[TOC]
前言
上一篇文章 http://blog.csdn.net/hylexus/article/details/53048305、http://www.reibang.com/p/c929ac2d9134 中沪袭,最終得到的安全通信的結(jié)論的前提都是基于CA及CA頒發(fā)的證書是可靠的基礎(chǔ)上的湾宙,整個(gè)通信過程的安全性也都依賴于CA這個(gè)根源樟氢。本篇文章就來說說CA及與其相關(guān)的一些概念。
本文章中的諸多信息都是來自大牛 馬哥 的linux視頻教程侠鳄。
1 X509
X509埠啃,簡言之,也是個(gè)人理解:就是證書的元數(shù)據(jù)伟恶,也就是來約定證書格式的標(biāo)準(zhǔn)碴开。
我們常見的證書的格式大都是基于X509的標(biāo)準(zhǔn)的。
1.1 X509證書格式
以下信息來源于百度百科:
所有的X.509證書包含以下數(shù)據(jù):
- X.509版本號(hào):指出該證書使用了哪種版本的X.509標(biāo)準(zhǔn)博秫,版本號(hào)會(huì)影響證書中的一些特定信息潦牛。目前的版本是3。
- 證書持有人的公鑰:包括證書持有人的公鑰挡育、算法(指明密鑰屬于哪種密碼系統(tǒng))的標(biāo)識(shí)符和其他相關(guān)的密鑰參數(shù)巴碗。
- 證書的序列號(hào):由CA給予每一個(gè)證書分配的唯一的數(shù)字型編號(hào),當(dāng)證書被取消時(shí)即寒,實(shí)際上是將此證書序列號(hào)放入由CA簽發(fā)的CRL(Certificate Revocation List證書作廢表橡淆,或證書黑名單表)中。這也是序列號(hào)唯一的原因母赵。
- 主題信息:證書持有人唯一的標(biāo)識(shí)符(或稱DN-distinguished name)這個(gè)名字在 Internet上應(yīng)該是唯一的逸爵。DN由許多部分組成,看起來象這樣:
CN=Bob Allen, OU=Total Network Security Division
O=Network Associates, Inc.
C=US
這些信息指出該科目的通用名凹嘲、組織單位师倔、組織和國家或者證書持有人的姓名、服務(wù)處所等信息周蹭。 - 書的有效期:證書起始日期和時(shí)間以及終止日期和時(shí)間溯革;指明證書在這兩個(gè)時(shí)間內(nèi)有效。
- 認(rèn)證機(jī)構(gòu):證書發(fā)布者谷醉,是簽發(fā)該證書的實(shí)體唯一的CA的X.509名字致稀。使用該證書意味著信任簽發(fā)證書的實(shí)體。(注意:在某些情況下俱尼,比如根或頂級(jí)CA證書抖单,發(fā)布者自己簽發(fā)證書)
- 發(fā)布者的數(shù)字簽名:這是使用發(fā)布者私鑰生成的簽名,以確保這個(gè)證書在發(fā)放之后沒有被撰改過遇八。
- 簽名算法標(biāo)識(shí)符:用來指定CA簽署證書時(shí)所使用的簽名算法矛绘。算法標(biāo)識(shí)符用來指定CA簽發(fā)證書時(shí)所使用的公開密鑰算法和HASH算法。
2 SSL/openSSL/TLS
2.1 簡單介紹
先來看看這兩張來自百度的OSI七層模型圖和四層模型圖:
OSI七層模型
四層模型
我們常見的一些協(xié)議刃永,比如 http货矮、smtp、telnet斯够、ftp本身默認(rèn)是不支持?jǐn)?shù)據(jù)傳輸加密的囚玫。
SSL(Secure Socket Layer)就是在應(yīng)用層和TCP/IP層之間加的層喧锦,好像和這個(gè)快被歷史遺忘了的牛逼的NetScape公司有關(guān)系。
有了SSL層抓督,本來不支持加密傳輸?shù)囊恍﹨f(xié)議比如http就可以支持加密了即https燃少,smtps,ftps等铃在。
TLS(Transport Layer Security)安全傳輸層協(xié)議阵具。TLS-v1相當(dāng)于SSL-v3。
本文不加區(qū)別的使用SSL和TLS定铜。
openSSL即是SSL的開源實(shí)現(xiàn)版本阳液。
openSSL
- libcrypto:通用加密庫
- libssl:SSL/TLS的實(shí)現(xiàn)
- openssl:命令行工具
2.2 openSSL常用命令
2.2.1 基礎(chǔ)命令
# 查看當(dāng)前機(jī)器上安裝的openssl信息
[root@h1 ~]# rpm -q openssl
openssl-1.0.1e-48.el6_8.3.x86_64
# 測(cè)試當(dāng)前機(jī)器對(duì)常用加密算法的運(yùn)算性能
[root@VM_15_242_centos ~]# openssl speed
Doing md2 for 3s on 16 size blocks: 388053 md2's in 2.99s
………………………………………………
# 測(cè)試當(dāng)前機(jī)器對(duì)指定算法的運(yùn)算性能
[root@h1 ~]# openssl speed md5
Doing md5 for 3s on 16 size blocks: 9085406 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 6577474 md5's in 2.99s
Doing md5 for 3s on 256 size blocks: 3690426 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1305693 md5's in 2.99s
Doing md5 for 3s on 8192 size blocks: 186074 md5's in 3.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
…………………………………………………………………………………………
2.2.2 文件加密/解密
# 加密文件
openssl enc -des3 -salt -a -in /etc/passwd -out /root/passwd.enc
-des3:des加密方式
-salt:加鹽
-a:基于base64編碼處理
-in:輸入文件
-out:加密結(jié)果輸出至何處
# 解密文件
openssl enc -des3 -d -salt -a -in /root/passwd.enc -out /root/passwd.plaintext
-des3:des加密方式
-d:解密
-salt:加鹽
-a:基于base64編碼處理
-in:輸入文件
-out:加密結(jié)果輸出至何處
2.2.3 計(jì)算特征碼
[root@h1 ~]# openssl dgst -sha1 /etc/passwd
SHA1(/etc/passwd)= cda7fc123305e443155760afa8789b8e757d819a
[root@h1 ~]# openssl dgst -md5 /etc/passwd
MD5(/etc/passwd)= eaa520eb398cfedf2bdd7d785e5dcd78
# 和以下命令的計(jì)算結(jié)果一致
[root@h1 ~]# md5sum /etc/passwd
eaa520eb398cfedf2bdd7d785e5dcd78 /etc/passwd
[root@h1 ~]# sha1sum /etc/passwd
cda7fc123305e443155760afa8789b8e757d819a /etc/passwd
2.2.4 生成密碼
# 和passwd命令類似
[root@h1 ~]# openssl passwd -1
Password:
Verifying - Password:
$1$THXDghVa$jF7Ds7zDQpaIDbUEFZZMF1
2.2.5 生成偽隨機(jī)數(shù)
man sslrand 查看幫助
[root@h1 ~]# openssl rand -base64 22
UESrys2wxAQKBa2ofpcxC06/37Q+vg==
[root@h1 ~]# openssl rand -hex 22
87eda2a48cbc437578b41d5ec1ddc3e42fdf5a7bc9be
2.2.6 生成秘鑰
# 生成1024位的rsa秘鑰保存至文件server.pri.1024中
[root@h1 ~]# openssl genrsa 1024 > server.pri.1024
Generating RSA private key, 1024 bit long modulus
.................................................++++++
........++++++
e is 65537 (0x10001)
# 或者直接用以下命令在子shell中執(zhí)行以便直接將mod設(shè)置為600
(umask 077;openssl genrsa -out server.pri.1024 1024)
# 可以用以下命令提取查看公鑰
openssl rsa -in server.pri.1024 -pubout
2.2.7 生成/查看X509證書
# 新生成一個(gè)x509格式的證書保存至文件server.crt中,有效期365天
[root@h1 ~]# openssl req -new -x509 -key ./server.pri.1024 -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 國家代碼:CN
Country Name (2 letter code) [XX]:CN
# 省份
State or Province Name (full name) []:ShangHai
# 城市
Locality Name (eg, city) [Default City]:ShangHai
# 組織機(jī)構(gòu)名稱
Organization Name (eg, company) [Default Company Ltd]:KKBC
# 部門
Organizational Unit Name (eg, section) []:develop
# 主機(jī)名
Common Name (eg, your name or your server's hostname) []:h1.hylexus.tech
# 電子郵件
Email Address []:hylexus@163.com
[root@h1 ~]#
查看證書信息
[root@h1 ~]# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17011964780701293735 (0xec16a3d5b5281ca7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=ShangHai, L=ShangHai, O=KKBC, OU=develop, CN=h1.hylexus.tech/emailAddress=hylexus@163.com
Validity
Not Before: Nov 6 14:04:42 2016 GMT
Not After : Nov 6 14:04:42 2017 GMT
Subject: C=CN, ST=ShangHai, L=ShangHai, O=KKBC, OU=develop, CN=h1.hylexus.tech/emailAddress=hylexus@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:8e:f4:e9:21:06:4a:8a:23:7c:15:6f:70:cb:
b2:df:d3:f8:21:2e:0d:c1:ff:16:b7:ed:c3:a7:8f:
4b:ef:b6:75:da:df:0d:4a:2b:b0:26:cb:7e:a3:16:
d3:da:15:67:a5:21:74:ac:ec:cd:e8:c7:cc:aa:b9:
78:d1:fe:2f:11:e3:f7:72:fb:cd:08:8a:ae:57:53:
c0:a0:61:b9:e4:bd:e2:25:43:03:b3:ef:e4:eb:36:
fc:7a:ce:4f:a8:d7:3e:bd:ec:36:39:b1:bd:15:ee:
dc:92:00:7b:71:a4:b9:fe:7f:be:f3:de:c4:43:bc:
d1:52:d9:1b:e5:a6:74:0c:07
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
57:34:FC:F4:1B:52:B1:CA:C3:70:3B:79:1E:6B:BE:49:53:07:CA:3D
X509v3 Authority Key Identifier:
keyid:57:34:FC:F4:1B:52:B1:CA:C3:70:3B:79:1E:6B:BE:49:53:07:CA:3D
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
3b:96:2c:a1:be:ec:8a:68:fc:e2:69:a9:d3:83:24:02:1d:db:
14:19:bc:c7:a9:2a:53:5a:7e:6f:76:1f:68:9b:a7:a2:9a:62:
ce:bc:f5:12:a7:39:2b:7e:d5:ad:36:a7:76:4a:a2:c9:38:eb:
b8:1f:60:71:ba:dd:f8:b7:2d:86:01:e9:37:74:e0:87:df:fa:
fa:ab:e4:88:1a:58:85:08:ce:ac:2b:b0:0c:95:02:4d:66:42:
01:f9:ee:b1:86:a2:2b:ec:b6:62:b5:9d:94:a1:19:5b:96:0f:
93:e4:cf:3f:ab:d7:59:85:e5:c7:43:0a:3b:f6:20:2f:f9:fb:
da:1e
-----BEGIN CERTIFICATE-----
MIIC7DCCAlWgAwIBAgIJAOwWo9W1KBynMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
VQQGEwJDTjERMA8GA1UECAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMQ0w
CwYDVQQKDARLS0JDMRAwDgYDVQQLDAdkZXZlbG9wMRgwFgYDVQQDDA9oMS5oeWxl
eHVzLnRlY2gxHjAcBgkqhkiG9w0BCQEWD2h5bGV4dXNAMTYzLmNvbTAeFw0xNjEx
MDYxNDA0NDJaFw0xNzExMDYxNDA0NDJaMIGOMQswCQYDVQQGEwJDTjERMA8GA1UE
CAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMQ0wCwYDVQQKDARLS0JDMRAw
DgYDVQQLDAdkZXZlbG9wMRgwFgYDVQQDDA9oMS5oeWxleHVzLnRlY2gxHjAcBgkq
hkiG9w0BCQEWD2h5bGV4dXNAMTYzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAwo706SEGSoojfBVvcMuy39P4IS4Nwf8Wt+3Dp49L77Z12t8NSiuwJst+
oxbT2hVnpSF0rOzN6MfMqrl40f4vEeP3cvvNCIquV1PAoGG55L3iJUMDs+/k6zb8
es5PqNc+vew2ObG9Fe7ckgB7caS5/n++897EQ7zRUtkb5aZ0DAcCAwEAAaNQME4w
HQYDVR0OBBYEFFc0/PQbUrHKw3A7eR5rvklTB8o9MB8GA1UdIwQYMBaAFFc0/PQb
UrHKw3A7eR5rvklTB8o9MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
O5Ysob7simj84mmp04MkAh3bFBm8x6kqU1p+b3YfaJunoppizrz1Eqc5K37VrTan
dkqiyTjruB9gcbrd+LcthgHpN3Tgh9/6+qvkiBpYhQjOrCuwDJUCTWZCAfnusYai
K+y2YrWdlKEZW5YPk+TPP6vXWYXlx0MKO/YgL/n72h4=
-----END CERTIFICATE-----
3 HTTPS
HTTPS(Hyper Text Transfer Protocol over Secure Socket Layer)即HTTP在SSL/TLS基礎(chǔ)上的安全版本揣炕。
3.1 HTTP VS HTTPS
以下對(duì)比來自于百度百科:
- https協(xié)議需要到ca申請(qǐng)證書趁舀,一般免費(fèi)證書很少,需要交費(fèi)祝沸。
- http是超文本傳輸協(xié)議,信息是明文傳輸越庇,https 則是具有安全性的ssl加密傳輸協(xié)議罩锐。
- http和https使用的是完全不同的連接方式,用的端口也不一樣卤唉,前者是80涩惑,后者是443。
- http的連接很簡單桑驱,是無狀態(tài)的竭恬;HTTPS協(xié)議是由SSL+HTTP協(xié)議構(gòu)建的可進(jìn)行加密傳輸、身份認(rèn)證的網(wǎng)絡(luò)協(xié)議熬的,比http協(xié)議安全痊硕。
3.2 大致過程
- 三次握手當(dāng)然是必不可少的了
既然是安全的,當(dāng)然就得加密傳輸數(shù)據(jù)了押框。
怎么加密傳輸呢岔绸?
非對(duì)稱加密代價(jià)太大,HTTPS使用的方式大致和上篇文章中所說的
第二種安全通信方式:http://blog.csdn.net/hylexus/article/details/53048305#72-方式二 類似橡伞。
客戶端和服務(wù)端需要協(xié)商通信的對(duì)稱加密的加密算法等信息盒揉。一般并不是基于IKE實(shí)現(xiàn)的。
4 openSSL實(shí)現(xiàn)私有CA
4.1 準(zhǔn)備工作
先查看或按需修改/etc/pki/tls/openssl.cnf文件內(nèi)容,其中有以下一些配置項(xiàng):
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
為方便兑徘,此處直接cd至/etc/pki/CA目錄進(jìn)行后續(xù)操作
4.2 生成秘鑰
[root@h1 CA]# pwd
/etc/pki/CA
# 注意此處的輸出位置應(yīng)該和/etc/pki/tls/openssl.cnf中的配置相對(duì)應(yīng)
[root@h1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...........................................................................................................+++
e is 65537 (0x10001)
[root@h1 CA]#
4.3 生成自簽署的證書
注意此處的證書是CA自己的證書刚盈。
[root@h1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Default Company Ltd]:KKBC
Organizational Unit Name (eg, section) [dev]:
Common Name (eg, your name or your server's hostname) []:h1.hylexus.tech
Email Address []:hylexus@163.com
[root@h1 CA]#
4.4 其他配置
# 此時(shí)的目錄大概是這個(gè)樣子,具體應(yīng)該和/etc/pki/tls/openssl.cnf中的配置相對(duì)應(yīng)
[root@h1 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
# 新建 database index file.
[root@h1 CA]# touch index.txt
# The current serial number
[root@h1 CA]# echo 01 > serial
# 最終的目錄結(jié)構(gòu)大概是這個(gè)樣子,具體應(yīng)該和/etc/pki/tls/openssl.cnf中的配置相對(duì)應(yīng)
[root@h1 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4.5 為應(yīng)用程序配置SSL
此處本人在/etc/nginx/ssl目錄下操作,只是示例而已:
生成私鑰(應(yīng)用程序自己的私鑰,不要和上面的CA的私鑰混了)
[root@h1 ssl]# cd /etc/nginx/
[root@h1 nginx]# mkdir ssl ; cd ssl
[root@h1 ssl]# pwd
/etc/nginx/ssl
# 生成私鑰
[root@h1 ssl]# (umask 077;openssl genrsa -out nginx.key)
Generating RSA private key, 1024 bit long modulus
.......................++++++
................++++++
e is 65537 (0x10001)
生成證書頒發(fā)請(qǐng)求
# csr====Certificate Signature Request
[root@h1 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [Default Company Ltd]:KKBC
Organizational Unit Name (eg, section) [dev]:
Common Name (eg, your name or your server's hostname) []:h2.hylexus.tech
Email Address []:hylexus@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
將證書頒發(fā)請(qǐng)求發(fā)送給CA,讓CA簽署(CA簽名認(rèn)證)
此處CA和應(yīng)用都在同一臺(tái)主機(jī)上,直接操作即可
[root@h1 ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 6 23:22:02 2016 GMT
Not After : Nov 4 23:22:02 2026 GMT
Subject:
countryName = CN
stateOrProvinceName = ShangHai
organizationName = KKBC
organizationalUnitName = dev
commonName = h2.hylexus.tech
emailAddress = hylexus@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
06:E2:32:E3:46:07:3B:E4:39:0B:44:8D:E2:60:F4:FC:CB:C3:17:81
X509v3 Authority Key Identifier:
keyid:D8:E5:FB:17:23:6D:A6:ED:FB:D1:D6:82:B5:97:FF:2D:E8:05:E0:67
Certificate is to be certified until Nov 4 23:22:02 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
