linux-运维进阶-31 OpenSSL实现CA证书
OpenSSL实现CA证书
什么是CA
CA,Catificate Authority,通俗的理解就是一种认证机制。它的作用就是提供证书(也就是服务端证书,由域名,公司信息,序列号,签名信息等等组成)来加强客户端与服务器端访问信息的安全性,同时提供证书的发放等相关工作。国内的大部分互联网公司都在国际CA机构申请了CA证书,并且在用户进行访问的时候,对用户的信息加密,保障了用户的信息安全。理论上来说,任何组织或者个人都可以扮演CA的角色,只不过,难以得到客户端的信任,不能推而广之,最典型应用莫过于12306网站,这个网站就是自己给自己颁发的根证书。
目前能够让浏览器默认支持的CA大厂有很多,Windows 操作系统在安装之初,也默认安装了很多受信任的根证书。可以通过控制面板–Internet选项来进行查看。
另外,可以将证书理解为带有额外信息的公钥。
SSL/TLS
SSL/TLS是网络通信过程中非常重要的两个协议。互联网的通信安全就建立在SSL/TLS协议基础之上。他们通过一系列的加密行为保障了通信的安全,是如今互联网通信最主要的应用之一。
SSL/TLS是一个很大的互联网应用,关于他们的介绍互联网上有很多,我们暂时不做详细的介绍。关于SSL/TLS通信的过程大致可以用下面的这张图来进行描述。
十六字真诀
公钥加密,私钥解密
私钥签章,公钥验签
实验准备
CA服务器:192.168.141.132
客户机:192.168.141.69
物理机(就是你的电脑)
OpenSSL
OpenSSL是一套开源软件,在Linux中可以很容易的安装。它能够很容易的完成密钥生成以及证书管理。我们接下来就利用OpenSSL搭建CA证书,并实现证书的申请与分发。
[root@localhost ~]# yum install openssl –y
CA配置
要手动创建CA证书,就必须首先了解,OpenSSL中关于CA的配置,配置文件位于下面的/etc/pki/tls/openssl.cnf
[root@localhost ~]# cat /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca= CA_default #默认CA
####################################################################
[ CA_default ]
dir=/etc/pki/CA # CA的工作目录这里其实是定义了一个变量
certs= $dir/certs # 证书存储路径
crl_dir= $dir/crl # 证书吊销列表
database= $dir/index.txt # 证书数据库列表
new_certs_dir= $dir/newcerts #新的证书路径
certificate = $dir/cacert.pem # CA自己的证书
serial= $dir/serial #下一个证书的编号,十六进制,默认00
crlnumber= $dir/crlnumber #下一个要被吊销的证书编号,十六进制,默认00
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # CA 的私钥
RANDFILE= $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # 命名方式
cert_opt = ca_default # CA的选项
default_days= 365 # 默认证书的有效期限
default_crl_days= 30 # how long before next CRL
default_md= default # use public key default MD
preserve= no # keep passed DN ordering
policy= policy_match #策略
#这里记录的是 将来CA在搭建的时候,以及客户端申请证书的时候,
需要提交的信息的匹配程度。
[ policy_match ] # match意味着CA以及子CA必须一致
countryName = match # 国家
stateOrProvinceName= match # 州或者省
organizationName= match #组织公司
organizationalUnitName = optional
commonName= supplied
emailAddress= optional
[ policy_anything ] #可以对外提供证书申请,这时,证书的匹配就可以不用那么严格
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName = optional
commonName = supplied
emailAddress= optional
找到配置文件中指定的路径
[root@localhost ~]# cat /etc/pki/tls/openssl.cnf | grep dir
dir = /etc/pki/CA # Where everything is kept
可以看到路径 /etc/pki/CA
创建所需要的文件
这里有一点需要注意,我们的实验环境中包含了一个主机,如果不提前创建这两个文件,那么在生成证书的过程中会出现错误。
我们将文件创建在配置文件中指定的路径下面。
生成证书索引数据库文件
[root@localhost ~]# touch /etc/pki/CA/index.txt
指定第一个颁发证书的序列号
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
CA 自签名证书(构造根CA)
首先构造根CA的证书。因为没有任何机构能够给根CA颁发证书,所以只能根CA自己给自己颁发证书。
首先生成私钥文件cakey.pem
[root@localhost ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048
Generating RSA private key, 2048 bit long modulus
...............+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #这里需要输入密码( pass phrase )
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem: #这里确认密码
更具私钥文件cakey.pem生成自签名证书cacert.pem
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #中国
State or Province Name (full name) []:js #江苏
Locality Name (eg, city) [Default City]:zj #镇江
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.feng.com
Email Address []:[email protected]
[root@localhost ~]#
查看生成的证书cacert.pem
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat cacert.pem
关闭selinux
[root@localhost CA]# cd
[root@localhost ~]# setenforce 0
[root@localhost ~]#
颁发证书(客户端申请证书)
为客户端颁发ssl证书
- 客户端首先产生一个私钥以及证书请求的公钥
- 客户端将公钥发给CA服务器
- CA服务器为客户端颁发数字签名再传回客户机
我们再开一台虚拟机作为客户端,由于它不是CA服务器,所以就不在/etc/pki/CA/目录下生成私钥和证书等文件了,咱们另外建一个目录来搞。
客户端首先在/root/key/目录下生成一个私钥https.key
[root@localhost ~]# yum install openssl -y #客户端也要装ssl套件
[root@localhost ~]# mkdir key
[root@localhost ~]# openssl genrsa -out /root/key/https.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.................+++
e is 65537 (0x10001)
客户端再用私钥https.key生成证书请求https.csr
[root@localhost ~]# openssl req -new -key /root/key/https.key -out /root/key/https.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:zj
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:192.168.141.69
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:feng
[root@localhost ~]#
客户端将证书请求文件https.csr传到CA服务器的/etc/pki/CA目录下
[root@localhost ~]# cd key
[root@localhost key]# ls
https.csr https.key
[root@localhost key]# scp https.csr 192.168.141.132:/etc/pki/CA
The authenticity of host '192.168.141.132 (192.168.141.132)' can't be established.
ECDSA key fingerprint is SHA256:mJVa6J0b/NaWyJ+cbVho0hHnUDY9utS7iWUGq91HvpM.
ECDSA key fingerprint is MD5:d3:6c:dc:1c:76:df:3a:d1:b9:ef:6c:17:82:64:76:6e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.141.132' (ECDSA) to the list of known hosts.
[email protected]'s password:
https.csr 100% 1090 699.6KB/s 00:00
[root@localhost key]#
CA根据客户机发过来的证书请求https.csr生产数字签名https.crt
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# openssl ca -in https.csr -out https.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 17 08:07:23 2019 GMT
Not After : Feb 17 08:07:23 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = js
organizationName = feng
organizationalUnitName = tech
commonName = 192.168.141.69
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:83:77:55:09:E6:6F:BF:5A:0E:7A:D4:45:64:8B:28:81:0A:70:6B
X509v3 Authority Key Identifier:
keyid:A0:D2:8C:72:63:CE:16:D6:EE:DF:B6:5F:85:C1:57:06:D1:A2:CA:98
Certificate is to be certified until Feb 17 08:07:23 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# ls
cacert.pem crl https.csr index.txt.attr newcerts serial
certs https.crt index.txt index.txt.old private serial.old
[root@localhost CA]#
CA自己的私钥文件cakey.pem
CA的自签名证书cacert.pem
客户机发过来的证书请求https.csr
CA根据https.csr产生数字签名https.crt
CA将生产好的数字签名再传回客户机
[root@localhost CA]# scp https.crt 192.168.141.69:/root/key
The authenticity of host '192.168.141.69 (192.168.141.69)' can't be established.
ECDSA key fingerprint is SHA256:GxQcqZQLnGUvawOktRB9hLYZZA0ScnEsN3USeyTghgU.
ECDSA key fingerprint is MD5:d6:d5:c1:df:2b:47:22:55:4d:1a:a3:f2:63:50:d9:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.141.69' (ECDSA) to the list of known hosts.
[email protected]'s password:
https.crt 100% 4551 2.7MB/s 00:00
[root@localhost CA]#
切换到客户机,看一下的确传过来了
[root@localhost key]# ls
https.crt https.csr https.key
[root@localhost key]#
接下来客户机将自己的密钥https.key传给CA,由CA生成证书cacert.pem传回给客户机。为了不冲突,在CA服务器上新建一个目录/root/test
[root@localhost ~]# mkdir test
[root@localhost ~]#
客户机将自己的密钥https.key传给CA
[root@localhost key]# scp https.key 192.168.141.132:/root/test
[email protected]'s password:
https.key 100% 1675 447.2KB/s 00:00
[root@localhost key]#
由CA生成证书cacert.pem
[root@localhost ~]# openssl req -new -x509 -key /root/test/https.key -days 7300 -out /root/test/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:zj
Organization Name (eg, company) [Default Company Ltd]:feng
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:192.168.141.69
Email Address []:[email protected]
[root@localhost ~]#
CA服务器将证书传给客户机
[root@localhost ~]# cd test/
[root@localhost test]# ls
cacert.pem https.key
[root@localhost test]# scp cacert.pem 192.168.141.69:/etc/pki/CA
[email protected]'s password:
cacert.pem 100% 1375 1.0MB/s 00:00
[root@localhost test]#
切换到客户机,看一下的确传过来了
[root@localhost key]# cd /etc/pki/CA
[root@localhost CA]# ls
cacert.pem certs crl newcerts private
[root@localhost CA]#
客户机使用https保护网站
原理:比如人们访问网站http://test.feng.com,这个网站又搭建在客户机192.168.141.69上,那么客户机就需要向CA服务器申请到数字签名,这样安装了相应证书的电脑就可以访问https://test.feng.com了。刚刚我们的客户机已经成功申请到了数字签名,现在咱们在客户机上搭网站,只有一个默认网页“Testing……”,用来看证书使用效果即可。
安装apache和mod_ssl模块
[root@localhost key]# cd
[root@localhost ~]# yum install httpd mod_ssl -y
修改配置文件
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /root/key/https.crt
107 SSLCertificateKeyFile /root/key/https.key
122 SSLCACertificateFile /etc/pki/CA/cacert.pem
放行443端口和https服务,关闭selinux,重启apache服务
[root@localhost ~]# firewall-cmd --add-port={443,80}/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# setenforce 0
[root@localhost ~]#
[root@localhost ~]# systemctl restart httpd
这里重启apache服务要放到最后,否则会报错。
windows导入根CA证书
将根linux的证书(就是CA服务器生成的自签名证书,ca.feng.com的那个cacert.pem)导出到windows上,然后将后缀名改为.crt,打开后点击安装证书
[root@localhost ~]# yum install lrzsz -y
[root@localhost ~]# sz /etc/pki/CA/cacert.pem
[root@localhost ~]#
导出到自己电脑,如下图,改其后缀为crt,双击它开始安装证书。
如上图,打开这个CA的自签名证书后就可以看到,颁发者和颁发给都是ca.feng.com,且不受信任,证书信息的标志那里都是一个大大的红色叉叉,我们需要手动安装这个证书,安装到本地计算机后,就受信任了,表示本地计算机信任了这个证书机构给它自己办法的证书。
选择本地计算机,然后点击下一步
安装证书,最后下一步点完成
查看证书
win+r,输入certmgr.msc点击确定即可
我们安装的证书是CA的自签名证书,名字叫做ca.feng.com,安装好之后,我们的电脑会对这个CA机构产生充分的信任,且对于这个CA机构颁发给任何网站的证书都会信任。之前我们的客户机:192.168.141.69搭建了apache服务,也算是有了一个网站了,虽然其网站主页还是下面这个“Testing 123”的页面,但是这个不妨碍我们的浏览器对其网站证书进行安全分析。
如下图,我们打开https://192.168.141.69,会看到它的证书来自于ca.feng.com。之前我们的客户机192.168.141.69向CA服务器申请到的证书,现在就发挥了它的作用了,让我们的浏览器得以信任这个网站的证书,同时,由于mod_ssl模块是支持”https“中的“s”的,所以也能用https打开这个网址。
访问网站
吊销证书
吊销证书是CA机构做的事,我们不用去做,这里只做方法演示。吊销不会立即生效,要等网站重启。
在根CA上根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,然后吊销证书
# 吊销子客户端的证书 使用revoke 命令
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@localhost CA]#
指定第一个吊销证书的编号
(指定吊销证书的编号,只有在更新证书吊销列表之前,才需要操作)
# 这条命令与生成证书时指定证书serial 号码的作用是一致的。
# 就是说,指定下一个证书吊销时的编号。
[root@localhost CA]# echo 01 > /etc/pki/CA/crlnumber
[root@localhost CA]# cat /etc/pki/CA/crlnumber
01
[root@localhost CA]#
更新证书吊销列表
前面指定了证书吊销列表编号之后,就可以来更新证书吊销列表了。
[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #这里提示输入密码
[root@localhost CA]#
查看证书吊销列表的文件
[root@localhost CA]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=js/L=zj/O=feng/OU=tech/CN=ca.feng.com/[email protected]
Last Update: Feb 17 08:55:41 2019 GMT
Next Update: Mar 19 08:55:41 2019 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Feb 17 08:54:31 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
2e:c5:24:2e:00:ec:bb:58:b5:6a:87:49:7a:1d:f9:5d:e6:83:
bd:af:51:49:63:96:49:7a:c7:74:6d:bd:5f:fb:87:65:35:9d:
62:98:0a:42:56:19:67:9a:9f:1e:27:e1:dc:70:36:e6:32:c6:
02:e8:e8:25:1c:15:2e:ab:82:af:54:f7:80:bb:d2:dc:84:a3:
6f:b2:72:70:95:81:18:55:7e:c7:fc:fd:8b:5b:b2:d6:ab:c3:
64:64:89:38:86:dd:28:53:ea:36:64:05:84:88:62:77:a3:2f:
0e:ae:d6:76:64:de:ea:f6:8b:fa:eb:63:0e:ff:13:16:bc:b1:
62:bf:32:99:50:e5:86:2d:95:b8:e7:15:93:86:78:6f:b3:22:
6a:af:7b:43:9d:61:33:ac:65:c1:26:a4:6f:6d:74:91:69:69:
04:36:ca:7e:d0:42:45:12:07:37:4a:f1:2a:a8:45:01:a5:5b:
43:77:fb:6e:26:fc:16:09:d1:f3:44:2e:d0:e7:96:0a:75:af:
50:c2:b7:41:f5:9f:d2:0f:58:92:75:0b:81:d2:99:5c:5c:79:
6a:a8:59:b9:0e:cd:0a:e9:4f:f2:a4:8d:5a:d5:71:8d:6c:b4:
f2:f8:0b:7a:cf:9f:6e:43:b5:de:2a:15:84:0c:40:c0:3f:5a:
75:fb:f5:9c
[root@localhost CA]#
吊销不会立即生效,要等网站重启,这里在客户机重启apache服务
[root@localhost ~]# systemctl restart httpd
查看吊销后的结果
本篇到此结束。