SSL证书
证书类型简介
要设置安全服务器,使用公共钥创建一对公私钥对。大多数情况下,发送证书请求(包括自己的公钥),你的公司证明材料以及费用到一个证书颁发机构(CA)。CA验证证书请求及您的身份,然后将证书返回给您的安全服务器。
但是内网实现一个服务器端和客户端传输内容的加密,可以自己给自己颁发证书,只需要忽略掉浏览器不信任的警报即可!
由CA签署的证书为您的服务器提供两个重要的功能:
- 浏览器会自动识别证书并且在不提示用户的情况下允许创建一个安全连接。
- 当一个CA生成一个签署过的证书,它为提供网页给浏览器的组织提供身份担保。
- 多数支持ssl的web服务器都有一个CA列表,它们的证书会被自动接受。当一个浏览器遇到一个其授权CA并不在列表中的证书,浏览器将询问用户是否接受或拒绝连接。
制作CA证书
ca.key CA私钥:
# openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:ca.crt CA根证书(公钥)
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShenZhang
Locality Name (eg, city) [Default City]:ShenZhang
Organization Name (eg, company) [Default Company Ltd]:HF
Organizational Unit Name (eg, section) []:Hf
Common Name (eg, your name or your server's hostname) []:www.jackyops.com
Email Address []:[email protected]制作网站的证书并用CA签名认证
网站域名为www.jackyops.com,生成www.jackyops.com.key证书私钥:
# openssl genrsa -des3 -out www.jackyops.com.pem 1024
Generating RSA private key, 1024 bit long modulus
..................................................++++++
....................................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for www.jackyops.com.pem:
Verifying - Enter pass phrase for www.jackyops.com.pem:
[root@hfspng02 test]# ls
ca.crt ca.key www.jackyops.com.pem制作解密后的www.jackyops.com.pem证书私钥:
# openssl rsa -in www.jackyops.com.pem -out www.jackyops.com.key
Enter pass phrase for www.jackyops.com.pem:
writing RSA key
# ls
ca.crt ca.key www.jackyops.com.key www.jackyops.com.pem生成签名请求:
# openssl req -new -key www.jackyops.com.pem -out www.jackyops.com.csr
Enter pass phrase for www.jackyops.com.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShenZhang
Locality Name (eg, city) [Default City]:ShenZhang
Organization Name (eg, company) [Default Company Ltd]:HF
Organizational Unit Name (eg, section) []:Hf
Common Name (eg, your name or your server's hostname) []:www.jackyops.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:可以在Common Name中填入网站域名,即可生产该网站的证书。
用CA进行签名:
openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in www.jackyops.com.csr -out www.jackyops.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 13 09:33:37 2018 GMT
Not After : Nov 13 09:33:37 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = ShenZhang
localityName = ShenZhang
organizationName = HF
organizationalUnitName = Hf
commonName = www.jackyops.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:4F:72:DA:1D:38:65:F3:1C:08:D8:FB:34:BE:6E:21:23:E8:F5:19
X509v3 Authority Key Identifier:
keyid:79:FB:F1:D1:19:2F:C0:3D:49:7B:30:18:63:26:A8:E5:5F:8C:6F:29
Certificate is to be certified until Nov 13 09:33:37 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated可能执行签名时,会出现如下问题
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
47905929770128:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
47905929770128:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
解决方法:
touch /etc/pki/CA/index.txt
echo "01" > /etc/pki/CA/serial
基于Nginx搭建HTTPS虚拟主机
虚拟主机配置文件
upstream sslfpm {
server 192.168.1.20:8080 weight=10 max_fails=3 fail_timeout=20s;
}
server {
listen 192.168.1.*:443;
server_name 192.168.1.*;
#为一个server开启ssl支持
ssl on;
#为虚拟主机指定pem格式的证书文件
ssl_certificate /home/wangzhengyi/ssl/wangzhengyi.crt;
#为虚拟主机指定私钥文件
ssl_certificate_key /home/wangzhengyi/ssl/wangzhengyi_nopass.key;
#客户端能够重复使用存储在缓存中的会话参数时间
ssl_session_timeout 5m;
#指定使用的ssl协议
ssl_protocols SSLv3 TLSv1;
#指定许可的密码描述
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#SSLv3和TLSv1协议的服务器密码需求优先级高于客户端密码
ssl_prefer_server_ciphers on;
location / {
root /home/wangzhengyi/ssl/;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
error_page 404 /404.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location = /404.html {
root /usr/share/nginx/www;
}
# proxy the PHP scripts to fpm
location ~ \.php$ {
access_log /var/log/nginx/ssl/ssl.access.log main;
error_log /var/log/nginx/ssl/ssl.error.log;
root /home/wangzhengyi/ssl/;
fastcgi_param HTTPS on;
include /etc/nginx/fastcgi_params;
fastcgi_pass sslfpm;
}
} HTTPS服务器优化
方法
SSL操作需要消耗CPU资源,所以在多处理器的系统,需要启动多个工作进程,而且数量需要不少于可用CPU的个数。最消耗CPU资源的SSL操作是SSL握手,有两种方法可以将每个客户端的握手操作数量降到最低:
保持客户端长连接,在一个SSL连接发送多个请求
在并发的连接或者后续的连接中重用SSL会话参数,这样可以避免SSL握手操作。
会话缓存用于保存SSL会话,这些缓存在工作进程间共享,可以使用ssl_session_cache指令进行配置。1M缓存可以存放约4000个会话。默认的缓存超时时间是5m,可以使用ssl_session_timeout加大它。
ssl_session_cache指令
语法:ssl_session_cache off|none|builtin:size|shared:name:size
使用环境:main,server
缓存类型:
off -- 硬关闭,nginx明确告诉客户端这个会话不可重用
none -- 软关闭,nginx告诉客户端会话能够被重用,但是nginx实际上不会重用它们
bultin -- openssl内置缓存,仅可用于一个工作进程.可能导致内存碎片
shared -- 所有工作进程的共享缓存。(1)缓存大小用字节数指定(2)每个缓存必须拥有自己的名称(3)同名的缓存可用于多个虚拟主机
#优化ssl服务
ssl_session_cache shared:wzy:10m;
#客户端能够重复使用存储在缓存中的会话参数时间
ssl_session_timeout 10m;
通信shell脚本生成证书:
#!/bin/sh
# create self-signed server certificate:
read -p "Enter your domain [www.example.com]: " DOMAIN
echo "Create server key..."
openssl genrsa -des3 -out $DOMAIN.key 1024
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr
echo "Remove password..."
mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key
echo "Sign SSL certificate..."
openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo " ..."
echo " listen 443 ssl;"
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"在当前目录下会创建出4个文件:
- www.test.com.crt:自签名的证书
- www.test.com.csr:证书的请求
- www.test.com.key:不带口令的Key
- www.test.com.origin.key:带口令的Key
Web服务器需要把www.test.com.crt发给浏览器验证,然后用www.test.com.key解密浏览器发送的数据,剩下两个文件不需要上传到Web服务器上。