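Environment
Win7, plus CentOS 8 with OpenSSL running in a virtual machine
OpenSSL is an open-source, widely used cryptographic toolkit. It is powerful and comprehensive: it covers the main cryptographic algorithms, common key and certificate management functions, and the SSL protocol, and it ships a rich set of command-line applications for testing and other purposes.
First, log in to the virtual machine and check the OpenSSL version information: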
openssl version -a
OpenSSL 1.1.1c FIPS 28 May 2019
built on: Fri Apr 24 03:32:11 2020 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
From the output above we can read OPENSSLDIR, which tells us where the OpenSSL configuration file is:
vim /etc/pki/tls/openssl.cnf
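Search for CA_default to see the commonly used settings:
I. Create the root CA certificate
1. Create the directories and files the root CA needs
Following the screenshot above, create each directory and file.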
mkdir -p /etc/pki/CA
cd /etc/pki/CA
mkdir -pv /etc/pki/CA/certs /etc/pki/CA/crl /etc/pki/CA/newcerts /etc/pki/CA/private
touch /etc/pki/CA/serial /etc/pki/CA/index.txt
2. Set the starting serial number for issued certificates
echo 01 >> /etc/pki/CA/serial
3. Generate the root CA's private key (note: the key's file name and location must match the settings in the configuration file)
umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
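4. Generate the self-signed certificate, i.e. the root CA certificate (which carries the CA's public key). Its location must also match the settings in the configuration file, and you have to fill in the requested information when generating it.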
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Xinfei Co.,LTD
Organizational Unit Name (eg, section) []:IT department
Common Name (eg, your name or your server's hostname) []:Ouyang Root CA //for a root certificate, a domain name is not needed here
Email Address []:vsiryxm@163.com
The root CA certificate cacert.pem is now created.
5. Convert the certificate format
openssl x509 -outform der -in /etc/pki/CA/cacert.pem -out /etc/pki/CA/cacert.crt
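More on format conversion: https://blog.csdn.net/u010358168/article/details/83508851
II. Create the key pair for server A, the server that needs a certificate
Generate a private key on the server that needs the certificate, then use that private key to generate a certificate signing request.
1. Generate the private key (PEM format)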
cd ~
umask 077; openssl genrsa -out my_server.key 2048
2. Generate the certificate signing request (CSR, which contains the public key)
openssl req -new -key my_server.key -out my_server.csr -days 365
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Xinfei Co.,LTD
Organizational Unit Name (eg, section) []:IT department
//Note: all of the information above must match the root certificate for this to count as a certificate issued by the root CA
Common Name (eg, your name or your server's hostname) []:*.test.com
Email Address []:vsiryxm@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
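A challenge password []: //just press Enter
An optional company name []: //just press Enter
Note: the following fields must match the root CA certificate, which shows that this certificate was issued by the root CA organization.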
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Xinfei Co.,LTD
Organizational Unit Name (eg, section) []:IT department
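3. Send the private key and the public key (i.e. the certificate signing request) to the root CA host through a reliable channel.
III. Issue the certificate on the root CA server
1. Create a req folder and save the key files generated by server A in this directory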
mkdir /etc/pki/CA/req
cd /etc/pki/CA/req
2. Issue the certificate
openssl ca -in /etc/pki/CA/req/my_server.csr -out /etc/pki/CA/certs/my_server.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 6 11:22:50 2020 GMT
Not After : Jul 6 11:22:50 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = Xinfei Co.,LTD
organizationalUnitName = IT department
commonName = *.test.com
emailAddress = vsiryxm@test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
82:CE:A8:E7:F0:CB:54:06:C3:33:F6:3A:70:6F:1F:F5:94:D3:D8:FC
X509v3 Authority Key Identifier:
keyid:CA:0F:2A:B8:84:0E:A4:CC:DC:E2:C4:07:6D:89:E9:C3:96:CA:87:CF
Certificate is to be certified until Jul 6 11:22:50 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3. View the certificate's key information
openssl x509 -in /etc/pki/CA/certs/my_server.crt -noout -serial -subject
serial=01
subject=C = CN, ST = Shanghai, O = "Xinfei Co.,LTD", OU = IT department, CN = *.test.com, emailAddress = vsiryxm@test.com
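View the full certificate content
From the content below we can see the Issuer, the Subject (who the certificate is for, here the test.com domain on server A), the signature algorithm, and server A's public key.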
cat /etc/pki/CA/certs/my_server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, L=Shanghai, O=Xinfei Co.,LTD, OU=IT department, CN=Ouyang Root CA/emailAddress=vsiryxm@163.com
Validity
Not Before: Jul 6 11:22:50 2020 GMT
Not After : Jul 6 11:22:50 2021 GMT
Subject: C=CN, ST=Shanghai, O=Xinfei Co.,LTD, OU=IT department, CN=*.test.com/emailAddress=vsiryxm@test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
82:CE:A8:E7:F0:CB:54:06:C3:33:F6:3A:70:6F:1F:F5:94:D3:D8:FC
X509v3 Authority Key Identifier:
keyid:CA:0F:2A:B8:84:0E:A4:CC:DC:E2:C4:07:6D:89:E9:C3:96:CA:87:CF
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
4. Convert to PFX format (a bundle that includes the private key)
openssl pkcs12 -export -out /etc/pki/CA/certs/my_server.pfx -inkey /etc/pki/CA/req/my_server.key -in /etc/pki/CA/certs/my_server.crt
You are prompted to set a password (a program needs this password when it reads the my_server.pfx file)
Enter Export Password:
Verifying - Enter Export Password: // the test password used here is 123456Abc
5. Convert to a .cer file (the DER-encoded certificate, which carries the public key)
openssl x509 -inform pem -in /etc/pki/CA/certs/my_server.crt -outform der -out /etc/pki/CA/certs/my_server.cer
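Parameter meanings:
-inform pem: the input file my_server.crt is PEM-encoded, so it has to be read as PEM.
-outform der: the output file my_server.cer is written in DER encoding.
6. View the .cer certificate information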
openssl x509 -in /etc/pki/CA/certs/my_server.cer -inform der -text -noout
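The result is essentially the same as the full certificate content shown in step 3 above, except that the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is not included.
Or, for the PEM-encoded my_server.crt, where -inform can be omitted because PEM is the default input format:
openssl x509 -in /etc/pki/CA/certs/my_server.crt -text -noout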
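At this point the certificate for server A has been issued. Just send the signed certificate /etc/pki/CA/certs/my_server.cer to server A, and server A can start using it.
IV. Testing
1. Install the root certificate
Double-click the root certificate cacert.crt and click the "Install" button.
3. Check the root certificate
Run > certmgr.msc
Note:
The root certificates preinstalled in the operating system all belong to internationally recognized authorities, and each one passes a strict review process before it is installed in the system. If one of these authorities leaks its private key and users suffer losses as a result, it bears legal liability.
4. Install server A's certificate
1) Copy the certificate my_server.crt and the private key my_server.key to the directory D:\phpstudy_pro\Extensions\Nginx1.15.11\conf\ssl
2) In the local phpStudy panel, create a new site www.test.com that points to the directory D:/web/php-study, with a configuration file like this: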
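server {
#listen 80;
listen 443 ssl; # enable SSL on this listener (replaces "ssl on;", obsolete since nginx 1.15.0)
server_name www.test.com test.com; # the *.test.com certificate covers www.test.com but not the bare test.com
ssl_certificate ssl/my_server.crt;
ssl_certificate_key ssl/my_server.key;
ssl_session_timeout 5m; # how long a client may reuse session parameters
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols offered; TLSv1 and TLSv1.1 are deprecated (RFC 8996)
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # cipher suites
ssl_prefer_server_ciphers on;
root "D:/web/php-study";
}
Create a phpinfo.php file whose content is just a call to phpinfo()
5. Visit https://www.test.com/phpinfo.php and you will see the little green padlock, hahaha......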
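V. Summary
1. From the certificate content shown above, we can see that a certificate stores the following:
- Issuer: the CA organization's information, including country, city, company name, department, root certificate name, and so on;
- Subject (the certificate's user): who the certificate was issued to, including the domain names it may be used for, the user's public key (i.e. the server's public key), and the user's organization information;
- Certificate fingerprint and fingerprint algorithm: we can see that the certificate uses SHA-2 (sha256) for its fingerprint, which ensures that the issuer and subject information have not been tampered with;
- Certificate signature: the CA uses its own private key to sign the certificate fingerprint, which proves that the certificate was issued by this CA;
2. There is also the concept of an intermediate certificate, which acts like a reseller for an authoritative CA. These resellers obtain accreditation from the authoritative CA and can issue certificates on its behalf, so the server certificate a browser receives was not necessarily issued by a root certificate. The browser therefore walks the chain recursively until it reaches the root certificate, uses the root certificate's public key to verify the signature on the certificate one level below it, then uses that certificate's public key to verify the next one, and so on back along the chain until the server's certificate is verified as trusted.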
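The procedure from sections I to III together with the chain check described in the summary, as an added example that is not part of the original article. Assumptions: the function names, demo.cnf and the scratch directory are constructed for illustration; openssl x509 -req stands in for openssl ca so no CA database is needed; and a subjectAltName list is added, because current browsers match host names against subjectAltName rather than the Common Name.

```shell
#!/bin/sh
# Added example: root CA -> CSR -> signed server certificate -> verification.
# All file names live in a scratch directory and are constructed for the demo.

issue_demo_cert() {
    work=$1
    # One config file: CA extensions for the root, server extensions for the leaf.
    cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.test.com, DNS:test.com
EOF
    base="/C=CN/ST=Shanghai/O=Xinfei Co.,LTD/OU=IT department"
    ( umask 077
      openssl genrsa -out "$work/cakey.pem" 2048 2>/dev/null
      openssl genrsa -out "$work/my_server.key" 2048 2>/dev/null ) || return 1
    # Self-signed root certificate (section I, step 4); -subj overrides [dn]
    openssl req -new -x509 -config "$work/demo.cnf" -extensions v3_ca -days 365 \
        -key "$work/cakey.pem" -subj "$base/CN=Ouyang Root CA" -out "$work/cacert.pem" || return 1
    # CSR for the server (section II); signing needs only the CSR, not the key
    openssl req -new -config "$work/demo.cnf" -key "$work/my_server.key" \
        -subj "$base/CN=*.test.com" -out "$work/my_server.csr" || return 1
    # The CA signs the CSR and attaches the server extensions (section III)
    openssl x509 -req -in "$work/my_server.csr" -CA "$work/cacert.pem" \
        -CAkey "$work/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$work/demo.cnf" -extensions v3_server -out "$work/my_server.crt" 2>/dev/null
}

# True only if the chain verifies against the root AND the host name matches
check_host() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/my_server.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
issue_demo_cert "$demo"
for h in www.test.com test.com a.b.test.com; do
    if check_host "$demo" "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
rm -rf "$demo"
```

The wildcard entry matches exactly one label, which is why a.b.test.com is rejected and why the bare test.com needs its own subjectAltName entry.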