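In today's Internet era, more and more people care about information security and about encrypting important information. Encryption is the process of converting text into a form that cannot be read directly (ciphertext). Websites, for example, carry the "http" traffic we normally see as "https", which ensures the information cannot be eavesdropped on in transit. https is the combination of the HTTP protocol and the SSL/TLS protocol, that is, "HTTP over SSL" or "HTTP over TLS": the text data of the http protocol is encrypted and then transmitted in binary form.
Some websites use plain http and have no certificate, so some browsers regard them as not secure.
Anything that involves transactions is different and has to use the https protocol, for example Taobao.
There the certificate (CA) information is available, and we can download it and take a look.
So what is a CA certificate?
A CA also has a certificate of its own (with a public and private key pair). Public users on the Internet come to trust the CA by verifying the CA's signature; anyone can obtain the CA's certificate (which contains the public key) and use it to verify the certificates the CA has issued.
A user who wants a certificate of their own first applies to the CA. Once the CA has established the applicant's identity, it assigns the applicant a public key, binds that public key to the applicant's identity information, signs the result, and issues it to the applicant as a certificate.
A user who wants to check whether another certificate is genuine verifies the signature on that certificate with the CA's public key; once the verification passes, the certificate is considered valid. A certificate is in effect an attestation of a user's public key, issued by the certificate authority (CA).
A certificate contains: information about the issuing authority, information about the holder of the public key, the public key, the authority's signature, the validity period, and so on. Today the format of certificates and the way they are verified generally follow the X.509 international standard.
Below we simulate creating a private CA and issuing a certificate to a node.
I. Environment:
centos7.3 acts as the CA server; centos6.9 acts as the client (the applicant)
On centos7.3, which serves as the CA server, you need to be familiar with the CA configuration file: /etc/pki/tls/openssl.cnf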
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (where the CA-related files are stored)
certs = $dir/certs # Where the issued certs are kept (location of issued certificates)
crl_dir = $dir/crl # Where the issued crl are kept (where revocation lists are stored)
database = $dir/index.txt # database index file. (the certificate index database file)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate (location of the CA public key)
serial = $dir/serial # The current serial number (the serial number for the next certificate issued)
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key (the CA private key)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
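There are three policy values here: match, supplied and optional.
match means the information filled in by the applicant must be identical to what is set for the CA, supplied means the field must be filled in, and optional means the field may be present or absent.
II. Create the required files (centos7.3)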
[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#ls
certs crl newcerts private
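[root@centos7 CA]#touch index.txt # create the certificate index database file (it does not exist by default)
[root@centos7 CA]#echo 01 > serial # set the serial number of the first certificate to be issued (also absent by default; the two digits 01 are hexadecimal)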
[root@centos7 CA]#ls
certs crl index.txt newcerts private serial
1. Generate the private key file
[root@centos7 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
.........+++
e is 65537 (0x10001)
[root@centos7 CA]#ll private/
total 4
-rw------- 1 root root 1679 Jul 16 19:21 cakey.pem
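2. Generate the self-signed certificate
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # generate the self-signed certificate, specifying the private key file, where the certificate is saved, the validity period, and so on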
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:henan # state or province
Locality Name (eg, city) [Default City]:zhengzhou # city
Organization Name (eg, company) [Default Company Ltd]:keji # organization (company) name
Organizational Unit Name (eg, section) []:ops # department
Common Name (eg, your name or your server's hostname) []:keji.com # name of the certificate holder, or hostname of the server requesting the certificate
Email Address []: # e-mail address
[root@centos7 CA]#ll
total 8
-rw-r--r-- 1 root root 1302 Jul 16 19:22 cacert.pem
drwxr-xr-x. 2 root root 22 Jul 16 21:24 certs
drwxr-xr-x. 2 root root 6 Nov 6 2016 crl
drwxr-xr-x 2 root root 22 Jul 16 19:55 csr
-rw-r--r-- 1 root root 0 Jul 16 19:01 index.txt
drwxr-xr-x. 2 root root 6 Nov 6 2016 newcerts
drwx------. 2 root root 23 Jul 16 21:24 private
-rw-r--r-- 1 root root 3 Jul 16 19:02 serial
3. View the self-signed certificate
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11375816810472933637 (0x9ddf051e12280905)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Validity
Not Before: Jul 16 09:22:51 2017 GMT
Not After : Jul 14 09:22:51 2027 GMT
Subject: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
III. Send the client's certificate request to the CA for signing (centos 6.9)
1. Generate the key file:
[root@centos6 ~]#(umask 066;openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
......................................+++
e is 65537 (0x10001)
[root@centos6 ~]#ll /etc/pki/tls/private
total 4
-rw-------. 1 root root 1679 Jul 16 02:32 test.key
2. Use the private key to generate a certificate signing request:
[root@centos6 ~]#openssl req -new -key /etc/pki/tls/private/test.key -out /etc/pki/tls/private/test.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:keji
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:centos6.9.zj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: by default the country, state/province and organization (company) name must be identical to the CA's.
[root@centos6 ~]#ll /etc/pki/tls/private
total 8
-rw-r--r--. 1 root root 1005 Jul 16 02:46 test.csr
-rw-------. 1 root root 1679 Jul 16 02:32 test.key
3. Transfer it to the CA (centos7.3):
[root@centos6 ~]#scp /etc/pki/tls/private/test.csr 192.168.18.142:/etc/pki/CA/csr
The authenticity of host '192.168.18.142 (192.168.18.142)' can't be established.
RSA key fingerprint is 5a:d9:05:80:2c:2b:99:b5:f5:1f:5a:e6:31:ff:51:6f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.142' (RSA) to the list of known hosts.
root@192.168.18.142's password:
test.csr 100% 1005 1.0KB/s 00:00
[root@centos7 CA]#ll csr/
total 4
-rw-r--r-- 1 root root 1005 Jul 16 02:35 test.csr
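IV. Signing (centos7.3)
1. The CA issues the certificate
[root@centos7 CA]#openssl ca -in /etc/pki/CA/csr/test.csr -out /etc/pki/CA/certs/test.crt -days 365
# Issue the certificate: -in gives the location of the request to be signed, -out gives where the signed certificate is written (it must be placed under certs), and -days sets the validity period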
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 16 11:46:40 2017 GMT
Not After : Jul 16 11:46:40 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = keji
organizationalUnitName = ops
commonName = centos6.9.zj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:22:F5:49:09:17:75:91:A9:5D:64:69:7A:CC:E5:76:7A:9B:9C:70
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
Certificate is to be certified until Jul 16 11:46:40 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── csr
│ └── test.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 10 files
[root@centos7 CA]#cat index.txt # the first certificate signed has serial number 01
V 180716114640Z 01 unknown /C=CN/ST=henan/O=keji/OU=ops/CN=centos6.9.zj.com
2. Send the signed certificate back to the requester
[root@centos7 CA]#scp /etc/pki/CA/certs/test.crt 192.168.18.130:/etc/pki/tls/
The authenticity of host '192.168.18.130 (192.168.18.130)' can't be established.
RSA key fingerprint is a7:2e:2a:99:b0:33:c5:88:98:4b:0e:ce:7c:8c:6a:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.130' (RSA) to the list of known hosts.
root@192.168.18.130's password:
test.crt
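The flow above (private CA, signing request, openssl ca under policy_match, then a chain check with openssl verify) as a non-interactive script. This is an added example, not the author's code: the scratch directory, the minimal ca.cnf and the function names are assumptions made for the example, and the subject values are the ones used on this page.

```shell
#!/bin/sh
# Added example: throwaway CA in a scratch directory (all names constructed).
build_ca() {                       # $1 = empty working directory
  d=$1; mkdir -p "$d/private" "$d/newcerts" "$d/certs" "$d/csr"
  touch "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null
  openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
    -days 3650 -subj "/C=CN/ST=henan/L=zhengzhou/O=keji/OU=ops/CN=keji.com" \
    -out "$d/cacert.pem"
}
request_and_sign() {               # $1 = CA dir, $2 = name, $3 = subject DN
  (umask 077; openssl genrsa -out "$1/private/$2.key" 2048) 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/private/$2.key" -subj "$3" \
    -out "$1/csr/$2.csr" || return 1
  # openssl ca enforces policy_match; a mismatched C/ST/O is refused here.
  openssl ca -batch -config "$1/ca.cnf" -in "$1/csr/$2.csr" \
    -out "$1/certs/$2.crt" >/dev/null 2>&1 && [ -s "$1/certs/$2.crt" ]
}
verify_cert() {                    # signature chain check against the CA cert
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null 2>&1
}
```

Call build_ca on a fresh mktemp -d directory, then request_and_sign with a subject whose C, ST and O match the CA and verify_cert on the result; a request with O=kejitwo returns non-zero because policy_match refuses it, and the serial file stays at 02.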
V. View the signed certificate on the client (centos6.9)
[root@centos6 ~]#openssl x509 -in /etc/pki/tls/test.crt -noout -text # the requester inspects it after receiving it
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Validity
Not Before: Jul 16 11:46:40 2017 GMT
Not After : Jul 16 11:46:40 2018 GMT
Subject: C=CN, ST=henan, O=keji, OU=ops, CN=centos6.9.zj.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:22:F5:49:09:17:75:91:A9:5D:64:69:7A:CC:E5:76:7A:9B:9C:70
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
Signature Algorithm: sha256WithRSAEncryption
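VI. View the CA certificate on Windows
That completes the full CA workflow. To look at the CA certificate we made in a more visual way, we can also import the file into Windows; to do that, change the extension of the self-signed CA certificate cacert.pem to a file format that Windows recognizes.
If anything here falls short, corrections are welcome!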