做网站怎么切psd图,网站搜索查询,公司网站排名优化手段,响应式网站的发展现状安全机制
墨菲定律
如果有两种选择#xff0c;其中一种将导致灾难#xff0c;则必定有人会作出这种选择。即#xff1a;做事不要有侥幸心理。
常用安全技术
认证、授权、审计、安全通信
加密算法和协议
对称加密算法
加密和解密使用同一个秘钥。
特性
加密、解密使…安全机制
墨菲定律
如果有两种选择其中一种将导致灾难则必定有人会作出这种选择。即做事不要有侥幸心理。
常用安全技术
认证、授权、审计、安全通信
加密算法和协议
对称加密算法
加密和解密使用同一个秘钥。
特性
加密、解密使用同一个秘钥效率高将原始数据分割为固定大小的块逐个加密
缺陷
秘钥过多秘钥分发数据来源无法确认
常见算法
DES、3DES、AES、IDEA、Blowfish、RC6
非对称加密算法
秘钥是成对出现
公钥public key公开给所有人主要给别人加密使用私钥secret keyprivate key自己留存必须保证其私密性用于自己加密签名特点用公钥加密数据只能使用与之配对的私钥解密反之亦然
功能
数据加密适合加密较小数据如加密对称秘钥数字签名主要在于让接收方确认发送方身份
缺点
密钥长算法复杂加密解密效率低下
常见算法
RSA、DSA、ECC
场景
非对称加密实现加密
接收者生成公钥/秘钥对公开公钥保密秘钥
发送者使用接收者的公钥来加密消息将加密后的消息发送给接收者
接收者使用秘钥来解密消息
非对称加密实现数字签名
发送者生成公钥/秘钥对公开公钥保密秘钥使用秘钥加密消息将加密后的消息发送给接收者
接收者使用发送者的公钥来解密
CA和证书
中间人攻击MTM
攻击者与通讯的两端分别创建独立的联系并交换其所收到的数据使通讯的两端认为他们正在通过一个私密的连接与对方直接对话但事实上整个会话都被攻击者完全控制。 在中间人攻击中攻击者可以拦截通讯双方的通话并插入新的内容。 SSL/TLS
SSLSecure Socket Layer TLSTransport Layer Security
功能
身份验证SSL身份验证指在客户端与服务器之间建立SSL连接时通过SSL证书对服务器进行身份验证的过程。SSL证书是由可信的第三方机构称为CA机构颁发的用于证明服务器身份的数字证书。数据加密SSL数据加密指在客户端与服务器之间建立SSL连接后通过使用加密算法对传输的数据进行加密处理以保证数据在传输过程中不被窃听、篡改或伪造。数据完整性SSL数据完整性是指通过数字签名等技术在客户端与服务器之间建立的SSL连接中保证传输的数据在传输过程中不被篡改或损坏。
HTTPS
http协议 ssl/tls协议。
工作流程
1. 客户端发起HTTPS请求
用户在浏览器里输入一个https网址然后连接到服务器的443端口
2. 服务端的配置
采用HTTPS协议的服务器必须要有一套数字证书可以自己制作也可以向组织申请。区别就是自己颁发的证书需要客户端验证通过才可以继续访问而使用受信任的公司申请的证书则不会弹出提示页面。这套证书其实就是一对公钥和私钥
3. 传送服务器的证书给客户端
证书里其实就是公钥并且还包含了很多信息如证书的颁发机构过期时间等等
4. 客户端解析验证服务器证书
这部分工作是由客户端的TLS来完成的首先会验证公钥是否有效比如颁发机构过期时间等 等如果发现异常则会弹出一个警告框提示证书存在问题。如果证书没有问题那么就生成一 个随机值。然后用证书中公钥对该随机值进行非对称加密
5. 客户端将加密信息传送服务器
这部分传送的是用证书加密后的随机值目的就是让服务端得到这个随机值以后客户端和服务端 的通信就可以通过这个随机值来进行加密解密了
6. 服务端解密信息
服务端将客户端发送过来的加密信息用服务器私钥解密后得到了客户端传过来的随机值
7. 服务器加密信息并发送信息
服务器将数据利用随机值进行对称加密,再发送给客户端
8. 客户端接收并解密信息
客户端用之前生成的随机值解密服务段传过来的数据于是获取了解密后的内容
术语
PKI公共秘钥加密体系
CA签证机构
RA注册机构
CRL证书吊销列表
证书存取库
X.509定义了证书的结构以及认证协议标准
版本号序列号签名算法颁发者有效期限主体名称
证书类型
证书授权机构的证书服务器证书用户证书
获取证书两种方法
自签名证书自己签发自己的公钥使用证书授权机构 生成证书请求CSR将证书请求CSR发送给CACA签名颁发证书
OpenSSL
OpenSSL是一个开放源代码的软件库包应用程序可以使用这个包来进行安全通信避免窃听同时确认另一端连线者的身份。
组件
ibcrypto用于实现加密和解密的库libssl用于实现ssl通信协议的安全库openssl多用途命令行工具
命令
两种运行模式
交互模式批处理模式 三种子命令
标准命令消息摘要命令加密命令
单向哈希加密
工具openssl dgst
算法md5sum, sha1sum, sha224sum,sha256sum 生成用户密码
openssl passwd [options] [password] 常用选项 -1表示使用MD5加密算法 -5表示使用SHA256加密算法 -6表示使用SHA512加密算法/etc/shadow使用该算法 -in表示从文件中读取密码 -stdin表示从标准输入读取密码 -salt指定salt值不使用随机产生的salt。在使用加密算法进行加密时即使密码一样salt不一样所计算出来的hash值也不一样。除非密码一样salt值也一样计算出来的hash值才一样。
[rootcentos8 ~]#echo wenzi | openssl passwd -6 -salt Y16DiwuVQtL6XCQK -stdin
$6$Y16DiwuVQtL6XCQK$MQEkn8e5iJ7haOIpJcO9cGkPS5c7gBG..7DxCVnr/9ozge2K5oAVpvoNDOWI0pBG7czyCMU4TaGmDo5W1H4c91创建新用户同时指定密码在CentOS8和Ubuntu都通用
[rootcentos8 ~]#useradd -p echo admin | openssl passwd -6 -salt abcdefghijk -stdin liubei
查看
[rootcentos8 ~]#getent shadow liubei
liubei:$6$abcdefghijk$heeR9m6lKuX0TKg/89kyy.po/71nRAlKWIocZj5Jg7AylICvzBMi8ZSYZJoOJ1V4lxMu4bxxWWGmyG2DQUHJr.:19721:0:99999:7:::生成随机数
openssl rand -base64
生成随机10位长度密码
[rootcentos8 ~]#openssl rand -base64 9 | head -c 10
l0t440TrGA[rootcentos8 ~]#tr -dc [[:alnum:]] /dev/urandom | head -c 10
a1YZyCEtkB
实现PKI
文档man genrsa
生成私钥
(umask 077;openssl genrsa -out 私钥存储路径 2048)
[rootcentos8 ~]#(umask 077;openssl genrsa -out /data/test1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................
.
e is 65537 (0x010001)
[rootcentos8 ~]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqdmKz6zw6NNUnOxd00e5qa3kTzzhvjylQvixBMd4IethRptV
HddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUyq0qTN2r/Mk5k3PI9ucznbfHgLz5
SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQwWlUpS97e9Rqy7EO/3m0IC4WhK8
X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk7nScQVfNCQ5eh5qfuCDhjkotAtK89IM
3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVmjyMHL4SZfRDFBDo1qi0NrJMNVB1Q
SUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl61wIDAQABAoIBAQCTFFV21sxa4T2h
EbGB1td4jqNo1lCpOrzlDJPFjrGBteErkjEXwTzeVckOiyCZDfqPj9hjshUeqcrO
NHqh61LQL6jh0V6hgm8nQQGglkZF18tKUdoQNPPZyMtgtR3BfwMjewPul/MDiQ1
gaRAsL71RjRuGW2Kz7VJ5hp51LjDToSFPzq85I479fXl/QGBl4G9ZoXjMRu/ef
YPE9DzXnTVa54aPr1E0lRcDfEPgcunvFRVZDOZZf0X2WBWv14tq1P5hyoBQj2aW5
k9yQkJEJWPDhmndpjvsPYw6NhnOI6tcNSjJt/PHF0/jJ0ruIPSWTz4Tu4Rsu4N7D
fDyjspoJAoGBANkNWe556n56XkQnoGcnU04kTVoJFpmsmHemAiEQaDaXYd6xSaHx
9HPQpIt0G2n4MPcoPDu86jnUBC/IDIJP6ag7wnlKOcfVu43k3/tkiB1jJv5hxP
aJECBIr2JMybmUZrBKGb9ZitRUj0CVpXvOhJRoWRLuIwIf1zlNIpnY79AoGBAMhT
3y2AMX6bsNsFzSqcWmPdh5oKjDrVnSC/Txf/Cd8fuC4TzVN8UwfxmCae4EGjRyG
Hcmenmq6KVqyBZDRW8rBfQuk9Va1k01wns6XMwf68hdHdjENe6Iicct6uqwsC1
GQbEBW8isfnEv2hwmviVd8ME86AlA/2uayuJtjAoGAN3bk8z6uQHGuowXpRFLV
Q9Oc/JPz9YMYVwLR6ncR2llmxgxRv5NfnzTCx2v9EWA9yvq6IZ3N0Mcv5rHdGHOp
Rrc2o93m0/z293R0ERCJVcgUDUt/TAmn2N5GIOhzUOG2EjuIrG95G/GzEchil3Zy
LH2FCt6lt2ELXoPplKbTv1UCgYEAh6aTp6H44fzXQ1ioV0RMyPcHjb26u1RO9A/X
pS4kJxy5gSoTjYiWKLATivLQ0sv23evLW225BpvSmTl8xwtdlTrYDkSPTnbEB7
vSoGEItFBAZZ4aDtIlMeMVH25Z3aBtgavEQcUk9fwoGskGbq2lcHQuRQvTLAD/Ig
brty2nUCgYB00pNNZUBr3LFJV5tQcv5dCJC6ydlVwNaljsULYq8QfHxGuFeJ//6P
ktMngrII33qb/EffNBXF/0nDhqxKfTzi77izzywN35kUYIgMkdRf9yYl8p21ijv9
CHnO9jVnYPwqR3Xtq/0f9LAbCVJekBjIK8da6EYjj2YFNYucKDq5Q
-----END RSA PRIVATE KEY-----解密加密的私钥
openssl rsa -in 原私钥路径 -out 新私钥路径
生成加密的私钥
[rootcentos8 data]#openssl genrsa -out /data/test1.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........................................
.........
e is 65537 (0x010001)
Enter pass phrase for /data/test1.key:
Verifying - Enter pass phrase for /data/test1.key:
[rootcentos8 data]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7FB3B71681AD9D1CM/hy2ShToDhzdE4fLHNHonBZBSL3yRVMmxwMCcsN8ZZ8fynzH9mhQI5VlF8yi8f
PLUrG3clQCYozZVNGsoGS/FObN2NpULU6hTUpQqgRnBqyB9UXcSfOK/0fUqgG
iQ0IJ7em4OsTiGwHlwE23/xbsST6eTEnjXcYe6TszSh0YwsFcCfu7WlWtOLTvfb
P/GDnQqtaMhGcUVUqdkRok6188AmX1f9YI693I5DkJxbAhSyuhgqFjzRnt7zcyDM
kv8VTHGmkuJZCLaQIdTbNpDkrx41rrExdYOLdnvQQr71eEYr34egAXGf6pU7MW
fm69skDcrQJqBjt2hyI0mp0RwQ9rYYGEdRaa7oHlwSXPnMWJu1fOg9o1wZmOgPu
pm4pu/ugu46/f0XMaIyvwMKn/5dVBuKpOpg/hj13wGfYeRbFSwIsVJIZPCbfYZ
fLqAcmNaFWmDXkuUoLppfnY2wuMf7Kf3zGdZqx30LaDg1U21NZN9hreyMqxIl
tvc66Vf1BiaTNiyLZibS9TzCO/DiXtERMJmPETcSx4zwdOTHJaP0rck1M/lgHSZU
42/ODk9le8EcKSOGO6BfksTysL1MXUxwRXCl4UB6bV9xu33GelPM2PR8wfc8p
SI5J85/YditCXdpO85geNPvljAizn/0YYbJasHwPZNGUm6QGPLCECBQWWAyM3A0
2tOH7lMa3g4ZFV383GZ6CTS1U7kMZeKTysIqTnLfPirTnhcTBTJG0C8FiThJWmt
hmfa7dSTSa5NoToIeoSGB12IE05ZyCvUDhwQojbivOEb8OUS9dYw
-----END RSA PRIVATE KEY-----解密加密的私钥
[rootcentos8 data]#openssl rsa -in /data/test1.key -out /data/test2.key
Enter pass phrase for /data/test1.key:
writing RSA key
[rootcentos8 data]#ll /data/
total 8
-rw------- 1 root root 963 Dec 31 03:50 test1.key
-rw------- 1 root root 887 Dec 31 03:51 test2.key
[rootcentos8 data]#cat test2.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD3Xxxc1vhCK10Arz3ENbaMX/2QYl8MdULe6lrPhM4wsp9uzkOv
KYD2ORTAC70GAdE3kbGmq24z09/232iUB0AJxBvQpMusDgTr3OpEB/1YLL9a
ZusvjEfgUIkLNL0lTVsEAu7cY2p4yPuWBDwpyEZoxzVYn/2k4xSRFPgtIQIDAQAB
AoGAITNmvx8rGtZvGRRsGdWLtrN7eNF7KFTksL6LiaatdePDej83dnqeUG3A34Z
uxtwivZHqEhCYLeSV/rBlfNioCtGGL/yAbMm/Oke4ztraBmObFLYKCRj6l6pzHQ
NbPN/qOxuERFwEloHCf5jO6TaCRjnn/5c3lTQKpGylJOVzECQQD9VQcQdc/Sx3M
qZWZlr3vtXdAiSGG/ZGT49jPpfE55Yzw9jUg35URRyZ83F5iblGCJpiZmvI99I7
jbPX0wLAkEAfn7D27PWPlusvd5nNCY5NQ3UVi98L6xyf1UjsINo6etNntYpGg1
OLHyIDJ98i513q7hCEIxj7JLVXgPspN7AwJBAIJUJHfLF6WkS2xjQmeFual8viEh
a3I7OY3QBlatlHCouTFdOO/0logRBqft51DUWHKQ0KkVodJl4qz2AnhlQkCQQDK
lYSZpTv053CHKXgtVgASssmB62FDUcfT4rI8X5eeIa2Gkb/svWckY1HONh1Lv8tW
hHNqtfpkciILShmup0bxAkAkxNRZLVpZsTsD07FfmuIL5DhXHCRlZ7PF5N6RouM
fpStaqpbqUc17ffm2HdnfA8NaH5dwbzrfWxCYKDY8WG
-----END RSA PRIVATE KEY-----从私钥中提取公钥
openssl rsa -in 私钥路径 -pubout -out 公钥存储路径
[rootcentos8 ~]#openssl rsa -in /data/test1.key -pubout -out /data/test1.key.pub
writing RSA key
[rootcentos8 ~]#ll /data/
total 8
-rw------- 1 root root 1679 Dec 31 03:38 test1.key
-rw-r--r-- 1 root root 451 Dec 31 03:42 test1.key.pub
[rootcentos8 ~]#cat /data/test1.key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdmKz6zw6NNUnOxd00e5
qa3kTzzhvjylQvixBMd4IethRptVHddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUy
q0qTN2r/Mk5k3PI9ucznbfHgLz5SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQ
wWlUpS97e9Rqy7EO/3m0IC4WhK8X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk7nS
cQVfNCQ5eh5qfuCDhjkotAtK89IM3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVm
jyMHL4SZfRDFBDo1qi0NrJMNVB1QSUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl6
1wIDAQAB
-----END PUBLIC KEY-----
建立私有CA实现证书申请颁发
openssl配置文件/etc/pki/tls/openssl.cnf
其中重要项
[ CA_default ]dir /etc/pki/CA CA的主要目录用于存储证书、私钥、CRL等文件。
certs $dir/certs 存储已颁发的证书
crl_dir $dir/crl 存储已签名的证书撤销列表CRL
database $dir/index.txt 数据库索引文件存储证书对应哪个网站
#unique_subject no # Set to no to allow creation of# several certs with same subject.
new_certs_dir $dir/newcerts 新证书的默认存储位置certificate $dir/cacert.pem CA的证书文件
serial $dir/serial 当前的序列号用于标识新证书
#crlnumber $dir/crlnumber # the current crl number# must be commented out to leave a V1 CRL
crl $dir/crl.pem 当前的CRL文件
private_key $dir/private/cakey.pem CA的私钥文件x509_extensions usr_cert 要添加到证书的扩展[ policy_match ] 匹配策略用于定义证书主题字段的匹配规则
countryName match
stateOrProvinceName match
organizationName match
organizationalUnitName optional
commonName supplied
emailAddress optional
三种策略
match要求申请填写的信息根CA设置的信息必须一致optional可有可无跟CA设置信息可不一致supplied必须填写这项信息
建立私有CA OpenCAOpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件 openssl相关包 openssl和openssl-libs
1、创建CA所需要文件
生成证书索引数据库文件 touch /etc/pki/CA/index.txt
指定第一个颁发证书的序列号 echo 01 /etc/pki/CA/serial
2、生成CA私钥
cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)
3、生成CA自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
选项说明 -new生成新证书签署请求 -x509专用于CA生成自签证书 -key生成请求时用到的私钥文件 -days n证书的有效期限 -out /PATH/TO/SOMECERTFILE: 证书的保存路径
CentOS7
从CentOS7将/etc/pki/CA目录内容复制到CentOS8免去建立目录的步骤
[rootwenzi ~]#tree -d /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
[rootwenzi ~]#scp -r /etc/pki/CA root192.168.28.10:/etc/pki/CentOS8
生成CA私钥
[rootcentos8 ~]#cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................................
........................................................................................................................................................................................
e is 65537 (0x010001)
[rootcentos8 CA]#ll private/cakey.pem
-rw------- 1 root root 1675 Dec 31 04:42 private/cakey.pem生成CA自签名证书
[rootcentos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 国家
State or Province Name (full name) []:henan 省份
Locality Name (eg, city) [Default City]:zhengzhou 市名
Organization Name (eg, company) [Default Company Ltd]:wenzi 公司
Organizational Unit Name (eg, section) []:yunwei 部门
Common Name (eg, your name or your servers hostname) []:www.wenzi.com 使用证书的网站域名
Email Address []:999qq.com 邮箱查看生成的CA自签证书,建议将此文件传输到windows系统后缀改为.crt
[rootcentos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:Data:Version: 3 (0x2)Serial Number:52:27:46:0b:52:67:5f:60:c8:bf:38:25:b9:c7:0e:66:d4:52:95:6aSignature Algorithm: sha256WithRSAEncryptionIssuer: C CN, ST henan, L zhengzhou, O wenzi, OU yunwei, CN www.wenzi.com, emailAddress 999qq.comValidityNot Before: Dec 30 20:50:35 2023 GMTNot After : Dec 27 20:50:35 2033 GMTSubject: C CN, ST henan, L zhengzhou, O wenzi, OU yunwei, CN www.wenzi.com, emailAddress 999qq.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:bc:ac:9d:47:2c:4c:83:a6:2c:12:52:ba:f7:93:6b:33:a6:e1:f0:9b:e7:4c:51:59:b0:95:db:b2:68:ec:4a:2c:36:57:73:72:11:3c:21:6e:d3:fb:5a:0f:a4:ca:05:21:fd:d5:a6:d7:4d:1f:72:91:15:3e:60:da:cf:3a:e3:b2:c6:7b:c3:0e:4e:39:14:2c:94:f1:ae:47:30:64:27:95:76:84:12:2e:a2:e0:60:2f:7c:c9:83:3b:c9:d9:6a:4d:1f:78:a6:41:ea:ac:12:85:d3:9a:43:f9:24:c7:66:f0:09:c7:01:91:ee:6a:ec:1d:a4:7f:72:19:43:ca:91:78:ac:23:9e:6b:43:84:5e:40:09:61:5e:b6:32:f2:19:9d:c6:b7:00:f8:d0:00:fd:66:f3:f7:a2:a3:5a:81:71:1a:b0:2a:c2:e7:42:f8:a9:b7:54:f6:1e:da:47:87:4a:6a:29:26:7f:16:20:b9:e9:76:a7:92:b2:19:3a:4e:de:b0:ab:63:12:6e:7a:f3:64:e5:91:93:1f:35:09:0b:b6:79:dd:a3:27:8d:7a:2d:9a:3b:7f:a1:b1:d3:df:a2:0a:81:60:0e:ec:69:9b:1a:a7:32:19:71:fa:9a:f1:93:91:e7:48:8f:be:2a:85:a4:6d:f7:90:92:92:d7:08:06:94:65Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05X509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05X509v3 Basic Constraints: criticalCA:TRUESignature Algorithm: sha256WithRSAEncryption5d:65:b2:c9:2d:8c:89:79:85:46:12:0a:17:12:87:21:3f:e1:f3:bb:f5:c4:82:24:b9:43:74:c2:d6:52:5c:80:65:75:9d:3c:45:fa:c4:88:5f:43:6d:1d:0e:3d:84:a0:e7:ab:60:35:f6:88:c0:ac:8e:c7:ca:70:f7:71:09:ea:03:6f:3a:c7:2f:4e:bd:3b:35:4c:ca:4e:ce:17:90:67:5a:8f:4b:8a:ef:3d:ce:3a:bc:9c:ee:2a:cf:7d:3a:f0:36:9b:f7:19:71:73:f5:e7:4d:30:50:8c:12:f8:f1:92:02:91:f7:3b:30:ce:07:4e:09:b9:f6:0f:72:92:4d:76:c4:11:6c:a9:e3:56:ca:2f:fc:9e:05:b5:dd:e4:86:45:6a:dd:c4:77:70:3e:bc:4a:5f:55:6e:eb:74:7d:46:4f:00:c4:db:23:bc:d3:71:74:ef:e0:e4:06:27:8a:29:b6:e0:62:b3:04:7e:fe:51:71:91:04:52:f4:61:12:55:37:48:8e:63:6a:50:05:a3:e2:15:8f:cf:e5:d1:5b:d1:9c:bc:33:b1:88:6e:1b:21:89:5b:3c:3f:34:0a:a3:b2:95:29:cf:8b:b6:fa:b9:47:28:17:56:ff:95:28:20:68:fe:94:c6:49:79:f7:8e:16:03:46:f0:68:bd:cd:a6:73:3c 申请证书并颁发证书
1、为需要使用证书的主机生成生成私钥
(umask 066; openssl genrsa -out /data/test.key 2048)
2、为需要使用证书的主机生成证书申请文件
openssl req -new -key /data/test.key -out /data/test.csr
3、在CA签署证书并将证书颁发给请求者
可以将客户端生成的申请文件发送至CA生成证书后再把证书传送至客户端
openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
注意默认要求 国家省公司名称三项必须和CA一致
4、查看证书中的信息
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
查看指定编号的证书状态
openssl ca -status SERIAL
用户生成自己的私钥私钥应该存放至各应用相应目录下
[rootwenzi ~]#(umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................
.....
e is 65537 (0x010001)生成证书申请文件其中国家代码、省名、公司名必须和CA中一致
[rootwenzi ~]#openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:kaifa
Common Name (eg, your name or your servers hostname) []:www.wenzi.org
Email Address []:666163.comPlease enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:将客户端证书申请文件上传至CA
[rootwenzi ~]#rsync -av /data/test.csr root192.168.28.10:/data/
root192.168.28.10s password:
sending incremental file list
test.csrsent 1,135 bytes received 35 bytes 780.00 bytes/sec
total size is 1,041 speedup is 0.89在CA上颁发证书
提前创建这两个必须存在的文件不然会报错提示找不到文件
[rootcentos8 CA]#touch /etc/pki/CA/index.txttouch /etc/pki/CA/serial指定证书颁发起始序号
[rootcentos8 CA]#echo 01 /etc/pki/CA/serial颁发证书
[rootcentos8 CA]#openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Dec 31 02:41:47 2023 GMTNot After : Apr 9 02:41:47 2024 GMTSubject:countryName CNstateOrProvinceName henanorganizationName wenziorganizationalUnitName kaifacommonName www.wenzi.orgemailAddress 999163.comX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:35:72:9F:AE:C3:0D:1C:CE:43:34:84:F1:83:88:59:0E:DE:5E:B5:7CX509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05Certificate is to be certified until Apr 9 02:41:47 2024 GMT (100 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated查看当前CA目录下文件
[rootcentos8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old查看下一个颁发证书的序号
[rootcentos8 CA]#cat /etc/pki/CA/serial
02查看颁发记录。 有效期 序号 信息
[rootcentos8 CA]#cat /etc/pki/CA/index.txt
V 240409024147Z 01 unknown /CCN/SThenan/Owenzi/OUkaifa/CNwww.wenzi.org/emailAddress999163.com查看证书信息
[rootcentos8 CA]#openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C CN, ST henan, L zhengzhou, O wenzi, OU yunwei, CN www.wenzi.com, emailAddress 999qq.comValidityNot Before: Dec 31 02:41:47 2023 GMTNot After : Apr 9 02:41:47 2024 GMTSubject: C CN, ST henan, O wenzi, OU kaifa, CN www.wenzi.org, emailAddress 999163.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:f2:cf:6e:74:80:8f:e2:19:09:19:20:8f:3d:5b:d6:3c:96:99:30:d7:07:9e:a0:5a:7c:79:a2:9a:d6:63:cb:a9:77:f1:10:d5:5f:69:55:53:90:8a:13:66:f9:77:7b:69:2c:0d:fe:fe:56:78:fa:fe:2e:43:c7:f9:88:b9:a2:42:d2:47:4b:73:e0:5d:da:c7:66:ce:fe:3f:e8:9f:fe:93:39:46:a4:7a:05:95:74:ef:fb:91:7d:8f:63:d8:ed:d4:6a:71:77:8d:b0:f8:37:38:a2:94:cf:69:f7:02:73:8e:ba:b7:c8:7f:c6:5f:4f:71:2d:d3:b1:9f:92:03:66:79:26:cb:1e:44:67:11:29:35:17:bb:a9:c7:98:0f:8c:b9:2b:89:13:9f:32:27:69:e7:15:3e:5c:05:6c:dc:0d:e9:81:24:ad:83:2c:71:da:f4:42:04:6b:68:13:2b:ce:19:aa:a8:63:c7:3a:ac:4f:6e:4e:4b:12:69:a9:2c:96:c9:d8:df:eb:7a:17:82:3f:d4:82:5b:0c:7a:7b:01:89:3b:ac:6c:51:f7:f7:c0:3e:46:49:b2:a7:0d:65:df:ac:d9:ec:e6:21:77:8b:56:00:f7:35:b7:01:b3:76:07:63:bc:1e:28:84:a6:99:7e:91:21:17:b2:cd:cc:ab:40:1c:9dExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:35:72:9F:AE:C3:0D:1C:CE:43:34:84:F1:83:88:59:0E:DE:5E:B5:7CX509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05Signature Algorithm: sha256WithRSAEncryption91:8a:ba:32:4a:c4:36:0e:83:bd:e2:95:48:52:02:ce:d6:78:5a:6b:73:ea:73:59:c7:68:f8:3e:fe:f7:52:2f:0a:3a:7b:8d:4c:ac:bf:d8:d4:46:73:c3:34:25:3e:51:cd:b2:85:a5:a1:1b:03:86:92:58:dd:f9:07:d6:72:ba:23:18:79:32:42:71:7d:c2:ce:f9:0f:00:99:36:00:45:f5:c6:e3:4f:93:aa:e4:5c:aa:ad:94:89:73:ca:09:e0:9d:64:41:7a:d6:60:da:35:c8:07:d8:f7:7b:6c:46:41:3c:4c:ee:af:9a:82:b0:1e:25:e8:09:7f:88:e8:55:7e:de:4e:23:3d:9c:21:ad:1b:e7:f9:7b:df:16:13:64:bc:5f:fb:95:4f:79:15:cd:01:7b:e9:30:fa:4d:7d:0d:97:fe:9e:06:40:c6:d0:e7:1f:ec:8a:4a:fd:ee:be:b3:50:8a:7a:9c:4d:86:b6:33:81:75:af:3e:88:a2:d4:9b:6c:12:73:8a:1e:c5:46:d7:7e:41:dc:ee:c1:15:29:74:f4:59:63:09:e9:9b:f3:53:4f:b5:e9:2d:a7:cc:cd:82:17:a0:1e:54:a1:36:a7:f6:a4:3e:eb:f0:14:de:be:41:e0:cc:78:36:d5:7a:ba:bb:04:8b:84:fb:3b:40:53:81:dd将证书发送至客户端完成
[rootcentos8 CA]#rsync -a certs/test.crt root192.168.28.20:/data/
将客户端收到的证书传递至windows系统查看 吊销证书
在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上根据客户提交的serial与subject信息对比检验是否与index.txt文件中的信息一致吊销证书
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一个吊销证书的编号,注意第一次更新证书吊销列表前才需要执行
echo 01 /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件
openssl crl -in /etc/pki/CA/crl.pem -noout -text
