PKI (Public Key Infrastructure)
作用
- 通过加密技术和数字签名保证信息的安全
组成
- 公钥加密技术-数字证书,CA、RA
信息安全的三要素/四要素
- 机密性
- 完整性
- 身份验证/操作的不可否认性
哪些IT领域用到了PKI
- SSL/HTTPS
- IPsecVPN
- 部分远程访问VPN
公钥加密技术
- 作用
- 实现对信息的加密,数字签名的安全保障
- 加密算法
- 对称加密算法
- 加解密的密钥一致
- DES、3DES、AES
- 缺点
- 对称密钥容易在协商过程中丢失、被窃听
- 非对称加密算法
- 通信双方各自产生一对公钥
- 双方各自交换公钥
- 公钥和私钥互为加解密关系
- 公私角不可互相逆推
- RSA、DH
- 总结
- 使用对方的公钥加密完成机密性
- 使用hash算法完成对数据的完整性(摘要)
- 使用自己的私钥对摘要加密完成身份验证(数字签名)
- 对称加密算法
证书
-
证书是用来保证公钥的合法性的
-
证书格式遵循X.509标准
-
数字证书包含的信息
- 使用者的公钥
- 使用者的标识信息
- 有效日期
- 颁发者标识信息
- 颁发者的数字签名
-
数字证书由权威公正的第三方机构即CA签发
- CA是证书颁发机构
-
生成自签名证书(openssl)
[root@orcale ca]# openssl genrsa -des3 -out ca.key 2048 #生成私钥 Generating RSA private key, 2048 bit long modulus ...................+++ ...........................................+++ e is 65537 (0x10001) Enter pass phrase for ca.key: #输入密码 Verifying - Enter pass phrase for ca.key: #确认密码 [root@orcale ca]# openssl req -x509 -key ca.key -out ca.crt -days 365 #生成自签名证书(CA根证书),包含公钥等信息 Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:chn string is too long, it needs to be less than 2 bytes long Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:yn Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: [root@orcale ca]# ll 总用量 8 -rw-r--r-- 1 root root 1253 10月 20 14:04 ca.crt -rw-r--r-- 1 root root 1751 10月 20 13:58 ca.key [root@orcale ca]# openssl x509 -in ca.crt -text -noout #查看证书的信息 Certificate: Data: Version: 3 (0x2) Serial Number: f9:60:e5:98:f4:d3:ef:4e Signature Algorithm: sha256WithRSAEncryption Issuer: C=cn, ST=yn, L=Default City, O=Default Company Ltd Validity Not Before: Oct 20 06:04:53 2022 GMT Not After : Oct 20 06:04:53 2023 GMT Subject: C=cn, ST=yn, L=Default City, O=Default Company Ltd Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ...... [root@orcale mykey]# openssl genrsa -out my.com.key 2048 #生成私钥 Generating RSA private key, 2048 bit long modulus ...............................................................................................................................................................................................+++ ............................................................................+++ e is 65537 (0x10001) [root@orcale mykey]# openssl genrsa -out my.com.key 2048 Generating RSA private key, 2048 bit long modulus ...............................................................................................................................................................................................+++ ............................................................................+++ e is 65537 (0x10001) [root@orcale mykey]# openssl req -new -key my.com.key -out my.com.csr #生成证书请求文件(包含公钥) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:yn Locality Name (eg, city) [Default City]:km Organization Name (eg, company) [Default Company Ltd]:brbg Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server's hostname) []:my.com Email Address []:xx@xx Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@orcale mykey]# openssl req -text -noout -verify -in my.com.csr #查看证书请求文件内容 verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=cn, ST=yn, L=km, O=brbg, OU=it, CN=my.com/emailAddress=xx@xx Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: [root@orcale mykey]# openssl x509 -req -in my.com.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -set_serial 01 -out my.com.crt -days 365 #根据证书请求文件向CA根证书申请证书 Signature ok subject=/C=cn/ST=yn/L=km/O=brbg/OU=it/CN=my.com/emailAddress=xx@xx Getting CA Private Key Enter pass phrase for ../ca/ca.key: [root@orcale mykey]# ll 总用量 12 -rw-r--r-- 1 root root 1164 10月 20 14:34 my.com.crt -rw-r--r-- 1 root root 1009 10月 20 14:25 my.com.csr -rw-r--r-- 1 root root 1675 10月 20 14:23 my.com.key [root@orcale mykey]# [root@orcale mykey]# openssl x509 -in my.com.crt -text -noout #查看证书相关信息 Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=cn, ST=yn, L=Default City, O=Default Company Ltd Validity Not Before: Oct 20 06:34:24 2022 GMT Not After : Oct 20 06:34:24 2023 GMT Subject: C=cn, ST=yn, L=km, O=brbg, OU=it, CN=my.com/emailAddress=xx@xx Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: