這兩天學習了openssl在LInux中的使用,openssl是一款開源的加密工具,在Linux環境下,我們能夠利用它來搭建一個CA來實現證書的發放,可以用於企業內部使用的加密工具。在介紹openssl之前,首先描述一下關於“身份認證+數據加密”的實現方法原理。
如何實現“身份驗證+數據加密”,請看下面的一張流程圖(自己畫得,比較簡陋)
整個加密過程:
發送方: 計算數據特徵值----> 使用私鑰加密特徵值 ---> 隨機生成密碼對稱加密整個數據 ---> 使用接受方公鑰加密密碼
接收方: 使用私鑰解密密碼 ----> 解密整個數據 ----> 使用公鑰驗證身份 ----> 比較數據特徵值
但是存在一個問題,誰來管理公鑰,任何在互聯網上傳播的數據都不安全,更不用說傳遞公鑰,它如果被篡改,那就無法驗證身份,所以不可能由用戶自己頒發公鑰。
這個時候需要有一個具有公信力的中間機構來做這份工作,那就是CA,由此引發了兩個概念:
CA : 證書頒發機構
PKI : 公鑰基礎設施,公鑰基礎構架
證書: 裏面存放了用戶的各種信息,最核心的部分就是公鑰
但是還有一個問題,誰來給CA頒發公鑰,解決方法是,CA自己給自己頒發公鑰。。。
下面是用openssl這個強大的工具,在linux下構建一個CA,來實現證書管理,我們用一個web服務器端作爲需要證書的客戶端
1.首先我們來給CA生成一個私鑰
切換到/etc/pki/CA/目錄,使用openssl命令給自己生成一個私鑰
[root@server56 openssl]# cd /etc/pki/CA/
[root@server56 CA]# ls
private
[root@server56 CA]# (umak 66;openssl genrsa 2046 > private/cakey.pem)
-bash: umak: command not found
Generating RSA private key, 2046 bit long modulus
.............................+++
..+++
e is 65537 (0x10001)
2. CA需要一個自簽證書,所以我們給它使用openssl命令生成一個自簽證書
[root@server56 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN # 輸入你的各項信息,國家 , 省或州,地區,公司,單位,域名,郵箱地址
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:LINUX
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.rhce.com #需要注意的是,這個域名是FQDN(完全限定域名)
Email Address []:[email protected]
[root@server56 CA]# ls
cacert.pem private
3.編輯CA配置文件,它位於etc/pki/tls/openssl.cnf,它的作用是指定你的CA所在目錄,更改默認屬性值
[root@server56 CA]# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = ../../CA # Where everything is kept **************CA路徑 ,修改爲絕對路徑
certs = $dir/certs # Where the issued certs are kept ×××××××發給其他的人的證書 ,該目錄需要手動創建
crl_dir = $dir/crl # Where the issued crl are kept ××××××證書吊銷列表 不屬於必須創建的目錄
database = $dir/index.txt # database index file. *****************存放生成證書文件索引 需要手動創建的文件
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. ××××××××××x新生成的證書存放地 需要手動創建
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number ××××××序列號,需要自己建每一個證書都有一個序列號需要自己建,並指定從幾開始
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# req_extensions = v3_req # The extensions to add to a certificate request
#########修改證書CSR與自己的匹配
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN #我修改爲CN和CA的自簽證書對應
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Henan #同上
localityName = Locality Name (eg, city)
localityName_default = Zhengzhou #同上
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Tech #同上
4.創建CA的相關目錄和文件,指定序列號起始數字,在上一步已經說明,它們在CA所在目錄創建
[root@server56 ~]# cd /etc/pki/CA/
[root@server56 CA]# mkdir certs crl newcerts
[root@server56 CA]# ls
cacert.pem certs crl newcerts private
[root@server56 CA]# touch index.txt serial
[root@server56 CA]# echo 01 > serial
5. 創建web服務器的私鑰 ,因爲是實驗,所有並不需要安裝web服務器,你可以創建一個ssl目錄,我們假設它是一個web服務器
[root@server56 CA]# cd /etc/httpd/
[root@server56 httpd]# mkdir ssl
[root@server56 httpd]# cd ssl/
[root@server56 ssl]# (umask 66;openssl genrsa 2048 > web.key)
Generating RSA private key, 2048 bit long modulus
6. 客戶端(web服務器)請求獲得證書,客戶端如果想申請獲得證書的話,需要創建一個申請證書,傳遞給CA
[root@server56 ssl]# openssl req -new -key web.key -out web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [Zhengzhou]:
Organization Name (eg, company) [RHCE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.web.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 請求證書需要在網絡上傳遞,所以加密防止別人窺探,這裏留空因爲我們只是實驗
An optional company name []:
7. 在CA端給客戶端頒發證書,使用openssl命令
[root@server56 ssl]# openssl ca -in web.csr -out web.crt # 這個命令執行後,會顯示請求證書裏的信息
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 9 04:46:25 2011 GMT
Not After : Aug 8 04:46:25 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = RHCE
organizationalUnitName = Tech
commonName = www.web.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:52:27:11:5B:BA:84:C8:56:4D:67:D7:B9:7A:CB:FE:45:CF:5A:02
X509v3 Authority Key Identifier:
keyid:5C:4A:A2:EB:DD:3F:BB:08:41:A2:02:3F:98:A4:59:8B:78:47:AF:4F
Certificate is to be certified until Aug 8 04:46:25 2012 GMT (365 days)
Sign the certificate? [y/n]:y # 是否認同這個請求的客戶端,並授予證書
1 out of 1 certificate requests certified, commit? [y/n]y # 升級證書數據庫
Write out database with 1 new entries
Data Base Updated
好了,看一下我們的證書把!就是那個.crt結尾的文件
[root@server56 ssl]# ls
server.key web.crt web.csr web.key