标签:openssl
openssl协议简介
SSL(Secure Socket Layer)是netscape公司提出的主要用于web的安全通信标准。一般情况下的网络协议应用中,数据在机器中经过简单的由上到下的几次包装,就进入网络,如果这些包被截获的话,那么可以很容易的根据网络协议得到里面的数据。
SSL就是为了加密这些数据而产生的协议,可以这么理解,它是位与应用层和TCP/IP之间的一层,数据经过它流出的时候被加密,再往TCP/IP送,而数据从TCP/IP流入之后先进入它这一层被解密,同时它也能够验证网络连接俩端的身份。所以对网络中数据的加密解密的安全知识的理解就显得尤为重要。
一、信息安全的标准
网络信息安全与保密的三个要素(CIA):
保密性 完整性 可用性
除了CIA外,还有另外两个标准也被经常提醒:
真实性 可追溯性
二、加密方式和算法
(1)对称加密:采用单钥密码系统的加密方法,同一个密钥可以同时用作信息的加密和解密。
对称加密的算法:
DES : 数据加密标准(56位密钥)
3DES
AES :高级加密标准(128,192,256,384,512)
Blowfish
Twofish
IDEA
RC6
CAST5
对称加密的特性:
a)加密、解密使用同一口令;
b)将明文分隔成固定大小的块,逐个进行加密
对称加密的缺陷:
a)密钥过多;
b)密钥传输;
密钥交换、身份验正、数据完整性
(2)公钥加密:由对应的一对唯一性密钥(即公开密钥和私有密钥)组成的加密方法。
(公钥是从私钥中提取出来的。)
(公钥加密,只能私钥解密。私钥加密,也只能公钥解密。)
密钥:public key, secret key (p/s)
常用加密算法:
RSA, DSA, EIGamal
(DSA:只能用于身份验证)
(3)单向加密:不可逆的加密
单向加密特性:
定长输出: 无论原始数据是多大,结果大小都相同的
雪崩效应: 输入的微小改变,将会引起结果的巨大改变
单向加密算法:MD5(128位)、SHA1、SHA256、SHA384、SHA512
三、加密过程及原理
四、自建私有CA过程
A
①生成密钥
[root@bogon ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............+++
....+++
e is 65537 (0x10001)
[root@bogon ~]#
②自签证书
[root@bogon ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Zhenzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server‘s hostname) []:bogon
Email Address []:263607236@qq.com
③初始化环境(第一次必须)
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 >> /etc/pki/CA/serial (指定序列号从那个数字开始)
B
①节点申请证书:
(1) 节点生成请求
mkdir /etc/httpd/ssl
[root@bogon ~]# ls /etc/httpd/
conf/ conf.d/ logs/ modules/ run/ ssl/
②生成密钥对儿
[root@bogon ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................+++
................+++
e is 65537 (0x10001)
[root@bogon ~]#................+++
③、生成证书签署请求
[root@bogon ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Zhenzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server‘s hostname) []:bogon
Email Address []:263607236@qq.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:00woaioo
An optional company name []:00woaioo
C、 CA签署证书
①、验正证书中的信息;
②、签署证书
[root@bogon ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 3 21:05:10 2014 GMT
Not After : Apr 29 21:05:10 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = mageedu
organizationalUnitName = OPS
commonName = bogon
emailAddress = 263607236@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:6B:7E:1F:CD:78:D7:E6:9D:EE:65:86:E0:F0:8C:A3:64:4D:01:B2
X509v3 Authority Key Identifier:
keyid:1E:B0:D5:A7:25:BF:58:40:13:76:10:6B:8E:F6:7B:BA:AB:8D:86:5A
Certificate is to be certified until Apr 29 21:05:10 2017 GMT (1000 days)
Sign the certificate? [y/n]:
③、发送给请求者;
本文出自 “从零开始” 博客,请务必保留此出处http://zerofly.blog.51cto.com/4476065/1535137
加密、解密原理和openssl自建CA,布布扣,bubuko.com
标签:openssl
原文地址:http://zerofly.blog.51cto.com/4476065/1535137