大纲
一、加密类型
二、CA及SSL
三、OpenSSL实现私有CA
一、加密类型
(1)、信息安全三要素
机密性(Confidentiality)
完整性(Integrity)
可用性(Availability)
(2)、加密类型
对称加密:加密和解密使用同一个密钥,DES, 3DES, AES
非对称加密:每个密钥都成对儿出现,一个为私钥(secret key),一个为公钥(public key),DSA,RSA
单向加密,散列加密:提取数据特征码,常用于数据完整性校验,特点:①雪崩效应 ②定长输出 ③不可逆
MD5:Message Digest, 信息摘要算法,128位定长输出
SHA1:Secure Hash Algorithm, 安全的hash算法,160位定长输出
(3)、两台主机密钥交换过程(Diffie-hellman)
①A和B随机选择p(大素数),g(生成数)
②A选择一个随机数x,B选择一个随机数y
③A将g^x%p结果发给B,B将g^y%p结果发送给A,p、g、g^x%p、g^y%p这四个数所有人都可以看到,但是x只有A知道;同理y只有B知道
④于是A收到B发来的g^y%p之后进行幂运算,即(g^y%p)^x生成的即为密钥,B也做相同的运算,于是两人就完成了密钥交换的过程。数学原理:(g^x%p)^y=(g^y%p)^x
发送方用自己的私钥加密,接收方能用发送方的公钥解密,即可实现身份验证
发送方用对方的公钥加密,接收方能使用自己的私钥解密,即可保证数据的机密性
非对称密钥一般不用于加密数据,因为速度太慢,所以一般只用于密钥交换
二、CA及SSL
1、CA(Certificate Authority)
CA是PKI系统中通信双方都信任的实体,被称为可信第三方(Trusted Third Party,简称TTP)。CA作为可信第三方的重要条件之一就是CA的行为具有非否认性。作为第三方而不是简单的上级,就必须能让信任者有追究自己责任的能力。CA通过证书证实他人的公钥信息,证书上有CA的签名。用户如果因为信任证书而导致了损失,证书可以作为有效的证据用于追究CA的法律责任。正是因为CA愿意给出承担责任的承诺,所以也被称为可信第三方。
2、CRL(Certificate Revocation List)
证书具有一个指定的寿命,但 CA 可通过称为证书吊销的过程来缩短这一寿命。CA 发布一个证书吊销列表 (CRL),列出被认为不能再使用的证书的序列号。CRL 指定的寿命通常比证书指定的寿命短得多。CA 也可以在 CRL 中加入证书被吊销的理由。它还可以加入被认为这种状态改变所适用的起始日期。
3、SSL
Secure Socket Layer,为Netscape所研发,用以保障在Internet上数据传输之安全,利用数据加密(Encryption)技术,可确保数据在网络上之传输过程中不会被截取及窃听。一般通用之规格为40 bit之安全标准,美国则已推出128 bit之更高安全标准,但限制出境。只要3.0版本以上之I.E.或Netscape浏览器即可支持SSL。
当前版本为3.0。它已被广泛地用于Web浏览器与服务器之间的身份认证和加密数据传输。
SSL协议位于TCP/IP协议与各种应用层协议之间,为数据通讯提供安全支持。SSL协议可分为两层: SSL记录协议(SSL Record Protocol):它建立在可靠的传输协议(如TCP)之上,为高层协议提供数据封装、压缩、加密等基本功能的支持。 SSL握手协议(SSL Handshake Protocol):它建立在SSL记录协议之上,用于在实际的数据传输开始前,通讯双方进行身份认证、协商加密算法、交换加密密钥等。
4、x509证书格式
1.公钥及有效期限
2.证书的合法拥有者
3.证书该如何被使用
4.CA信息(CA的私钥,机构名,地址,服务器等信息)
5.CA签名的效验码
5、加密过程详解
A发送方:
1、计算数据的特征码(单向加密) 2、用自己的私钥加密特征码,并附加在数据后面(实现身份验证) 3、生成一个临时对称密钥 4、用此密钥结合某算法加密数据及加密后的特征码 5、用接收方的公钥加密此对称密钥,并附加加密后的数据后面(实现数据的机密性) 6、发送至接收方
B接收方:
1、用自己的私钥解密加密的对称密钥 2、用对称密钥解密数据 3、用对方的公钥解密加密的特征码 4、用同样的算法计算数据的特征码,并与解密而来的特征码进行比较
6、OpenSSL
openssl - OpenSSL command line tool SYNOPSIS openssl command [ command_opts ] [ command_args ] libcrypto:加密库 libssl:tls/ssl的实现 基于会话的,实现了身份认证,数据机密性的库 openssl:多功能多用途的命令行工具 实现私有证书颁发机构(免费)
(1)、测试openssl支持算法的加密速度
[root@CentOS6 ~]# openssl speed Doing md2 for 3s on 16 size blocks: 261208 md2's in 3.00s Doing md2 for 3s on 64 size blocks: 131119 md2's in 2.99s Doing md2 for 3s on 256 size blocks: 44892 md2's in 3.00s Doing md2 for 3s on 1024 size blocks: 12238 md2's in 3.00s Doing md2 for 3s on 8192 size blocks: 1620 md2's in 3.00s Doing md4 for 3s on 16 size blocks: 5600036 md4's in 2.99s Doing md4 for 3s on 64 size blocks: 4186996 md4's in 3.00s Doing md4 for 3s on 256 size blocks: 2495339 md4's in 3.00s Doing md4 for 3s on 1024 size blocks: 938887 md4's in 2.99s Doing md4 for 3s on 8192 size blocks: 140462 md4's in 3.00s Doing md5 for 3s on 16 size blocks: 3786618 md5's in 3.00s Doing md5 for 3s on 64 size blocks: 2855947 md5's in 2.99s Doing md5 for 3s on 256 size blocks: 1634778 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 600414 md5's in 3.00s Doing md5 for 3s on 8192 size blocks: 90639 md5's in 2.99s Doing hmac(md5) for 3s on 16 size blocks: 3209254 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 64 size blocks: 2595565 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 256 size blocks: 1520569 hmac(md5)'s in 2.99s Doing hmac(md5) for 3s on 1024 size blocks: 589775 hmac(md5)'s in 3.00s Doing hmac(md5) for 3s on 8192 size blocks: 87370 hmac(md5)'s in 3.00s Doing sha1 for 3s on 16 size blocks: 4175670 sha1's in 2.99s Doing sha1 for 3s on 64 size blocks: 2869772 sha1's in 3.00s Doing sha1 for 3s on 256 size blocks: 1468191 sha1's in 3.00s Doing sha1 for 3s on 1024 size blocks: 504671 sha1's in 2.99s Doing sha1 for 3s on 8192 size blocks: 70025 sha1's in 3.00s Doing sha256 for 3s on 16 size blocks: 3125679 sha256's in 3.00s Doing sha256 for 3s on 64 size blocks: 1724282 sha256's in 2.99s Doing sha256 for 3s on 256 size blocks: 752185 sha256's in 3.00s Doing sha256 for 3s on 1024 size blocks: 227031 sha256's in 3.00s Doing sha256 for 3s on 8192 size blocks: 30242 sha256's in 2.99s Doing sha512 for 3s on 16 size blocks: 2514625 sha512's in 3.00s Doing sha512 for 3s on 64 size blocks: 2517946 sha512's in 3.00s Doing sha512 for 3s on 256 size blocks: 962455 sha512's in 3.00s Doing sha512 for 3s on 1024 size blocks: 320695 sha512's in 2.99s Doing sha512 for 3s on 8192 size blocks: 46550 sha512's in 3.00s Doing whirlpool for 3s on 16 size blocks: 1955917 whirlpool's in 2.99s Doing whirlpool for 3s on 64 size blocks: 1064849 whirlpool's in 3.00s Doing whirlpool for 3s on 256 size blocks: 445578 whirlpool's in 3.00s Doing whirlpool for 3s on 1024 size blocks: 133491 whirlpool's in 3.00s Doing whirlpool for 3s on 8192 size blocks: 18129 whirlpool's in 2.99s Doing rmd160 for 3s on 16 size blocks: 2785766 rmd160's in 3.00s Doing rmd160 for 3s on 64 size blocks: 1699290 rmd160's in 3.00s Doing rmd160 for 3s on 256 size blocks: 764229 rmd160's in 2.99s Doing rmd160 for 3s on 1024 size blocks: 249209 rmd160's in 3.00s Doing rmd160 for 3s on 8192 size blocks: 33187 rmd160's in 3.00s Doing rc4 for 3s on 16 size blocks: 31800333 rc4's in 2.99s Doing rc4 for 3s on 64 size blocks: 10184165 rc4's in 3.00s Doing rc4 for 3s on 256 size blocks: 2649175 rc4's in 3.00s Doing rc4 for 3s on 1024 size blocks: 689091 rc4's in 2.99s Doing rc4 for 3s on 8192 size blocks: 86832 rc4's in 3.00s Doing des cbc for 3s on 16 size blocks: 4916829 des cbc's in 3.00s Doing des cbc for 3s on 64 size blocks: 1114468 des cbc's in 2.66s Doing des cbc for 3s on 256 size blocks: 323898 des cbc's in 3.00s Doing des cbc for 3s on 1024 size blocks: 80167 des cbc's in 2.99s Doing des cbc for 3s on 8192 size blocks: 10041 des cbc's in 2.99s Doing des ede3 for 3s on 16 size blocks: 1692318 des ede3's in 2.61s Doing des ede3 for 3s on 64 size blocks: 484073 des ede3's in 2.98s Doing des ede3 for 3s on 256 size blocks: 123399 des ede3's in 3.00s Doing des ede3 for 3s on 1024 size blocks: 30595 des ede3's in 3.00s Doing des ede3 for 3s on 8192 size blocks: 3891 des ede3's in 2.99s Doing aes-128 cbc for 3s on 16 size blocks: 7292590 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 64 size blocks: 1954513 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 256 size blocks: 499133 aes-128 cbc's in 2.99s Doing aes-128 cbc for 3s on 1024 size blocks: 322121 aes-128 cbc's in 3.00s Doing aes-128 cbc for 3s on 8192 size blocks: 41120 aes-128 cbc's in 2.99s Doing aes-192 cbc for 3s on 16 size blocks: 6132950 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 64 size blocks: 1626555 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 256 size blocks: 407669 aes-192 cbc's in 2.99s Doing aes-192 cbc for 3s on 1024 size blocks: 277378 aes-192 cbc's in 3.00s Doing aes-192 cbc for 3s on 8192 size blocks: 34688 aes-192 cbc's in 3.00s Doing aes-256 cbc for 3s on 16 size blocks: 5207344 aes-256 cbc's in 2.99s Doing aes-256 cbc for 3s on 64 size blocks: 1388855 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 256 size blocks: 349836 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 1024 size blocks: 233280 aes-256 cbc's in 3.00s Doing aes-256 cbc for 3s on 8192 size blocks: 28687 aes-256 cbc's in 2.99s Doing aes-128 ige for 3s on 16 size blocks: 7186864 aes-128 ige's in 3.00s Doing aes-128 ige for 3s on 64 size blocks: 1846987 aes-128 ige's in 3.00s Doing aes-128 ige for 3s on 256 size blocks: 478922 aes-128 ige's in 2.99s Doing aes-128 ige for 3s on 1024 size blocks: 118332 aes-128 ige's in 3.00s Doing aes-128 ige for 3s on 8192 size blocks: 14824 aes-128 ige's in 3.00s Doing aes-192 ige for 3s on 16 size blocks: 6110709 aes-192 ige's in 2.99s Doing aes-192 ige for 3s on 64 size blocks: 1560934 aes-192 ige's in 3.00s Doing aes-192 ige for 3s on 256 size blocks: 399823 aes-192 ige's in 3.00s Doing aes-192 ige for 3s on 1024 size blocks: 98950 aes-192 ige's in 2.99s Doing aes-192 ige for 3s on 8192 size blocks: 12548 aes-192 ige's in 3.00s Doing aes-256 ige for 3s on 16 size blocks: 5113774 aes-256 ige's in 3.00s Doing aes-256 ige for 3s on 64 size blocks: 1323906 aes-256 ige's in 3.00s Doing aes-256 ige for 3s on 256 size blocks: 331020 aes-256 ige's in 2.99s Doing aes-256 ige for 3s on 1024 size blocks: 83003 aes-256 ige's in 3.00s Doing aes-256 ige for 3s on 8192 size blocks: 10497 aes-256 ige's in 2.99s Doing ghash for 3s on 16 size blocks: 17738429 ghash's in 3.00s Doing ghash for 3s on 64 size blocks: 6819063 ghash's in 2.99s Doing ghash for 3s on 256 size blocks: 1925432 ghash's in 3.00s Doing ghash for 3s on 1024 size blocks: 510285 ghash's in 2.99s Doing ghash for 3s on 8192 size blocks: 64039 ghash's in 3.00s Doing camellia-128 cbc for 3s on 16 size blocks: 8427525 camellia-128 cbc's in 3.00s Doing camellia-128 cbc for 3s on 64 size blocks: 3239512 camellia-128 cbc's in 2.99s Doing camellia-128 cbc for 3s on 256 size blocks: 913364 camellia-128 cbc's in 3.00s Doing camellia-128 cbc for 3s on 1024 size blocks: 241513 camellia-128 cbc's in 3.00s Doing camellia-128 cbc for 3s on 8192 size blocks: 30148 camellia-128 cbc's in 2.99s Doing camellia-192 cbc for 3s on 16 size blocks: 7351256 camellia-192 cbc's in 3.00s Doing camellia-192 cbc for 3s on 64 size blocks: 2492718 camellia-192 cbc's in 3.00s Doing camellia-192 cbc for 3s on 256 size blocks: 712100 camellia-192 cbc's in 3.00s Doing camellia-192 cbc for 3s on 1024 size blocks: 182166 camellia-192 cbc's in 2.99s Doing camellia-192 cbc for 3s on 8192 size blocks: 23060 camellia-192 cbc's in 3.00s Doing camellia-256 cbc for 3s on 16 size blocks: 7342730 camellia-256 cbc's in 2.99s Doing camellia-256 cbc for 3s on 64 size blocks: 2523612 camellia-256 cbc's in 3.00s Doing camellia-256 cbc for 3s on 256 size blocks: 670313 camellia-256 cbc's in 2.81s Doing camellia-256 cbc for 3s on 1024 size blocks: 187423 camellia-256 cbc's in 2.99s Doing camellia-256 cbc for 3s on 8192 size blocks: 24073 camellia-256 cbc's in 2.95s Doing idea cbc for 3s on 16 size blocks: 5375268 idea cbc's in 2.98s Doing idea cbc for 3s on 64 size blocks: 1434472 idea cbc's in 2.97s Doing idea cbc for 3s on 256 size blocks: 371844 idea cbc's in 3.00s Doing idea cbc for 3s on 1024 size blocks: 92935 idea cbc's in 2.98s Doing idea cbc for 3s on 8192 size blocks: 11649 idea cbc's in 2.99s Doing seed cbc for 3s on 16 size blocks: 6451957 seed cbc's in 2.92s Doing seed cbc for 3s on 64 size blocks: 1660194 seed cbc's in 2.96s Doing seed cbc for 3s on 256 size blocks: 415250 seed cbc's in 2.97s Doing seed cbc for 3s on 1024 size blocks: 105226 seed cbc's in 3.00s Doing seed cbc for 3s on 8192 size blocks: 13338 seed cbc's in 2.99s Doing rc2 cbc for 3s on 16 size blocks: 3036189 rc2 cbc's in 2.98s Doing rc2 cbc for 3s on 64 size blocks: 816369 rc2 cbc's in 2.99s Doing rc2 cbc for 3s on 256 size blocks: 199839 rc2 cbc's in 2.98s Doing rc2 cbc for 3s on 1024 size blocks: 48773 rc2 cbc's in 2.89s Doing rc2 cbc for 3s on 8192 size blocks: 6146 rc2 cbc's in 2.95s Doing blowfish cbc for 3s on 16 size blocks: 9307259 blowfish cbc's in 2.99s Doing blowfish cbc for 3s on 64 size blocks: 2492620 blowfish cbc's in 3.00s Doing blowfish cbc for 3s on 256 size blocks: 600008 blowfish cbc's in 2.84s Doing blowfish cbc for 3s on 1024 size blocks: 160210 blowfish cbc's in 3.00s Doing blowfish cbc for 3s on 8192 size blocks: 19743 blowfish cbc's in 2.98s Doing cast cbc for 3s on 16 size blocks: 8591058 cast cbc's in 3.00s Doing cast cbc for 3s on 64 size blocks: 2261535 cast cbc's in 2.99s Doing cast cbc for 3s on 256 size blocks: 578019 cast cbc's in 2.99s Doing cast cbc for 3s on 1024 size blocks: 144731 cast cbc's in 3.00s Doing cast cbc for 3s on 8192 size blocks: 17646 cast cbc's in 2.92s Doing 512 bit private rsa's for 10s: 62197 512 bit private RSA's in 9.98s Doing 512 bit public rsa's for 10s: 838558 512 bit public RSA's in 9.98s Doing 1024 bit private rsa's for 10s: 17472 1024 bit private RSA's in 9.98s Doing 1024 bit public rsa's for 10s: 312301 1024 bit public RSA's in 9.98s Doing 2048 bit private rsa's for 10s: 2830 2048 bit private RSA's in 9.70s Doing 2048 bit public rsa's for 10s: 94714 2048 bit public RSA's in 9.99s Doing 4096 bit private rsa's for 10s: 406 4096 bit private RSA's in 10.01s Doing 4096 bit public rsa's for 10s: 25224 4096 bit public RSA's in 9.99s Doing 512 bit sign dsa's for 10s: 63053 512 bit DSA signs in 9.97s Doing 512 bit verify dsa's for 10s: 68487 512 bit DSA verify in 9.99s Doing 1024 bit sign dsa's for 10s: 29015 1024 bit DSA signs in 9.99s Doing 1024 bit verify dsa's for 10s: 26484 1024 bit DSA verify in 9.99s Doing 2048 bit sign dsa's for 10s: 9511 2048 bit DSA signs in 10.00s Doing 2048 bit verify dsa's for 10s: 8147 2048 bit DSA verify in 9.99s Doing 256 bit sign ecdsa's for 10s: 32929 256 bit ECDSA signs in 9.99s Doing 256 bit verify ecdsa's for 10s: 8247 256 bit ECDSA verify in 9.99s Doing 384 bit sign ecdsa's for 10s: 16966 384 bit ECDSA signs in 10.00s Doing 384 bit verify ecdsa's for 10s: 3825 384 bit ECDSA verify in 9.99s Doing 256 bit ecdh's for 10s: 9944 256-bit ECDH ops in 9.99s Doing 384 bit ecdh's for 10s: 4612 384-bit ECDH ops in 9.99s OpenSSL 1.0.1e-fips 11 Feb 2013 built on: Fri Nov 22 12:17:22 UTC 2013 options:bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes md2 1393.11k 2806.56k 3830.78k 4177.24k 4423.68k mdc2 0.00 0.00 0.00 0.00 0.00 md4 29966.75k 89322.58k 212935.59k 321545.25k 383554.90k md5 20195.30k 61130.64k 139501.06k 204941.31k 248332.67k hmac(md5) 17116.02k 55372.05k 130189.19k 201309.87k 238578.35k sha1 22344.72k 61221.80k 125285.63k 172837.16k 191214.93k rmd160 14857.42k 36251.52k 65432.32k 85063.34k 90622.63k rc4 170169.01k 217262.19k 226062.93k 235996.38k 237109.25k des cbc 26223.09k 26814.27k 27639.30k 27455.19k 27510.33k des ede3 10374.36k 10396.20k 10530.05k 10443.09k 10660.56k idea cbc 28860.50k 30911.18k 31730.69k 31934.71k 31915.92k seed cbc 35353.19k 35896.09k 35792.59k 35917.14k 36543.44k rc2 cbc 16301.69k 17474.12k 17167.38k 17281.51k 17067.13k rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00 blowfish cbc 49804.73k 53175.89k 54085.23k 54685.01k 54273.37k cast cbc 45818.98k 48407.44k 49489.25k 49401.51k 49505.49k aes-128 cbc 38893.81k 41696.28k 42735.13k 109950.63k 112660.55k aes-192 cbc 32709.07k 34699.84k 34904.10k 94678.36k 94721.37k aes-256 cbc 27865.39k 29628.91k 29852.67k 79626.24k 78596.62k camellia-128 cbc 44946.80k 69340.73k 77940.39k 82436.44k 82599.47k camellia-192 cbc 39206.70k 53177.98k 60765.87k 62387.29k 62969.17k camellia-256 cbc 39292.20k 53837.06k 61067.66k 64187.68k 66849.50k sha256 16670.29k 36907.71k 64186.45k 77493.25k 82857.01k sha512 13411.33k 53716.18k 82129.49k 109829.99k 127112.53k whirlpool 10466.45k 22716.78k 38022.66k 45564.93k 49669.82k aes-128 ige 38329.94k 39402.39k 41004.69k 40390.66k 40479.40k aes-192 ige 32699.45k 33299.93k 34118.23k 33887.89k 34264.41k aes-256 ige 27273.46k 28243.33k 28341.51k 28331.69k 28759.67k ghash 94604.95k 145959.88k 164303.53k 174759.81k 174869.16k sign verify sign/s verify/s rsa 512 bits 0.000160s 0.000012s 6232.2 84023.8 rsa 1024 bits 0.000571s 0.000032s 1750.7 31292.7 rsa 2048 bits 0.003428s 0.000105s 291.8 9480.9 rsa 4096 bits 0.024655s 0.000396s 40.6 2524.9 sign verify sign/s verify/s dsa 512 bits 0.000158s 0.000146s 6324.3 6855.6 dsa 1024 bits 0.000344s 0.000377s 2904.4 2651.1 dsa 2048 bits 0.001051s 0.001226s 951.1 815.5 sign verify sign/s verify/s 256 bit ecdsa (nistp256) 0.0003s 0.0012s 3296.2 825.5 384 bit ecdsa (nistp384) 0.0006s 0.0026s 1696.6 382.9 op op/s 256 bit ecdh (nistp256) 0.0010s 995.4 384 bit ecdh (nistp384) 0.0022s 461.7
(2)、des3加密文本文件
[root@soysauce scripts]# openssl enc -des3 -salt -a -in issue -out issue.des3 enter des-ede3-cbc encryption password: Verifying - enter des-ede3-cbc encryption password: [root@soysauce scripts]# cat issue.des3 U2FsdGVkX198hL/w+gkOKgxxCN/m33n2MSNsH/vDq6lY7Zg65DEbMaB+JIekKOg1 pBgmqIHBQVULxhUJu74+rg==
(3)、des3解密文本文件
[root@CentOS6 scripts]# openssl enc -des3 -d -salt -a -in issue.des3 -out issue enter des-ede3-cbc decryption password: [root@CentOS6 scripts]# cat issue CentOS release 6.5 (Final) Kernel \r on an \m
(4)、MD5、SHA1实现单向加密
[root@soysauce scripts]# md5sum issue 4fb618250a86f68ebb9af971bdc5123c issue [root@soysauce scripts]# openssl dgst -md5 issue MD5(issue)= 4fb618250a86f68ebb9af971bdc5123c [root@soysauce scripts]# sha1sum issue 9ea9d086146a8c9fe45f540d3a3f140cce56edfd issue [root@soysauce scripts]# openssl dgst -sha1 issue SHA1(issue)= 9ea9d086146a8c9fe45f540d3a3f140cce56edfd [root@soysauce scripts]# echo "." >> issue [root@soysauce scripts]# openssl dgst -md5 issue MD5(issue)= 629036a646635cde027b6f76a776afd7
(5)、生成密码串
passwd - compute password hashes SYNOPSIS openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password} [root@soysauce scripts]# openssl passwd -1 Password: Verifying - Password: $1$souUr1q/$aL2cAUn/oWGjVPinPEt7Y0 [root@soysauce scripts]# openssl passwd -1 -salt 'souUr1q/' # salt一样,密码一样,结果必然一样 Password: $1$souUr1q/$aL2cAUn/oWGjVPinPEt7Y0
(6)、生成随机数
rand - generate pseudo-random bytes SYNOPSIS openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num [root@soysauce scripts]# openssl rand -base64 30 # base64编码,30为随机数长度 bMJf7bDX0hdo/L3hDLy7v0X93UbQpT53vSsJVEpD [root@soysauce scripts]# openssl rand -base64 128 81Vld+kPbbmRca4bXp8jvvg/u7i+aqleShglnSJLsmKZCp/bepudnXuWZdEwc+aJ B3awGNPqd7uUKDS+Z9ueXRaqCw+bsSNj9vGO8jSlOvhvZg1AJm+hBrXv4vljBwQA Fn3uFo1vVGDs7O+i/1QwfB9fhIzyGmln3/kjY2/yjqU=
三、OpenSSL实现私有CA
1、CA配置文件修改
[root@soysauce scripts]# cd /etc/pki/tls/ [root@soysauce tls]# ls cert.pem certs misc openssl.cnf private [root@soysauce tls]# vim openssl.cnf [root@soysauce tls]# cat openssl.cnf # 修改如下默认项 [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = HuBei localityName = Locality Name (eg, city) localityName_default = HuangGang 0.organizationName = Organization Name (eg, company) 0.organizationName_default = NetWork # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Tech
2.CA生成自己的私钥
[root@soysauce CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ...........................................+++ ..................................................................................+++ e is 65537 (0x10001) [root@soysauce CA]# ll -h total 16K drwxr-xr-x. 2 root root 4.0K Nov 22 2013 certs drwxr-xr-x. 2 root root 4.0K Nov 22 2013 crl drwxr-xr-x. 2 root root 4.0K Nov 22 2013 newcerts drwx------. 2 root root 4.0K Dec 3 06:10 private [root@soysauce CA]# ll -h private/ total 4.0K -rw------- 1 root root 1.7K Dec 3 06:10 cakey.pem # 权限为600
3、CA生成自签署证书
[root@soysauce CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [HuBei]: Locality Name (eg, city) [HuangGang]: Organization Name (eg, company) [NetWork]: Organizational Unit Name (eg, section) [Tech]: Common Name (eg, your name or your server's hostname) []:ca.NetWork.com Email Address []:[email protected] [root@soysauce CA]# touch index.txt [root@soysauce CA]# touch serial [root@soysauce CA]# echo 01 > serial
4.为http服务器申请CA证书
[root@CentOS5 ~]# cd /etc/httpd/ [root@CentOS5 httpd]# mkdir ssl [root@CentOS5 httpd]# cd ssl/ [root@CentOS5 ssl]# (umask 077;openssl genrsa -out httpd.key 2048) # 生成自己的私钥 Generating RSA private key, 2048 bit long modulus ..........................................................................................+++ .......................................+++ e is 65537 (0x10001) [root@CentOS5 ssl]# openssl req -new -key httpd.key -out httpd.csr # 证书签署申请 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [HuBei]: Locality Name (eg, city) [HuangGang]: Organization Name (eg, company) [NetWork]: Organizational Unit Name (eg, section) [Tech]: Common Name (eg, your name or your server's hostname) []:www.network.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: CA签署证书 [root@CentOS5 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 2 22:30:58 2015 GMT Not After : Dec 1 22:30:58 2016 GMT Subject: countryName = CN stateOrProvinceName = HuBei organizationName = NetWork organizationalUnitName = Tech commonName = www.network.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 65:F4:30:2A:88:59:FB:E6:89:CB:E2:67:75:3F:55:EF:18:C9:81:30 X509v3 Authority Key Identifier: keyid:36:27:20:73:62:A7:F5:E6:29:4B:12:83:E1:C5:21:02:19:B1:2F:4E Certificate is to be certified until Dec 1 22:30:58 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@CentOS5 ssl]# ll total 16 -rw-r--r-- 1 root root 4624 Dec 3 06:31 httpd.crt -rw-r--r-- 1 root root 1058 Dec 3 06:26 httpd.csr -rw------- 1 root root 1679 Dec 3 06:25 httpd.key [root@CentOS5 ssl]# cd /etc/pki/CA/ [root@CentOS5 CA]# cat index.txt V 161201223058Z 01 unknown /C=CN/ST=HuBei/O=NetWork/OU=Tech/CN=www.network.com/[email protected]
证书申请流程:
1、创建CA
自己生成一对密钥
生成自签证书
2、客户端
生成一对密钥
生成证书颁发请求,.crs
将请求发送给CA
3、CA
签署此请求
传送给客户端