

Disable SELinux

[root@localhost CA]# cd
[root@localhost ~]# setenforce 0
[root@localhost ~]# 

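Issuing a certificate (the client requests a certificate)

Issue an SSL certificate to the client

  1. The client first generates a private key and the public key for the certificate request
  2. The client sends the public key to the CA server
  3. The CA server issues a digital signature for the client and sends it back to the client

We start another virtual machine to act as the client. Because it is not the CA server, we do not generate the private key, certificate and other files under /etc/pki/CA/; we create a separate directory for them instead.

The client first generates a private key, https.key, in the /root/key/ directory

[root@localhost ~]# yum install openssl -y 		 # the client also needs the OpenSSL package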
[root@localhost ~]# mkdir key
[root@localhost ~]# openssl genrsa -out /root/key/https.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.................+++
e is 65537 (0x10001)

The client then uses the private key https.key to generate the certificate request https.csr

[root@localhost ~]#  openssl req -new -key /root/key/https.key -out /root/key/https.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:zj
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:192.168.141.69
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:feng
[root@localhost ~]# 

The client copies the certificate request file https.csr to the /etc/pki/CA directory on the CA server

[root@localhost ~]# cd key
[root@localhost key]# ls
https.csr  https.key
[root@localhost key]# scp https.csr 192.168.141.132:/etc/pki/CA
The authenticity of host '192.168.141.132 (192.168.141.132)' can't be established.
ECDSA key fingerprint is SHA256:mJVa6J0b/NaWyJ+cbVho0hHnUDY9utS7iWUGq91HvpM.
ECDSA key fingerprint is MD5:d3:6c:dc:1c:76:df:3a:d1:b9:ef:6c:17:82:64:76:6e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.141.132' (ECDSA) to the list of known hosts.
[email protected]'s password: 
https.csr                                                                     100% 1090   699.6KB/s   00:00    
[root@localhost key]#

The CA generates the digital signature https.crt from the certificate request https.csr sent by the client

[root@localhost ~]#  cd /etc/pki/CA
[root@localhost CA]# openssl ca -in https.csr -out https.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 17 08:07:23 2019 GMT
            Not After : Feb 17 08:07:23 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = js
            organizationName          = feng
            organizationalUnitName    = tech
            commonName                = 192.168.141.69
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5C:83:77:55:09:E6:6F:BF:5A:0E:7A:D4:45:64:8B:28:81:0A:70:6B
            X509v3 Authority Key Identifier: 
                keyid:A0:D2:8C:72:63:CE:16:D6:EE:DF:B6:5F:85:C1:57:06:D1:A2:CA:98

Certificate is to be certified until Feb 17 08:07:23 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost CA]# ls
cacert.pem  crl        https.csr  index.txt.attr  newcerts  serial
certs       https.crt  index.txt  index.txt.old   private   serial.old
[root@localhost CA]# 

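The CA's own private key file: cakey.pem
The CA's self-signed certificate: cacert.pem
The certificate request sent by the client: https.csr
The digital signature the CA produced from https.csr: https.crt

The CA sends the generated digital signature back to the client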

[root@localhost CA]# scp https.crt 192.168.141.69:/root/key
The authenticity of host '192.168.141.69 (192.168.141.69)' can't be established.
ECDSA key fingerprint is SHA256:GxQcqZQLnGUvawOktRB9hLYZZA0ScnEsN3USeyTghgU.
ECDSA key fingerprint is MD5:d6:d5:c1:df:2b:47:22:55:4d:1a:a3:f2:63:50:d9:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.141.69' (ECDSA) to the list of known hosts.
[email protected]'s password: 
https.crt                                                                     100% 4551     2.7MB/s   00:00    
[root@localhost CA]#

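Switch to the client and confirm that the file has arrived

[root@localhost key]# ls
https.crt  https.csr  https.key
[root@localhost key]# 

Next, the client sends its own key https.key to the CA, and the CA generates the certificate cacert.pem and sends it back to the client. To avoid conflicts, create a new directory /root/test on the CA server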

[root@localhost ~]# mkdir test
[root@localhost ~]# 

The client sends its own key https.key to the CA

[root@localhost key]#  scp https.key 192.168.141.132:/root/test
[email protected]'s password: 
https.key                                                                     100% 1675   447.2KB/s   00:00    
[root@localhost key]# 

The CA generates the certificate cacert.pem

[root@localhost ~]# openssl req -new -x509 -key  /root/test/https.key  -days 7300 -out  /root/test/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:zj
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:192.168.141.69
Email Address []:[email protected]
[root@localhost ~]# 

The CA server sends the certificate to the client

[root@localhost ~]# cd test/
[root@localhost test]# ls
cacert.pem  https.key
[root@localhost test]# scp cacert.pem 192.168.141.69:/etc/pki/CA
[email protected]'s password: 
cacert.pem                                                                    100% 1375     1.0MB/s   00:00    
[root@localhost test]# 

Switch to the client and confirm that the file has arrived

[root@localhost key]# cd /etc/pki/CA
[root@localhost CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@localhost CA]# 

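The client protects its website with HTTPS

Principle: suppose people visit the website http://test.feng.com, and this site is hosted on the client 192.168.141.69. The client then needs to obtain a digital signature from the CA server, so that computers with the corresponding certificate installed can visit https://test.feng.com. Our client has just obtained its digital signature, so now we set up a website on the client with nothing but a default page, "Testing……", which is enough to see the certificate in action.

Install Apache and the mod_ssl module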

[root@localhost key]# cd
[root@localhost ~]# yum install httpd mod_ssl -y

Edit the configuration file

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

100 SSLCertificateFile /root/key/https.crt
107 SSLCertificateKeyFile /root/key/https.key
122 SSLCACertificateFile /etc/pki/CA/cacert.pem

Open port 443 and the https service in the firewall, disable SELinux, and restart the Apache service

[root@localhost ~]# firewall-cmd --add-port={443,80}/tcp --permanent 
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# setenforce 0
[root@localhost ~]# 
[root@localhost ~]# systemctl restart httpd

The Apache restart must be done last here, otherwise an error is reported.
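
A pre-flight check to run before restarting httpd, added here as an example and not part of the original article: it confirms that the private key and the certificate named in ssl.conf carry the same public key and that the key file is accessible only to its owner. The helper names are hypothetical, and the files are throwaway self-signed stand-ins generated in a temp directory rather than the real /root/key files.

```bash
# Added example: pre-flight checks for the key/certificate pair named in ssl.conf.
# pair_matches and key_is_private are hypothetical helpers; the files below are
# throwaway stand-ins generated in a temp dir, not the real /root/key files.
pair_matches() {     # $1 = private key file, $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]          # same public key on both sides
}
key_is_private() {   # true only if group and others have no permission bits
  case $(ls -ld "$1" 2>/dev/null) in
    -???------*) return 0 ;;
    *)           return 1 ;;
  esac
}

T=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$T/req.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -config "$T/req.cnf" -subj "/CN=192.168.141.69" \
  -keyout "$T/https.key" -out "$T/https.crt" 2>/dev/null
openssl genrsa -out "$T/other.key" 2048 2>/dev/null      # unrelated key
chmod 600 "$T/https.key"; chmod 644 "$T/other.key"

pair_matches "$T/https.key" "$T/https.crt" && echo "https.key matches https.crt"
pair_matches "$T/other.key" "$T/https.crt" || echo "other.key does not match https.crt"
key_is_private "$T/other.key" || echo "other.key is accessible to other users"
```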

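Importing the root CA certificate on Windows

Export the root certificate from Linux (the self-signed certificate generated by the CA server, the cacert.pem for ca.feng.com) to Windows, change its extension to .crt, open it and click Install Certificate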

[root@localhost ~]# yum install lrzsz -y
[root@localhost ~]# sz /etc/pki/CA/cacert.pem
[root@localhost ~]# 
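Export it to your own computer as shown in the figure below, change its extension to crt, and double-click it to start installing the certificate.

As the figure above shows, opening this CA self-signed certificate reveals that both "Issued by" and "Issued to" are ca.feng.com, and that it is not trusted: the certificate information icon shows a big red cross. We need to install this certificate manually. Once it is installed to the local computer it becomes trusted, meaning the local computer trusts the certificate this authority issued to itself.

Select Local Machine, then click Next

Install the certificate, then click Next and finally Finish

View the certificate

Press Win+R, enter certmgr.msc and click OK

The certificate we installed is the CA's self-signed certificate, named ca.feng.com. Once it is installed, our computer fully trusts this CA and trusts any certificate this CA issues to any website. Earlier we set up Apache on our client, 192.168.141.69, so it now counts as a website. Its home page is still the "Testing 123" page shown below, but that does not stop the browser from evaluating the site's certificate.

As shown below, when we open https://192.168.141.69 we see that its certificate comes from ca.feng.com. The certificate that our client 192.168.141.69 obtained from the CA server now does its job and lets the browser trust this site's certificate. In addition, because the mod_ssl module supports the "s" in "https", the URL can be opened over https.

Visit the website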

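Revoking a certificate

Revoking certificates is the CA's job, not something we need to do ourselves; this is only a demonstration of the method. Revocation does not take effect immediately; it has to wait for the website to restart.

On the root CA, compare the serial and subject information submitted by the client against the information in index.txt to check that they match, then revoke the certificate

# Revoke the client's certificate with the revoke command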

[root@localhost CA]# openssl ca -revoke /etc/pki/CA/https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]# 

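Set the number of the first revoked certificate

(The revocation number only needs to be set before updating the certificate revocation list)

# This command serves the same purpose as setting the certificate serial number when generating certificates.
# That is, it sets the number used the next time a certificate is revoked.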
[root@localhost CA]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost CA]# cat /etc/pki/CA/crlnumber
01
[root@localhost CA]# 

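Update the certificate revocation list

With the certificate revocation list number set above, we can now update the certificate revocation list.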

[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:	# prompts for the pass phrase here
[root@localhost CA]# 

View the certificate revocation list file

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text 
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=js/L=zj/O=feng/OU=tech/CN=ca.feng.com/[email protected]
        Last Update: Feb 17 08:55:41 2019 GMT
        Next Update: Mar 19 08:55:41 2019 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Feb 17 08:54:31 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
[root@localhost CA]# 

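Revocation does not take effect immediately; it has to wait for the website to restart, so restart the Apache service on the client here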

[root@localhost ~]# systemctl restart httpd

View the result after revocation
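
The policy_match rules, the issuing step and the revocation step from this article, replayed end to end in a throwaway directory (an added example, not the original author's commands). Assumptions: the lab_* helper names are hypothetical, a minimal config stands in for /etc/pki/tls/openssl.cnf, and keys are left unencrypted (-nodes) with -subj and -batch so that nothing prompts.

```bash
# Added example: a throwaway CA in a temp dir; /etc/pki/CA is never touched.
# lab_init, lab_issue, lab_verify and lab_revoke are hypothetical helper names.
LAB=$(mktemp -d) && cd "$LAB" || exit 1
lab_init() {   # the page's moving parts: index.txt, serial, crlnumber, CA key and cert
  mkdir -p private newcerts && chmod 700 private
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
certificate = cacert.pem
private_key = private/cakey.pem
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 7300 -config ca.cnf \
    -subj "/C=CN/ST=js/O=feng/CN=ca.feng.com" -keyout private/cakey.pem -out cacert.pem 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
lab_issue() {  # $1 = file stem, $2 = organizationName placed in the CSR
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout "$1.key" -out "$1.csr" \
    -subj "/C=CN/ST=js/O=$2/CN=192.168.141.69" 2>/dev/null &&
  openssl ca -batch -config ca.cnf -days 365 -in "$1.csr" -out "$1.crt" 2>/dev/null
}
lab_verify() { # chain to cacert.pem and consult the CA's CRL
  openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check "$1.crt" 2>&1 | grep -q ': OK$'
}
lab_revoke() { # mark the entry R in index.txt, then publish a fresh CRL
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
lab_init && lab_issue web feng && lab_verify web && echo "issued: chain and CRL check pass"
lab_issue other acme || echo "O=acme refused by policy_match"
lab_revoke web && ! lab_verify web && echo "revoked: CRL check now fails"
```

After the run, the temp directory holds the same index.txt, serial and crl.pem artifacts the article inspects, so they can be examined with the openssl crl command shown above.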

That concludes this article.
