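  • CA, certificates and OpenSSL usage

    CA and certificates

    Abstract: When it comes to network security, you have surely heard of CAs. Well-known sites such as Baidu, Taobao and JD.com pay every year for CA-issued certificates. For simple CA-based authentication inside an enterprise, however, we can do it ourselves; today I will explain how to set up CA authentication locally within an enterprise.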

    PKI: Public Key Infrastructure

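    Certificate authority: CA (Certificate Authority)

    Registration authority: RA

    Certificate revocation list: CRL

    Certificate repository:

    X.509: defines the structure of certificates and the authentication protocol standard

    Version, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution point extension information, issuer signature, certificate

    Certificate types:

    Certificates of certificate authorities

    Server and user certificates

    Two ways to obtain a certificate:

    • Through a certificate authority: generate a certificate signing request (CSR), send the CSR to the CA, and the CA signs and issues the certificate

    • A self-signed certificate

    You sign your own public key yourself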

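    Security protocols

    SSL: Secure Socket Layer, TLS: Transport Layer Security

    1995: SSL 2.0 Netscape

    1996: SSL 3.0

    1999: TLS 1.0

    2006: TLS 1.1 IETF (Internet Engineering Task Force) RFC 4346

    2008: TLS 1.2, currently in use

    2015: TLS 1.3

    Functions: confidentiality, authentication, integrity, replay protection

    A two-phase protocol, divided into a handshake phase and an application phase

    Handshake phase (negotiation phase): the client and the server authenticate each other (this relies on the PKI, using digital certificates for identity authentication) and negotiate the security parameters, cipher suite and master key used for the communication. All keys used in subsequent communication are derived from the MasterSecret.

    Application phase: entered once the handshake phase has completed; in this phase the two parties communicate securely using the keys negotiated during the handshake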

     

    SSL/TLS

     

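    Handshake protocol: negotiates the security parameters and cipher suite, authenticates the server (client authentication is optional) and performs the key exchange

    ChangeCipherSpec protocol: a single message indicating that the handshake protocol has completed

    Alert protocol: reports abnormal conditions in the handshake protocol, at two levels, fatal and warning. A fatal error terminates the SSL connection immediately, while after a warning-level error the SSL connection can continue and only an error warning is given

    Record protocol: covers message fragmentation, compression, message authentication and integrity protection, and encryption

    HTTPS protocol: the combination of the "HTTP protocol" and the "SSL/TLS protocol", i.e. "HTTP over SSL" or "HTTP over TLS". The text data of the HTTP protocol is encrypted and then transmitted in binary form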

     

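    HTTPS structure

    How HTTPS works

    Base64 character representation:

    Demonstrating the result of the base64 algorithm:

    The base64 encoding of ab is YWI=

    The ASCII codes of ab are 78 79

    2^6 = 64, so the bits are split into groups of 6

    011000    010110    001000 (two 0s are appended at the end; the output uses = in their place)

    24        22        8

    Y         W         I=

    echo -n ab | base64    the base64 output for ab: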

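    OpenSSL usage in detail:

    OpenSSL is an open-source project made up mainly of the following three components:

    • openssl: a multi-purpose command-line tool

    • libcrypto: the cryptographic algorithm library

    • libssl: the library implementing SSL and TLS

    openssl can handle key and certificate management, symmetric encryption and asymmetric encryption.

    1. Symmetric encryption

    The standard command for symmetric encryption is enc, used as follows: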

    openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e] [-d] [-a/-base64]
           [-A] [-k password] [-kfile filename] [-K key] [-iv IV] [-S salt] [-salt] [-nosalt] [-z] [-md]
           [-p] [-P] [-bufsize number] [-nopad] [-debug] [-none] [-engine id]

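    Common options:

    -in filename: path of the file to encrypt
    
    -out filename: path where the encrypted file is written
    
    -salt: automatically insert a random value (salt) when encrypting the file contents; enabled by default
    
    -e: encrypt; a cipher can be specified, otherwise the default cipher is used
    
    -d: decrypt; a cipher can also be specified when decrypting, otherwise the default is used, but it must be the same cipher that was used to encrypt
    
    -a/-base64: use base64 encoding
    Example:
    Encrypt: ]# openssl enc -e -des3 -a -salt -in fstab -out fstab.bak
    Decrypt: ]# openssl enc -d -des3 -a -salt -in fstab.bak -out fstab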
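
    What -salt does and why decryption needs matching options, shown as an added example that is not part of the original post. The aes-256-cbc cipher, the -pbkdf2 key derivation (OpenSSL 1.1.1 or later), the passphrase file and the function names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. The cipher choice, file names and
# passphrase file are constructed; -pbkdf2 requires OpenSSL 1.1.1 or later.
enc_file() {  # $1 = passphrase file, $2 = plaintext in, $3 = base64 ciphertext out
  # -pass file: keeps the passphrase out of the process list and shell history
  openssl enc -e -aes-256-cbc -pbkdf2 -salt -a -pass "file:$1" -in "$2" -out "$3"
}
dec_file() {  # same cipher and KDF options as enc_file, otherwise decryption fails
  openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$1" -in "$2" -out "$3" 2>/dev/null
}
salt_magic() {  # first 8 decoded bytes: the "Salted__" marker that precedes the salt
  openssl base64 -d -in "$1" | head -c 8
}
```

    Encrypting the same file twice with the same passphrase gives two different ciphertexts because each run draws a fresh salt; salt_magic shows the marker that tells the decrypting side where to read it.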

    2. One-way encryption (message digests)

    The standard command for one-way encryption is dgst, used as follows:

    openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c] [-d] [-hex] [-binary]
           [-out filename] [-sign filename] [-keyform arg] [-passin arg] [-verify filename] [-prverify
           filename] [-signature filename] [-hmac key] [file...]

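    Common options:

    [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]: specify an algorithm

    -out filename: save the digest to the specified file

    Example:

    openssl dgst -md5 f1    equivalent to md5sum f1

    Besides openssl dgst, other one-way hashing tools are: md5sum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum

    Example:

    sha512sum fstab
    
    md5sum  fstab

    3. Generating passwords

    The standard command for generating passwords is passwd, used as follows: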

    openssl passwd [-crypt] [-1] [-apr1] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] {password}

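    Common options:

    -1: use the MD5-based algorithm

    -salt string: add a salt, at most 8 characters

    -in file: encrypt the contents of the input file

    -stdin: encrypt the contents of standard input

    Example: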

    openssl passwd -1 -in fstab -salt 11111

    4. Generating random numbers

    The standard command for generating random numbers is rand, used as follows:

    openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num

    Common options:

    -out file: save the generated random data to the specified file

    -base64: use base64 encoding

    -hex: use hexadecimal encoding

    Example:

    openssl rand -hex 10
    
    openssl rand -base64 10
    
    openssl rand -base64 10 -out bb

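    5. Generating a key pair

    First generate the private key with the standard command genrsa, then extract the public key from the private key with the standard command rsa.

    genrsa is used as follows: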

    openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]

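    Common options:

    -out filename: save the generated private key to the specified file

    -des|-des3|-idea: different encryption algorithms

    numbits: size of the generated private key; the default is 2048

    Permissions on key files must always be tightly controlled so that only the owner can read and write them. You can therefore use the umask command to set the permissions of the generated private key, for example:

    (umask 077;openssl genrsa -out test.key -des3 2048)  generate the private key file test.key, encrypted with des3
    
    make /data/test.key    or cd to /etc/pki/tls/certs and generate the private key there; that directory contains a Makefile that can generate the private key file automatically
    openssl rsa -in test.key -out test2.key.bak   decrypt the private key test.key and write it out to a file named test2.key.bak

    rsa is used as follows: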

    openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg]
           [-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]

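    Common options:

    -in filename: the private key file

    -out filename: the file in which to save the extracted public key

    -pubout: extract the public key from the private key

    Example: extract the public key from the private key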

    openssl rsa -in test.bak -pubout -out test.pubkey
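
    The key pair from this section put to use with the -sign and -verify options listed for dgst above, as an added example that is not part of the original post. File names and function names are assumptions; the private key is left unencrypted so the functions run without a prompt.

```shell
#!/bin/sh
# Added example, not from the original post. File names are constructed.
gen_keypair() {  # $1 = private key out, $2 = public key out
  # umask in a subshell: the key is created 0600 without changing the caller's umask
  (umask 077; openssl genrsa -out "$1" 2048) 2>/dev/null &&
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}
key_mode() {  # permission string of a file, e.g. -rw-------
  ls -l "$1" | cut -c1-10
}
sign_file() {  # $1 = private key, $2 = file, $3 = signature out
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {  # $1 = public key, $2 = file, $3 = signature; status 0 only if valid
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
```

    Only the holder of the private key can produce a signature that verify_file accepts, and any change to the signed file makes verification fail.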

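    Random number generators: pseudo-random numbers; keyboard and mouse, block-device interrupts

    /dev/random: returns random numbers only from the entropy pool; blocks when the pool is exhausted

    /dev/urandom: returns random numbers from the entropy pool; when the pool is exhausted, it generates pseudo-random numbers in software and does not block

    Example:

    tr -dc 'a-zA-Z0-9'  < /dev/urandom   print all of the generated random upper- and lower-case letters and digits

    tr options explained:

    -c or --complement: replace all characters that are not in the first character set;
    -d or --delete: delete all characters that are in the first character set;
    -s or --squeeze-repeats: represent runs of a repeated character as a single character;
    -t or --truncate-set1: first delete the characters that the first character set has beyond the second.
    Lab: creating a CA and requesting a certificate:
    Use this table as a reference when creating them: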

     

    Creating the CA:

    Create the CA certificate on centos7:

    1) (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   generate the CA key
    
    [root@centos7CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ...................................................+++
    .........................................................................+++
    e is 65537 (0x10001)
    2) openssl req -new -x509 -key  /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650    generate the self-signed certificate
    [root@centos7CA]#openssl req -new -x509 -key private/cakey.pem -out cacert1.pem -days 3650
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN   country
    State or Province Name (full name) []:shanghai  province
    Locality Name (eg, city) [Default City]:shanghai  city
    Organization Name (eg, company) [Default Company Ltd]:baidu  company name
    Organizational Unit Name (eg, section) []:yunwei  department name
    Common Name (eg, your name or your server's hostname) []:*baidu.com  domain name
    Email Address []:
    3) touch index.txt
    4) echo 0F > serial

      

    Create the certificate on centos6 (or the web server):

    1) (umask 077;openssl genrsa -out app.key 1024)  generate the private key
    
    [root@centos6CA]#(umask 077;openssl genrsa -out app.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ............++++++
    .......++++++
    e is 65537 (0x10001)
    
    2) openssl req -new -key  app.key -out app.csr  generate the certificate request file
    [root@centos6CA]#openssl req -new -key app.key -out app.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN   country: must match the root CA
    State or Province Name (full name) []:shanghai   province: must match the root CA
    Locality Name (eg, city) [Default City]:shanghai   city
    Organization Name (eg, company) [Default Company Ltd]:baidu   must match the root CA's company name
    Organizational Unit Name (eg, section) []:yunwei
    Common Name (eg, your name or your server's hostname) []:*baidu.com
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:centos
    An optional company name []:centos
    
    3)scp app.csr 192.168.34.101:/etc/pki/CA       copy it to the CA directory on centos7
    
    4)openssl ca -in app.csr  -out  /etc/pki/CA/certs/app.crt  -days 1000  on centos7, check the certificate request from centos6 (the server) and issue the certificate
    [root@centos7CA]#openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 1000
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 15 (0xf)
    Validity
    Not Before: Oct 19 15:10:49 2019 GMT
    Not After : Jul 15 15:10:49 2022 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = shanghai
    organizationName = baidugongsi
    organizationalUnitName = yunwei
    commonName = *baidu.com
    X509v3 extensions:
    X509v3 Basic Constraints: 
    CA:FALSE
    Netscape Comment: 
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier: 
    24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
    X509v3 Authority Key Identifier: 
    keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
    Certificate is to be certified until Jul 15 15:10:49 2022 GMT (1000 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    

      

    Note: by default the country, province and company name must all match the CA's

    Certificate contents:

    [root@centos7CA]#cat certs/app.crt
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, ST=shanghai, L=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
    Validity
    Not Before: Oct 19 15:10:49 2019 GMT
    Not After : Jul 15 15:10:49 2022 GMT
    Subject: C=CN, ST=shanghai, O=baidugongsi, OU=yunwei, CN=*baidu.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints: 
    CA:FALSE
    Netscape Comment: 
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier: 
    24:C4:BC:94:A1:8D:C0:AC:A1:63:CF:9D:61:DB:7B:F9:5B:AB:5B:13
    X509v3 Authority Key Identifier: 
    keyid:00:04:B1:D1:62:35:F9:91:B5:D6:56:C2:96:19:DD:9A:D4:9B:D5:9E
    
    Signature Algorithm: sha256WithRSAEncryption

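    5) sz /etc/pki/CA/certs/app.crt    download the file to the desktop to look at its contents

    6) sz cacert.pem    this certificate file is the parent certificate of app.crt

    Revoking a certificate: perform the revocation on centos7 (the root CA)

    1)openssl ca -revoke /etc/pki/CA/certs/app.crt    revoke app.crt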
    
    [root@centos7CA]#openssl ca -revoke /etc/pki/CA/certs/app.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 0F.
    Data Base Updated
    
    2)echo FF >  /etc/pki/CA/crlnumber  set the CRL number
    
    3)openssl ca -gencrl  -out /etc/pki/CA/crl.pem  update the revocation list
    [root@centos7CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    
    4)openssl crl -in /etc/pki/CA/crl.pem -noout -text    view the revoked-certificate information
    [root@centos7CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text 
    Certificate Revocation List (CRL):  revocation information
    Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=CN/ST=shanghai/L=shanghai/O=baidugongsi/OU=yunwei/CN=*baidu.com  issuer (company) details for the revocation
    Last Update: Oct 19 15:18:23 2019 GMT
    Next Update: Nov 18 15:18:23 2019 GMT
    CRL extensions:
    X509v3 CRL Number: 
    255
    Revoked Certificates:
    Serial Number: 0F    the certificate with serial number 0F has been revoked
    Revocation Date: Oct 19 15:16:25 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption

    5) sz  crl.pem    download it to view the current revocation list graphically on Windows
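
    The whole lab above (CA key and self-signed certificate, CSR, signing, revocation, CRL) as an added example that is not part of the original post, runnable in a scratch directory without touching /etc/pki. The minimal ca.cnf standing in for /etc/pki/tls/openssl.cnf, the example-org subjects, the 2048-bit keys and the function names are assumptions; CA and requester share one directory only to keep the demonstration self-contained.

```shell
#!/bin/sh
# Added example, not from the original post. Subjects and file names are constructed.
ca_init() {  # $1 = CA directory (plays the role of /etc/pki/CA)
  d=$1; mkdir -p "$d/private" "$d/newcerts" "$d/certs"
  : > "$d/index.txt"; echo 0F > "$d/serial"; echo FF > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null
  openssl req -new -x509 -config "$d/ca.cnf" -extensions v3_ca -days 3650 \
    -key "$d/private/cakey.pem" -out "$d/cacert.pem" \
    -subj "/C=CN/ST=shanghai/O=example-org/CN=Example Lab CA"
}
make_csr() {  # $1 = CA dir, $2 = name, $3 = subject
  (umask 077; openssl genrsa -out "$1/$2.key" 2048) 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -out "$1/$2.csr" -subj "$3"
}
sign_csr() {  # fails when C, ST or O in the CSR differ from the CA's (policy_match)
  openssl ca -batch -config "$1/ca.cnf" -days 1000 \
    -in "$1/$2.csr" -out "$1/certs/$2.crt" >/dev/null 2>&1
}
revoke_and_crl() {  # revoke certs/$2.crt, then publish a fresh crl.pem
  openssl ca -config "$1/ca.cnf" -revoke "$1/certs/$2.crt" >/dev/null 2>&1 &&
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}
cert_ok() {  # $1 = CA dir, $2 = name, rest = extra "openssl verify" options
  d=$1; n=$2; shift 2
  openssl verify -CAfile "$d/cacert.pem" "$@" "$d/certs/$n.crt" 2>&1 | grep -q ': OK$'
}
```

    After revoke_and_crl, cert_ok DIR app still succeeds while cert_ok DIR app -crl_check -CRLfile DIR/crl.pem fails: revocation only takes effect for verifiers that actually consult the CRL.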

     
     
  • Original article: https://www.cnblogs.com/struggle-1216/p/11704726.html