鸟哥's Server Series (14): OpenSSL

1. OpenSSL

OpenSSL certificate workflow:

1. Create the CA
    generate a key pair for the CA itself;
    generate a self-signed certificate;

2. Client side
    generate a key pair;
    generate a certificate signing request (.csr);
    send the request to the CA;

3. CA side
    sign the request into a certificate;
    send the certificate back to the client;

[root@CentOS ~]# openssl --help

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             ts                verify            version           
x509              

Message Digest commands (see the `dgst' command for more details)
md2               md4               md5               rmd160            
sha               sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          zlib              
# Generating a private key (the two lines below illustrate the command forms; they are not steps to run in sequence):
[root@CentOS ~]# openssl genrsa 2048 > server.key                  # create a private key; genrsa writes PEM to stdout, so redirect it (the file gets the shell's default umask)
[root@CentOS ~]# openssl genrsa -out server.key 2048               # create a private key; options go before the key size, which must be the last argument

# Generate a key pair (note: the 1024-bit RSA size used here is below today's 2048-bit minimum)
[root@CentOS ~]# (umask 077; openssl genrsa -out server1024.key 1024)  # create the private key; umask 077 inside the subshell makes the file 0600
[root@CentOS ~]# openssl rsa -in server1024.key -pubout                # derive and print the public key

# Tool for creating certificate requests and certificates: req
[root@CentOS ~]# openssl req -new -x509 -key server1024.key -out server.crt -days 365   # -x509 produces a self-signed certificate instead of a request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN            # the certificate owner's information
State or Province Name (full name) []:JL
Locality Name (eg, city) [Default City]:CC
Organization Name (eg, company) [Default Company Ltd]:CJ
Organizational Unit Name (eg, section) []:DQ
Common Name (eg, your name or your server's hostname) []:ca.centos.tst  # the hostname clients will use to reach the server
Email Address []:admin@centos.tst
[root@CentOS ~]# ll
total 196
-rw-------. 1 root root  4388 Apr  7 03:38 anaconda-ks.cfg
drwxr-xr-x. 2 root root  4096 Apr 16 15:55 ftpuser
-rw-r--r--. 1 root root 34419 Apr 19 13:40 httpd.conf
-rw-r--r--. 1 root root 80547 Apr  7 03:38 install.log
-rw-r--r--. 1 root root 16176 Apr  7 03:34 install.log.syslog
drwxr-xr-x. 2 root root  4096 Apr  7 03:49 Public
-rw-------. 1 root root   891 Apr 20 22:03 server1024.key
-rw-r--r--. 1 root root  1017 Apr 20 22:07 server.crt
-rw-r--r--. 1 root root  1675 Apr 20 21:43 server.key

# Print the certificate contents
[root@CentOS ~]# openssl x509 -text -in server.crt
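The key-generation, public-key extraction, self-signing and inspection commands above, run end to end as an added example (this is not code from the original post). It runs non-interactively by passing the DN with -subj instead of answering the prompts, and then performs the three checks an operator wants before installing the files: the private key is mode 0600, the certificate really carries this key's public half, and it is not within 30 days of expiry. It assumes only that the openssl CLI is on PATH; the temp directory, file names and DN values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the genrsa / rsa -pubout / req -x509 /
# x509 -text commands, run non-interactively in a temp dir, followed by the checks
# worth making before installing the files: the key file is 0600, the certificate
# really contains this key's public half, and it is not about to expire.
# Assumed: the openssl CLI is on PATH; the DN values are constructed for the demo.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/server.key"; PUB="$WORK/server.pub"; CRT="$WORK/server.crt"; CNF="$WORK/req.cnf"

# openssl req insists on a config that names a distinguished_name section even when
# -subj supplies the whole DN; an empty section satisfies it.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$CNF"

make_key_and_cert() {
    # umask 077 inside the subshell: the key is 0600 from the moment it exists,
    # with no world-readable window between genrsa and a later chmod.
    ( umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null )
    # the public half is derived from the private key, never stored separately
    openssl rsa -in "$KEY" -pubout -out "$PUB" 2>/dev/null
    # -subj replaces the interactive DN prompts shown in the post
    openssl req -new -x509 -config "$CNF" -key "$KEY" -out "$CRT" -days 365 \
        -subj "/C=CN/ST=JL/L=CC/O=CJ/OU=DQ/CN=ca.centos.tst"
}

# Permission string of the private key, e.g. -rw------- ; anything wider is a finding.
key_mode() { ls -l "$KEY" | cut -c1-10; }

# The certificate belongs to this key only if the public key embedded in it is
# byte-for-byte the one rsa -pubout derived. Prints match or mismatch.
cert_matches_key() {
    if openssl x509 -in "$CRT" -noout -pubkey | cmp -s - "$PUB"; then echo match; else echo mismatch; fi
}

# Subject CN, which must equal the hostname clients connect to.
cert_cn() { openssl x509 -in "$CRT" -noout -subject | sed 's/.*CN *= *//'; }

# -checkend N succeeds when the certificate is still valid N seconds from now;
# 30 days (2592000 s) is a usual renewal alarm. Prints valid or expiring.
cert_valid_30d() {
    if openssl x509 -in "$CRT" -noout -checkend 2592000 >/dev/null; then echo valid; else echo expiring; fi
}

make_key_and_cert
echo "key mode: $(key_mode); cert/key: $(cert_matches_key); CN: $(cert_cn); 30-day check: $(cert_valid_30d)"
openssl x509 -in "$CRT" -noout -subject -issuer -dates    # the fields the post's x509 -text shows, in short form
```

The cert_matches_key check is the one to run whenever a key and certificate arrive from different places (a CSR signed elsewhere, a restored backup): a mismatch there is the usual reason a web server refuses to start with its new certificate.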

# Configuration file; its [ CA_default ] section sets dir = /etc/pki/CA, which is the directory the CA commands below are run in
[root@CentOS ~]# vim /etc/pki/tls/openssl.cnf
# CA server (certificate authority): generate its key and certificate
[root@CentOS CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.................................................................................................+++
e is 65537 (0x10001)
[root@CentOS CA]# ll private/
total 4
-rw-------. 1 root root 1675 Apr 20 22:28 cakey.pem

[root@CentOS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem    # fill in the DN fields correctly; without -days the CA certificate is valid for only 30 days
[root@CentOS CA]# mkdir certs newcerts crl      # create the directories if they do not exist
[root@CentOS CA]# touch index.txt serial        # create the files if they do not exist
[root@CentOS CA]# echo 01 > serial              # give the serial counter a starting number
# Web server: create its key and certificate
# Generate the private key for the request
[root@CentOS ssl]# pwd
/etc/httpd/ssl
[root@CentOS ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
# Generate the certificate signing request (this is what is submitted to the CA)
[root@CentOS ssl]# openssl req -new -key httpd.key -out httpd.csr       # fill in the DN fields correctly; the CN is the server hostname
# Send the request to the CA to be signed; the signed certificate comes back and can then be used
# CA signs the certificate request, once the CSR has been transferred to it
[root@CentOS ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
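The three-party workflow the post walks through (CA key and self-signed certificate, web-server key and CSR, CA signing the CSR with openssl ca) as one added, self-contained script; this is not code from the original post. It goes beyond the post in three ways: it carries its own minimal openssl.cnf and CA directory under a temp dir instead of /etc/pki/CA, it stamps the issued certificate with the extensions a TLS server certificate needs (CA:FALSE, serverAuth, a subjectAltName), and it finishes with the check a client makes, verifying the served certificate against the CA certificate, with and without that CA being trusted. It assumes the openssl CLI is on PATH; every DN value and hostname is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three-party workflow
# (CA: key + self-signed cert; client: key + CSR; CA: sign the CSR) run end to end,
# non-interactively, with its own openssl.cnf and CA directory under a temp dir
# instead of /etc/pki/CA. Assumed: openssl is on PATH; DN values are constructed.
set -eu

WORK=$(mktemp -d)
CA="$WORK/CA"; CNF="$WORK/openssl.cnf"
SERVER_CN=www.centos.tst

# Step 0: the layout the post builds by hand (private/, certs/, newcerts/, crl/,
# index.txt, serial) plus the minimal configuration openssl ca needs.
write_config() {
    mkdir -p "$CA/private" "$CA/certs" "$CA/newcerts" "$CA/crl"
    : > "$CA/index.txt"        # empty issuance database
    echo 01 > "$CA/serial"     # first serial number to hand out
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext

[ policy_any ]
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
default_md         = sha256
x509_extensions    = ca_ext
[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_CN
EOF
}

# Step 1 (CA): key with umask 077, then a self-signed CA certificate. The post's
# req -x509 has no -days and so makes a 30-day CA; give this one ten years.
make_ca() {
    ( umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -config "$CNF" -key "$CA/private/cakey.pem" \
        -out "$CA/cacert.pem" -days 3650 -subj "/O=CJ/CN=ca.centos.tst"
}

# Step 2 (client, here the web server): its own key and a CSR; only the CSR travels.
make_csr() {
    ( umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null )
    openssl req -new -config "$CNF" -key "$WORK/httpd.key" \
        -out "$WORK/httpd.csr" -subj "/O=CJ/CN=$SERVER_CN"
}

# Step 3 (CA): sign the CSR. -batch answers the y/n prompts, -notext leaves out
# the human-readable dump so httpd.crt is plain PEM.
sign_csr() {
    openssl ca -batch -config "$CNF" -in "$WORK/httpd.csr" -out "$WORK/httpd.crt" -notext 2>/dev/null
}

# What a client does with the result: chain the served certificate to a trusted CA.
# Prints OK or untrusted; with no argument only the system trust store is consulted,
# which is why a private CA's cacert.pem has to be distributed to every client.
verify_cert() {          # $1 = trusted CA certificate (optional)
    if [ -n "${1:-}" ]; then out=$(openssl verify -CAfile "$1" "$WORK/httpd.crt" 2>/dev/null || true)
    else out=$(openssl verify "$WORK/httpd.crt" 2>/dev/null || true); fi
    case "$out" in *": OK") echo OK ;; *) echo untrusted ;; esac
}

# CA bookkeeping after one signature: index.txt has one V (valid) row and the
# serial counter moved on, so no later certificate can reuse serial 01.
issued_count()   { grep -c '^V' "$CA/index.txt" || true; }
next_serial()    { cat "$CA/serial"; }
cert_issuer_cn() { openssl x509 -in "$WORK/httpd.crt" -noout -issuer | sed 's/.*CN *= *//'; }

write_config; make_ca; make_csr; sign_csr
echo "with cacert.pem: $(verify_cert "$CA/cacert.pem"); system store only: $(verify_cert)"
echo "issued: $(issued_count); next serial: $(next_serial); issuer CN: $(cert_issuer_cn)"
```

Two things in the configuration matter operationally. The policy section decides which DN fields a request must carry and silently drops any field it does not list, so a CA that should never issue for a foreign organisation uses `match` rather than `optional` for organizationName. And the extensions come from the CA's config, not from the CSR (copy_extensions is off by default), which is the property that stops a requester from asking for CA:TRUE in its own request.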
# make: a quick self-signing test tool in /etc/pki/tls/certs; it signs automatically and puts the key and certificate in one file. For testing only (not recommended)
[root@CentOS certs]# pwd
/etc/pki/tls/certs
[root@CentOS certs]# vim Makefile 