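When you find yourself using a certificate signed by a private CA, it means your data needs to be encrypted (when it travels over the Internet, or in other scenarios).
Data security requires the following: confidentiality (data must be encrypted in transit, usually with a symmetric cipher), integrity (data must not be corrupted or modified in transit, usually ensured with a one-way hash algorithm), and authentication (the identity of both parties is established, usually with public-key cryptography).
How is a certificate actually used?
Take https as an example: the user (browser) sends a connection request to the server -> the server sends its certificate to the browser -> the browser checks that the certificate comes from a legitimate source, has not expired, and is intact (sometimes it also has to ask the CA whether the certificate has been revoked, but most deployments skip this step) -> once the checks pass, the browser uses the public key in the server's certificate to encrypt a randomly generated symmetric key and sends it to the server (bulk data is normally encrypted symmetrically, because public-key encryption is far too slow) -> the server receives the packet and uses its own private key to decrypt the symmetric key the browser generated -> from then on the server and the browser exchange data encrypted with this symmetric key.
Outline: a brief introduction to implementing a private CA; quickly signing a certificate (for test environments, normally not for production, although a properly generated certificate can be used in production too); real certificate signing for production; an example of using a self-signed certificate (configuring https).
1. Introduction to implementing a private CA
Terminology:
CA: certificate authority, the body that issues certificates. Think of it as the police station in everyday life.
Files ending in crt or pem: a certificate, i.e. a certificate issued by a CA. Think of it as the ID card the police station issues to you.
A "public" certificate is one you pay a CA to issue. If the certificate is only needed inside your own company, you can set up your own private CA and issue certificates yourself, which gives you encrypted data transfer at no cost.
We usually use OpenSSL, an open-source implementation of the ssl/tls protocols, to run the private CA and issue certificates to other hosts and services.
2. Quickly signing a certificate, normally for testing
Method 1: Red Hat and CentOS ship a ready-made tool.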
cd /etc/pki/tls/certs
make server.pem
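Next you are asked for information about the certificate's owner. Enter whatever you like; it is recorded in the certificate. Note that in production the Common Name must be the domain name of the machine providing the service. In a test environment your own name will do.
Country Name (2 letter code) [XX]:CN #country code
State or Province Name (full name) []:HeBei #your province
Locality Name (eg, city) [Default City]:TangShan #your city
Organization Name (eg, company) [Default Company Ltd]:Horizoom #your company
Organizational Unit Name (eg, section) []:Tec #your department
Common Name (eg, your name or your server's hostname) []:lidonghai #your name or your server's domain name. This matters in production: it must be your server's domain name, otherwise browsers cannot use this certificate to reach your server. The country, province and so on before it can be anything (but when a private CA signs the certificate they must be the same in the CA's and the server's certificate, otherwise signing fails)
Email Address []:lidonghai@qq.com #your email address
That completes the certificate; hand it to whichever service needs one (https, for example, can use it directly).
Note: this server.pem file contains both the private key and the certificate. Use it only in test environments and never in production: because the private key sits inside the certificate file, anyone who obtains your certificate also obtains your private key, which makes the encryption worthless (as good as no encryption; captured traffic is easily decrypted).
Some services want separate server.key and server.crt files. Open server.pem, copy out the key part and the certificate part, and save them as server.key and server.crt. This can be used in production, because the certificate and key are separate: only the certificate is sent to clients, never the key. (The key file is the most important one and must never fall into other people's hands. Store it encrypted or set its permissions to 600.)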
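The split described above can be done with openssl itself instead of copying text out of the file by hand. This is an added example, not part of the original article; the function names and the sample subject are made up for illustration, and the sample PEM is generated on the spot.

```shell
# make_sample_pem FILE: constructed input for the demo, a throwaway key and
# self-signed certificate in one file, like the server.pem discussed above.
make_sample_pem() {
    printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=sample.example.test\n' > "$1.cnf"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
          -keyout "$1.key.tmp" -out "$1.crt.tmp" 2>/dev/null &&
      cat "$1.key.tmp" "$1.crt.tmp" > "$1" )
    status=$?
    rm -f "$1.cnf" "$1.key.tmp" "$1.crt.tmp"
    return $status
}

# split_pem COMBINED KEY_OUT CRT_OUT: write the key and the certificate to separate files.
split_pem() {
    rm -f "$2"                                  # a fresh file picks up the umask below
    ( umask 077; openssl pkey -in "$1" -out "$2" ) || return 1    # private key, mode 600
    openssl x509 -in "$1" -out "$3"             # certificate only; safe to hand out
}

# key_matches_cert KEY CRT: succeeds only if both files carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# has_private_key FILE: succeeds if FILE contains any PEM private-key block.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}
```

Running has_private_key on the file a service hands to clients, and key_matches_cert on the pair, catches both a leaked key and a mismatched pair before the service is restarted.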
####################################
Above, server.key and server.crt were cut out of server.pem. Below, these commands generate server.key and server.crt directly.
cd /etc/pki/tls/certs
make server.csr
The following generates the certificate signing request; you are asked for the requester's information.
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
............................................+++
.............................+++
e is 65537 (0x10001)
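Enter pass phrase: #passphrase that encrypts the requester's private key; the key is stored encrypted and is then used to generate the server.csr request file
Verifying - Enter pass phrase: #enter the passphrase again to confirm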
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key: #enter the key's passphrase again; server.csr is being generated and the key file has to be decrypted. It is the same passphrase as the previous two
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #requester's information
State or Province Name (full name) []:HeBei #requester's province
Locality Name (eg, city) [Default City]:TangShan #requester's city
Organization Name (eg, company) [Default Company Ltd]:Horizoom #requester's company
Organizational Unit Name (eg, section) []:Tec #requester's department
Common Name (eg, your name or your server's hostname) []:lidongha #normally the requester's server domain name; your own name is fine for testing
Email Address []:lidonghai@qq.com #your email address
The information above is recorded in server.csr.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #whether to protect your server.csr request with a password. Leave these two items empty and just press Enter.
An optional company name []:
At this point the service's certificate signing request, server.csr, has been generated.
Generate the CA's certificate, which is used to sign server.csr.
cd /etc/pki/tls/certs
make ca.crt
Next comes the CA organisation's information needed to generate ca.crt.
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > ca.key
Generating RSA private key, 2048 bit long modulus
......+++
................+++
e is 65537 (0x10001)
Enter pass phrase: #passphrase that encrypts the CA's private key
Verifying - Enter pass phrase: #enter the passphrase again to confirm
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key ca.key -x509 -days 365 -out ca.crt -set_serial 0
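Enter pass phrase for ca.key: #ca.crt is being generated and the key file encrypted above has to be decrypted, so enter the key's passphrase again. It is the same passphrase as the previous two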
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
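Country Name (2 letter code) [XX]:CN #CA's country code
State or Province Name (full name) []:HeBei #CA's province
Locality Name (eg, city) [Default City]:TangShan #CA's city
Organization Name (eg, company) [Default Company Ltd]:Horizoom #CA's company name
Organizational Unit Name (eg, section) []:Tec #CA's department
Common Name (eg, your name or your server's hostname) []:lidonghai #CA's name or the CA server's domain name; use a name in a test environment, and the machine's domain name or host name in production
Email Address []:lidonghai@qq.com #CA's email address
Although the above is the CA's information, yours is a private CA, so it is usually fine to keep most of it the same. This information is recorded in ca.crt.
The directory now contains the CA's certificate ca.crt and the CA's private key ca.key.
Now just sign the server.csr request:
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Parameters and subcommand: x509 is the format of the server.crt certificate about to be generated; -days specifies the certificate's validity period; -in specifies the request file to sign; -CA specifies the issuing authority's certificate; -CAcreateserial creates the serial number file automatically if it does not exist. All you have to do here is enter the passphrase of the ca.key key file, and server.crt is signed and generated.
Done. Now just hand server.crt and server.key to the service that needs the certificate and configure it. Take care of server.key: it must never leak, otherwise the encryption is pointless.
Method 2:
1>Generate the CA's private key, ca.key
openssl genrsa -des3 -out ca.key 2048 #generate the CA's private key. Without -des3 the generated ca.key is an unencrypted private key.
openssl rsa -in ca.key -out ca.key #the key above was encrypted with -des3; this converts it to an unencrypted key. Skipping the conversion is fine too: you just have to enter the key's passphrase when generating ca.crt.
2>Generate the CA's certificate, ca.crt, which is used to sign the server.csr request file.
Next, fill in the CA's information. The explanations are the same as above and are not repeated here.
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 #x509 format, valid for 10 years.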
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeBei
Locality Name (eg, city) [Default City]:TangShan
Organization Name (eg, company) [Default Company Ltd]:Horizoom
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:lidonghai
Email Address []:lidonghai@qq.com
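At this point the CA's ca.crt and ca.key are ready, and the CA can sign certificates for other services.
3>Generate the signing request file server.csr. Generate server.key first, because server.crt needs server.key in order to be generated
openssl genrsa -out server.key 2048 #note that this server.key is a different file from ca.key above. You could use the same key for both, but no sensible person would.
4>Generate the server.csr request file.
openssl req -new -key server.key -out server.csr
Next comes the requester's information, which is recorded in server.csr. See the explanations above; they are the same.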
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeBei
Locality Name (eg, city) [Default City]:TangShan
Organization Name (eg, company) [Default Company Ltd]:Horizoom
Organizational Unit Name (eg, section) []:Tec
Common Name (eg, your name or your server's hostname) []:lidonghai
Email Address []:lidonghai@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
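5>Now sign the server.csr file.
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
I sometimes see people online generating a certificate with cat server.key server.crt > server.pem. The resulting server.pem can indeed be used as a certificate, but it is extremely insecure. It is acceptable for testing but must never be used in production. This is dangerous: it is the same as writing your PIN on your bank card.
Done. Hand server.crt and server.key to the service that needs the certificate and configure it. Keep server.key secret; it must not leak. Methods 1 and 2 are really the same: Method 1 uses a Makefile to carry out all of Method 2's steps automatically, with roughly the same commands. If you don't believe it, read /etc/pki/tls/certs/Makefile and see for yourself.
Summary: the CA must hold both ca.crt, the CA's self-signed certificate, and ca.key, the CA's private key. The service being issued a certificate needs server.csr, the signing request file, and server.key, the service's own private key.
A certificate cannot be generated without a private key, so the *.key file has to exist before any *.crt or *.csr file.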
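An added example, not from the original article: Method 2 run non-interactively, with a subjectAltName added at signing time, because current browsers match the host name against that extension rather than the Common Name. The directory, host name, subject values and function names are assumptions made for the example.

```shell
# issue_with_san DIR HOST: Method 2 without prompts, plus a subjectAltName.
# DIR, HOST and the subject values are constructed samples.
issue_with_san() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    # Minimal request config so the result does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = CN
ST = HeBei
O = Horizoom
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Extensions for the server certificate. By default "openssl x509 -req" does
    # not copy extensions out of the CSR, so they are supplied at signing time.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    ( umask 077    # both private keys are created with mode 600
      openssl genrsa -out "$dir/ca.key" 2048 &&
      openssl genrsa -out "$dir/server.key" 2048 ) 2>/dev/null &&
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/req.cnf" \
        -key "$dir/ca.key" -out "$dir/ca.crt" &&
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/server.key" \
        -subj "/C=CN/ST=HeBei/O=Horizoom/CN=$host" -out "$dir/server.csr" &&
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# chain_ok CA_CRT CRT: succeeds if the certificate chains to the private CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# san_names CRT: print the DNS names in the subjectAltName extension, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers_host CRT HOST: OpenSSL's own host name check against the certificate.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```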
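3. Standard certificate issuance with a private CA, normally used in production. To really understand how certificates are issued you have to do it the standard way.
First configure the CA, using openssl as the private certificate authority.
1> cd /etc/pki/tls/
2> vim openssl.cnf #edit the configuration as follows. You can also use it unmodified (the configuration file, shown between the Start and End markers below, can be skipped). The changes here only provide some default values and convenient options; there is really no need to modify the file, but have a look if you are interested.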
#################Start##########
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (working directory)
certs = $dir/certs # Where the issued certs are kept (all client certificates)
crl_dir = $dir/crl # Where the issued crl are kept (certificates revoked before they expired)
database = $dir/index.txt # database index file (records of the certificates issued)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs (newly generated certificates)
certificate = $dir/cacert.pem # The CA certificate (where the CA's own certificate is stored)
serial = $dir/serial # The current serial number (serial number for issued certificates)
crlnumber = $dir/crlnumber # the current crl number (serial number for certificate revocation lists)
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key (where the CA's private key file is stored)
RANDFILE = $dir/private/.rand # private random number file (created automatically, no need to manage it)
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 3650 # how long to certify for (validity of generated certificates; the default value is 365 days)
default_crl_days= 30 # how long before next CRL (a new CRL is due every 30 days)
default_md = default # use public key default MD (one-way hash algorithm)
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN #country
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name) #province
stateOrProvinceName_default = HeBei
localityName = Locality Name (eg, city)
localityName_default = TangShan #city name
0.organizationName = Organization Name (eg, company) #company name
0.organizationName_default = Horizoom
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section) #department name
organizationalUnitName_default =Tec
commonName = Common Name (eg, your name or your server\'s hostname) #domain name or your name
commonName_max = 64
emailAddress = lidonghai@qq.com #email address, default value
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
####################End#############
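3>cd /etc/pki/CA
4>openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 #generate the CA's private key
5>openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem #generate the CA's self-signed certificate. The file names and paths must match the settings in openssl.cnf, otherwise the CA's certificate and private key will not be found and no certificates can be signed.
Next comes the CA's information, which is saved in the CA's self-signed certificate cacert.pem.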
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeBei]:
Locality Name (eg, city) [TangShan]:
Organization Name (eg, company) [Horizoom]:
Organizational Unit Name (eg, section) [Tec]:
Common Name (eg, your name or your server's hostname) []:lidonghai
lidonghai@qq.com []:
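6>touch index.txt serial #this file must be provided: the database file that records the client certificates that have been issued
7> echo 01 > serial #this file is also required; it holds the serial number for issued certificates
8>mkdir -pv /etc/pki/CA/{crl,certs,newcerts} #these directories must be created as well.
The private CA environment is now set up and can sign certificates for others.
Signing a certificate:
1> Generate the server.csr signing request file. Run the following commands in order.
cd /etc/httpd
mkdir ssl
cd ./ssl
(umask 077; openssl genrsa -out server.key 2048) #generate the requester's private key. The umask of 077 gives the key file permissions of 600; the parentheses run the commands in a subshell so the current shell is not affected
openssl req -new -key ./server.key -out server.csr #generate the signing request. Next you fill in your details; their meaning is the same as in the annotations above.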
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeBei]:
Locality Name (eg, city) [TangShan]:
Organization Name (eg, company) [Horizoom]:
Organizational Unit Name (eg, section) [Tec]:
Common Name (eg, your name or your server's hostname) []:lidonghai #in production this must be your server's domain name, otherwise browsers cannot use your certificate
lidonghai@qq.com []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
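2>Sign server.csr.
openssl ca -in ./server.csr -out server.crt -days 3650 #sign the certificate; confirm at the two prompts.
The certificate is now signed; hand server.crt and server.key to the service that needs the certificate.
Summary: follow the steps above to produce the server.crt and server.key you need.
In fact the above comes down to two steps. Setting up the CA environment: you only need to provide the CA's certificate cacert.pem and private key cakey.pem and store them where the configuration file says they should be, then provide the index.txt and serial files and put the initial certificate serial number in serial. That completes the private CA environment. Signing a certificate: this step only needs server.key and the server.csr request file; sign server.csr directly to produce server.crt and you are done. This last approach is the least effort overall: it may take some time to configure properly at the start, but once you use it often it is the fastest, and it also records the certificates that have been issued so that they can be managed.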
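An added example, not from the original article: the same openssl ca workflow built in a scratch directory instead of /etc/pki/CA, showing policy_match refusing a request whose organizationName differs from the CA's, and a revoked certificate failing verification against the CRL. The cut-down configuration, directory, subjects and function names are assumptions made for the example.

```shell
# setup_ca DIR: scratch CA laid out as "openssl ca" expects (all values constructed).
setup_ca() {
    ca=$1
    mkdir -p "$ca/crl" "$ca/newcerts" "$ca/private" || return 1
    : > "$ca/index.txt"                                # database of issued certificates
    echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"  # next certificate and CRL numbers
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = CN
ST = HeBei
O = Horizoom
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    ( umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 ) 2>/dev/null &&
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/openssl.cnf" \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" &&
    openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl/crl.pem" 2>/dev/null
}

# make_csr CA_DIR NAME ORG: key and CSR for CN=NAME with organizationName ORG.
make_csr() {
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 ) 2>/dev/null &&
    openssl req -new -sha256 -config "$1/openssl.cnf" -key "$1/$2.key" \
        -subj "/C=CN/ST=HeBei/O=$3/CN=$2" -out "$1/$2.csr"
}

# sign_csr CA_DIR NAME: sign NAME.csr; fails when policy_match rejects the subject.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}

# revoke_cert CA_DIR NAME: mark the certificate revoked and publish a fresh CRL.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" >/dev/null 2>&1 &&
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# cert_valid CA_DIR NAME: chain check that also consults the CRL.
cert_valid() {
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}
```

After sign_csr the entry in index.txt starts with V; after revoke_cert it starts with R, and only clients that actually check the CRL will notice the difference.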
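4. https configuration example
1> //install the ssl module
yum install mod_ssl #installs the dynamic library; without it there is no ssl layer support.
2> vim /etc/httpd/conf.d/ssl.conf #configure as follows
Find the following line and change it to your server's IP address.
<VirtualHost 192.168.99.164:443>
Find this line and set it to your httpd service's working directory.
DocumentRoot "/var/www/html"
Where your certificate is:
SSLCertificateFile /etc/httpd/ssl/server.crt
Where your private key is:
SSLCertificateKeyFile /etc/httpd/ssl/server.key
3>service httpd restart
4>https://192.168.99.164/ #note that your browser will block the page because it determines that the server's certificate is not a publicly trusted one. Configure the browser to accept and trust the server's certificate and it will work.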
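5. Other general knowledge about openssl
PKI: Public Key Infrastructure #the theoretical foundation for keeping data secure. It can be understood by analogy with the OSI (Open System Interconnection) reference model: it is only a specification.
CA: Certificate Authority
x509, pkcs12 #certificate formats; there are many, but x509 is by far the most common
x509: a certificate in this format normally contains
the public key and its validity period
the certificate's legitimate owner
how the certificate may be used
the CA's information
the checksum of the CA's signature
PKI: TLS/SSL: a protocol that implements the PKI standard, comparable to the four-layer protocol model commonly used in networking. In other words, this is the protocol actually used in practice.
PKI: OpenPGP: a protocol that implements the PKI standard, comparable to the four-layer protocol model commonly used in networking. In other words, this is the protocol actually used in practice.
Symmetric encryption: example algorithms
DES: Data Encryption Standard, 56bit, developed by IBM, no longer used
3DES:
AES: Advanced
AES192, AES256, AES512
Blowfish: used commercially, requires payment
Tools that implement the algorithms above
openssl
gpg
One-way encryption:
MD4
MD5
SHA1
SHA192, SHA256, SHA384
CRC-32
Public-key encryption: (encryption/signing)
authentication (digital signatures)
data encryption
key exchange
RSA: encryption, signing
DSA: signing
ElGamal
OpenSSL: an open-source implementation of SSL
libcrypto: the cryptographic library, implementing essentially all of the encryption algorithms. When writing a program you do not need to implement these algorithms yourself; link against this library and call the relevant functions
libssl: the TLS/SSL implementation. This is the library or module that makes services such as https and ftps possible. Most applications only need to support this ssl layer (this library) to send data over the network encrypted
a session-based TLS/SSL library that provides authentication, data confidentiality and session integrity
openssl: a multi-purpose command-line tool
implements a private certificate authority
Subcommands: openssl is the certificate generation tool we use all the time.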