shallow丿ove
SSL principle
- The client's browser sends an HTTPS request to the server.
- The server holds a digital certificate: it generates a public/private key pair, the public key is embedded in the certificate, and the certificate (and with it the public key) is sent to the client.
- The client's browser checks whether the certificate is valid (signed by a CA it trusts, not expired, and issued for the host name it connected to). If it is not, an HTTPS warning is shown; if it is, the client generates a random string and encrypts it with the public key it received.
- The client sends the encrypted random string to the server.
- The server decrypts it with its private key to recover the random string, then encrypts the data it wants to send with that random string and sends the ciphertext to the client.
- The client decrypts the data with its own secret, namely the random string, and reads the message.
This is the RSA key-exchange model of TLS 1.2 and earlier: the random string is the pre-master secret, and everything after step 3 is symmetric encryption. TLS 1.3 derives the session key with ephemeral Diffie-Hellman instead of encrypting a secret to the server's RSA key, but the trust decision is the same: the certificate must be verified before the key inside it is trusted.
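The exchange described above, replayed with the openssl command line, as an added example that is not part of the original notes. "Server" and "client" are simply two sets of files in a temporary directory; the file names and the message text are assumptions made for the demo. OAEP padding is used for the RSA step, which the notes do not mention, because PKCS#1 v1.5 padding is exposed to Bleichenbacher-style padding-oracle attacks.

```shell
#!/bin/sh
# Added example, not from the original page: the handshake above replayed
# with openssl(1). "Server" and "client" are two sets of files in a temp
# directory; file names and the message are assumptions made for the demo.
# This is the RSA key-exchange model (TLS 1.2 and earlier); TLS 1.3
# replaces step 2 with ephemeral Diffie-Hellman.
set -eu

# Step 1 (server): generate a key pair. Only server.pub ever leaves the
# server (in a real handshake it travels inside the certificate).
server_keygen() {
    dir=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" 2>/dev/null
}

# Step 2 (client): pick a random secret and encrypt it to the server's
# public key. Only secret.enc goes over the wire.
client_send_secret() {
    dir=$1
    openssl rand -hex 32 > "$dir/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/client.secret" -out "$dir/secret.enc"
}

# Step 3 (server): recover the secret with the private key, then use it as
# the key of a symmetric cipher to encrypt the application data.
server_reply() {
    dir=$1; message=$2
    openssl pkeyutl -decrypt -inkey "$dir/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/secret.enc" -out "$dir/server.secret"
    printf '%s' "$message" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$dir/server.secret" -out "$dir/data.enc"
}

# Step 4 (client): decrypt the reply with the secret generated in step 2.
client_read_reply() {
    dir=$1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$dir/client.secret" \
        -in "$dir/data.enc"
}

# Run the whole exchange and print what the client recovered.
run_exchange() {
    dir=$(mktemp -d)
    server_keygen "$dir"
    client_send_secret "$dir"
    server_reply "$dir" "$1"
    out=$(client_read_reply "$dir")
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Why the private key must stay private: someone holding only server.pub
# and the captured secret.enc cannot run the decrypt step.
eavesdropper_fails() {
    dir=$(mktemp -d)
    server_keygen "$dir"
    client_send_secret "$dir"
    if openssl pkeyutl -decrypt -pubin -inkey "$dir/server.pub" \
           -pkeyopt rsa_padding_mode:oaep \
           -in "$dir/secret.enc" -out /dev/null 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}

run_exchange 'hello over https'
```

The symmetric step uses `openssl enc` with the shared secret as the password, which is a stand-in for the key schedule TLS derives from the pre-master secret; the point of the example is the division of labour (public key only for transporting the secret, symmetric cipher for the data) and that the ciphertext is useless without server.key.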
Generating an SSL key pair
- cd /usr/local/nginx/conf
- openssl genrsa -des3 -out tmp.key 2048 #the .key file is the private key
- openssl rsa -in tmp.key -out aminglinux.key #rewrite the key without the passphrase, so nginx can load it at startup without prompting
- rm -f tmp.key
- openssl req -new -key aminglinux.key -out aminglinux.csr #generate the certificate signing request; it is signed together with the key to produce the certificate
- openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
- aminglinux.crt here is the certificate, which carries the public key and is what gets sent to clients; aminglinux.key is the private key and must never leave the server (keep it readable by root only)
[root@localhost vhost]# cd /usr/local/nginx/conf/
[root@localhost conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
......................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
at least 4 characters
[root@localhost conf]# openssl rsa -in tmp.key -out user.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
openssl prints the following list of its subcommands whenever it is invoked with a subcommand it does not recognise (which is what the x609 typo above produces):
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 rc5 rc5-cbc rc5-cfb
rc5-ecb rc5-ofb seed seed-cbc
seed-cfb seed-ecb seed-ofb zlib
Custom (self-signed) certificate
[root@localhost conf]# openssl req -new -key user.key -out user.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MC
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:user
Email Address []:user@user.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:user
An optional company name []:user
[root@localhost conf]# openssl x509 -req -days 365 -in user.csr -signkey user.key -out user.crt
Signature ok
subject=/C=11/ST=BeiJing/L=Beijing/O=MC/OU=user/CN=user/emailAddress=user@user.com
Getting Private key
[root@localhost conf]# ls user.*
user.crt user.csr user.key
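The key, CSR and self-signed certificate steps listed under "Generating an SSL key pair" and run interactively in the transcript above, done non-interactively together with the checks worth running before pointing nginx at the files. This is an added example, not part of the original notes; the host names, subject fields and 365-day validity are assumptions made for the demo, and the subjectAltName extension is added because browsers match the host name against it rather than against CN.

```shell
#!/bin/sh
# Added example, not from the original page: key -> CSR -> self-signed
# certificate done non-interactively, plus the checks a practitioner runs
# before handing the files to nginx. Host names, subject fields and the
# 365-day validity are assumptions made for the demo.
set -eu

# Private key without a passphrase (nginx cannot prompt for one at start),
# CSR, and a self-signed certificate. subjectAltName is what browsers
# actually match the host name against; CN alone is not enough.
make_selfsigned() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=CN/ST=BeiJing/L=Beijing/O=MC/OU=user/CN=$host"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# A certificate is only usable with the key it was issued for. Comparing
# the public key inside the certificate with the one derived from the
# private key catches the classic "wrong .key next to the .crt" mistake.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# DNS names the certificate is valid for, taken from subjectAltName.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# What a client does with it: verify the chain (here the certificate is its
# own trust anchor), check it is not about to expire, and match the host.
cert_valid_for() {
    crt=$1; host=$2
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 &&
        openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null &&
        [ "$(cert_dns_names "$crt")" = "$host" ]
}

# Happy path: generate for one host and run all the checks.
demo() {
    dir=$(mktemp -d); host=www.example.test
    make_selfsigned "$dir" "$host"
    ok=1
    if key_matches_cert "$dir/$host.key" "$dir/$host.crt" &&
       cert_valid_for "$dir/$host.crt" "$host"; then
        ok=0
    fi
    rm -rf "$dir"
    return $ok
}

# Failure mode: a key from another host paired with this certificate.
mismatch_detected() {
    dir=$(mktemp -d)
    make_selfsigned "$dir" a.example.test
    make_selfsigned "$dir" b.example.test
    if key_matches_cert "$dir/a.example.test.key" "$dir/b.example.test.crt"; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}

demo && echo "key, certificate and host name check out"
```

The key-to-certificate comparison is the check to run first when nginx refuses to start with a "key values mismatch" error after files have been renamed, as happened between aminglinux.key and user.key above. A self-signed certificate only passes `openssl verify` because it is passed as its own trust anchor; a browser will still warn unless the certificate is installed in its trust store or replaced by one from a CA it already trusts.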