1 Self-built CA certs directory
[root@localhost ~]# tree tls
tls
├── 1
│ ├── 1.crt
│ ├── 1.csr
│ └── 1.key
├── 2
│ ├── 2.crt
│ ├── 2.csr
│ └── 2.key
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── serial
├── serial.old
├── server.crt
└── server.key
2 Generate the CA key and self-signed certificate
a Generate server.key
【Command】Key generation command:
[root@localhost ~]# openssl genrsa -out server.key -des3 2048
【Result】
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
b Self-sign the root certificate
[root@localhost ~]# openssl req -new -x509 -key server.key -days 7300 -out srv_cacert.pem
【Result】
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:www.testlm.com
Email Address []:
3 Generate the client and server private keys/certificates
a Server side
a-1 Generate the key
【Command】
[root@localhost 1]# openssl genrsa -out 1.key -des3 2048
【Result】
Generating RSA private key, 2048 bit long modulus
......................................+++
............................................................+++
e is 65537 (0x10001)
Enter pass phrase for 1.key:
Verifying - Enter pass phrase for 1.key:
a-2 Generate the certificate signing request
【Command】
[root@localhost 1]# openssl req -new -key 1.key -out 1.csr -days 3650
【Result】
Enter pass phrase for 1.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJ
Locality Name (eg, city) [Default City]:XM
Organization Name (eg, company) [Default Company Ltd]:YL
Organizational Unit Name (eg, section) []:YL
Common Name (eg, your name or your server's hostname) []:www.testlm.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
a-3 Issue the certificate
【Command】
[root@localhost 1]# openssl ca -in 1.csr -out 1.crt -days 7300 -name my_caset
【Result】
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/tls/server.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 6 (0x6)
Validity
Not Before: Mar 5 08:20:29 2018 GMT
Not After : Feb 28 08:20:29 2038 GMT
Subject:
countryName = CN
stateOrProvinceName = FJ
organizationName = YL
organizationalUnitName = YL
commonName = www.testlm.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
47:34:D8:EF:55:BB:BF:74:16:E1:DD:22:65:00:56:C8:96:26:B9:BC
X509v3 Authority Key Identifier:
keyid:B9:BD:D3:60:79:26:CF:82:E1:FE:1B:6B:DF:F5:A7:7D:35:7F:13:C1
Certificate is to be certified until Feb 28 08:20:29 2038 GMT (7300 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
b Generate the client key and issue its certificate
b-1, b-2, b-3 (the same three steps as a-1 to a-3, run for the client in the 2/ directory):
[root@localhost ~]# openssl genrsa -out 2.key -des3 2048
[root@localhost 2]# openssl req -new -key 2.key -out 2.csr -days 3650
[root@localhost 2]# openssl ca -in 2.csr -out 2.crt -name my_caset
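As an added example (not the post's own commands), the following POSIX shell script reproduces steps 1 to 3 non-interactively in a temporary directory and then checks the result with openssl verify, which is the same chain check that s_server and s_client perform through -CAfile in step 4. Everything the post leaves implicit is an assumption here: the [ my_caset ] section (the post's /etc/pki/tls/openssl.cnf is not shown, so a minimal one is written using the paths from the step 1 tree), the passphrases (constructed placeholders standing in for the interactive prompts), AES-256 key encryption in place of -des3, -notext so the .crt files are plain PEM, and a separate CN for the root CA so the root and the server certificate do not share a subject.

```shell
#!/bin/sh
# Added example, not the original post's code. Runs steps 1-3 non-interactively in a
# throwaway directory. Assumed (not on the page): the [ my_caset ] config section,
# the passphrases, AES-256 instead of -des3, -notext, and a dedicated CN for the root.
set -eu

CA_PASS='ca-passphrase-constructed'       # constructed stand-ins for the interactive
LEAF_PASS='leaf-passphrase-constructed'   # "Enter pass phrase" prompts in the post
DN_PREFIX='/C=CN/ST=FJ/L=XM/O=YL/OU=YL'   # the DN fields typed at the req prompts

# ca_setup DIR: step 1 - the directory tree plus an openssl.cnf holding my_caset
ca_setup() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/1" "$1/2"
  : > "$1/index.txt"            # empty certificate database
  echo 01 > "$1/serial"         # next serial; 'openssl ca' rotates the *.old copies
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = my_caset
[ my_caset ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/srv_cacert.pem
private_key     = \$dir/server.key
default_md      = sha256
default_days    = 3650
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# make_ca DIR: step 2 - encrypted CA key and a self-signed root marked CA:TRUE
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/server.key" 2048 2>/dev/null
  chmod 600 "$1/server.key"
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
    -key "$1/server.key" -passin "pass:$CA_PASS" -days 7300 \
    -subj "$DN_PREFIX/CN=testlm root CA" -out "$1/srv_cacert.pem"
}

# issue_leaf DIR NAME CN [DAYS]: step 3 - key, CSR, then 'openssl ca -name my_caset'
issue_leaf() {
  d="$1/$2"
  openssl genrsa -aes256 -passout "pass:$LEAF_PASS" -out "$d/$2.key" 2048 2>/dev/null
  chmod 600 "$d/$2.key"
  openssl req -new -config "$1/openssl.cnf" -key "$d/$2.key" \
    -passin "pass:$LEAF_PASS" -subj "$DN_PREFIX/CN=$3" -out "$d/$2.csr"
  openssl ca -config "$1/openssl.cnf" -name my_caset -batch -notext \
    -passin "pass:$CA_PASS" -in "$d/$2.csr" -out "$d/$2.crt" \
    -days "${4:-3650}" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: succeeds only if CERT chains to the anchor in CAFILE,
# the same check s_server/s_client apply through -CAfile in step 4
verify_chain() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# is_ca CERT: does the certificate carry basicConstraints CA:TRUE?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# issued_count DIR: number of valid (V) entries in the CA database
issued_count() { grep -c '^V' "$1/index.txt"; }

WORK=$(mktemp -d "${TMPDIR:-/tmp}/tls.XXXXXX")
trap 'rm -rf "$WORK"' EXIT
ca_setup "$WORK"
make_ca "$WORK"
issue_leaf "$WORK" 1 www.testlm.com 7300     # server cert, as in a-3 (-days 7300)
issue_leaf "$WORK" 2 client.testlm.com       # client cert, as in b-3 (constructed CN)
verify_chain "$WORK/srv_cacert.pem" "$WORK/1/1.crt" && echo "1.crt chains to srv_cacert.pem"
verify_chain "$WORK/srv_cacert.pem" "$WORK/2/2.crt" && echo "2.crt chains to srv_cacert.pem"
echo "certificates in index.txt: $(issued_count "$WORK")"
```

Running the script leaves the same files behind (in a temporary directory) that the step 1 tree shows: newcerts/01.pem and 02.pem, index.txt with two V entries, index.txt.attr and serial.old. The negative case is worth keeping in mind when reading step 4: a leaf such as 1.crt cannot stand in for the root as a -CAfile trust anchor, because it carries CA:FALSE and did not issue the peer's certificate, so verification of 2.crt against it fails.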
4 Test
a One-way authentication
a-1 Server side
In .../tls/1/
【Command】
[root@localhost 1]# openssl s_server -key 1.key -cert 1.crt -CAfile ../srv_cacert.pem
【Result】
Enter pass phrase for 1.key:
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDBQ8pE6Ghvl2EqJF7hD5i7xjGgiMmhrmt2fGUq9r6YV
RAe7dBhKn9+QycUH+g+3jO6hBgIEWpz+t6IEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-