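<p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">Preface</strong></span><br style="padding: 0px;margin: 0px" /></p> <p> <span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 16px"><span style="padding: 0px;margin: 0px">Before building your own CA, you need to understand the openssl tool, the SSL protocol, and the various encryption types.</span></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> SSL (Secure Socket Layer), currently at version 3.0, provides identity authentication and encrypted data transfer between a browser and a web server. It works between the transport layer and the application layers. Users can choose whether to use SSL for a transfer; choosing the SSL protocol calls the SSL library, and the port also changes.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><strong style="padding: 0px;margin: 0px">Encryption types</strong></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Symmetric encryption: encrypts the content of arbitrary data blocks and streams, using the same key for encryption and decryption. Typically the plaintext is turned into ciphertext by an algorithm and a key, and the receiver recovers the plaintext with the same key and algorithm.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Algorithms: DES, 3DES, AES (now the most widely used), Blowfish, Twofish, IDEA, RC6, CAST5<br /> Characteristics: the same passphrase is used for encryption and decryption; the plaintext is split into fixed-size blocks that are encrypted one by one<br /> Drawbacks: too many keys, insecure key transfer, key exchange, identity verification.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Public-key encryption: public and private keys come in pairs, and the public key is contained in the private key. The public key is called the public key and the private key the secret key. The sender asks the receiver for its public key, encrypts the data with that public key and sends it to the receiver, who decrypts it with the algorithm and the private key.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Drawback: encryption and decryption take too long, so it is generally not used for simple communication</span></p> <p><br style="padding: 0px;margin: 0px" /></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> One-way encryption: also called data-integrity checking. It extracts a fingerprint (digest) of the data and compares it with the earlier digest to make sure the data has not been tampered with</span></p> <p><br style="padding: 0px;margin: 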
0px" /></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Authentication protocols: used to establish the authenticity of the communicating parties.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">SSL session model</strong></span></p> <p> <span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai">The sender uses one-way encryption to obtain a digest of the data, signs the digest with its own private key and appends it to the data, then encrypts the whole package (data and digest) with symmetric encryption, encrypts the symmetric key with the receiver's public key, and sends that along with the package. The receiver decrypts the symmetric key with its own private key, uses it to decrypt the package and recover the data and the digest, recomputes the digest with the same algorithm, decrypts the signed digest with the sender's public key to verify the sender's identity, and compares the sender's digest with the recomputed digest to verify the integrity of the data</span>.</p> <p><br style="padding: 0px;margin: 0px" /></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">The openssl tool</strong></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px"> </strong></span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Symmetric encryption tool: openssl enc</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl command options:<br /> -e: encrypt; may be omitted, since encryption is the default.<br /> -des3: specifies the algorithm<br /> -salt: on by default; generates a string that is placed in front of the password before encrypting, which makes decryption harder.<br /> -a: process the data as base64; the encrypted output is base64-encoded<br /> -in: the file to read and encrypt<br /> -out: where to write the output<br /> -d: decrypt</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Examples:</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 
楷体_GB2312, SimKai"> Encrypt a file: openssl enc -e -des3 -a -salt -in test.sh -out ./test.txt<br /> Decrypt a file: openssl enc -d -des3 -a -salt -in test.txt -out ./test.sh </span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> One-way encryption: openssl dgst</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> -md5: hash with MD5<br /> -sha1: hash with SHA-1<br /> -out: where to save the resulting digest</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> <span style="padding: 0px;margin: 0px">Examples:</span></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl dgst -md5 test.sh or openssl dgst -md5 -out ./123a test.sh</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl dgst -sha1 test.sh</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai">User passwords: openssl passwd</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> -1: MD5-based hashing<br /> -salt: supply your own salt value.</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Generate random data: openssl rand -base64 4 or openssl rand -hex 4, which generates an 8-character random value</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> <span style="padding: 0px;margin: 0px"> </span><span style="padding: 0px;margin: 0px">Example:</span></span></p> <p><span 
style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl passwd -1 -salt `openssl rand -base64 4` 123456 </span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> </span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Generate private and public keys: openssl genrsa </span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Examples:</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> (umask 077;openssl genrsa -out ./mykey 2048) generates a 2048-byte private key file, mykey, readable only by the current user</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl rsa -in ./mykey -pubout: -pubout extracts the public key from the private key file</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">Building a private CA:</strong></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Server side:</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Generate a key</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Self-sign a certificate</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> <span style="padding: 0px;margin: 0px">Initialize the working environment</span></span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Node:</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> 
Generate a key pair</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Generate a certificate signing request</span></p> <p><span style="padding: 0px;margin: 0px;font-size: 16px;font-family: 楷体, 楷体_GB2312, SimKai"> Send the request to the CA</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> CA server:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Verify the requester's information: not needed for a self-built CA</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Sign the certificate</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Send the signed certificate to the requester</span> </p> <p><br style="padding: 0px;margin: 0px" /></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">Building the CA on the server side</strong></span></p> <p> <span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Generate the key:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Self-sign the certificate:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> req: generate a certificate signing request<br /> -new: new request<br /> -key /path/to/keyfile: the private key file to use<br /> -out /path/to/somefile: where to write the output<br /> -x509: generate a self-signed certificate<br /> -days n: validity in days<br /> openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> <strong style="padding: 0px;margin: 0px"> Record exactly the information entered when the certificate is created; if a request does not match it, signing will fail. It is advisable to edit the openssl.cnf file and send it to every requesting node</strong></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Initialize the working environment:<br /> touch /etc/pki/CA/{index.txt,serial}: create the required files<br /> echo 01 > /etc/pki/CA/serial: the serial number only needs to be created the first time</span></p> <p><br style="padding: 0px;margin: 0px" /></p> <p><span style="padding: 
0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">Requesting a certificate from a node:</strong></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px"> <span style="padding: 0px;margin: 0px"> </span></strong></span><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai">Generate the key:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> </span><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai">Generate the certificate signing request:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> Send the signing request file to the CA server</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">Signing the certificate on the CA server:</strong></span><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> <br /> </span><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai">Sign the certificate:</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> openssl ca -in /path/to/somefile.csr -out /path/to/somefile.crt -days N<br /> Send it to the requester:</span></p> <p><br style="padding: 0px;margin: 0px" /></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai;font-size: 18px"><strong style="padding: 0px;margin: 0px">CA certificate verification session model</strong></span></p> <p> <span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"> 
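After the TCP/IP connection is established, the server sends its CA-issued certificate to the client. The client uses the CA's public key to decrypt the CA signature; if it decrypts, the certificate is trusted. The client compares the decrypted data with a recomputed digest to ensure integrity, then checks that the host name matches the name of the applicant. Once verification passes, the client obtains the server's public key, uses it to encrypt a one-time symmetric key, and sends that to the server. The server then uses that key to encrypt the web page data it sends to the client.</span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai"><br style="padding: 0px;margin: 0px" /></span></p> <p><span style="padding: 0px;margin: 0px;font-family: 楷体, 楷体_GB2312, SimKai">The above is the general procedure for building a CA; please let me know if anything is missing.</span></p> <p></p> Last modified: December 10, 2021, 10:53 AM © Reposting permitted with attribution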
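<p>The CA procedure described above (CA key and self-signed certificate, index.txt and serial, node key and CSR, signing with openssl ca), run end to end as an added example that is not part of the original post. The file ca.cnf, the subjects, the host names and the temporary directory standing in for /etc/pki/CA are constructed for illustration; the policy_match section mirrors the match policy of the stock openssl.cnf, and the second request shows the signing failure the post warns about when the entered information differs from the CA's.</p>

```shell
# Added example: throwaway private CA; all names and subjects are constructed.
CA_DIR=$(mktemp -d)    # stands in for /etc/pki/CA
ca_init() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
serial = $CA_DIR/serial
certificate = $CA_DIR/cacert.pem
private_key = $CA_DIR/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048) 2>/dev/null
    openssl req -new -x509 -config "$CA_DIR/ca.cnf" -days 3655 \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=Beijing/O=Example Org/CN=Example Root CA"
}

# sign_csr ORG CN: node key + CSR, then CA signing; returns openssl ca's status
sign_csr() {
    (umask 077; openssl genrsa -out "$CA_DIR/$2.key" 2048) 2>/dev/null
    openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/$2.key" \
        -out "$CA_DIR/$2.csr" -subj "/C=CN/ST=Beijing/O=$1/CN=$2" || return 1
    openssl ca -batch -config "$CA_DIR/ca.cnf" -days 365 \
        -in "$CA_DIR/$2.csr" -out "$CA_DIR/$2.crt" 2>"$CA_DIR/$2.log"
}

ca_init
sign_csr "Example Org" www.example.test &&
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/www.example.test.crt"
sign_csr "Other Org" bad.example.test ||
    cat "$CA_DIR/bad.example.test.log"   # openssl's reason for refusing the CSR
```

<p>The first request is signed and verifies against cacert.pem; the second is refused because its organizationName differs from the CA certificate's. Remove the directory with rm -rf "$CA_DIR" when finished.</p>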