SSL certificate: a kind of digital certificate, comparable to an electronic copy of a driver's license, passport or business license. Because it is deployed on a server, it is also called an SSL server certificate.
SSL is also a transport-security protocol.
OpenSSL is a piece of software developed on the basis of the SSL protocol.
It is installed by default on Linux systems.
Basic functions:
asymmetric encryption
openssl
Configuration file:
/etc/pki/tls/openssl.cnf
dir=/etc/pki/CA <<< the CA's working directory
certs=$dir/certs <<< location of the revoked-certificate store
crl_dir=$dir/crl <<< certificate revocation lists
database=$dir/index.txt <<< index file of the certificates already issued (does not exist by default; you must create it yourself)
new_certs_dir=$dir/newcerts <<< where newly signed certificates are saved
certificate=$dir/cacert.pem <<< file name of the CA's own certificate
serial = $dir/serial <<< records the next certificate serial number; it can start at 1 (does not exist by default, must not be empty, so write a number into it by hand)
crlnumber = $dir/crlnumber <<< serial number of the revocation list
crl = $dir/crl.pem <<< list of revoked certificates
private_key = $dir/private/cakey.pem <<< location of the CA's own private key
RANDFILE = $dir/private/.rand <<< location of the random-number file
x509_extensions = usr_cert <<< extensions section applied to issued certificates
Creating the CA
1. Create the files that do not exist yet
index.txt
serial
2. Create a certificate for yourself (the CA)
Implementation steps
1. Create the missing files
[root@ ~]# touch /etc/pki/CA/index.txt
[root@ ~]# echo "01" > /etc/pki/CA/serial
[root@ ~]# cat /etc/pki/CA/serial
01
2. Create the CA's certificate
(1) Generate the CA's private key file
[root@ ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024 <<< the larger the number, the stronger the key, but the more system resources it consumes
Generating RSA private key, 1024 bit long modulus
.......++++++
....++++++
e is 65537 (0x10001)
(2) Extract the public key from the private key file and make the certificate
-new: request a new certificate
-x509: output a self-signed X.509 certificate instead of a request; this is the option used when creating the CA's own certificate
-key: specify the private key file
-days: specify the certificate's validity period
[root@ ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 360 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <<< country name, two letters only
State or Province Name (full name) []:henan <<< province
Locality Name (eg, city) [Default City]:zhengzhou <<< city
Organization Name (eg, company) [Default Company Ltd]:baidu <<< organization (company) name
Organizational Unit Name (eg, section) []:nuomi <<< organizational unit name
Common Name (eg, your name or your server's hostname) []:www.baidu.com <<< the company's website domain name (must be correct, otherwise the certificate is invalid)
Email Address []:123456789@126.com <<< e-mail address
Procedure for making and issuing certificates for other hosts
1. The client generates a certificate request file
2. The client sends the certificate request file to the CA to request a certificate
3. The CA checks whether the information in the request file is genuine; if it is, it makes the certificate and issues it to the client
Implementation steps (issuing a certificate to Apache as the example; server side 10.220.5.67, client side 10.220.5.63)
1. Create a directory for Apache's key material (to hold the private key, the public key and the issued certificate)
(1) Generate the client's private key
[root@apache ~]# mkdir /etc/httpd/ssl
[root@apache ~]# openssl genrsa -out /etc/httpd/ssl/httpd.key 1024
Generating RSA private key, 1024 bit long modulus
........................................................++++++
........................................++++++
e is 65537 (0x10001)
(2) Generate the request file
[root@apache ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.req
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:baidu
Organizational Unit Name (eg, section) []:nuomi
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:123456789@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <<< a password to protect the generated request; skipped here
An optional company name []:
(3) Check the generated files
[root@apache ~]# ls /etc/httpd/ssl/
httpd.key  httpd.req <<< this is the generated request file
(4) Send the request file to the server side
[root@apache ~]# scp /etc/httpd/ssl/httpd.req root@10.220.5.67:/tmp
The authenticity of host '10.220.5.67 (10.220.5.67)' can't be established.
ECDSA key fingerprint is SHA256:Fi2Rlnl2uce8/7OiRG1JReD158iHVydpZ+bW+IgoutY.
ECDSA key fingerprint is MD5:d0:96:1f:a9:83:fc:0a:bf:1f:20:1b:ec:4d:79:6e:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.220.5.67' (ECDSA) to the list of known hosts.
root@10.220.5.67's password:
httpd.req 100% 700 321.8KB/s 00:00
2. The server side checks that the information in the request file is genuine (run on the server side)
[root@e ~]# openssl ca -in /tmp/httpd.req -out /tmp/httpd.crt -days 7000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  3 16:53:28 2018 GMT
            Not After : Jan  2 16:53:28 2038 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = baidu
            organizationalUnitName    = nuomi
            commonName                = www.baidu.com
            emailAddress              = 123456789@126.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                90:DA:6B:61:2B:D1:3D:AD:10:45:47:15:6D:9D:A6:B0:AB:7B:80:39
            X509v3 Authority Key Identifier:
                keyid:50:EF:77:9C:65:CD:D1:42:C2:FC:9E:C4:09:82:16:9C:BB:41:0C:18
Certificate is to be certified until Jan  2 16:53:28 2038 GMT (7000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3. Send the generated certificate to the client
[root@ ~]# scp /tmp/httpd.crt root@10.220.5.63:/etc/httpd/ssl
httpd.crt 100% 3233 1.1MB/s 00:00
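As an added example that is not part of the original notes, covering both the CA-creation steps and the issuing procedure above: a throwaway CA is built in a temporary directory, a CSR is signed with openssl ca without any interactive prompts (-subj and -batch), and the checks a CA operator would run before and after signing (CSR signature, issued CN, chain verification) are made into functions. The temp directory, the minimal config, the 2048-bit key size and the host name www.example.test are assumptions of this example, not values from the notes.

```shell
# Added example (not from the original notes): throwaway CA in a temp dir, a CSR
# signed with `openssl ca`, then verification. All paths/names are assumptions.
set -eu; CADIR=$(mktemp -d); CONF="$CADIR/openssl.cnf"
# Minimal config with the directives the notes annotate; \$dir is resolved by openssl.
cat > "$CONF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $CADIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_cn
x509_extensions = usr_cert
[ policy_cn ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {   # "Creating the CA" steps 1-2, non-interactive thanks to -subj
  mkdir -p "$CADIR/private" "$CADIR/newcerts"
  touch "$CADIR/index.txt"      # must exist; empty is fine
  echo 01 > "$CADIR/serial"     # must exist and must not be empty
  openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null   # 1024-bit RSA is too weak today
  openssl req -new -x509 -batch -config "$CONF" -key "$CADIR/private/cakey.pem" \
    -days 360 -subj "/CN=Demo Root CA" -out "$CADIR/cacert.pem"
}
issue_cert() {   # client makes key + CSR; CA checks the CSR signature, then signs
  openssl genrsa -out "$CADIR/httpd.key" 2048 2>/dev/null
  openssl req -new -batch -config "$CONF" -key "$CADIR/httpd.key" \
    -subj "/CN=$1" -out "$CADIR/httpd.req"
  openssl req -noout -verify -in "$CADIR/httpd.req" 2>/dev/null
  openssl ca -batch -notext -config "$CONF" -in "$CADIR/httpd.req" \
    -days 365 -out "$CADIR/httpd.crt" 2>/dev/null
}
issued_cn() {    # CN recorded in the signed certificate
  openssl x509 -noout -subject -nameopt sep_multiline -in "$CADIR/httpd.crt" | sed -n 's/^ *CN *= *//p'
}
verify_chain() { # prints OK only if httpd.crt chains to cacert.pem
  openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/httpd.crt" >/dev/null 2>&1 && echo OK
}
```

Run make_ca and then issue_cert with a host name; afterwards the serial file reads 02 and index.txt carries a V (valid) line for the new certificate, which is what the database and serial directives in the notes track.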