openssl and CA

Most of us go online every day. The pages we see are sent by a web server to the computer or mobile device we are using and rendered by the browser. Data between the web server and the local browser is carried by the HTTP protocol. HTTP, however, is not a secure transport: data travels in plaintext, so someone in the middle can capture the traffic exchanged between you and the web server with a packet sniffer. For merely reading the news this hardly matters, but when we shop on an e-commerce site and type in login and payment passwords it is very dangerous. In that case we need some way to keep the transmitted data secure, and on today's Internet traffic with such security requirements uses the HTTPS protocol. HTTPS inserts an SSL/TLS layer between HTTP and the transport layer, and SSL/TLS is designed precisely to protect the confidentiality and integrity of HTTP data.

As the figures below show, Taobao and even Baidu use HTTPS to keep their data secure.

[Figure: Taobao served over HTTPS]

[Figure: Baidu served over HTTPS]

So we now know that secure browsing means using HTTPS, and that HTTPS is simply HTTP wrapped in the security of SSL/TLS. How, then, does the SSL/TLS protocol communicate during this process?

How SSL/TLS communicates

SSL/TLS protocol architecture

[Figure: SSL/TLS protocol architecture]

The SSL/TLS handshake protocol

After the TCP three-way handshake has set up the connection used for HTTP, the SSL/TLS handshake must still complete before HTTPS communication is established.

The handshake shown above has four phases:

  • Phase 1: the client sends its request (Client Hello)
    First the client asks the server for an encrypted session. In this phase the client provides:

    • the protocol versions it supports
    • a client-generated random number, later used to derive the "session key"
    • the encryption methods (cipher suites) it supports
    • the compression methods it supports
  • Phase 2: the server responds (Server Hello)
    On receiving the request, the server replies with a message called Server Hello, which contains:

    • the protocol version that will be used
    • a server-generated random number, later used to derive the "session key"
    • the encryption method that will be used
    • the server certificate
    • a request for a client certificate (optional; required by banking and financial systems)
  • Phase 3: the client responds
    After receiving the server's reply, the client first validates the server certificate. If it was issued by an untrusted authority, its contents are not in order, or it has been revoked, the browser shows a warning and the user decides whether to continue.
    If the certificate is in order, the client uses the public key of the CA that issued it to verify the certificate and obtain the server's public key, then encrypts another freshly generated random number with the server's public key and sends it to the server. The message carries:

    • a new client-generated random number, encrypted with the server's public key
    • a change-cipher-spec notice, meaning everything that follows will be sent with the negotiated encryption method and key
    • the client's handshake-finished notice
      At this point the handshake has produced three random numbers, from which the session key is derived.
  • Phase 4: the server's final response
    Once the server has received the client's third random number, it computes the "session key" for this session and sends the client a final message with:

    • a change-cipher-spec notice, meaning everything that follows will be sent with the negotiated encryption method and key
    • the server's handshake-finished notice


The SSL/TLS handshake includes one crucial step: the client validates the server's certificate. The certificate carries the server's public key and is normally signed and issued by a CA; signing here means the CA encrypts the server's public key with its own private key before handing the certificate to the server. This process is CA certification, and on Linux we can carry it out with the open-source openssl tool. To make the material easier to follow, the rest of this post covers:

  • encryption and decryption
  • openssl
  • a CA certification lab

Encryption and decryption

Symmetric encryption
Encryption and decryption process

  • Encryption: the plaintext and the encryption key are fed through a cipher algorithm to produce the ciphertext.
  • Decryption: the ciphertext and the key are fed through the inverse of that algorithm to recover the plaintext; the decryption key is identical to the encryption key.

Symmetric algorithms: DES, 3DES, AES, Blowfish, Twofish, IDEA, RC6, CAST5

Properties of symmetric encryption

  • Encryption and decryption use the same key, so it is fast.
  • The data is split into fixed-size blocks that are encrypted one after another.

Drawbacks

  • Too many keys: every pair of communicating parties needs its own key.
  • Key distribution is hard: because the same key encrypts and decrypts, both sides must hold it, and the security of the distribution process cannot be guaranteed.
  • It cannot authenticate identity.
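The round trip described above, as an added shell example that is not part of the original post: openssl enc encrypts a constructed file with AES-256-CBC under a passphrase, the same passphrase recovers it, and a different one does not. The working directory, file names, passphrases and sample text are constructed for the demo; the -pbkdf2 option needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post: one symmetric round trip with the
# openssl enc subcommand. The working directory, file names, passphrases and
# the sample text are constructed for this demo.
set -eu

WORK=$(mktemp -d)
printf 'order 4711: pay 1200 to account 99\n' > "$WORK/plain.txt"

# Encrypt with AES-256-CBC. -salt makes the same passphrase give different
# ciphertext on every run; -pbkdf2 derives the key with PBKDF2 instead of the
# legacy EVP_BytesToKey scheme (openssl 1.1.1 or later).
enc_file() {  # passphrase infile outfile
    openssl enc -aes-256-cbc -salt -pbkdf2 -pass "pass:$1" -in "$2" -out "$3"
}

# Decrypt with the same passphrase; there is no other way in. Fails (non-zero)
# when the key is wrong, because the padding check at the end does not pass.
dec_file() {  # passphrase infile outfile
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" -in "$2" -out "$3" 2>/dev/null
}

# 0 if decrypting $2 with passphrase $1 reproduces the original file $3.
roundtrip_ok() {  # passphrase encfile original
    out=$(mktemp)
    if dec_file "$1" "$2" "$out" && cmp -s "$out" "$3"; then
        rm -f "$out"; return 0
    fi
    rm -f "$out"; return 1
}

enc_file 'correct horse battery staple' "$WORK/plain.txt" "$WORK/plain.enc"

if roundtrip_ok 'correct horse battery staple' "$WORK/plain.enc" "$WORK/plain.txt"; then
    echo "right key: plaintext recovered"
fi
if ! roundtrip_ok 'wrong key' "$WORK/plain.enc" "$WORK/plain.txt"; then
    echo "wrong key: decryption rejected"
fi
# What an observer on the wire sees: the "Salted__" header and ciphertext, not the order.
od -c "$WORK/plain.enc" | head -2
```

The block also illustrates the drawbacks listed above: whoever holds the passphrase can both read and forge such a file, and nothing in it says who produced it.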

Asymmetric encryption
Unlike symmetric algorithms, asymmetric encryption uses two keys, a public key and a private key. They come as a pair: ciphertext produced with the public key can only be opened with the private key, and vice versa. The key that is published is called the public key and the one kept secret is the private key. The public key can be derived from the private key, but the private key cannot be derived from the public key.

Asymmetric algorithms: RSA, DSA, ECC

What asymmetric algorithms are used for:

  • Encryption, against a man in the middle
    When A sends information to B and wants to keep it confidential, A encrypts it with B's public key before sending it. Only B's private key can open what A sent; nobody else holds B's private key, so nobody else recovers the plaintext. This method is commonly used to exchange keys.
  • Digital signatures, to verify identity
    The owner of a private key encrypts the plaintext with that key and publishes the plaintext, the ciphertext and the public key together. The recipient opens the ciphertext with the publisher's public key and compares the result with the plaintext; if they match, the plaintext was not tampered with in transit.

Drawbacks:
Asymmetric algorithms are far slower than symmetric ones. They are only suitable for encrypting small amounts of data; for bulk data they are normally combined with a symmetric algorithm.
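Both uses, as an added example that is not the post's own set of commands: genrsa and rsa produce B's key pair, pkeyutl encrypts a short secret for B that only B's private key opens, and dgst -sign / -verify signs the SHA-256 digest of a file with the private key and checks it with the public key, including a tampered copy that fails the check. The directory, file names and messages are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the two uses of an RSA key pair
# described above (encrypting for the key's owner, and signing so anyone can
# verify), done with openssl genrsa/rsa/pkeyutl/dgst. The directory, file
# names, the sample message and its tampered copy are constructed here.
set -eu

WORK=$(mktemp -d)

# B's key pair: the private key never leaves B (mode 600 via umask 077);
# the public key is published.
(umask 077; openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null)
openssl rsa -in "$WORK/b.key" -pubout -out "$WORK/b.pub" 2>/dev/null

# Use 1: A encrypts a small secret for B with B's public key (OAEP padding).
# RSA only wraps data shorter than the modulus, so in practice this carries a
# symmetric key, not bulk data.
encrypt_to() {  # pubkey infile outfile
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}
decrypt_with() {  # privkey infile outfile
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}

# Use 2: the key's owner signs the SHA-256 digest of a file with the private
# key; anyone holding the public key verifies. verify_file returns 0 only if
# the signature matches this exact file content.
sign_file() {  # privkey infile sigfile
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {  # pubkey infile sigfile
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

printf 'session key for today: 0123456789abcdef\n' > "$WORK/msg.txt"

# Confidentiality: only b.key opens what was encrypted to b.pub.
encrypt_to "$WORK/b.pub" "$WORK/msg.txt" "$WORK/msg.enc"
decrypt_with "$WORK/b.key" "$WORK/msg.enc" "$WORK/msg.dec"
cmp -s "$WORK/msg.txt" "$WORK/msg.dec" && echo "decrypted copy matches the original"

# Integrity and origin: the signature binds B's key to this exact message.
sign_file "$WORK/b.key" "$WORK/msg.txt" "$WORK/msg.sig"
verify_file "$WORK/b.pub" "$WORK/msg.txt" "$WORK/msg.sig" && echo "signature OK"

# A one-character change in transit is detected.
printf 'session key for today: 0123456789abcdeF\n' > "$WORK/tampered.txt"
if ! verify_file "$WORK/b.pub" "$WORK/tampered.txt" "$WORK/msg.sig"; then
    echo "tampered message: signature rejected"
fi
```

Note that dgst -sign does not "encrypt the plaintext" as the description above puts it; it hashes the file and signs the digest, which is why the signature stays small whatever the file size.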

One-way encryption (one-way hashing, hash algorithms)
A one-way hash takes data of any length and, through a one-way computation, produces a number of fixed length; the result is called the digest.

Properties of one-way hashing

  • Data of any length run through the same hash function yields a number of the same length.
  • Different inputs yield different digests, and the same input always yields the same digest.
  • Irreversibility: the input cannot be recovered from the digest, hence "one-way".
  • Avalanche effect: a tiny change to the input produces a completely different digest.

Uses of one-way hashing

  • Verifying data integrity: making use of the properties above, the sender of a file usually publishes the file's digest and the algorithm used on a public site. After receiving the data, the recipient hashes it with the same algorithm and compares the result with the published digest; if they match, the data is intact. The sender may also encrypt the digest with their private key and send it along with the data, and the recipient decrypts it with the sender's public key.

One-way hash algorithms: md5 (128 bit), sha1 (160 bit), sha224 (224 bit), sha256, sha384, sha512, CRC-32
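The properties above, measured with openssl dgst, as an added example that is not from the original post. The helper names sha256_of and hamming_hex and the sample inputs are constructed for the demo. Counting the bits that differ between the digests of two inputs that differ in a single bit shows the avalanche effect in numbers rather than by eye.

```shell
#!/bin/sh
# Added example, not from the original post: the digest properties listed
# above, measured with openssl dgst. The helper names (sha256_of, hamming_hex)
# and the sample inputs are constructed for this demo.
set -eu

# SHA-256 of stdin as 64 lowercase hex characters: the last field of the
# "SHA256(stdin)= ..." line (openssl 3 prints it as "SHA2-256(stdin)= ...").
sha256_of() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# Number of differing bits between two equal-length hex strings.
hamming_hex() {  # hexA hexB
    i=1; n=0
    while [ "$i" -le "${#1}" ]; do
        a=$(printf '%d' "0x$(printf '%s' "$1" | cut -c"$i")")
        b=$(printf '%d' "0x$(printf '%s' "$2" | cut -c"$i")")
        x=$((a ^ b))
        n=$((n + (x & 1) + ((x >> 1) & 1) + ((x >> 2) & 1) + ((x >> 3) & 1)))
        i=$((i + 1))
    done
    echo "$n"
}

# Fixed output length: the empty input and a 1 MiB input both give 64 hex digits.
d_empty=$(printf '' | sha256_of)
d_big=$(dd if=/dev/zero bs=1024 count=1024 2>/dev/null | sha256_of)
echo "empty input: $d_empty (${#d_empty} hex digits)"
echo "1 MiB input: $d_big (${#d_big} hex digits)"

# Avalanche effect: the two inputs differ in one bit ('0' is 0x30, '1' is 0x31),
# yet their digests differ in roughly half of their 256 bits.
d0=$(printf 'transfer 1000 to account 0' | sha256_of)
d1=$(printf 'transfer 1000 to account 1' | sha256_of)
echo "one-bit input change flipped $(hamming_hex "$d0" "$d1") of 256 digest bits"

# Determinism: the same input always hashes to the same digest, which is what
# makes a published digest usable as an integrity check.
d0_again=$(printf 'transfer 1000 to account 0' | sha256_of)
[ "$d0" = "$d0_again" ] && echo "same input, same digest"
```

A published digest only proves integrity if the digest itself reached you intact; that is why the last sentence above has the sender sign the digest, which the asymmetric example earlier does with dgst -sign.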


openssl

SSL/TLS relies on many cryptographic tools, including symmetric encryption, asymmetric encryption, certificates and integrity checks, to secure data; openssl is an open-source implementation of the SSL/TLS protocol.

openssl command [command_opts] [command_args]

  • command
    • enc: symmetric encryption
    • dgst: one-way hashing
    • rand: generate random numbers
    • genrsa: generate a private key
    • rsa: extract the public key
    • req: request a certificate
    • ca: issue/revoke certificates

The openssl tool set is installed by the following RPM packages

[root@7 ~]# rpm -qa "openssl*"
openssl-libs-1.0.1e-60.el7.x86_64
openssl-1.0.1e-60.el7.x86_64

openssl configuration file

/etc/pki/tls/openssl.cnf

CA certification lab

A key step of the SSL/TLS handshake is the client checking that the server's digital certificate is authentic and valid, so that the public key inside it can be relied on. Where does the certificate come from, and how do we know the one we received is legitimate? This needs an authority that everyone trusts to issue certificates to servers. That authority is the CA (Certificate Authority), and the certificates it issues are CA certificates. Issuing a digital certificate means the CA signs the applicant's public key with its own private key; the certificate contains the serial number, the signature algorithm identifier, the authority's digital signature, the authority's name, the public key, the issue date and so on. Some CAs are not authoritative enough for everyone to trust them directly. If such an organisation still wants to act as a CA, it asks an authority more trusted than itself to vouch for its identity, that is, to issue it a digital certificate, and thereby gains everyone's trust; we call it a sub CA. If the CA above it is authoritative enough to vouch for itself, it can self-sign, issuing a certificate to itself; that CA is a root CA.

To make the certification process clearer, we now walk through it with the openssl tool. The main steps are:

  • RootCA self-signs its certificate
  • SubCA requests a certificate from RootCA
  • RootCA issues SubCA's certificate
  • WebServer requests a certificate from SubCA
  • SubCA issues WebServer's certificate
  • Revoking a certificate

Lab network layout

[Figure: network diagram of the lab hosts]


  1. Inspect the certificate-related settings in the openssl configuration file
[RootCA CA]# awk '/^\[ ca \]/,/^\[ req \]/' /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
  2. Create the files RootCA needs
    Run on RootCA
# /etc/pki/CA before
[RootCA CA]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
# create the certificate database index.txt
[RootCA CA]# touch /etc/pki/CA/index.txt
# create the serial number file
[RootCA CA]# echo 00 > /etc/pki/CA/serial
# create a csr directory for certificate requests received from others
[RootCA CA]# mkdir /etc/pki/CA/csr
# /etc/pki/CA after
[RootCA CA]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── csr
├── index.txt
├── newcerts
├── private
└── serial
  3. Create RootCA's private key
    Run on RootCA
# create the private key with mode 600 (via umask 066) and encrypt it to guard against disclosure
[RootCA CA]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
......+++
......................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem: <= enter the passphrase
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem: <= enter it again
  4. RootCA self-signs its certificate
    Run on RootCA
[RootCA CA]# openssl req -new -x509 -days 72000 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <= country
State or Province Name (full name) []:yunnan <= state/province
Locality Name (eg, city) [Default City]:xuanwei <= city
Organization Name (eg, company) [Default Company Ltd]:zhubiaook.com <= organisation/company name
Organizational Unit Name (eg, section) []:IT <= department name
Common Name (eg, your name or your server's hostname) []:rootca.zhubiaook.com <= usually the domain name or hostname
Email Address []:zhubiaook@gmail.com <= e-mail address
  5. Create the files SubCA needs
    Run on the SubCA host
# create the database file that records issued certificates
[SubCA CA]# touch /etc/pki/CA/index.txt
# set the starting certificate serial number
[SubCA CA]# echo 99 > /etc/pki/CA/serial
# create a csr directory for certificate request files
[SubCA CA]# mkdir /etc/pki/CA/csr
  6. SubCA requests a certificate from RootCA
    • Generate SubCA's key
      Run on the SubCA host
[SubCA CA]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
....................................................+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  • Generate the certificate request
    Run on the SubCA host
[SubCA CA]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/csr/subca.csr
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <= country; the policy requires it to match RootCA's
State or Province Name (full name) []:yunnan <= state/province; the policy requires it to match RootCA's
Locality Name (eg, city) [Default City]:kunming
Organization Name (eg, company) [Default Company Ltd]:zhubiaook.com <= organisation; the policy requires it to match RootCA's
Organizational Unit Name (eg, section) []:sales
Common Name (eg, your name or your server's hostname) []:subca.zhubiaook.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  7. Send SubCA's request to RootCA for signing
# transfer it with scp
[SubCA CA]# scp /etc/pki/CA/csr/subca.csr root@172.18.17.201:/etc/pki/CA/csr/
root@172.18.17.201's password:
subca.csr 100% 1025 1.0KB/s 00:00
  8. RootCA issues SubCA's certificate
    Run on the RootCA host
# issue SubCA's certificate, valid for 10 years (3650 days)
[RootCA CA]# openssl ca -in /etc/pki/CA/csr/subca.csr -out /etc/pki/CA/certs/subca.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 10 07:06:23 2017 GMT
Not After : Sep 8 07:06:23 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = yunnan
organizationName = zhubiaook.com
organizationalUnitName = sales
commonName = subca.zhubiaook.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D4:DE:45:AE:89:B0:BD:FC:63:7E:C1:C7:48:CF:BC:52:5F:87:99:25
X509v3 Authority Key Identifier:
keyid:92:60:9B:C9:5A:CE:D3:E7:6A:3B:32:97:02:23:5B:27:BA:2D:E3:18
Certificate is to be certified until Sep 8 07:06:23 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  9. RootCA sends the certificate to SubCA
    Run on the RootCA host
# transfer it with scp and rename it to cacert.pem on arrival: SubCA is itself a CA, so the file must be named as /etc/pki/tls/openssl.cnf expects
[RootCA CA]# scp /etc/pki/CA/certs/subca.crt root@172.18.17.101:/etc/pki/CA/cacert.pem
root@172.18.17.101's password:
subca.crt 100% 4602 4.5KB/s 00:00
  10. Inspect SubCA's certificate
[SubCA CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=yunnan, L=xuanwei, O=zhubiaook.com, OU=IT, CN=rootca.zhubiaook.com/emailAddress=zhubiaook@gmail.com <= issuer
Validity
Not Before: Sep 10 07:06:23 2017 GMT
Not After : Sep 8 07:06:23 2027 GMT
Subject: C=CN, ST=yunnan, O=zhubiaook.com, OU=sales, CN=subca.zhubiaook.com <= issued to
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:2d:32:bb:06:b5:2b:58:f2:eb:a5:d4:47:12:
85:d4:dd:7d:a7:b3:21:88:60:dd:43:1e:59:fe:68:
76:df:93:6d:7a:f0:ef:76:49:b1:0a:e0:e0:f6:76:
e4:f1:50:cf:4b:f8:a8:a0:cc:78:af:61:1d:5d:14:
ec:8e:6a:5b:17:48:23:4e:6f:21:f7:e1:bd:fd:ee:
4c:aa:1a:a7:53:94:be:e5:9a:51:09:ab:f4:24:d3:
ad:46:f4:34:6a:c7:a1:1c:45:f7:93:64:f1:39:7f:
ce:30:75:5e:00:75:a1:87:45:5f:14:a9:1b:1f:6d:
0a:7d:2a:c7:17:fe:92:ae:01:bb:ff:be:ed:d6:4a:
b3:7a:3c:b4:0a:f5:f3:0d:f2:42:53:7d:db:58:41:
a2:44:54:02:f9:c5:81:9e:3e:87:33:12:7a:56:6d:
cd:55:38:60:f7:4e:da:aa:bf:cb:10:5d:95:ed:79:
c9:2a:e9:cc:35:e3:21:9f:7e:ed:d0:b2:d5:a8:77:
bf:44:19:a3:3e:f3:be:92:1e:de:c4:7f:a7:c4:b7:
f6:c1:8a:c2:fb:f8:9d:5e:3b:33:7c:98:12:ec:6d:
82:01:9d:8d:ee:9d:34:93:9c:b2:9d:21:cb:a2:89:
da:99:67:29:b8:11:8d:61:1b:0a:a8:e1:46:fb:92:
65:d7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D4:DE:45:AE:89:B0:BD:FC:63:7E:C1:C7:48:CF:BC:52:5F:87:99:25
X509v3 Authority Key Identifier:
keyid:92:60:9B:C9:5A:CE:D3:E7:6A:3B:32:97:02:23:5B:27:BA:2D:E3:18
Signature Algorithm: sha256WithRSAEncryption
b7:0a:c5:3e:81:26:f2:4b:65:ae:fb:d2:27:4d:ca:20:67:5c:
0a:cc:8a:82:ee:0c:68:05:f4:9e:da:ec:19:92:76:37:84:7e:
b8:ba:ed:93:e5:b4:86:c7:3c:3b:38:26:ee:85:78:26:83:59:
ca:e2:5d:80:51:92:60:45:50:1b:0e:e5:6c:fb:4c:10:54:df:
63:00:f9:43:29:4d:74:4b:9d:49:5f:99:99:ee:5b:88:f3:8e:
77:45:69:44:41:fe:c2:aa:83:7a:29:f8:71:9f:ba:b6:b1:1c:
83:14:7b:54:83:24:58:a2:80:2b:e8:ec:81:57:4b:7e:34:23:
e0:d7:90:0b:f5:b3:62:0b:cc:69:d9:2a:16:39:65:c0:88:ac:
dc:a7:94:ce:32:93:f0:a0:30:e8:f0:6a:6f:08:05:a9:06:3b:
0e:16:d1:b1:3e:dd:08:4f:1c:cb:3b:14:0a:39:73:c7:d6:bc:
ed:e9:f5:fd:ff:c3:ca:a4:89:81:78:e5:3f:7f:d3:fc:85:d0:
5a:cd:5b:40:8e:2f:62:c6:0f:69:59:13:f4:89:e8:12:ec:62:
42:d5:f3:64:7c:b8:65:49:82:e3:d7:19:ca:6d:00:39:e5:af:
31:00:95:49:fb:3a:fe:4f:4e:fd:8f:2b:95:0a:da:ef:a7:1a:
02:9c:4d:87
  11. WebServer requests a certificate from SubCA
    Run on the WebServer host
    • Generate the private key
# the private key is not encrypted here
[WebServer app]# (umask 066; openssl genrsa -out /app/webserver.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
............+++
e is 65537 (0x10001)
  • Create the certificate request
[WebServer app]# openssl req -new -key /app/webserver.key -out /app/websever.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN <= country
State or Province Name (full name) []:yunnan <= province
Locality Name (eg, city) [Default City]:xishuangbanna
Organization Name (eg, company) [Default Company Ltd]:zhubiaook.com <= organisation
Organizational Unit Name (eg, section) []:tourism
Common Name (eg, your name or your server's hostname) []:web.zhubiaook.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  12. WebServer sends its certificate request to SubCA for signing
    Run on the WebServer host
[WebServer app]# scp /app/websever.csr root@172.18.17.101:/etc/pki/CA/csr/webserver.csr
The authenticity of host '172.18.17.101 (172.18.17.101)' can't be established.
RSA key fingerprint is c4:e5:71:06:07:bf:48:3d:f3:38:79:5a:30:ac:d7:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.17.101' (RSA) to the list of known hosts.
root@172.18.17.101's password:
websever.csr 100% 1033 1.0KB/s 00:00
  13. SubCA issues WebServer's certificate
[SubCA CA]# openssl ca -in /etc/pki/CA/csr/webserver.csr -out /etc/pki/CA/certs/webserver.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 153 (0x99)
Validity
Not Before: Sep 9 12:23:02 2017 GMT
Not After : Sep 9 12:23:02 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = yunnan
organizationName = zhubiaook.com
organizationalUnitName = tourism
commonName = web.zhubiaook.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9A:A4:D2:14:53:22:84:2A:70:FB:12:F7:1B:1E:BB:59:B1:20:8A:3B
X509v3 Authority Key Identifier:
keyid:D4:DE:45:AE:89:B0:BD:FC:63:7E:C1:C7:48:CF:BC:52:5F:87:99:25
Certificate is to be certified until Sep 9 12:23:02 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  14. SubCA sends the certificate to WebServer
[SubCA CA]# scp /etc/pki/CA/certs/webserver.crt root@172.18.17.10:/app/
The authenticity of host '172.18.17.10 (172.18.17.10)' can't be established.
RSA key fingerprint is ac:1e:71:19:0f:5a:f1:56:b4:11:cd:cd:e7:39:d4:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.17.10' (RSA) to the list of known hosts.
root@172.18.17.10's password:
webserver.crt 100% 4486 4.4KB/s 00:00
  15. Copy the RootCA, SubCA and WebServer certificates to a Windows machine and import them into the browser's certificate store (rootca.crt under Trusted Root Certification Authorities, subca.crt under Intermediate Certification Authorities) to get a visual look at the certificate chain.

[Figure: the imported certificates in the Windows certificate store]

Viewing the certificate chain

[Figure: the certificate chain as shown by the Windows certificate viewer]

  16. Revoke a certificate
    If a server's key is lost, or for some other reason, the CA above it must revoke its certificate and publish the revocation.
    Here SubCA revokes WebServer's certificate.
    • Revoke the certificate
[SubCA CA]# openssl ca -revoke /etc/pki/CA/certs/webserver.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 99.
Data Base Updated
[SubCA CA]# cat /etc/pki/CA/index.txt
R 180909122302Z 170909124644Z 99 unknown /C=CN/ST=yunnan/O=zhubiaook.com/OU=tourism/CN=web.zhubiaook.com
  • Set the starting CRL number
[SubCA CA]# echo 10 > /etc/pki/CA/crlnumber
  • Regenerate the certificate revocation list
[SubCA CA]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  • Inspect the CRL file
[SubCA CA]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=yunnan/O=zhubiaook.com/OU=sales/CN=subca.zhubiaook.com
Last Update: Sep 9 12:53:26 2017 GMT
Next Update: Oct 9 12:53:26 2017 GMT
CRL extensions:
X509v3 CRL Number:
18
Revoked Certificates:
Serial Number: 99
Revocation Date: Sep 9 12:46:44 2017 GMT
Signature Algorithm: sha1WithRSAEncryption
5a:a2:bc:17:88:95:d0:ca:6b:99:7f:99:12:5b:c8:a9:b1:a8:
6a:9d:45:0a:7c:08:18:ad:b4:7d:50:d3:44:80:ec:5c:e2:9b:
21:d6:6f:bf:cb:b3:48:bd:1c:5d:17:0e:1d:43:83:c5:7a:d0:
73:60:9c:12:2a:86:db:14:9c:36:df:92:40:dc:8a:d7:8e:a2:
94:9f:e3:3b:11:12:00:0b:48:39:0b:54:33:d5:1b:10:88:bd:
a9:f3:09:89:3c:6a:e4:3d:b7:dc:74:a6:80:f9:86:90:1f:cd:
61:cc:44:37:f1:9c:41:87:b4:ae:43:b2:fc:ce:b5:9a:21:b3:
4e:82:42:18:bc:29:81:c7:7d:00:6c:17:66:55:67:57:48:21:
32:45:f8:77:dd:75:34:c6:87:a3:d2:bc:4b:48:9b:e7:57:2c:
41:27:fb:3c:8f:35:b9:b9:54:24:cb:41:5b:b7:96:d7:08:dc:
6e:a5:77:bf:d2:c1:5b:76:14:33:cd:0a:2a:90:87:8c:06:1d:
3f:2a:0f:01:82:da:c2:22:b5:b3:69:a4:79:b5:4a:85:c3:d5:
21:61:97:9d:e8:fc:94:11:0c:08:c3:37:6f:cd:ca:d1:56:9d:
c5:97:52:52:f5:15:c5:08:e7:27:16:ce:ad:e6:69:db:06:f3:
62:2b:f2:84

Viewed on Windows it looks like this:

[Figure: the CRL as shown by the Windows certificate viewer]
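The whole lab above as one non-interactive script, added here and not part of the original post. It builds RootCA, SubCA and WebServer under a temporary directory with its own openssl.cnf and unencrypted CA keys (constructed for the demo; the subject names are the post's lab values), then runs the two checks the post leaves to the Windows certificate viewer: openssl verify on the chain, and a CRL-aware check after revocation. It also exposes something visible in the post's own output: the SubCA certificate was issued with the default usr_cert extensions and carries "X509v3 Basic Constraints: CA:FALSE", so a conforming verifier refuses any certificate it signs. Issuing it with -extensions v3_ca (the standard openssl.cnf ships a v3_ca section with basicConstraints = CA:true) fixes that; the script issues both variants and shows that only the v3_ca one verifies.

```shell
#!/bin/sh
# Added example, not from the original post: the RootCA -> SubCA -> WebServer
# procedure above, re-run non-interactively in a temporary directory and then
# checked with openssl verify, CRL included. The directory layout, the local
# openssl.cnf and the unencrypted CA keys are constructed for this demo; the
# subject names reuse the post's lab values.
set -eu

# A CA directory laid out like /etc/pki/CA with its own openssl.cnf. v3_ca is the
# CA extension section the post's SubCA certificate was issued without;
# unique_subject = no lets the root issue both variants to the same subject.
new_ca_dir() {  # dir
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/csr"
    (umask 077; mkdir -p "$1/private")
    : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
unique_subject = no
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_crl_days = 30
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}
# CSR from an existing key; $3 is the subject DN.
make_csr() {  # key csr subject cfg
    openssl req -new -key "$1" -out "$2" -subj "$3" -config "$4"
}
# Sign a CSR as the CA in $1; $4 selects the extension section (usr_cert or v3_ca).
sign_csr() {  # cadir csr outcert extsection days
    openssl ca -config "$1/openssl.cnf" -batch -notext -in "$2" -out "$3" \
        -extensions "$4" -days "$5" 2>/dev/null
}
# 0 if the leaf chains to the trusted root through the given intermediate.
chain_ok() {  # rootcert intermediate leaf
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
# Revoke a certificate issued by CA $1 and publish a fresh CRL.
revoke_and_publish() {  # cadir cert
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}
# 0 if a CRL-aware check reports the leaf as revoked.
reported_revoked() {  # rootcert intermediate crl leaf
    openssl verify -crl_check -CAfile "$1" -untrusted "$2" -CRLfile "$3" "$4" 2>&1 \
        | grep -q 'certificate revoked'
}
# Build the whole lab under $1: RootCA, SubCA (two certificates), WebServer.
build_lab() {  # topdir
    root=$1/rootca; sub=$1/subca; web=$1/webserver
    new_ca_dir "$root"; new_ca_dir "$sub"; mkdir -p "$web"
    openssl genrsa -out "$root/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$root/openssl.cnf" -extensions v3_ca \
        -key "$root/private/cakey.pem" -out "$root/cacert.pem" \
        -subj "/C=CN/ST=yunnan/L=xuanwei/O=zhubiaook.com/OU=IT/CN=rootca.zhubiaook.com"
    openssl genrsa -out "$sub/private/cakey.pem" 2048 2>/dev/null
    make_csr "$sub/private/cakey.pem" "$root/csr/subca.csr" \
        "/C=CN/ST=yunnan/L=kunming/O=zhubiaook.com/OU=sales/CN=subca.zhubiaook.com" "$sub/openssl.cnf"
    sign_csr "$root" "$root/csr/subca.csr" "$root/certs/subca-as-in-post.crt" usr_cert 3650  # CA:FALSE
    sign_csr "$root" "$root/csr/subca.csr" "$sub/cacert.pem" v3_ca 3650                    # CA:TRUE
    openssl genrsa -out "$web/webserver.key" 2048 2>/dev/null
    make_csr "$web/webserver.key" "$sub/csr/webserver.csr" \
        "/C=CN/ST=yunnan/L=xishuangbanna/O=zhubiaook.com/OU=tourism/CN=web.zhubiaook.com" "$sub/openssl.cnf"
    sign_csr "$sub" "$sub/csr/webserver.csr" "$web/webserver.crt" usr_cert 365
}

LAB=$(mktemp -d); build_lab "$LAB"
R=$LAB/rootca/cacert.pem; S=$LAB/subca/cacert.pem; W=$LAB/webserver/webserver.crt
chain_ok "$R" "$LAB/rootca/certs/subca-as-in-post.crt" "$W" || echo "usr_cert intermediate (CA:FALSE): chain rejected"
chain_ok "$R" "$S" "$W" && echo "v3_ca intermediate (CA:TRUE): chain OK"
revoke_and_publish "$LAB/subca" "$W"
reported_revoked "$R" "$S" "$LAB/subca/crl/crl.pem" "$W" && echo "after revocation: certificate revoked"
```

The chain check mirrors what a browser does with the imported certificates in step 15: the root is the only trust anchor, the SubCA certificate is supplied as an untrusted intermediate, and the WebServer certificate is the leaf. The CRL check is the piece the post's step 16 produces but never consumes; a client only learns about the revocation if it fetches and applies that CRL.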