0x00. OpenSSL使用
作为本地环境的实验,可以使用 OpenSSL 生成证书帮助理解证书认证的整个过程,事实上,在应用层面OpenSSL的可靠性是值得考量的,最著名的事件莫过于在 2014 年爆出的心跳漏洞(Heart Bleed),利用该漏洞,黑客坐在自己家里电脑前,就可以实时获取到约 30% 以 https 开头网址的用户登录账号密码,包括大批网银、购物网站、电子邮件等。
1. 获取OpenSSL
- Github
- OpenSSL官网
- Git安装目录下的 /usr/bin/openssl.exe(win10,Linux类似)
比较折腾的方法是到 Github 或者 OpenSSL 官网的官网下载源码,然后自己编译,但我敲下nmake
命令之后,发现这个坑不是一般的大,想想要在我这破电脑上装个VS突然心酸不已,那有没有什么 easy way 呢?有,而且或许在不知不觉中你已经装了,那就是Git,想想Git一套套的安全验证机制,当你在Git安装目录下的 /usr/bin/ 中找到 openssl.exe 这个文件时真的不需要惊奇。
2. 创建私钥
下面命令会生成2048位
的RSA
密钥对, 并且将它存放在exp.key
文件中。
OpenSSL> genrsa -out out.key 2048
如果不指定参数则会创建默认2048位的RSA密钥对, 并且输出到stdout
OpenSSL> genrsa
Generating RSA private key, 2048 bit long modulus
.......................................................................................+++
........+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAm5FLEgxENOYWzKxs/PNP2/UxmBQjdfURuz3k1QFVw76RMi8i
mQPTdMSdZ3tuEG6r7qZDId4nefJRFCMSJOLbuVoLkLozWnoUAGbvDzQKiXEVE9Bi
ypsm6fHi7zZKpBltHwFiuU0jMSlj1PIcKyd7JYr0dIXyZIYz8z9bfJf+JPefr6sq
WsTl6FzxC+3S8Na6xzCNPl21v9AGsLOIT9roVenN7ewjdhOqpKOyvYwSAev0wOoc
gMiz6qnI0a/2xlrgFP6qb7wofOpBbosDSbYsexg2kFfvlYPTtPFyAUudewtaZ2qm
MzWl5f7vngfLLQ9F8C4cXFpFUVoboDOO+vvXxwIDAQABAoIBABqcDaU2p+wMd1Xn
IHVcAQr0s9j5iN9CXhgTDDNLGSp0TE2zNk3KE79jajErMbZp18rocY83erUnN6sk
HJRmoYLg3h2RW/tb6lPvR3DoS+0ahKpw+JUDWPKnR1P3i2jqWHn3OLXNdfmQxNzF
1P+krzHKxOmxh7aeJgCzk6iKLxSPamCQLSWW8sc3fu+6yBbtXOzifgETXqc5SEbk
UKfn489d4vLU5foLiOLuSWc2FI+c1mDQfzUVo14v/CpnknCSfNIPlDePdvBLr5uG
8YWQ4hftlCQ6hZQodmnxw+HNCqOqJzMs3SMXsuuFu66VVzy48p8+zKzZJ7+uZUOA
Bo1GCgECgYEAyenl8TP6yxW4sKc3pQwL2A9wUJBg3mdcpMOEvJoL66fL1HF2uSz9
/3H/aNJzJb5bfeJytZfgSIt+XwttuKxWzLfBOdpX972xA9iZ0ia3v62wD7oXkrho
+oaETu41y6CIy5t9eTQpk7JeH/MzrXYPIXGPAuLq/DOPZ0aR32N5tYECgYEAxT09
Weee71Z+qKNWIcwBGnq+ko5CRWe1Btl75yeo/kABVH8/jDMJFlZU5otU8W6aPRmX
93nbNZ42u24GBo8xZcrY5/K1qRolMS40faDQqv28pWcRJAfDUyp+iuZ8nulV9fFU
5KaDR1Z2Tq2XX9lAX92itaPeiFrmUL0UO98FAUcCgYAodvWcJzyloo7G6FwgeY+O
F1n861Jef/xzELPzUDP/YDtbMfoHFls47FGxYiutbr7LNayjc/KA12PWDGZK0k76
7ACPZZCnl554FNqO4S+F/HsCS9sZjleLjZXKc7bYPi3sEBdPSQLkFKUEZir/Il/Z
5fYxL+TD8llU6zGkwTzNAQKBgBrooO8cD23doggFyKFxwJDJQCikadwoKuVVVHcT
zRVqzAOoHJZW/B1lB84wIhWSHk7JqBbmNAbbn+HwP7gzXuzhQLhcP3Zjj8Fm6Vhe
UTmSxmLWbds5h+dXu83dZhEUCls0Yn2TTgO0gw1211kHPaYWibU4NwrpQ9SuBw2n
/nnPAoGBAJsQn5SsS97e1D++wHXCduj8mP/oA3xUxVVySwiwh5+equGRMNl/ALfF
v3ok5pLP/j2KbfXwnNAiImNUzY7KJhGrAGwWG9vPloeM3oXjeeBlDuVKcxcNzRat
9DrkTj9IH1YNcFV+z5hMpxNhMWIBEjtlL9YCRpla9W9dpFAwMYG8
-----END RSA PRIVATE KEY-----
下面是genrsa
命令的一些参数 (usage: genrsa [args)][numbits])
参数 | 说明 |
---|---|
-des | encrypt the generated key with DES in cbc mode |
-des3 | encrypt the generated key with DES in ede cbc mode (168 bit key) |
-idea | encrypt the generated key with IDEA in cbc mode |
-seed | encrypt PEM output with cbc seed |
-aes128, -aes192, -aes256 | encrypt PEM output with cbc aes |
-camellia128, -camellia192, -camellia256 | encrypt PEM output with cbc camellia |
-out file | output the key to 'file |
-passout arg | output file pass phrase source |
-f4 | use F4 (0x10001) for the E value |
-3 | use 3 for the E value |
-engine e | use engine e, possibly a hardware device. |
-rand file;file;... | load the file (or the files in the directory) intothe random number generator |
3. 创建证书请求
下面命令使用 exp.key
密钥文件(刚刚创建的) 生成一个新的证书请求文件exp.csr
。 在创建过程中需要输入一些其它参数, 这些参数在下面给出
OpenSSL> req -new -out exp.csr -key exp.key
输出内容如下
Enter pass phrase for root.key: ← 输入前面创建的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:CN ← 国家代号,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音
Locality Name (eg, city) []:BeiJing ← 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []: ← 创建根证书时不用输入,创建服务器证书时需要认真输入
Email Address []:[email protected] ← 电子邮箱,可随意填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入
下面是req的一些参数
使用:req [options]
参数 | 说明 |
---|---|
-inform arg | input format - DER or PEM |
-outform arg | output format - DER or PEM |
-in arg | input file |
-out arg | output file |
-text | text form of request |
-pubkey | output public key |
-noout | do not output REQ |
-verify | verify signature on REQ |
-modulus | RSA modulus |
-nodes | don't encrypt the output key |
-engine e | use engine e, possibly a hardware device |
-subject | output the request's subject |
-passin | private key password source |
-key file | use the private key contained in file |
-keyform arg | key file format |
-keyout arg | file to send the key to |
-rand file;file;... | load the file (or the files in the directory) into the random number generator |
-newkey rsa:bits | generate a new RSA key of 'bits' in size |
-newkey dsa:file | generate a new DSA key, parameters taken from CA in 'file' |
-newkey ec:file | generate a new EC key, parameters taken from CA in 'file' |
-[digest] | Digest to sign with (md5, sha1, md2, mdc2, md4) |
-config file | request template file. |
-subj arg | set or modify request subject |
-multivalue-rdn | enable support for multivalued RDNs |
-new | new request. |
-batch | do not ask anything during request generation |
-x509 | output a x509 structure instead of a cert. req |
-days | number of days a certificate generated by -x509 is valid for. |
-set_serial | serial number to use for a certificate generated by -x509. |
-newhdr | output "NEW" in the header lines |
-asn1 -kludge | Output the 'request' in a format that is wrong but some CA's |
4. 生成自签名证书
下面命令用证书请求文件exp.csr
, 通过exp.key
签名后生成有效其10年的证书exp.crt
OpenSSL> x509 -req -in exp.csr -out exp.crt -signkey exp.key -days 3650
X509 一些常用参数:
参数 | 说明 |
---|---|
-CAform arg | - CA format - default PEM |
-outform arg | - output format - default PEM (one of DER, NET or PEM) |
-inform arg | - input format - default PEM (one of DER, NET or PEM) |
-keyform arg | - private key format - default PEM |
-CAkeyform arg | - CA key format - default PEM |
-in arg | - input file - default stdin |
-out arg | - output file - default stdout |
-passin arg | - private key password source |
-serial | - print serial number value |
-subject_hash | - print subject hash value |
-subject_hash_old | - print old-style (MD5) subject hash value |
-issuer_hash | - print issuer hash value |
-issuer_hash_old | - print old-style (MD5) issuer hash value |
-hash | - synonym for -subject_hash |
-subject | - print subject DN |
-issuer | - print issuer DN |
- print email address(es) | |
-startdate | - notBefore field |
-enddate | - notAfter field |
-purpose | - print out certificate purposes |
-dates | - both Before and After dates |
-modulus | - print the RSA key modulus |
-pubkey | - output the public key |
-fingerprint | - print the certificate fingerprint |
-alias | - output certificate alias |
-noout | - no certificate output |
-ocspid | - print OCSP hash values for the subject name and public key |
-ocsp_uri | - print OCSP Responder URL(s) |
-trustout | - output a "trusted" certificate |
-clrtrust | - clear all trusted purposes |
-clrreject | - clear all rejected purposes |
-addtrust arg | - trust certificate for a given purpose |
-addreject arg | - reject certificate for a given purpose |
-setalias arg | - set certificate alias |
-days arg | - How long till expiry of a signed certificate - def 30 days |
-checkend arg | check whether the cert expires in the next arg seconds exit 1 if so, 0 if not |
-signkey arg | - self sign cert with arg |
-x509toreq | - output a certification request object |
-req | - input is a certificate request, sign and output. |
-CA arg | - set the CA certificate, must be PEM format. |
-CAcreateserial | - create serial number file if it does not exist |
-CAserial arg | - serial file |
0x01. 根证书
根证书根证书是CA认证中心给自己颁发的证书,是信任链的起始点。安装根证书意味着对这个CA认证中心的信任。
1. 制作根证书密钥root.key
生成2048位的RSA密钥对,并且使用3重DES
对之进行加密,将加密结果输出到root.key
密钥文件
openssl genrsa -des3 -out root.key 2048
2. 创建根证书的申请文件root.csr
使用root.key
文件中的私钥加密请求信息并将加密结果输出到root.csr
文件中
req -new -key root.key -out root.csr
3. 创建一个自当前日期起为期十年的根证书 root.crt
x509 -req -days 3650 -sha256 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
0x02. 服务器证书
1. 创建服务器证书密钥 server.key
genrsa -des3 -out server.key 2048
2. 创建服务器证书的申请文件 server.csr
req -new -key server.key -out server.csr
3. 创建服务器证书
创建自当前日期起有效期为期十年的服务器证书 server.crt
openssl x509 -req -days 3650 -sha256 -extensions v3_req -CA root.crt -CAkey root.key -CAcreateserial -in server.csr -out server.crt
4. 导出.p12文件 server1.p12
openssl pkcs12 -export -in D:\softwares\Git\usr\bin\server.crt -inkey D:\softwares\Git\usr\bin\server.key -out D:\softwares\Git\usr\bin\server1.p12 -name "server1"
根据命令提示,输入server.key密码,创建p12密码。
5. 生成./store文件 server1.keystore
使用JDK自带的密钥工具keytoool
生成密钥存储文件
keytool -importkeystore -v -srckeystore /tmp/ca/server.p12 -srcstoretype pkcs12 -srcstorepass 123456 -destkeystore /tmp/ca/server.keystore -deststoretype jks -deststorepass 123456
// 这里srcstorepass后面的123456为server.p12的密码deststorepass后的123456为keyStore的密码
0x03. 配置Tomcat
将keystore文件
server.keystore
放在tomcat根目录的conf目录下-
修改tomcat配置文件
server.xml
,添加Connector
节点
0x04. 测试
修改C:\Windows\System32\drivers\etc\hosts
文件,使上面配置server.csr
时指定的www.geekeye.com
指向环路地址127.0.0.1
在 IDEA 中使用本地的 Tomcat 运行一个项目进行测试
成功访问登录界面,显示不安全
在 HTTP 协议下登录,输入用户名密码都为 admin,请求的后端接口为user/login.do
,使用 Wireshark 抓包情况如下
在 HTTPS 协议下登录,输入用户名密码都为 admin,请求的后端接口为user/login.do
,使用 Wireshark 抓包情况如下
用户名密码信息已经看不到了,因为数据已经使用加密方法加密了。