https学习笔记一

http 80
https 443 rsa 非对称128加密 安全类交易可以使用rsa 1024位加密算法
https是ssl(secure socket layer)的一种
单向 客户端单向访问服务器(安全)
根证书 rootCA
服务器认证 serverCA




双向认证
根证书
生成一对不对称密钥，公钥public key(加密) 和私钥 private key(解密),一个私钥对应多个公钥
用密钥产生请求，同时交给root机构
root机构进行签名
服务器认证
客户端认证

过程：客户端请求认证，取得证书，每次访问携带证书


md5 和sha指纹加密算法




使用openssl来签证书
1 下载安装文件
http://slproweb.com/products/Win32OpenSSL.html


2 安装完成后，设置环境变量


OPENSSL_CONF
D:\tools\OpenSSL-Win32\bin\openssl.cfg
path
D:\tools\OpenSSL-Win32\bin
3 生成根证书所用密钥
openssl genrsa -des3 -out ca.key 1024
示例
D:\tools\opensslca>openssl genrsa -des3 -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........++++++
.....................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: 输入密码
Verifying - Enter pass phrase for ca.key: 再次输入密码




去除ca密钥的口令
openssl rsa -in ca.key -out ca.key


D:\tools\opensslca>openssl rsa -in ca.key -out ca.key
Enter pass phrase for ca.key:
writing RSA key


生成rootCA
openssl req -new -x509 -key ca.key -out ca.crt -config D:\tools\OpenSSL-Win32\bin\openssl.cfg


国家:CN
省：SH
市：SH
公司名：yue
主机名：Nemo-20100613CG



D:\tools\opensslca>openssl req -new -x509 -key ca.key -out ca.crt -config D:\too
ls\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yue
Organizational Unit Name (eg, section) []:Nemo-20100613CG
Common Name (e.g. server FQDN or YOUR name) []:Nemo-20100613CG
Email Address []:zhenhuayue@sina.com



同时会在C:\WINDOWS\system32\drivers\etc\hosts文件中添加如下行：
127.0.0.1 cn.yue.com


将ROOT CA导入客户端的根级信任域,所有客户端都需要导入
internate 选项-->证书-->导入




生成web服务端的证书使用rootca签名aaaaaa
命令如下：
openssl genrsa -des3 -out server.key 1024




去除密码
openssl rsa -in server.key -out server.key


生成服务端证书签名:
openssl req -new -key server.key -out server.csr


使用rootCA 请求web服务器的证书,进行签名认证
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

出现如下错误：
D:\tools\opensslca>openssl ca -in server.csr -out server.crt -cert ca.crt -keyfi
le ca.key
Using configuration from D:\tools\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory


解决方法:
md demoCA
cd demoCA
md newcerts
cd ..
@echo>index.txt
@echo>serial
@echo 01 >serial


重新生成Web服务器的server.crt证书：
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key


结果如下：


Using configuration from D:\tools\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 27 10:51:48 2012 GMT
Not After : Oct 27 10:51:48 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = SH
organizationName = yue
organizationalUnitName = Nemo-20100613CG
commonName = Nemo-20100613CG
emailAddress = zhenhuayue@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:B4:50:30:E3:44:5C:51:76:F9:26:E6:FD:F9:C1:1C:84:79:9E:B1
X509v3 Authority Key Identifier:
keyid:3F:CE:E6:09:56:BD:5B:0F:09:22:0B:FA:3B:98:F2:0D:6B:39:1A:0
7


Certificate is to be certified until Oct 27 10:51:48 2013 GMT (365 days)
Sign the certificate? [y/n]:y




1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated