文章目录
创建CA
进入OPENSSLDIR
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
$ cd /etc/pki/tls
$ ll
total 12
lrwxrwxrwx 1 root root 49 Dec 30 2016 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
drwxr-xr-x 2 root root 117 Apr 22 2019 certs
drwxr-xr-x 2 root root 74 Apr 22 2019 misc
-rw-r--r-- 1 root root 10923 May 17 2017 openssl.cnf
drwxr-xr-x 2 root root 6 Sep 19 2017 private
$ cd misc/
$ ll
total 24
-rwxr-xr-x 1 root root 5178 Sep 19 2017 CA
-rwxr-xr-x 1 root root 119 Sep 19 2017 c_hash
-rwxr-xr-x 1 root root 152 Sep 19 2017 c_info
-rwxr-xr-x 1 root root 112 Sep 19 2017 c_issuer
-rwxr-xr-x 1 root root 110 Sep 19 2017 c_name
新建CA
执行./CA -newca
,具体示范输入内容请见右侧注释:
$ ./CA -newca
CA certificate filename (or enter to create) # 这里直接回车即可
Making CA certificate ...
Generating a 2048 bit RSA private key
.................................................
..............+++
..................+++
writing new private key to '/etc/pki/CA/private/./ca key.pem'
Enter PEM pass phrase: # 输入密码,例如1234
Verifying - Enter PEM pass phrase: # 重新输入1234
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Dist inguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU # AU
State or Province Name (full name) []:Some-State # Some-State
Locality Name (eg, city) [Default City]: # 回车
Organization Name (eg, company) [Default Company Ltd]:Internet Widgits Pty Ltd # Internet Widgits Pty Ltd
Organizational Unit Name (eg, section) []: # 回车
Common Name (eg, your name or your server's hostname) []:CA # CA
Email Address []: # 回车
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 回车
An optional company name []: # 回车
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: # 1234
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bc:3a:03:87:ac:bc:1d:71
Validity
Not Before: Apr 1 15:19:36 2020 GMT
Not After : Apr 1 15:19:36 2023 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Wid gits Pty Ltd
commonName = CA
X509v3 extensions:
X509v3 Subject Key Identifier:
E7:65:6B:F4:FE:63:97:38:11:04:2A:6D: 76:08:4D:81:55:20:0D:6B
X509v3 Authority Key Identifier:
keyid:E7:65:6B:F4:FE:63:97:38:11:04: 2A:6D:76:08:4D:81:55:20:0D:6B
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Apr 1 15:19:36 2023 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA创建完毕,存放在:/etc/pki/CA。如果想重新创建,需要删除/etc/pki/CA。
$ cd /etc/pki/CA
$ ll
total 14
-rw------- 1 root root 4315 Apr 1 23:19 cacert.pem
-rw------- 1 root root 1005 Apr 1 23:19 careq.pem
drwx------ 2 root root 6 Apr 1 23:18 certs
drwx------ 2 root root 6 Apr 1 23:18 crl
-rw------- 1 root root 392 Apr 2 16:22 index.txt
drwx------ 2 root root 118 Apr 2 16:22 newcerts
drwx------ 2 root root 23 Apr 1 23:18 private
-rw------- 1 root root 17 Apr 2 16:22 serial
创建CA认证的服务器证书
创建未经CA认证的服务器证书与服务器CA认证请求文件
输入类似,Common Name要输入(SNI会用到),比如BUPT。
$ openssl req -newkey rsa:1024 -out req2.pem -keyout sslserverkey.pem
Generating a 1024 bit RSA private key
..........++++++
...++++++
writing new private key to 'sslserverkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Some-State
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Internet Widgits Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:BUPT
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA对服务器的CA认证请求文件进行认证生成sslservercert.pem
# openssl ca -in req2.pem -out sslservercert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: # 输入1234
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bc:3a:03:87:ac:bc:1d:72
Validity
Not Before: Apr 1 15:27:04 2020 GMT
Not After : Apr 1 15:27:04 2021 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = BUPT
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AD:62:A1:74:00:86:72:D4:24:03:3E:F1:9D:51:90:7B:11:43:01:00
X509v3 Authority Key Identifier:
keyid:E7:65:6B:F4:FE:63:97:38:11:04:2A:6D:76:08:4D:81:55:20:0D:6B
Certificate is to be certified until Apr 1 15:27:04 2021 GMT (365 days)
Sign the certificate? [y/n]:y # 输入y
1 out of 1 certificate requests certified, commit? [y/n]y # y
Write out database with 1 new entries
Data Base Updated
到此,服务器需要的证书都已经具备了。
生成CA认证的客户端证书
创建未经CA认证的客户端证书与客户端CA认证请求文件
Common Name可以输入BUPT-Client。
$ openssl req -newkey rsa:1024 -out req1.pem -keyout sslclientkey.pem
Generating a 1024 bit RSA private key
.............++++++
...............................................................................++++++
writing new private key to 'sslclientkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:Some-State
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Internet Widgits Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:BUPT-Client
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA对客户端的CA认证请求文件进行认证生成sslclientcert.pem
$ openssl ca -in req1.pem -out sslclientcert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
bc:3a:03:87:ac:bc:1d:73
Validity
Not Before: Apr 1 15:30:46 2020 GMT
Not After : Apr 1 15:30:46 2021 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = BUPT-Client
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:04:72:D0:CC:A6:B7:4C:EA:01:53:C9:DB:E5:91:12:6B:D7:96:A7
X509v3 Authority Key Identifier:
keyid:E7:65:6B:F4:FE:63:97:38:11:04:2A:6D:76:08:4D:81:55:20:0D:6B
Certificate is to be certified until Apr 1 15:30:46 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
到此,客户端需要的证书都已经具备了。
客户端与服务器数据交互
启动服务器
$ openssl s_server -cert sslservercert.pem -key sslserverkey.pem -CAfile cacert.pem Enter pass phrase for sslserverkey.pem: # 输入1234
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDDkJlRJ7pZXxw0q5rzJZ+L+M+9vaGyadOyylrNuAqAr
fuKIeysuRwqgGN2vgmGv69yhBgIEXoS0caIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-A ES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH -RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA 256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAM ELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384: ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AE S256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AE S128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA: DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA- AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES12 8-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DH E-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GC M-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH -ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:E CDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH -RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH -RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA 256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256: DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:P-384:secp256k1
Shared Elliptic curves: P-256:P-521:P-384:secp256k1
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
完成后服务器处于监听状态。
使用客户端发起安全连接
新建一个终端,进入对应目录,发起安全连接。
$ openssl s_client -CAfile cacert.pem
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = BUPT
verify return:1
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIJALw6A4esvB1yMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQxCzAJBgNVBAMMAkNBMB4XDTIwMDQwMTE1MjcwNFoXDTIx
MDQwMTE1MjcwNFowVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEQlVQ
VDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtgnZu6ho9B4KeQTPKfw8KuZ7
SPiIpvN7bDQb7yEH8lXdcw0NB+VB/iZuT/cwwAWlXJNW0qokAxFn6lt8QMtubnUs
vRjY31Tg7cTmcxArwP8kBXF4M4GGXqR9wEI9hvbTJfuwqRB5vkNfvSjBH0hdzgp9
YM7mUbcFNt5W0z+0CzUCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0E
HxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFK1ioXQA
hnLUJAM+8Z1RkHsRQwEAMB8GA1UdIwQYMBaAFOdla/T+Y5c4EQQqbXYITYFVIA1r
MA0GCSqGSIb3DQEBCwUAA4IBAQA7631/iAO/poTvnkNzUKxW/WOQoo6AavZoEN1s
MlYpIKp2dzHB/b/TFBEC0PIK5EpRifSXS4t+v1IGVZecqYExsy4yX0U/jPXcQbmO
NYwrgFvMG3k0/5qBuZNuYw7KYLtAIstl+V8/LcRK3c76znrAb29stU6g5hEgmVUY
/k7K7JG8AprC5fU1pRaourhykbFCx7LxFyMzv2cwNoNkYmaU45SZGo8QBa0WWZuy
tAHWCflq2RqEaccFu1i3PSrkCaOUCXTbOvoM0pqjLgraU1gS/6bsseYd4aiOpfhz
b9pdF+0n3FU1LG7LoQphpDXCH/mergr8+J5MF1PdqbdIki53
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=BUPT
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2229 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 752478828F0D3861FF1542233342F49A0FC8B04776A40F400C614629E35D4CC5
Session-ID-ctx:
Master-Key: E4265449EE9657C70D2AE6BCC967E2FE33EF6F686C9A74ECB296B36E02A02B7EE2887B2B2E470AA018DDAF8261AFEB DC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - c6 ab 1d b0 bc 9f 85 09-c2 8e 6b 4b f3 ed 63 70 ..........kK..cp
0010 - be 56 ff 63 51 9e fb cb-a7 86 df 5c 4a 48 e2 ce .V.cQ......\JH..
0020 - 67 0a c5 39 a0 69 03 9a-16 93 c7 6b ed e0 d1 9b g..9.i.....k....
0030 - 0a 1c d3 7e 67 d9 1b 6c-85 be 49 67 af 83 50 57 ...~g..l..Ig..PW
0040 - 97 84 9d 18 27 5f 99 85-83 9f 5a 70 cd da b4 0a ....'_....Zp....
0050 - a9 49 10 25 7a 45 40 5e-d5 27 58 57 a8 10 b7 70 .I.%zE@^.'XW...p
0060 - fd 8e 95 cd 7e 87 fd 1d-e8 11 32 3d d0 c2 e8 1c ....~.....2=....
0070 - dc c2 5c 60 ed 78 07 4c-88 91 55 86 a2 45 bb 51 ..\`.x.L..U..E.Q
0080 - 3c 34 23 36 67 a7 4d 7b-6b d3 17 29 e7 2f 31 59 <4#6g.M{k..)./1Y
0090 - 34 fd f3 86 c3 80 90 90-ad 18 55 f0 17 ee 0b 56 4.........U....V
Start Time: 1585755249
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
之后,我们在服务器和客户端输入字符即可实现数据传送。