标签:openssl
数据加密、CA、OpenSSL
SSL security socket layer,安全套接字层
openssl (软件)
加密算法和协议:
对称加密:加密和解密使用同一密钥;(依赖于算法和密钥,其安全性依赖于密钥而非算法)
常见算法:des 3des(常用) idea cast5
特性:加密、解密使用同一密钥;将明文分隔成固定大小的块,逐个进行加密
缺陷:密钥过多和密钥分发
非对称加密:
密钥对儿:公钥(public key)和私钥(secret key)
公钥从私钥中提取而来,使用公钥加密的数据,只能使用私钥解密,反之亦然
用处:
身份认证:私钥拥有者使用自己的私钥加密的数据,只要使用其公钥就能解密,即可认证其身份(数据签名)
密钥交换:与被通讯方通信之前,获取到对方的公钥,自己产生一个密钥,用对方的公钥进行加密并发送给对方
数据加密
算法:DSA RSA elgamal
特性:
密钥长度较大,如:512bits,2048bits,4096bits
加密解密分别使用密钥对儿中密钥进行
常用于数据签名和密钥交换
单向加密:
提取数据特征码
特性:
定长输出:无论原来的数据有多大,其加密长度一致
雪崩效应:原始数据的微笑改变,将会导致其结果巨大的变化
不可逆
算法:
MD5 SHA1 SHA256、285、512
用处:数据完整性
密钥交换:DH算法、公钥加密
数字签名:第三方具有公信力的机构CA颁发盖戳
数字证书:
CA:签证机构
功用:保证公钥信息安全分发
数字证书的格式(x.509 V3):
版本号(version)
序列号(serial number):CA用于唯一标示此证书
签名算法标志(signature algorithm indentifier)
发行者的名称:即CA自己的名称
有效期:两个日期,起始日期--终止日期
证书主体公钥信息:证书拥有者自己的公钥
发行商的唯一标识
证书主体的唯一标识
扩展信
签名:CA对此证书的数字签名
PKI public key infrastructure公钥基础设施:
签证机构:CA
注册机构:RA
证书吊销列表:CRL
证书存取库
openssl组成部分
libcrypto:加密、解密库文件
libssl:ssl协议的实现
openssl:多用途命令行工具,每种功能都是使用其子命令来实现
openssl子命令分类:
标准命令
消息摘要命令
加密、解密命令
对称加密:enc
单向加密:dgst
生成密码:passwd
生成随机数:rand
对称加密文件:
算法:des 3des aes blowfish twofish idea cast5
加密格式:openssl enc -e -加密算法名字(如 -des3) -a -salt -in /somefile -out /somefile
例如:
[root@localhost tmp]# openssl enc -e -des3 -a -salt -in fstab -out fstab1.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost tmp]# cat fstab1.enc
U2FsdGVkX19mydKMlYYfaTsgvvPkBmSXxWw2Bwz5LANINM1551tpEFBC3rUn+Oh2
jIUxsTqa1kkxSzdq3qse1bMmygkAp03TmgPjXzXT10j6iej8dp05ZcapoC/p8K/b
.....
解密格式:openssl enc -d -加密算法名字(如 -des3) -a -salt -in /somefile -out /somefile
例如:
[root@localhost tmp]# rm -rf fstab
[root@localhost tmp]# openssl enc -d -des3 -a -salt -in fstab1.enc -out fstab
enter des-ede3-cbc decryption password:
[root@localhost tmp]# ls fstab
fstab
单向加密:
提取数据特征码
算法:MD5 SHA1 SHA256、285、512
格式:openssl dgst -CIPHERNAME FILE
例如:
[root@localhost tmp]# openssl dgst -md5 fstab
MD5(fstab)= f1d433a822b392a58c3e8d494030a4c1
MD5加密方式还有另外一个命令:
[root@localhost tmp]# md5sum fstab
f1d433a822b392a58c3e8d494030a4c1 fstab
另外还有sha1sum sha224sum sha256sum sha384sum sha512sum
生成密码:
#openssl passwd -1 -salt 12312312
-1 数字1;使用MD5加密
-salt 添加杂质
可以man sslpasswd查看帮助
例如:
[root@localhost tmp]# openssl passwd -1 -salt 123
Password:
$1$123$j3JbtX1YPyIbwi6uXUORh.
在/etc/shadow中的密码部分是使用八位随机数做杂质,然后进行加密
生成随机数:
rand 可以man sslrand查看帮助
格式:openssl rand -base64|-hex NUM
-hex 16进制编码
-base64 使用base64编码
[root@localhost tmp]# openssl passwd -1 -salt $(openssl rand -hex 4)
Password:
$1$d0aefc7d$Sc6SE2Ywa25LvxU0UM4hW.
这个结果就像/etc/shadow中的密码部分(把生成的随机数作为生成密码的salt参数)
搭建私有CA:
由于证书的申请费用很贵,而且我们只是在公司内部使用,所有没有必要花钱购买,自建私有的即可
配置服务器端:
配置文件:/etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to ‘no‘ to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
配置文件中,可以修改一些默认值,如:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX 修改国家
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Default Province 修改省份
localityName = Locality Name (eg, city)
localityName_default = Default City 修改城市
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd 修改公司名
organizationalUnitName = Organizational Unit Name (eg, section) 修改部门名
...还有EMAIL等,也可以不修改,等下手动输入
大致步骤:
1、生成私钥
2、生成自签署文件
3、提供辅助性文件
私钥用于签发证书时,向证书添加数字签名时使用
证书:每个通信方都导入证书至“受信任的根证书颁发机构”
1、生成私钥
生成的私钥保存在/etc/pki/CA/private/cakey.pem
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............................+++
.............+++
e is 65537 (0x10001)
2、生成自签署文件
使用openssl req命令
-new 生成新证书请求
-x509 特指生成根证书,而不是证书请求(通常只有CA服务器中才这么做)
-key /path/from/file_key.pem 配置文件已定义,在/etc/pki/CA/private/cakey.pem
-out /path/to/file_key.pem 配置文件已定义,/etc/pki/CA/cacert.pem
-days # 证书有效期限
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:apusic
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server‘s hostname) []:ca.apusic.com
Email Address []:caadmin@apusic.com
3、提供辅助性文件
index.txt为证书索引数据库文件
serial为证书序列号文件,要给出一个初始值
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 >serial
以上服务器搭建完毕
给节点颁发证书:
1、节点申请证书
在申请证书的主机上操作:
A、生成私钥
B、生成证书签署请求
C、把证书签署请求发送给CA
2、CA签发证书
在CA服务器中操作:
A、验证请求者信息
B、签署请求
C、把签好的证书还给申请者
节点申请证书:
节点申请证书的主机上操作:
使用同一台主机做实验,创建目录/etc/httpd/ssl
[root@localhost ssl]# pwd
/etc/httpd/ssl
A、生成私钥
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..............++++++
........++++++
e is 65537 (0x10001)
B、生成证书签署请求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:apusic
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server‘s hostname) []:web.apusic.com
Email Address []:webadmin@apusic.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: #直接回车设置空密码
An optional company name []:
C、把证书签署请求发送给CA
由于我们是同一台机,不需要复制,如果是不同的机子可以使用scp或者其他命令复制到CA服务器中
CA签发证书:
CA服务器中操作
A、验证请求者信息,省略
B、签署请求
[root@localhost ssl]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 8 16:19:50 2015 GMT
Not After : Dec 5 16:19:50 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = apusic
organizationalUnitName = ops
commonName = web.apusic.com
emailAddress = webadmin@apusic.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
52:8B:9D:58:C3:07:A2:A1:83:78:47:64:CA:58:28:ED:A0:75:6A:8F
X509v3 Authority Key Identifier:
keyid:46:B2:19:78:01:C8:30:CD:E8:E4:52:B8:46:FD:75:2E:60:C0:8F:7B
Certificate is to be certified until Dec 5 16:19:50 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y #确认签署y即可
Write out database with 1 new entries
Data Base Updated
C、把签好的证书还给申请者
同一台主机,输出时直接使用绝对路径写入了,不需要额外再复制
/etc/pki/CA中几个目录的作用:
certs 证书存放路径
crl 已吊销的证书存放路径
newcerts 新证书存放路径
private 根证书私钥存放路径
吊销证书的方法:
1、获取吊销证书序列号
index.txt中保存序列号
[root@localhost CA]# cat index.txt
V 251205161950Z 01 unknown /C=CN/ST=guangdong/O=apusic/OU=ops/CN=web.apusic.com/emailAddress=webadmin@apusic.com
[root@localhost CA]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guangdong/O=apusic/OU=ops/CN=web.apusic.com/emailAddress=webadmin@apusic.com
x509 指证书类型
-in /path/from/certificate_file.crt 指定要吊销的证书
-noout 不输出多余的信息
-serial 输出序列号
-subject 输出摘要信息
查看CA中index.txt的信息是否跟要吊销的证书信息一致
2、实现吊销证书
A、吊销
B、生成吊销证书编号
C、更新证书吊销列表
A、吊销
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
B、生成吊销证书编号
[root@localhost CA]# echo 01 > /etc/pki/CA/crlnumber #路径和文件名不可改变,配置文件中已定义
第一次执行证书吊销要创建吊销列表文件,并传递初始值
C、更新证书吊销列表
[root@localhost crl]# pwd
/etc/pki/CA/crl #切换到crl目录操作,自动生成吊销列表
[root@localhost crl]# openssl ca -gencrl -out ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
查看吊销列表:
[root@localhost crl]# openssl crl -in /etc/pki/CA/crl/ca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=guangdong/L=shenzhen/O=apusic/OU=ops/CN=ca.apusic.com/emailAddress=caadmin@apusic.com #证书信息
Last Update: Dec 8 16:47:14 2015 GMT
Next Update: Jan 7 16:47:14 2016 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01 #证书序列号
Revocation Date: Dec 8 16:39:03 2015 GMT #吊销时间
Signature Algorithm: sha1WithRSAEncryption
7a:23:a3:23:67:b0:1e:8a:f5:68:2b:7c:ac:af:3d:a5:d0:65:
1c:7a:59:59:fd:0b:71:23:f3:bb:e0:00:48:84:20:47:d9:5e:
6e:09:c2:9c:fb:0a:3d:6e:61:17:c4:53:59:76:c8:17:e2:20:
9e:db:e9:c5:98:f0:4e:08:62:1d:87:d3:d2:1a:91:b2:f8:f8:
d9:f2:52:f2:ee:1c:99:72:83:41:ca:a5:2c:4d:2e:e8:56:74:
85:67:39:13:bc:42:4c:71:e0:c5:b8:52:0c:f8:32:a6:92:fd:
63:11:8d:a0:5f:47:ec:80:fa:6f:a1:42:14:35:2e:e7:c6:c7:
b2:b9:05:c1:c7:3c:a7:7f:ee:7f:51:7f:b5:c3:33:a5:6a:30:
84:7f:b9:ff:e2:36:e7:b1:1c:02:fe:f7:e6:59:7b:57:3b:13:
50:b9:b0:bc:e6:f7:3b:6c:da:b5:c4:8e:58:ee:00:22:b6:7b:
d8:bb:cb:20:a7:72:8d:7a:87:0e:ee:77:58:78:0b:03:24:56:
a2:5c:52:0d:60:4a:e5:b6:87:a7:64:b8:2a:70:91:28:fe:42:
d7:04:29:75:9b:5c:10:57:67:0f:9e:c6:b0:bd:a5:f7:d3:86:
d7:ef:09:49:5c:ea:95:f2:9c:8a:eb:de:96:bb:99:e0:cf:7f:
ec:5c:2c:10
#签名信息
标签:openssl
原文地址:http://wangkunpeng.blog.51cto.com/1538469/1721150
