這兩天學習了openssl在LInux中的使用,openssl是一款開源的加密工具,在Linux環境下,我們能夠利用它來搭建一個CA來實現認證的發放,可以用於企業內部使用的加密工具。在介紹openssl之前,首先描述一下關於“身份認證+資料加密”的實現方法原理。
如何?“身分識別驗證+資料加密”,請看下面的一張流程圖(自己畫得,比較簡陋)
整個加密過程:
發送方: 計算資料特徵值----> 使用私密金鑰加密特徵值 ---> 隨機產生密碼對稱式加密整個資料 ---> 使用接受方公開金鑰加密密碼
接收方: 使用私密金鑰解密密碼 ----> 解密整個資料 ----> 使用公開金鑰驗證身份 ----> 比較資料特徵值
但是存在一個問題,誰來管理公開金鑰,任何在互連網上傳播的資料都不安全,更不用說傳遞公開金鑰,它如果被篡改,那就無法驗證身份,所以不可能由使用者自己頒發公開金鑰。
這個時候需要有一個具有公信力的中間機構來做這份工作,那就是CA,由此引發了兩個概念:
CA : 憑證授權單位
PKI : 公開金鑰基礎設施,公開金鑰基礎構架
認證: 裡面存放了使用者的各種資訊,最核心的部分就是公開金鑰
但是還有一個問題,誰來給CA頒發公開金鑰,解決方案是,CA自己給自己頒發公開金鑰。。。
下面是用openssl這個強大的工具,在linux下構建一個CA,來實現認證管理,我們用一個web伺服器端作為需要認證的用戶端
1.首先我們來給CA產生一個私密金鑰
切換到/etc/pki/CA/目錄,使用openssl命令給自己產生一個私密金鑰
[root@server56 openssl]# cd /etc/pki/CA/[root@server56 CA]# lsprivate[root@server56 CA]# (umak 66;openssl genrsa 2046 > private/cakey.pem)-bash: umak: command not foundGenerating RSA private key, 2046 bit long modulus.............................+++..+++e is 65537 (0x10001)
2. CA需要一個自簽認證,所以我們給它使用openssl命令產生一個自簽認證
[root@server56 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pemYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [GB]:CN # 輸入你的各項資訊,國家 , 省或州,地區,公司,單位,網域名稱,郵箱地址State or Province Name (full name) [Berkshire]:Henan Locality Name (eg, city) [Newbury]:ZhengzhouOrganization Name (eg, company) [My Company Ltd]:LINUXOrganizational Unit Name (eg, section) []:TechCommon Name (eg, your name or your server's hostname) []:www.rhce.com #需要注意的是,這個網域名稱是FQDN(完全限定網域名稱)Email Address []:ca@rhce.com[root@server56 CA]# lscacert.pem private
3.編輯CA設定檔,它位於etc/pki/tls/openssl.cnf,它的作用是指定你的CA所在目錄,更改預設屬性值
[root@server56 CA]# vim /etc/pki/tls/openssl.cnf[ CA_default ]dir = ../../CA # Where everything is kept **************CA路徑 ,修改為絕對路徑certs = $dir/certs # Where the issued certs are kept ×××××××發給其他的人的認證 ,該目錄需要手動建立crl_dir = $dir/crl # Where the issued crl are kept ××××××憑證撤銷清單 不屬於必須建立的目錄database = $dir/index.txt # database index file. *****************存放產生認證檔案索引 需要手動建立的檔案#unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.new_certs_dir = $dir/newcerts # default place for new certs. ××××××××××x新產生的認證存放地 需要手動建立 certificate = $dir/cacert.pem # The CA certificateserial = $dir/serial # The current serial number ××××××序號,需要自己建每一個認證都有一個序號需要自己建,並指定從幾開始crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRLcrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/cakey.pem# The private keyRANDFILE = $dir/private/.rand # private random number filex509_extensions = usr_cert # The extentions to add to the cert# req_extensions = v3_req # The extensions to add to a certificate request#########修改認證CSR與自己的匹配[ req_distinguished_name ]countryName = Country Name (2 letter code)countryName_default = CN #我修改為CN和CA的自簽認證對應countryName_min = 2countryName_max = 2stateOrProvinceName = State or Province Name (full name)stateOrProvinceName_default = Henan #同上localityName = Locality Name (eg, city)localityName_default = Zhengzhou #同上0.organizationName = Organization Name (eg, company)0.organizationName_default = Tech #同上
4.建立CA的相關目錄和檔案,指定序號起始數字,在上一步已經說明,它們在CA所在目錄建立
[root@server56 ~]# cd /etc/pki/CA/[root@server56 CA]# mkdir certs crl newcerts[root@server56 CA]# lscacert.pem certs crl newcerts private[root@server56 CA]# touch index.txt serial[root@server56 CA]# echo 01 > serial
5. 建立web伺服器的私密金鑰 ,因為是實驗,所有並不需要安裝web伺服器,你可以建立一個ssl目錄,我們假設它是一個web伺服器
[root@server56 CA]# cd /etc/httpd/[root@server56 httpd]# mkdir ssl[root@server56 httpd]# cd ssl/[root@server56 ssl]# (umask 66;openssl genrsa 2048 > web.key)Generating RSA private key, 2048 bit long modulus
6. 用戶端(web伺服器)請求獲得認證,用戶端如果想申請獲得認證的話,需要建立一個申請認證,傳遞給CA
[root@server56 ssl]# openssl req -new -key web.key -out web.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [Henan]:Locality Name (eg, city) [Zhengzhou]:Organization Name (eg, company) [RHCE]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:www.web.com Email Address []:www@web.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: # 請求認證需要在網路上傳遞,所以加密防止別人窺探,這裡留空因為我們只是實驗An optional company name []:
7. 在CA端給用戶端頒發認證,使用openssl命令
[root@server56 ssl]# openssl ca -in web.csr -out web.crt # 這個命令執行後,會顯示請求認證裡的資訊Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 9 04:46:25 2011 GMT Not After : Aug 8 04:46:25 2012 GMT Subject: countryName = CN stateOrProvinceName = Henan organizationName = RHCE organizationalUnitName = Tech commonName = www.web.com emailAddress = www@web.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B6:52:27:11:5B:BA:84:C8:56:4D:67:D7:B9:7A:CB:FE:45:CF:5A:02 X509v3 Authority Key Identifier: keyid:5C:4A:A2:EB:DD:3F:BB:08:41:A2:02:3F:98:A4:59:8B:78:47:AF:4FCertificate is to be certified until Aug 8 04:46:25 2012 GMT (365 days)Sign the certificate? [y/n]:y # 是否認同這個請求的用戶端,並授予認證1 out of 1 certificate requests certified, commit? [y/n]y # 升級認證資料庫Write out database with 1 new entriesData Base Updated
好了,看一下我們的認證把!就是那個.crt結尾的檔案
[root@server56 ssl]# lsserver.key web.crt web.csr web.key