内容字号:默认大号超大号

段落设置:段首缩进取消段首缩进

字体设置:切换到微软雅黑切换到宋体

加密与安全

2018-09-08 10:53 出处:清屏网 人气: 评论(0

我们在前面学习网络知识中了解到,跨主机之间的通信是通信是通过套接字方式来实现的,服务器监听,客户端请求,服务器根据客户端请求,获取资源,并发送给服务端,但发送是明文发送的,没有加密,任何人都可以获取内容,这样就暴露了隐私。因此需要加密机制保护互联网数据在传输过程中的隐私性了。

安全机制:

信息安全防护的目标

  • 保密性 Confidentiality
  • 完整性 Integrity
  • 可用性 Usability
  • 可控制性Controlability
  • 不可否认性 Non-repudiation

运维工作职责:保障数据安全、保障系统可用性

  • 物理安全:各种设备/主机、机房环境
  • 系统安全:主机或设备的操作系统
  • 应用安全:各种网络服务、应用程序
  • 网络安全:对网络访问的控制、防火墙规则
  • 数据安全:信息的备份与恢复、加密解密
  • 管理安全:各种保障性的规范、流程、方法

防火墙:将内部系统与外部系统隔离

防水墙:防止企业内部安全的机制

安全算法:

密码算法和协议:

对称加密

公钥加密

单向加密

认证协议

Linux系统:OpenSSL, gpg(pgp协议的实现)

对称加密算法:

对称加密:加密和解密使用同一个密钥

特性:

1、加密、解密使用同一个密钥,效率高

2、将原始数据分割成固定大小的块,逐个进行加密

缺陷:

1、密钥过多

2、密钥分发难

3、数据来源无法确认

非对称加密算法:

公钥加密:密钥是成对出现

公钥:公开给所有人;public key

私钥:自己留存,必须保证其私密性;secret key

特点:用公钥加密数据,只能使用与之配对的私钥解密;反之亦然

功能:

  • 数字签名:主要在于让接收方确认发送方身份
  • 对称密钥交换:发送方用对方的公钥加密一个对称密钥后发送给对方
  • 数据加密:适合加密较小数据

缺点:密钥长,加密解密效率低下

算法:

RSA(加密,数字签名),DSA(数字签名),ELGamal

注意:加密算法都是算法公开,密钥不公开

非对称加密:

基于一对公钥/密钥对

• 用密钥对中的一个加密,另一个解密

实现加密:

• 接收者

生成公钥/密钥对:P和S

公开公钥P,保密密钥S

• 发送者

使用接收者的公钥来加密消息M

将P(M)发送给接收者

• 接收者

使用密钥S来解密:M=S(P(M))

实现数字签名: 私钥加密,公钥解密

• 发送者

生成公钥/密钥对:P和S

公开公钥P,保密密钥S

使用密钥S来加密消息M

发送给接收者S(M)

• 接收者

使用发送者的公钥来解密M=P(S(M))

单向散列:(hash算法)

将任意数据缩小成固定大小的“指纹”

• 任意长度输入

• 固定长度输出

• 若修改数据,指纹也会改变(“不会产生冲突”)

• 无法从指纹中重新生成数据(“单向”)

功能:数据完整性

常用工具

• md5sum | sha1sum [ --check ] file

--check 检查hash值是否相同

• openssl、gpg

• rpm -V

注意:hash(data)=digest摘要

data 不同,digest必不相同

digest反推不出data

digest长度固定大小

密钥交换

密钥交换:IKE( Internet Key Exchange )

公钥加密:

DH (Deffie-Hellman):生成会话密钥

DH:

1、A: a,p 协商生成公开的整数a, 大素数p   (a为5 ,p为23)

B: a,p

2、A:生成隐私数据 :x (x<p ),计算得出 a^x%p,发送给B(x为6)

B:生成隐私数据 :y,计算得出 a^y%p,发送给A                  (y为7)

3、A:计算得出 [(a^y%p)^x] %p = a^xy%p,生成为密钥       

B:计算得出 [(a^x%p)^y] %p = a^xy%p,生成为密钥

[root@centos6 bin]#bc
 bc 1.06.95
 Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
 This is free software with ABSOLUTELY NO WARRANTY.
 For details type `warranty'. 
 5^6%23
 8
 5^7%23
 17
 17^6%23
 12
 8^7%23
 12
 ^C
 (interrupt) Exiting bc.

使用gpg实现对称加密

对称加密file文件

gpg -c file

[root@centos6 app]#cat a.txt
 i love you
[root@centos6 app]#gpg -c a.txt 
 can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
 Xlib:  extension "RANDR" missing on display "localhost:11.0".
(pinentry-gtk-2:14063): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
 Xlib:  extension "RANDR" missing on display "localhost:11.0".
(pinentry-gtk-2:14066): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
[root@centos6 app]#ls
a.txt 
a.txt.gpg
[root@centos6 app]#cat a.txt.gpg 
¥[Y䇦 ࠽x ¸Eþ鲸Jj-6腓¢±ٳµM{¸ߏ[root@centos6 app]#
[root@centos6 app]#scp a.txt.gpg root@172.18.254.13:/app
 The authenticity of host '172.18.254.13 (172.18.254.13)' can't be established.
 RSA key fingerprint is c2:63:99:85:62:c5:9f:14:2d:a7:d8:0a:5a:70:8a:29.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '172.18.254.13' (RSA) to the list of known hosts.
 root@172.18.254.13's password: 
 a.txt.gpg                    100%   55     0.1KB/s   00:00 

在另一台主机上解密file

gpg -o file -d file.gpg

[root@localhost app]# cat a.txt.gpg 
¥[Y䇦 ࠽x ¸Eþ鲸Jj-6腓¢±ٳµM{¸ߏ[root@localhost app]# ^C
 [root@localhost app]# gpg -d a.txt.gpg 
 gpg: directory `/root/.gnupg' created
 gpg: new configuration file `/root/.gnupg/gpg.conf' created
 gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
 gpg: keyring `/root/.gnupg/secring.gpg' created
 gpg: keyring `/root/.gnupg/pubring.gpg' created
 gpg: 3DES encrypted data
 gpg: encrypted with 1 passphrase
 i love you
 gpg: WARNING: message was not integrity protected

使用gpg工具实现公钥加密

在hostB主机上用公钥加密,在hostA主机上解密

在hostA主机上生成公钥/私钥对

gpg --gen-key

注意:centos6在虚拟机上使用 即 不可以在远程终端使用,centos7可以

[root@centos6~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos6
Email address: 
Comment: 
You selected this USER-ID:
    "centos6"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

在hostA主机上查看公钥

gpg –k

[root@centos6 .gnupg]#gpg -k
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   1024R/9BF04D6B 2018-09-01
 uid                  centos6
 sub   1024R/71AC2BE1 2018-09-01

gpg –K

[root@centos6 .gnupg]#gpg -K
 /root/.gnupg/secring.gpg
 ------------------------
 sec   1024R/9BF04D6B 2018-09-01
 uid                  centos6
 ssb   1024R/71AC2BE1 2018-09-01

在hostA主机上导出公钥到centos6.key

gpg -a --export -o centos6.key (-a选项是输出格式,-o是导出文件,文件名,随意起)

[root@centos6 .gnupg]#gpg -a --export -o centos6.key

从hostA主机上复制公钥文件到需加密的B主机上

scp centos6.key hostB:/app
[root@centos6 .gnupg]#scp centos6.key root@172.18.254.13:/app
 root@172.18.254.13's password: 
 centos6.key                  100% 1853     1.8KB/s   00:00 

在需加密数据的hostB主机上生成公钥/私钥对

gpg --gen-key //生成的公钥为centos7

[root@localhost ~]# gpg --gen-key
 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
 Your selection? 
 RSA keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 1024
 Requested keysize is 1024 bits
 Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
 Key is valid for? (0) 
 Key does not expire at all
 Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
 Email address: 
 Comment: 
 You selected this USER-ID:
     "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 gpg: key 2FC17934 marked as ultimately trusted
 public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
 gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
 pub   1024R/2FC17934 2018-09-04
       Key fingerprint = 2EC4 00DF 8E2A 5ECA AC9F  9B63 324E CDBF 2FC1 7934
 uid                  centos7
 sub   1024R/1D46A946 2018-09-04

在hostB主机上导入hostA的公钥

gpg --import centos6.key

[root@localhost app]# gpg --import centos6.key 
 gpg: /root/.gnupg/trustdb.gpg: trustdb created
 gpg: key 9BF04D6B: public key "centos6" imported
 gpg: key E1A58968: public key "centos6" imported
 gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 2)

gpg --list-keys //查看目前所拥有的公钥

[root@localhost ~]# gpg -k
 /root/.gnupg/pubring.gpg
 ------------------------
 pub   1024R/9BF04D6B 2018-09-01
 uid                  centos6
 sub   1024R/71AC2BE1 2018-09-01

pub   1024R/2FC17934 2018-09-04
 uid                  centos7
 sub   1024R/1D46A946 2018-09-04

用从hostA主机导入的公钥,加密hostB主机的文件file,生成file.gpg

gpg -e -r centos6 file

[root@localhost app]# gpg -e -r centos6 a.txt
 gpg: 71AC2BE1: There is no assurance this key belongs to the named user

pub  1024R/71AC2BE1 2018-09-01 centos6
  Primary key fingerprint: 66D2 DDCB 748D D1CB C96F  65B7 5BEF FE67 9BF0 4D6B
       Subkey fingerprint: 2D0A B786 7146 A121 D80B  F72F 776C 82F6 71AC 2BE1

It is NOT certain that the key belongs to the person named
 in the user ID.  If you *really* know what you are doing,
 you may answer the next question with yes.

Use this key anyway? (y/N) y
 File `a.txt.gpg' exists. Overwrite? (y/N) y
 [root@localhost app]# ls
 apache24  a.txt  a.txt.gpg  centos6.key

复制加密文件到hostA主机

scp file.gpg hostA:/app

[root@localhost app]# scp a.txt.gpg root@172.18.250.42:/app
root@172.18.250.42's password: 
a.txt.gpg                                          100%  219    54.0KB/s   00:00

hostA主机解密文件

gpg -d file.gpg

gpg -o file -d file.gpg //解密文件并生成一个新的文件file

[root@centos6 app]#gpg -o a.txt  -d a.txt.gpg

You need a passphrase to unlock the secret key for
 user: "centos6"
 1024-bit RSA key, ID 71AC2BE1, created 2018-09-01 (main key ID 9BF04D6B)

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
 Xlib:  extension "RANDR" missing on display "localhost:10.0".

(pinentry-gtk-2:15749): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
 gpg: encrypted with 1024-bit RSA key, ID 71AC2BE1, created 2018-09-01
       "centos6"

删除公钥和私钥

gpg --delete-keys wangxiaochun //删除公钥

[root@localhost ~]# gpg --delete-keys centos6
 gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 pub  1024R/9BF04D6B 2018-09-01 centos6
Delete this key from the keyring? (y/N) y

gpg --delete-secret-keys wangxiaochun //删除私钥

注意:密钥是成对出现的,如果私钥存在,先删除私钥在删除公钥

[root@centos6 .gnupg]#gpg --delete-secret-keys centos6 
 gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 sec  1024R/9BF04D6B 2018-09-01 centos6
Delete this key from the keyring? (y/N) y
 This is a secret key! - really delete? (y/N) y

CA和证书:

PKI: Public Key Infrastructure 【公共的秘钥体系】

签证机构:CA(Certificate Authority)(验证公钥是否合法;使用自己的私钥封装公钥)

注意: CA上还可以有多个上级CA(最上级CA,自己给自己签名,声称自己是最权威机构

注册机构:RA

证书吊销列表:CRL

证书存取库: 【存取了已颁发证书的信息】

X.509:定义了证书的结构以及认证协议标准

证书的获取:

证书类型:

证书授权机构的证书:

服务器

用户证书

获取证书的两种方法:

1. 使用证书授权机构

生成签名请求(csr)

将csr发送给CA

从CA处接受签名

2. 自签名的证书 【根CA】

自己签发自己的公钥

安全协议:

SSL: Secure Socket Layer

功能:机密性,认证,完整性,重放保护

两阶段协议,分为握手阶段和应用阶段

握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使用的所有密钥都是通过MasterSecret生成。

应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密钥进行安全通信

OpenSSL命令:

对称加密:

工具:openssl enc, gpg

算法:3des, aes, blowfish, twofish

enc命令:

帮助:man enc

加密:

openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher 加密并生成加密文件

[root@localhost app]# openssl enc -e -des3 -a -salt -in a.txt -out a.enc
 enter des-ede3-cbc encryption password:
 Verifying - enter des-ede3-cbc encryption password:

解密:

openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile 解密并生成新文件

[root@localhost app]# openssl enc -d -des3 -a -salt -in a.enc -out f1.txt
 enter des-ede3-cbc decryption password:
 [root@localhost app]# ls
 a.enc  apache24  a.txt  a.txt.gpg  centos6.key  f1.txt
 [root@localhost app]# cat f1.txt 
 i love you

openssl passwd -1 -salt SALT(最多8位) //生成md5加密的口令【salt不一样,生成口令不一样,可指定salt】

openssl passwd -1 –salt centos

[root@localhost app]# openssl passwd -1 -salt centos
 Password: 
 $1$centos$Uq6E6Wp5SDZYbs6MCmamP0

OpenSSL

证书申请及签署步骤:

1、生成申请请求

2、RA核验

3、CA签署

4、获取证书 

创建CA和申请证书

创建私有CA:

openssl的配置文件:/etc/pki/tls/openssl.cnf 【可再次查看一些所需注意事项】

三种策略:匹配、支持和可选

注意:匹配指要求申请填写的信息跟CA设置信息必须一致,支持指必须填写这项申请信息,可选指可有可无

1、创建所需要的文件

touch /etc/pki/CA/index.txt 生成证书索引数据库文件 (手动创建,空即可)
[root@localhost ~]#cd /etc/pki/CA/
[root@localhost CA]# touch index.txt
 [root@localhost CA]# ls
 certs  crl  index.txt  newcerts  private
echo 00 > /etc/pki/CA/serial 指定第一个颁发证书的序列号 (指定下一个证书编号,16进制)
[root@localhost CA]# echo 00 > serial
[root@localhost CA]# ls
certs  crl  index.txt  newcerts  private  serial

2、 CA自签证书

生成私钥

cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@localhost CA]# (umask 066;openssl genrsa -out private/cakey.pem -des3 2048)
 Generating RSA private key, 2048 bit long modulus
 .................+++
 ...................................+++
 e is 65537 (0x10001)
 Enter pass phrase for private/cakey.pem:
 Verifying - Enter pass phrase for private/cakey.pem:

生成自签名证书

openssl req -new -x509 –key  /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: 生成新证书签署请求

-x509: 专用于CA生成自签证书

-key: 生成请求时用到的私钥文件

-days n:证书的有效期限

-out /PATH/TO/SOMECERTFILE: 证书的保存路径

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
 Enter pass phrase for private/cakey.pem:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CN
 State or Province Name (full name) []:HeNan 
 Locality Name (eg, city) [Default City]:ZhengZhou
 Organization Name (eg, company) [Default Company Ltd]:magedu.com
 Organizational Unit Name (eg, section) []:opt
 Common Name (eg, your name or your server's hostname) []:ca.magedu.com
 Email Address []:
 [root@localhost CA]# ls
 cacert.pem  certs  crl  index.txt  newcerts  private  serial
 [root@localhost CA]# cat cacert.pem 
 -----BEGIN CERTIFICATE-----
 MIIDqzCCApOgAwIBAgIJANvFyg8v/3E8MA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
 BAYTAkNOMQ4wDAYDVQQIDAVIZU5hbjESMBAGA1UEBwwJWmhlbmdaaG91MRMwEQYD
 VQQKDAptYWdlZHUuY29tMQwwCgYDVQQLDANvcHQxFjAUBgNVBAMMDWNhLm1hZ2Vk
 dS5jb20wHhcNMTgwOTA0MTEwODUxWhcNMzgwODMwMTEwODUxWjBsMQswCQYDVQQG
 EwJDTjEOMAwGA1UECAwFSGVOYW4xEjAQBgNVBAcMCVpoZW5nWmhvdTETMBEGA1UE
CgwKbWFnZWR1LmNvbTEMMAoGA1UECwwDb3B0MRYwFAYDVQQDDA1jYS5tYWdlZHUu
 Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1STNx2cDHewyGrW
 43+l1gWRYYpoBtg43NgGh7SeT/e52ER12Ez9n0twDMOt3ME+qHp3JycHR9kJeZUi
 JuKd88epfec756bpCftgWYUXe+wvsaczolF2+bOHHwdePXNxYHX3jS7pAxohWeX1
 mpu3s/o4hcntNCcK7worTWdCxPy5UJB7dpjmrDYeIiL9jMhd6MyViyDDlexCpr/M
 Aj3c0wY278RMChBJi5r99P8E4DZpVMLrLyLr+l3Yko0+J4njs7CvL0oE/heA7yI2
 pV86fptJ78R9PkeTbLp4bNBHSJAzzrTVd1ncuqoI0+77D5oj1H72x9aJ3yxxmK9o
 so28LwIDAQABo1AwTjAdBgNVHQ4EFgQUbi60ZLCz2bBTwaaxENoN+Mwp85gwHwYD
 VR0jBBgwFoAUbi60ZLCz2bBTwaaxENoN+Mwp85gwDAYDVR0TBAUwAwEB/zANBgkq
 hkiG9w0BAQsFAAOCAQEAJLppJI6RnCFVDVxmWpRAru81BaT3ZCt3zqzEdocxQ2C5
 Pe3ATxg4r2A5SUwfz0Mg/6uSsin0NyMBr0n006G0FoObE78oz5evnTZ1eBCcFJIk
 V6HfpWRzjdKx/x8EMN2Z6kFJrA444hPohPvwGcu5smiuEx/iZpbasHjaqeByv79Q
 52EAaEHpsFKcP/5x0bY5waojkLDcNNX0ZQXa4/+wPQiOLKC2CJimQ6ryDXxAd37l
 wb6JKI3E90u7NEMuNI9fwpFtiKGDiqMCB8KwVGEGlnrQ8yzkN0W561K89T6qkJyG
 F3Cfv3s7yaLgAmEMyHHCTymnlpdqWyahw06dm2w4AQ==
 -----END CERTIFICATE-----

3、颁发证书

在需要使用证书的主机生成证书请求

给web服务器生成私钥

(umask 066; openssl genrsa –out /etc/pki/tls/private/test.key 2048)

[root@localhost ~]# (umask 066;openssl genrsa -out rhel5.key 1024)
 Generating RSA private key, 1024 bit long modulus
 ...................................++++++
 ......................++++++
 e is 65537 (0x10001)

生成证书申请文件

openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out etc/pki/tls/test.csr

[root@localhost ~]# openssl req -new -key rhel5.key -out rhel5.csr
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:CN
 State or Province Name (full name) [Berkshire]:HeNan
 Locality Name (eg, city) [Newbury]:Luoyang
 Organization Name (eg, company) [My Company Ltd]:magedu.com
 Organizational Unit Name (eg, section) []:rou
 Common Name (eg, your name or your server's hostname) []:rhel5.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
 A challenge password []:   
 An optional company name []:

将证书请求文件传输给CA

[root@localhost ~]# scp rhel5.csr root@c7:/etc/pki/CA
 The authenticity of host 'c7 (172.18.254.13)' can't be established.
 RSA key fingerprint is c2:63:99:85:62:c5:9f:14:2d:a7:d8:0a:5a:70:8a:29.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added 'c7,172.18.254.13' (RSA) to the list of known hosts.
 root@c7's password: 
 rhel5.csr                                            100%  660     0.6KB/s   00:00 

CA签署证书,并将证书颁发给请求者

openssl ca -in /tmp/test.csr –out /etc/pki/CA/certs/test.crt -days 365

注意:默认国家,省,公司名称三项必须和CA一致

【参数与上类似:地点,省,市,公司写的不一致,将出错。可在/etc/pki/tls/openssl.cnf中修改策略policy=policy_anything】

[root@localhost CA]# openssl ca -in rhel5.csr -out certs/rhel5.crt -days 3650
 Using configuration from /etc/pki/tls/openssl.cnf
 Enter pass phrase for /etc/pki/CA/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 0 (0x0)
         Validity
             Not Before: Sep  4 12:09:19 2018 GMT
             Not After : Sep  1 12:09:19 2028 GMT
         Subject:
             countryName               = CN
             stateOrProvinceName       = HeNan
             localityName              = Luoyang
             organizationName          = magedu.com
             organizationalUnitName    = rou
             commonName                = rhel5.magedu.com
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:FALSE
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
                 F1:E9:82:83:E0:2D:39:90:72:63:67:BB:1D:3A:1C:0B:F5:E2:C1:5C
             X509v3 Authority Key Identifier: 
                 keyid:6E:2E:B4:64:B0:B3:D9:B0:53:C1:A6:B1:10:DA:0D:F8:CC:29:F3:98

Certificate is to be certified until Sep  1 12:09:19 2028 GMT (3650 days)
 Sign the certificate? [y/n]:y
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
[root@localhost certs]# scp rhel5.crt root@c5:/etc/pki/CA/cacert.pem 
 root@c5's password: 
 rhel5.crt                                            100% 3762     2.3MB/s   00:00    

4 在应用软件中使用证书

注意:不可以重复提交相同的申请信息,申请证书【如若想用相同信息申请证书,修改文件index.txt.attr 将yes改为no】

[root@localhost CA]# ls
 cacert.pem  crl        index.txt.attr  newcerts  rhel5.csr  serial.old
 certs       index.txt  index.txt.old   private   serial

创建CA和证书管理

5、查看证书中的信息:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates

openssl ca -status SERIAL 查看指定编号的证书状态

6、吊销证书

在客户端获取要吊销的证书的serial

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书:

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem //吊销证书

指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行

echo 01 > /etc/pki/CA/crlnumber //指定下一个要吊销的文件列表

更新证书吊销列表

openssl ca -gencrl -out /etc/pki/CA/crl.pem //生成吊销列表,先创建crlnumber文件

查看crl文件:

openssl crl -in /etc/pki/CA/crl.pem -noout -text // 查看吊销的证书列表
分享给小伙伴们:
本文标签: 加密解密安全协议

相关文章

发表评论愿您的每句评论,都能给大家的生活添色彩,带来共鸣,带来思索,带来快乐。

CopyRight © 2015-2016 QingPingShan.com , All Rights Reserved.

清屏网 版权所有 豫ICP备15026204号