CA、证书及openssl用法

CA和证书

摘要:涉及到网络安全这一块,想必大家都听过CA吧。像百度、淘宝、京东等这些知名网站,每年都要花费一笔money来买CA证书。但其实简单的企业内的CA认证,我们自己就可以实现,今天我就讲解一下怎么在企业局部实现CA认证。

PKI: Public Key Infrastructure

签证机构:CA(Certificate Authority)

注册机构:RA

证书吊销列表:CRL

证书存取库:

X.509:定义了证书的结构以及认证协议标准

版本号、序列号、签名算法、颁发者、有效期限、主体名称、主体公钥、CRL分发点扩展信息、发行者签名、证书获

证书类型:

证书授权机构的证书

服务器用户证书

获取证书两种方法:

• 使用证书授权机构生成证书请求(csr),将证书请求csr发送给CA,CA签名颁发证书

• 自签名的证书

自已签发自己的公钥

安全协议

SSL:Secure Socket Layer,TLS: Transport Layer Security

1995:SSL 2.0 Netscape

1996:SSL 3.0

1999:TLS 1.0

2006:TLS 1.1 IETF(Internet工程任务组) RFC 4346

2008:TLS 1.2 当前使用

2015:TLS 1.3

功能:机密性,认证,完整性,重放保护

两阶段协议,分为握手阶段和应用阶段

握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字

证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使

用的所有密钥都是通过MasterSecret生成。

应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密

钥进行安全通信

 

SSL/TLS

 

Handshake协议:包括协商安全参数和密码套件、服务器身份认证(客户端身

份认证可选)、密钥交换

ChangeCipherSpec 协议:一条消息表明握手协议已经完成

Alert 协议:对握手协议中一些异常的错误提醒,分为fatal和warning两个级别,

fatal类型错误会直接中断SSL链接,而warning级别的错误SSL链接仍可继续,

只是会给出错误警告

Record 协议:包括对消息的分段、压缩、消息认证和完整性保护、加密等

HTTPS 协议:就是“HTTP 协议”和“SSL/TLS 协议”的组合。HTTP over

SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二

进制形式传输

 

HTTPS结构

 

HTTPS工作过程

 base64字符表示:

演示base64算法结果:

ab 的base64结果是YWI=

ab 的ascii码是78 79

2^6=64位,因此按6位区分

011000    01  0110    001000(后面补两个0,用输出的=代替)

24                 22            8

Y                   W             I=

 echo  -n ab | base64    ab 的base64输出结果:

 Openssl详细用法:

OpenSSL 是一个开源项目,其组成主要包括一下三个组件:

  • openssl:多用途的命令行工具

  • libcrypto:加密算法库

  • libssl:加密模块应用库,实现了ssl及tls

openssl可以实现:秘钥证书管理、对称加密和非对称加密 。

1、对称加密

对称加密需要使用的标准命令为 enc ,用法如下:

openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64]
       [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md]
       [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

常用选项有:

-in filename:指定要加密的文件存放路径

-out filename:指定加密后的文件存放路径

-salt:自动插入一个随机数作为文件内容加密,默认选项

-e:可以指明一种加密算法,若不指的话将使用默认加密算法

-d:解密,解密时也可以指定算法,若不指定则使用默认算法,但一定要与加密时的算法一致

-a/-base64:使用-base64位编码格式
示例:
加密:]# openssl enc -e -des3 -a -salt -in fstab -out fstab.bak
解密:]# openssl enc -d -des3 -a -salt -in fstab.bak -out fstab

2、单向加密

单向加密需要使用的标准命令为 dgst ,用法如下:

openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary]
       [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify
       filename] [-signature filename] [-hmac key] [file...]

常用选项有:

[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] :指定一种加密算法

-out filename:将加密的内容保存到指定文件中

示例如下:

openssl dgst -md5 f1 等价于md5sum f1

单向加密除了 openssl dgst 工具还有: md5sum,sha1sum,sha224sum,sha256sum ,sha384sum,sha512sum

示例如下:

shs512sum fstab

md5sum  fstab

3、生成密码

生成密码需要使用的标准命令为 passwd ,用法如下:

openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}

常用选项有:

-1:使用md5加密算法

-salt string:加入随机数,最多8位随机数

-in file:对输入的文件内容进行加密

-stdion:对标准输入的内容进行加密

示例如下:

openssl passwd -1 -in fstab -salt 11111

4、生成随机数

生成随机数需要用到的标准命令为 rand ,用法如下:

openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num

常用选项有:

-out file:将生成的随机数保存至指定文件中

-base64:使用base64 编码格式

-hex:使用16进制编码格式

示例如下:

openssl rand -hex 10

openssl rand -base64 10

openssl rand -base64 10 -out bb

5、生成秘钥对

首先需要先使用 genrsa 标准命令生成私钥,然后再使用 rsa 标准命令从私钥中提取公钥。

genrsa 的用法如下:

openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]

常用选项有:

-out filename:将生成的私钥保存至指定的文件中

-des|-des3|-idea:不同的加密算法

numbits:指定生成私钥的大小,默认是2048

一般情况下秘钥文件的权限一定要控制好,只能自己读写,因此可以使用 umask 命令设置生成的私钥权限,示例如下:

(umask 077;openssl genrsa -out test.key -des3 2048)  生成test.key私钥文件并以des3的算法加密

make /data/test.key    或者直接切换至cd /etc/pki/tls/certs下生成私钥,里边有一个makefile文件就可以自动生成私钥文件
openssl rsa -in test.key -out test2.key.bak   对test.key 私钥进行解密并导出文件起名叫test2.key.bak

ras 的用法如下:

openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg]
       [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]

常用选项:

-in filename:指明私钥文件

-out filename:指明将提取出的公钥保存至指定文件中 

-pubout:根据私钥提取出公钥 

示例如下:根据私钥取出公钥

openssl rsa -in test.bak -pubout -out test.pubkey

随机数生成器:伪随机数字 键盘和鼠标,块设备中断

/dev/random:仅从熵池返回随机数;随机数用尽,阻塞

/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机 数,非阻塞

示例:

tr -dc 'a-zA-Z0-9'  < /dev/urandom   将生成的随机大小写字母、数字全部进行打印

tr:参数解释

-c或——complerment:取代所有不属于第一字符集的字符;
-d或——delete:删除所有属于第一字符集的字符;
-s或--squeeze-repeats:把连续重复的字符以单独一个字符表示;
-t或--truncate-set1:先删除第一字符集较第二字符集多出的字符。
CA创建和证书申请实验:
以此表作为参考进行创建:

 

 

创建CA:

centos7上创建CA证书:

1) (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   CA生成秘钥

[root@centos7CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................+++
.........................................................................+++
e is 65537 (0x10001)
2) openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650    生成自签名证书
[root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert1.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   国家名称
State or Province Name (full name) []:shanghai  城市
Locality Name (eg, city) [Default City]:shanghai  省会
Organization Name (eg, company) [Default Company Ltd]:baidu  公司名称
Organizational Unit Name (eg, section) []:yunwei  部门组织名称
Common Name (eg, your name or your server's hostname) []:*baidu.com  域名
Email Address []:
3) touch index.txt 4) echo oF > serial

  

 

在centos6(或者web服务器)中进行创建证书:

1) (umask 077;openssl genrsa -out app.key 1024)  生成私钥

[root@centos6CA]#(umask 077;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
.......++++++
e is 65537 (0x10001)

2) openssl req -new -key  app.key -out app.csr  生成申请证书文件
[root@centos6CA]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   国家:要和根CA的信息一致
State or Province Name (full name) []:shanghai   省会:要和根CA的信息一致
Locality Name (eg, city) [Default City]:shanghai   城市
Organization Name (eg, company) [Default Company Ltd]:baidu要和根CA的公司信息一致
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:*baidu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:centos
An optional company name []:centos

3)scp app.csr 192.168.34.101:/etc/pki/CA       复制到centos7的CA目录下

4)openssl ca -in app.csr  -out  /etc/pki/CA/certs/app.crt  -days 1000  centos7对centos6(服务器)centos7对申请的证书文件进行核对并颁发证书
[root@centos7CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = baidugongsi
organizationalUnitName = yunwei
commonName = *baidu.com
X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment: 
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier: 
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
Certificate is to be certified until Jul 15 15:10:49 2022 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

  

 注意:默认要求 国家,省,公司名称三项必须和CA一致

证书内容:

[root@centos7CA]#cat certs/app.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanghai, L=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Validity
Not Before: Oct 19 15:10:49 2019 GMT
Not After : Jul 15 15:10:49 2022 GMT
Subject: C=CN, ST=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e1:e6:f8:56:4a:7e:3a:70:10:76:77:1e:bd:93:
05:a4:6e:a5:be:8d:26:35:29:ff:2c:ae:52:a9:35:
4f:61:5e:df:53:3b:90:92:a4:c3:61:0a:18:9c:dc:
66:c2:45:d3:2a:fb:52:78:28:d1:4b:5b:0e:f6:33:
f3:6c:6c:13:cb:30:d7:a7:3c:6a:72:ca:4b:40:70:
8a:7e:f6:c5:10:1c:48:cb:43:b8:ba:32:f9:5a:f3:
21:a6:35:f8:7d:a8:7f:e7:70:85:14:29:9e:40:da:
88:ed:c3:fd:6c:b6:a9:0c:2c:05:28:0a:38:cc:1c:
83:12:a1:19:3f:74:66:8c:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment: 
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 
24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
X509v3 Authority Key Identifier: 
keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E

Signature Algorithm: sha256WithRSAEncryption
18:92:ce:11:2f:d5:bd:76:11:92:43:3a:c7:b9:20:79:ca:66:
e5:e4:ff:8f:e2:d8:d6:76:96:34:63:ef:9b:de:1e:ec:dd:8a:
bf:c0:2f:9a:9d:8a:23:60:8f:6c:65:48:95:a8:a8:62:60:df:
96:93:3b:49:00:28:89:1f:c1:b3:91:0c:5f:21:6b:c8:76:52:
9c:39:81:bc:fd:11:6a:1f:f6:e4:85:04:f2:04:61:81:53:90:
be:f4:5e:bc:8d:c6:c1:bc:17:dc:bb:77:78:53:1a:f6:f3:cb:
db:06:af:64:fd:d8:85:a0:bf:e8:0b:2c:7f:b1:62:09:45:b4:
0f:27:ed:6e:9e:35:da:67:83:b4:9d:d6:8d:e6:a3:0a:e5:36:
ac:6d:23:d4:55:8e:bd:0b:af:1c:b7:e0:58:12:85:16:c1:70:
aa:ea:80:d7:a4:e8:3d:0d:8b:9f:ee:00:25:24:d7:6e:87:89:
11:55:50:d1:09:71:81:c4:64:08:bd:28:9b:8d:25:b5:de:3a:
6d:c6:6f:2a:9c:59:0f:24:73:15:e8:26:29:e8:5e:27:ea:90:
9e:17:6c:ee:ab:6d:2b:00:eb:36:5d:e4:fe:fb:e6:7d:4e:5c:
c4:16:bb:1a:17:73:95:29:ec:60:a8:d7:8e:1d:bf:d3:a9:64:
3e:02:7d:b8
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIBDzANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjER
MA8GA1UECAwIc2hhbmdoYWkxETAPBgNVBAcMCHNoYW5naGFpMRQwEgYDVQQKDAti
YWlkdWdvbmdzaTEPMA0GA1UECwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29t
MB4XDTE5MTAxOTE1MTA0OVoXDTIyMDcxNTE1MTA0OVowXDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCHNoYW5naGFpMRQwEgYDVQQKDAtiYWlkdWdvbmdzaTEPMA0GA1UE
CwwGeXVud2VpMRMwEQYDVQQDDAoqYmFpZHUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDh5vhWSn46cBB2dx69kwWkbqW+jSY1Kf8srlKpNU9hXt9TO5CS
pMNhChic3GbCRdMq+1J4KNFLWw72M/NsbBPLMNenPGpyyktAcIp+9sUQHEjLQ7i6
Mvla8yGmNfh9qH/ncIUUKZ5A2ojtw/1stqkMLAUoCjjMHIMSoRk/dGaMKwIDAQAB
o3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJMS8lKGNwKyhY8+dYdt7+VurWxMwHwYD
VR0jBBgwFoAUAASx0WI1+ZG11lbClhndmtSb1Z4wDQYJKoZIhvcNAQELBQADggEB
ABiSzhEv1b12EZJDOse5IHnKZuXk/4/i2NZ2ljRj75veHuzdir/AL5qdiiNgj2xl
SJWoqGJg35aTO0kAKIkfwbORDF8ha8h2Upw5gbz9EWof9uSFBPIEYYFTkL70XryN
xsG8F9y7d3hTGvbzy9sGr2T92IWgv+gLLH+xYglFtA8n7W6eNdpng7Sd1o3mowrl
NqxtI9RVjr0Lrxy34FgShRbBcKrqgNek6D0Ni5/uACUk126HiRFVUNEJcYHEZAi9
KJuNJbXeOm3GbyqcWQ8kcxXoJinoXifqkJ4XbO6rbSsA6zZd5P775n1OXMQWuxoX
c5Up7GCo144dv9OpZD4Cfbg=
-----END CERTIFICATE-----

5) sz /etc/pki/CA/certs/app.crt文件到桌面可以看看内容

6) sz cacert.pem证书文件是app.crt的上一级证书文件

 

吊销证书:在centos7(根CA)上执行吊销

1)openssl ca -revoke /etc/pki/CA/certs/app.crt 对app.crt吊销

[root@centos7CA]#openssl ca -revoke /etc/pki/CA/certs/app.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated

2)echo FF >  /etc/pki/CA/crlnumber  生成证书编号

3)openssl ca -gencrl  -out /etc/pki/CA/crl.pem  更新吊销列表信息
[root@centos7CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

4)openssl crl -in /etc/pki/CA/crl.pem -noout -text 查看吊销证书信息
[root@centos7CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text 
Certificate Revocation List (CRL):  注销信息
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=shanghai/L=shanghai/O=baidugongsi/OU=yunwei/CN=*baidu.com  注销的公司相关信息
Last Update: Oct 19 15:18:23 2019 GMT
Next Update: Nov 18 15:18:23 2019 GMT
CRL extensions:
X509v3 CRL Number: 
255
Revoked Certificates:
Serial Number: 0F    声明:oF编号的证书已被注销
Revocation Date: Oct 19 15:16:25 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
2e:85:17:e8:aa:e0:56:a9:48:17:99:82:58:71:d5:f1:3c:00:
45:6c:5f:41:5b:56:f7:f6:6a:85:60:08:a5:ac:b4:88:25:91:
21:82:58:f0:45:c9:9b:08:31:81:2f:45:d2:3f:a0:2c:3f:51:
45:e2:0b:8e:6d:2b:2e:fd:43:3a:a3:7e:af:69:b9:23:b6:bc:
5e:b1:b8:58:80:c8:c8:08:09:b1:bb:8b:be:a5:9e:d8:af:28:
1f:5d:51:db:dc:a8:cd:74:df:93:d3:6a:f1:df:1d:2f:75:87:
66:ec:e0:04:13:e4:49:25:31:38:dd:02:0d:70:f1:d3:83:bb:
03:c5:2a:f4:09:6a:1f:6c:f0:1c:3d:6a:4c:e7:06:33:57:39:
e9:91:1b:1d:5a:d4:47:f9:a0:47:7f:7f:0c:f3:35:96:a8:72:
28:e2:fa:94:5f:8c:8e:ad:ae:95:36:b9:e5:12:18:ce:b1:d8:
3a:c4:a7:89:49:83:dc:61:e9:84:65:00:f2:48:d0:98:af:21:
6f:a5:a8:6b:00:fd:18:3c:28:43:38:05:08:84:1a:bf:06:93:
bc:14:4d:a3:d8:19:8b:d5:e6:fd:2b:9f:5a:59:54:ff:3c:6b:
38:ec:05:ca:76:3a:f3:bf:76:e3:1f:8f:67:f7:98:3d:ba:ab:
47:e7:7c:c3

5) sz  crl.pem  可以查看windows当前吊销列表图形信息

 

 

 

 

 

 

 

 

posted @ 2019-10-19 23:21  一叶知秋~~  阅读(5910)  评论(0编辑  收藏  举报