目录
基础介绍
TLS 作用于TCP和应用之间,负责应用之间的数据加密
创建root ca
openssl req -new -x509 -days 36500 -extensions v3_ca -keyout ca.key -out ca.crt
创建证书
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 36500
CRL创建
openssl ca -revoke devcacrl/mqtt-br1.neverland.com.crt -keyfile devcacrl/signing-ca.key -cert devcacrl/signing-ca.crt -config etc/signing-ca.conf,吊销证书
openssl ca -gencrl -config etc/root-ca.conf -out rootca.crl -passin pass:flatwave239 -keyfile root-ca/private/root-ca.key -cert root-ca/01.pem,创建CRL
证书如果吊销之后不能撤回,但在测试环境下,可以刪除已有的database,然后生成空的database
-crldays,CRL有效期
编程实现CRL
X509_STORE *pCaCertStore = SSL_CTX_get_cert_store(net->ctx);
X509_STORE_set_flags(pCaCertStore, X509_V_FLAG_CRL_CHECK);
X509_V_FLAG_CRL_CHECK:只检查对端的叶子节点证书的序列号是否存在于CRL中
X509_V_FLAG_CRL_CHECK_ALL:不仅检查叶子节点还检查对面的trust chain
一旦开启CRL检查,X509_STORE 必须能成功加载对端CA发布的CRL,如果X509_V_FLAG_CRL_CHECK_ALL,则必须包含中间CA的CRL
PKCS11与Openssl
私钥存于加密芯片中时,芯片厂商会提供相应的接口供上层使用,为了屏蔽不同芯片厂商给上层带来的影响,PKCS11应运而生。
openssl pkcs11 engine:https://github.com/OpenSC/libp11
MicrochipTech/cryptoauthlib:https://github.com/MicrochipTech/cryptoauthlib
SoftHSMv2: https://github.com/opendnssec/SoftHSMv2,实现了PKCS11接口的一个模拟芯片。
Openssl 与engine
[ openssl_def ]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/pkcs11.so
MODULE_PATH = /usr/lib/libcryptoauth.so
编程实现从Engine(PKCS11 Engine)中加载private key
//load engine entity by engine_id
ENGINE *engine = ENGINE_by_id(engine_id);
//get chip token
char* cmd="p11tool --list-token-urls"
char result[400]={0};
ExecuteCMD(cmd, result);
//opts->engine:engine entity,opts->key_id:chip token
EVP_PKEY* pkey = ENGINE_load_private_key(opts->engine, opts->key_id, NULL,NULL);
Log(TRACE_MIN, -1, "ENGINE_load_private_key done ");
rc=SSL_CTX_use_PrivateKey(net->ctx, pkey);
查看信息
openssl x509 -in cert.pem -noout -text,查看证书信息,默认pem
openssl x509 -in cert.pem -inform der -noout -text ,查看证书信息,der格式
openssl x509 -pubkey -noout -in ca.crt ,查看证书公钥
openssl req -text -noout -in server.csr,查看csr信息
调试
openssl s_server -key server.key -cert server.crt -accept 4333 -Verify 1 -CAfile ca.crt,开启mutual authenication ,若只是server authenication, 去掉-Verify
penssl s_client -connect 192.168.1.100:4333 -CAfile /usr/cert/mqtttls/ca.crt -cert /usr/cert/mqtttls/client.crt -key /usr/cert/mqtttls/client.key
-CAfile , file path of server trust chain,-CApath, directory contains server trust chain,run "openssl rehash" for CApath
pkcs11 engine client:
openssl s_client -connect 192.168.1.100:4333 -engine pkcs11 -keyform engine -key "pkcs11:model=ATECC508A;manufacturer=Microchip%20Technology%20Inc;serial=236253CF11C0BBAD;token=00ABC" -cert /usr/cert/mqtttls/client.crt -CApath /usr/cert/CertMngr/TrustedCAs/OpensslCertificates
检查证书与Private key是否match
openssl x509 –noout –modulus –in <file>.crt | openssl md5
openssl rsa –noout –modulus –in <file>.key | openssl md5