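The conclusion that a communication is secure ultimately rests on the premise that the CA and the certificates it issues are trustworthy; the security of the whole exchange depends on the CA as its root. This article covers the CA and some related concepts.
Much of the information in this article comes from the Linux video tutorials by the expert 馬哥.
X509, in short, and this is my personal understanding: it is the metadata of a certificate, that is, the standard that specifies the certificate format.
Most of the certificate formats we commonly see are based on the X509 standard.
The following information comes from Baidu Baike:
All X.509 certificates contain the following data: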
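- X.509 version number: indicates which version of the X.509 standard the certificate uses; the version affects some of the specific information in the certificate. The current version is 3.
- Certificate holder's public key: includes the holder's public key, an identifier of the algorithm (indicating which cryptosystem the key belongs to) and other related key parameters.
- Certificate serial number: a unique numeric identifier that the CA assigns to each certificate. When a certificate is revoked, its serial number is placed in the CRL (Certificate Revocation List) signed and issued by the CA. This is why the serial number has to be unique.
- Subject information: the unique identifier of the certificate holder (the DN, distinguished name); this name should be unique on the Internet. A DN consists of many parts and looks like this:

Let's first look at these two diagrams from Baidu, the OSI seven-layer model and the four-layer model: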
Some of the protocols we commonly use, such as http, smtp, telnet and ftp, do not support encrypting data in transit by default.

2.2 Common openSSL commands
```
# Show the openssl package installed on this machine
[root@h1 ~]# rpm -q openssl
openssl-1.0.1e-48.el6_8.3.x86_64

# Benchmark this machine on the common cryptographic algorithms
[root@VM_15_242_centos ~]# openssl speed
Doing md2 for 3s on 16 size blocks: 388053 md2's in 2.99s
………………………………………………

# Benchmark this machine on one specific algorithm
[root@h1 ~]# openssl speed md5
Doing md5 for 3s on 16 size blocks: 9085406 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 6577474 md5's in 2.99s
Doing md5 for 3s on 256 size blocks: 3690426 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1305693 md5's in 2.99s
Doing md5 for 3s on 8192 size blocks: 186074 md5's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
…………………………………………………………………………………………
```
```
# Encrypt a file
openssl enc -des3 -salt -a -in /etc/passwd -out /root/passwd.enc
# -des3: encrypt with 3DES
# -salt: add a salt
# -a:    base64-encode the result
# -in:   input file
# -out:  where to write the encrypted result
```
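```
# Decrypt a file
openssl enc -des3 -d -salt -a -in /root/passwd.enc -out /root/passwd.plaintext
# -des3: the cipher used for encryption (3DES)
# -d:    decrypt
# -salt: add a salt
# -a:    the input is base64-encoded
# -in:   input file
# -out:  where to write the decrypted result
```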
```
[root@h1 ~]# openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= cda7fc123305e443155760afa8789b8e757d819a
[root@h1 ~]# openssl dgst -md5 /etc/passwd
MD5(/etc/passwd)= eaa520eb398cfedf2bdd7d785e5dcd78

# The results are identical to those of the following commands
[root@h1 ~]# md5sum /etc/passwd
eaa520eb398cfedf2bdd7d785e5dcd78 /etc/passwd
[root@h1 ~]# sha1sum /etc/passwd
cda7fc123305e443155760afa8789b8e757d819a /etc/passwd
```
```
# Similar to the passwd command
[root@h1 ~]# openssl passwd -1
Password:
Verifying - Password:
$1$THXDghVa$jF7Ds7zDQpaIDbUEFZZMF1
```
```
# Run "man sslrand" to view the help
[root@h1 ~]# openssl rand -base64 22
UESrys2wxAQKBa2ofpcxC06/37Q+vg==
[root@h1 ~]# openssl rand -hex 22
87eda2a48cbc437578b41d5ec1ddc3e42fdf5a7bc9be
```
```
# Generate a 1024-bit RSA private key and save it to the file server.pri.1024
[root@h1 ~]# openssl genrsa 1024 > server.pri.1024
Generating RSA private key, 1024 bit long modulus
.................................................++++++
........++++++
e is 65537 (0x10001)

# Or run the following in a subshell so that the file is created with mode 600
(umask 077;openssl genrsa -out server.pri.1024 1024)

# The public key can be extracted and viewed with
openssl rsa -in server.pri.1024 -pubout
```
```
# Create a new certificate in X.509 format, save it to server.crt, valid for 365 days
[root@h1 ~]# openssl req -new -x509 -key ./server.pri.1024 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Country code: CN
Country Name (2 letter code) [XX]:CN
# Province
State or Province Name (full name) []:ShangHai
# City
Locality Name (eg, city) [Default City]:ShangHai
# Organization name
Organization Name (eg, company) [Default Company Ltd]:KKBC
# Department
Organizational Unit Name (eg, section) []:develop
# Host name
Common Name (eg, your name or your server's hostname) []:h1.hylexus.tech
# E-mail
Email Address []:[email protected]
[root@h1 ~]#
```
View the certificate information
```
[root@h1 ~]# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17011964780701293735 (0xec16a3d5b5281ca7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=KKBC, OU=develop, CN=h1.hylexus.tech/[email protected]
        Validity
            Not Before: Nov 6 14:04:42 2016 GMT
            Not After : Nov 6 14:04:42 2017 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=KKBC, OU=develop, CN=h1.hylexus.tech/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:8e:f4:e9:21:06:4a:8a:23:7c:15:6f:70:cb:
                    b2:df:d3:f8:21:2e:0d:c1:ff:16:b7:ed:c3:a7:8f:
                    4b:ef:b6:75:da:df:0d:4a:2b:b0:26:cb:7e:a3:16:
                    d3:da:15:67:a5:21:74:ac:ec:cd:e8:c7:cc:aa:b9:
                    78:d1:fe:2f:11:e3:f7:72:fb:cd:08:8a:ae:57:53:
                    c0:a0:61:b9:e4:bd:e2:25:43:03:b3:ef:e4:eb:36:
                    fc:7a:ce:4f:a8:d7:3e:bd:ec:36:39:b1:bd:15:ee:
                    dc:92:00:7b:71:a4:b9:fe:7f:be:f3:de:c4:43:bc:
                    d1:52:d9:1b:e5:a6:74:0c:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                57:34:FC:F4:1B:52:B1:CA:C3:70:3B:79:1E:6B:BE:49:53:07:CA:3D
            X509v3 Authority Key Identifier:
                keyid:57:34:FC:F4:1B:52:B1:CA:C3:70:3B:79:1E:6B:BE:49:53:07:CA:3D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         3b:96:2c:a1:be:ec:8a:68:fc:e2:69:a9:d3:83:24:02:1d:db:
         14:19:bc:c7:a9:2a:53:5a:7e:6f:76:1f:68:9b:a7:a2:9a:62:
         ce:bc:f5:12:a7:39:2b:7e:d5:ad:36:a7:76:4a:a2:c9:38:eb:
         b8:1f:60:71:ba:dd:f8:b7:2d:86:01:e9:37:74:e0:87:df:fa:
         fa:ab:e4:88:1a:58:85:08:ce:ac:2b:b0:0c:95:02:4d:66:42:
         01:f9:ee:b1:86:a2:2b:ec:b6:62:b5:9d:94:a1:19:5b:96:0f:
         93:e4:cf:3f:ab:d7:59:85:e5:c7:43:0a:3b:f6:20:2f:f9:fb:
         da:1e
-----BEGIN CERTIFICATE-----
MIIC7DCCAlWgAwIBAgIJAOwWo9W1KBynMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJDTjERMA8GA1UECAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMQ0w
CwYDVQQKDARLS0JDMRAwDgYDVQQLDAdkZXZlbG9wMRgwFgYDVQQDDA9oMS5oeWxl
eHVzLnRlY2gxHjAcBgkqhkiG9w0BCQEWD2h5bGV4dXNAMTYzLmNvbTAeFw0xNjEx
MDYxNDA0NDJaFw0xNzExMDYxNDA0NDJaMIGOMQswCQYDVQQGEwJDTjERMA8GA1UE
CAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMQ0wCwYDVQQKDARLS0JDMRAw
DgYDVQQLDAdkZXZlbG9wMRgwFgYDVQQDDA9oMS5oeWxleHVzLnRlY2gxHjAcBgkq
hkiG9w0BCQEWD2h5bGV4dXNAMTYzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAwo706SEGSoojfBVvcMuy39P4IS4Nwf8Wt+3Dp49L77Z12t8NSiuwJst+
oxbT2hVnpSF0rOzN6MfMqrl40f4vEeP3cvvNCIquV1PAoGG55L3iJUMDs+/k6zb8
es5PqNc+vew2ObG9Fe7ckgB7caS5/n++897EQ7zRUtkb5aZ0DAcCAwEAAaNQME4w
HQYDVR0OBBYEFFc0/PQbUrHKw3A7eR5rvklTB8o9MB8GA1UdIwQYMBaAFFc0/PQb
UrHKw3A7eR5rvklTB8o9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
O5Ysob7simj84mmp04MkAh3bFBm8x6kqU1p+b3YfaJunoppizrz1Eqc5K37VrTan
dkqiyTjruB9gcbrd+LcthgHpN3Tgh9/6+qvkiBpYhQjOrCuwDJUCTWZCAfnusYai
K+y2YrWdlKEZW5YPk+TPP6vXWYXlx0MKO/YgL/n72h4=
-----END CERTIFICATE-----
```
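The certificate printed above carries a 1024-bit RSA key and a sha1WithRSAEncryption signature, both of which are now considered too weak for production certificates. The following added example (not part of the original article) reads those same fields from `openssl x509 -text` and reports them; `audit_cert`, `make_sample`, the 2048-bit and 30-day thresholds and the sample certificate are assumptions made for this illustration.

```bash
# Added example: audit_cert, make_sample and all file names are constructed here.
set -eu
cd "$(mktemp -d)"
make_sample() {  # $1 = RSA bits, $2 = days valid, $3 = output PEM (throwaway self-signed cert)
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > sample.cnf
  openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -config sample.cnf \
    -subj "/CN=sample.example.test" -days "$2" -keyout "$3.key" -out "$3" 2>/dev/null
}
audit_cert() {   # $1 = PEM certificate; prints one finding per line, nothing when clean
  txt=$(openssl x509 -in "$1" -noout -text)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  alg=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case "$txt" in
    *"Public Key Algorithm: rsaEncryption"*)
      [ "$bits" -ge 2048 ] || echo "weak-key: RSA $bits bit" ;;
  esac
  case "$alg" in
    md5*|sha1*) echo "weak-signature: $alg" ;;
  esac
  # -checkend exits non-zero when the certificate expires within the given seconds
  openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null ||
    echo "expires-soon: less than 30 days left"
}
make_sample 1024 10 weak.pem && audit_cert weak.pem
```

Run against the `server.crt` created above, `audit_cert server.crt` would report both the key size and the SHA-1 signature.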
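HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is the secure version of HTTP, built on top of SSL/TLS.
The following comparison comes from Baidu Baike:
- The https protocol requires applying to a CA for a certificate; free certificates are generally rare, so a fee has to be paid.
- http is the hypertext transfer protocol and transmits information in plaintext, whereas https is a secure protocol that transmits over SSL encryption.
- http and https use completely different connection methods and different ports: the former uses 80, the latter 443.
- An http connection is simple and stateless; the HTTPS protocol is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and is more secure than http.

Since it is secure, it naturally has to encrypt the data it transmits.
How is the transmission encrypted?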
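Asymmetric encryption is too expensive, so the approach HTTPS uses is roughly similar to the [second secure communication method](http://blog.csdn.net/hylexus/article/details/53048305#72-方式二) described in the previous article.
The client and the server need to negotiate the symmetric encryption algorithm and related parameters used for the communication. This is generally not implemented on top of IKE.
First review, and modify as needed, the file /etc/pki/tls/openssl.cnf, which contains the following configuration items: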
```
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
```
For convenience, cd straight into the /etc/pki/CA directory for the following steps.
```
[root@h1 CA]# pwd
/etc/pki/CA
# Note: the output path here must match the configuration in /etc/pki/tls/openssl.cnf
[root@h1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@h1 CA]#
```
Note that the certificate created here is the CA's own certificate.
```
[root@h1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Default Company Ltd]:KKBC
Organizational Unit Name (eg, section) [dev]:
Common Name (eg, your name or your server's hostname) []:h1.hylexus.tech
Email Address []:[email protected]
[root@h1 CA]#
```
```
# At this point the directory looks roughly like this; the details must match /etc/pki/tls/openssl.cnf
[root@h1 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

# Create the database index file.
[root@h1 CA]# touch index.txt
# The current serial number
[root@h1 CA]# echo 01 > serial

# The final directory structure looks roughly like this; the details must match /etc/pki/tls/openssl.cnf
[root@h1 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
```
Here I work in the /etc/nginx/ssl directory; this is only an example:
Generate the private key (the application's own private key; do not confuse it with the CA's private key above)
```
[root@h1 ssl]# cd /etc/nginx/
[root@h1 nginx]# mkdir ssl ; cd ssl
[root@h1 ssl]# pwd
/etc/nginx/ssl
# Generate the private key
[root@h1 ssl]# (umask 077;openssl genrsa -out nginx.key)
Generating RSA private key, 1024 bit long modulus
.......................++++++
................++++++
e is 65537 (0x10001)
```
Generate the certificate signing request
```
# csr == Certificate Signing Request
[root@h1 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Default Company Ltd]:KKBC
Organizational Unit Name (eg, section) [dev]:
Common Name (eg, your name or your server's hostname) []:h2.hylexus.tech
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Send the certificate signing request to the CA and have the CA sign it (CA signature and certification)
Here the CA and the application are on the same host, so the command can be run directly
```
[root@h1 ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 6 23:22:02 2016 GMT
            Not After : Nov 4 23:22:02 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = KKBC
            organizationalUnitName    = dev
            commonName                = h2.hylexus.tech
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                06:E2:32:E3:46:07:3B:E4:39:0B:44:8D:E2:60:F4:FC:CB:C3:17:81
            X509v3 Authority Key Identifier:
                keyid:D8:E5:FB:17:23:6D:A6:ED:FB:D1:D6:82:B5:97:FF:2D:E8:05:E0:67

Certificate is to be certified until Nov 4 23:22:02 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
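Added example, not part of the original article: the CA workflow above run non-interactively in a scratch directory, followed by the checks worth making after issuance (the certificate chains to the CA and matches the intended private key) and by revocation, where the serial number ends up in the CRL as the X.509 field list describes. The function names, `h2.example.test`, the trimmed `ca.cnf` and the use of `-subj`/`-batch` are choices made here, and the script assumes OpenSSL 1.1.0 or later.

```bash
set -eu
cd "$(mktemp -d)"   # added example: disposable CA, every name and path is constructed
init_ca() {   # same moving parts as [ CA_default ]: index.txt, serial, newcerts/
  mkdir -p newcerts private
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
  openssl req -new -x509 -config ca.cnf -key private/cakey.pem -subj "/CN=Demo Root CA" -days 30 -out cacert.pem
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
issue() {     # $1 = host name: private key, CSR, then the CA's signature
  (umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null)
  openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
key_matches() {  # cert $1 carries the public half of private key $2
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$2.key" -pubout)" ]
}
chain_ok() {  # signed by our CA and serial not on the current CRL
  openssl verify -CAfile cacert.pem -CRLfile crl.pem -crl_check "$1.crt" >/dev/null 2>&1
}
revoke() {    # marks the serial R in index.txt, then publishes a fresh CRL
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
init_ca; issue h2.example.test
chain_ok h2.example.test && echo valid; revoke h2.example.test; chain_ok h2.example.test || echo revoked
```

Clients only notice the revocation if they are given the new `crl.pem` and check it, which is why `chain_ok` passes `-crl_check`.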