Original: http://blog.51cto.com/183530300/1856773
Much of the time we want our communications to be protected while we use the Internet, and by far the most common activity on the Internet is using websites, so we need to think about how to encrypt the messages exchanged while a website is in use. The HTTPS protocol solves this problem, and HTTPS is built on certificates. So how are certificates used to protect the messages we exchange with a website? To use certificates you either apply for one from a commercial certificate authority on the Internet, or you build your own certificate server (a CA) that issues certificates to your own network devices, so that communication between them travels over an encrypted protocol. Applying to a commercial CA costs a fair amount, so many companies that want certificate-based encryption without paying that much build their own certificate management server (CA) on their own hosts. For an operations engineer this topic is therefore well worth exploring.

一、Background on building and managing a CA

The OpenSSL configuration file: /etc/pki/tls/openssl.cnf

(1) Create the required files

    touch /etc/pki/CA/index.txt
    echo 01 > /etc/pki/CA/serial

(2) The CA's self-signed certificate

Generate the private key:

    cd /etc/pki/CA/
    (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generate the self-signed certificate:

    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

    -new: generate a new certificate signing request
    -x509: used only by the CA to generate its self-signed certificate
    -key: the private key file used to generate the request
    -days n: validity period of the certificate
    -out /PATH/TO/SOMECERTFILE: where to save the certificate

(3) Issuing certificates

(a) On the host that needs the certificate, generate a certificate request

Generate a private key for the web server:

    (umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

Generate the certificate request file:

    openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

(b) Transfer the certificate request file to the CA

(c) The CA signs the certificate and issues it to the requester

    openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

Note: by default the country, state/province and organization name in the request must match those of the CA.

(d) View the information in a certificate (pick the output options you need)

    openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial|-dates

(4) Revoking certificates

(a) On the client, get the serial of the certificate to be revoked

    openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

(b) On the CA, compare the serial and subject submitted by the client with the entry in index.txt to confirm they match, then revoke the certificate:

    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

(c) Generate the CRL number file (only needed the first time a certificate is revoked)

    echo 01 > /etc/pki/CA/crlnumber

(d) Update the certificate revocation list

    openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

View the CRL file:

    openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

二、Building the CA
1. The CA host

    [root@Centos630G ~]# hostname
    Centos630G
    [root@Centos630G ~]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:e1:ee:04 brd ff:ff:ff:ff:ff:ff
        inet 10.1.42.61/16 brd 10.1.255.255 scope global eth0
        inet6 fe80::20c:29ff:fee1:ee04/64 scope link
           valid_lft forever preferred_lft forever
    [root@Centos630G ~]# cd /etc/pki/CA
    [root@Centos630G CA]# tree
    .
    ├── certs
    ├── crl
    ├── newcerts
    └── private

    4 directories, 0 files
    [root@Centos630G CA]#

2. Create the files the CA needs

    [root@Centos630G CA]# touch index.txt
    [root@Centos630G CA]# echo 01 > serial
    [root@Centos630G CA]# ll
    total 20
    drwxr-xr-x. 2 root root 4096 May  9 10:56 certs
    drwxr-xr-x. 2 root root 4096 May  9 10:56 crl
    -rw-r--r--. 1 root root    0 Sep 22 12:27 index.txt
    drwxr-xr-x. 2 root root 4096 May  9 10:56 newcerts
    drwx------. 2 root root 4096 May  9 10:56 private
    -rw-r--r--. 1 root root    3 Sep 22 12:27 serial
    [root@Centos630G CA]#

3. Create the CA's private key

    [root@Centos630G CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    .................
    .............
    e is 65537 (0x10001)
    [root@Centos630G CA]# tree
    .
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    └── serial

    4 directories, 3 files
    [root@Centos630G CA]#

4. Generate the CA's self-signed certificate

    [root@Centos630G CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:haidian
    Organization Name (eg, company) [Default Company Ltd]:companyA
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:centos630g
    Email Address []:183530300@qq.com
    [root@Centos630G CA]# ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial
    [root@Centos630G CA]#

三、Using the CA to issue a certificate to a client
1. The client host that requests the certificate

    [root@centos730g ~]# hostname
    centos730g
    [root@centos730g ~]# ip addr show eno16777736
    2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:4c:4a:32 brd ff:ff:ff:ff:ff:ff
        inet 10.1.42.71/16 brd 10.1.255.255 scope global eno16777736
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe4c:4a32/64 scope link
           valid_lft forever preferred_lft forever
    [root@centos730g ~]#

2. Generate the client's private key

    [root@centos730g ~]# (umask 066;openssl genrsa -out centos730g.prikey 2048)
    Generating RSA private key, 2048 bit long modulus
    ...............................
    .............................................................................
    e is 65537 (0x10001)
    [root@centos730g ~]# ls
    centos730g.prikey
    [root@centos730g ~]#

3. Generate the client's certificate request file

    [root@centos730g ~]# openssl req -new -key centos730g.prikey -days 365 -out centos730g.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:haidian
    Organization Name (eg, company) [Default Company Ltd]:companyA
    Organizational Unit Name (eg, section) []:web
    Common Name (eg, your name or your server's hostname) []:centos730g
    Email Address []:183530300@qq.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@centos730g ~]# ls
    centos730g.csr  centos730g.prikey
    [root@centos730g ~]#

4. On the client, transfer the certificate request file to the CA

    [root@centos730g ~]# scp centos730g.csr 10.1.42.61:/etc/pki/CA/crl
    The authenticity of host '10.1.42.61 (10.1.42.61)' can't be established.
    RSA key fingerprint is 91:e8:0f:0d:56:3c:38:b4:bf:b0:dd:b5:ee:0c:cb:b4.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.1.42.61' (RSA) to the list of known hosts.
    root@10.1.42.61's password:
    centos730g.csr                                100% 1050     1.0KB/s   00:00
    [root@centos730g ~]#

5. On the CA, sign the certificate for the requesting client

    [root@Centos630G CA]# ls crl
    centos730g.csr
    [root@Centos630G CA]# openssl ca -in crl/centos730g.csr -out certs/centos730g.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep 22 17:15:37 2016 GMT
                Not After : Sep 22 17:15:37 2017 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = beijing
                organizationName          = companyA
                organizationalUnitName    = web
                commonName                = centos730g
                emailAddress              = 183530300@qq.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
                X509v3 Authority Key Identifier:
                    keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

    Certificate is to be certified until Sep 22 17:15:37 2017 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@Centos630G CA]# ls certs
    centos730g.crt
    [root@Centos630G CA]#

6. On the CA, send the signed certificate to the client that requested it

    [root@Centos630G CA]# scp certs/centos730g.crt 10.1.42.71:/root
    The authenticity of host '10.1.42.71 (10.1.42.71)' can't be established.
    RSA key fingerprint is f2:c8:a3:77:da:65:42:3a:bf:53:24:e2:0b:0f:23:eb.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.1.42.71' (RSA) to the list of known hosts.
    root@10.1.42.71's password:
    centos730g.crt                                100% 4596     4.5KB/s   00:00
    [root@Centos630G CA]#

7. Once the client has received the issued certificate, it can configure the corresponding network service and start using it

    [root@centos730g ~]# ll
    total 16
    -rw-r--r--. 1 root root 4596 Sep 22 17:17 centos730g.crt
    -rw-r--r--. 1 root root 1050 Sep 22 17:10 centos730g.csr
    -rw-------. 1 root root 1675 Sep 22 16:41 centos730g.prikey
    [root@centos730g ~]#

View the issued certificate:

    [root@centos730g ~]# openssl x509 -in centos730g.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=beijing, L=haidian, O=companyA, OU=IT, CN=centos630g/emailAddress=183530300@qq.com
            Validity
                Not Before: Sep 22 17:15:37 2016 GMT
                Not After : Sep 22 17:15:37 2017 GMT
            Subject: C=cn, ST=beijing, O=companyA, OU=web, CN=centos730g/emailAddress=183530300@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:ca:a2:3c:e5:04:7a:5c:88:fd:2a:64:5d:41:18:
                        95:4f:4e:b4:ae:06:07:5b:e0:ac:d1:74:99:f4:3d:
                        2a:0a:35:4c:90:49:cf:51:84:69:44:de:e2:c1:9b:
                        9f:8d:29:9c:b7:5a:c2:b0:fd:a6:29:84:91:73:7f:
                        1a:f9:ba:00:f0:8f:2d:28:18:a5:bd:24:8b:cc:a0:
                        31:45:d8:c7:fe:51:da:5f:f5:27:39:02:fb:7e:07:
                        b7:6c:63:0f:b1:ec:7c:f5:57:c7:8c:1a:9f:23:04:
                        e0:2e:d6:c6:3a:ad:b3:5c:42:13:54:62:a1:83:ed:
                        d2:61:48:eb:98:06:a5:32:d3:b2:5b:00:05:0a:6b:
                        fb:97:90:1f:10:d9:8c:e6:00:af:c2:72:cc:ba:08:
                        fd:98:87:99:80:ec:40:41:a2:a6:df:ae:1b:29:bc:
                        22:25:f0:3f:59:6a:10:31:65:c8:44:7a:2b:2f:0b:
                        00:ce:d7:a6:3c:ab:83:47:10:20:75:76:46:51:9d:
                        ca:a8:65:b0:7f:28:d9:4c:24:90:47:4f:40:6c:ba:
                        b5:cf:cd:bb:a3:07:f3:35:f0:08:cc:61:52:90:ea:
                        57:c2:3b:9f:cc:c1:b0:4a:e5:8b:21:8c:c8:74:b2:
                        da:8d:aa:94:de:d3:bb:c3:9e:10:6c:d9:93:7a:b9:
                        5b:8d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
                X509v3 Authority Key Identifier:
                    keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

        Signature Algorithm: sha1WithRSAEncryption
             10:23:27:f2:3c:ad:3c:ca:6a:d3:ae:db:1d:fb:51:95:2f:91:
             ef:ba:f4:b3:b2:91:dc:0a:e0:7a:3f:45:e5:97:16:24:a0:52:
             a4:3e:51:d1:86:c1:d0:de:d7:3c:7f:62:3c:f1:9e:88:93:03:
             15:c4:38:29:ba:cc:ba:0c:78:d0:7e:76:e5:dd:70:a4:6e:17:
             e7:19:ae:47:f3:39:32:d7:97:67:73:bb:bb:4a:28:ed:a1:f5:
             ec:d6:46:4d:8c:80:27:e2:48:f7:1b:54:58:1e:cc:cb:52:0b:
             91:24:b5:04:28:5c:70:1f:22:aa:3b:7f:4b:7d:f3:8a:f8:35:
             07:38:47:68:8c:57:b8:77:64:7a:bd:95:d5:5e:c8:82:32:a8:
             5b:ac:2b:c2:72:fa:08:ea:ee:30:1b:a9:39:eb:77:6e:65:32:
             90:ee:11:cc:38:05:84:a2:ed:14:d8:cc:73:ac:01:8c:8d:ae:
             27:38:c3:de:cd:75:4d:d3:09:9d:6e:b8:c3:e6:b1:c5:79:12:
             46:da:f4:c8:fe:97:1c:4b:66:c6:98:d6:b9:7c:fe:4a:a1:30:
             97:32:2e:01:cf:3c:eb:b8:bd:e1:da:6f:bc:98:8c:b8:99:b6:
             dc:42:51:b7:d1:ad:92:ff:95:91:ab:0f:3d:1e:db:e4:9e:1d:
             b0:b0:99:04
    [root@centos730g ~]#

四、Revoking a certificate on the CA
1. On the client requesting the revocation, look up the serial and subject of the certificate to be revoked and submit them to the CA

    [root@centos730g ~]# openssl x509 -in centos730g.crt -noout -serial -subject
    serial=01
    subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com
    [root@centos730g ~]#

2. On the CA, check that the serial and subject submitted by the client match the entry in the server's index.txt before revoking

    [root@Centos630G CA]# openssl x509 -in certs/centos730g.crt -noout -serial -subject
    serial=01
    subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com
    [root@Centos630G CA]# cat index.txt
    V	170922171537Z		01	unknown	/C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com
    [root@Centos630G CA]#

3. With the information confirmed to match, perform the revocation

    [root@Centos630G CA]# tree
    .
    ├── cacert.pem
    ├── certs
    │   └── centos730g.crt
    ├── crl
    │   └── centos730g.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 10 files
    [root@Centos630G CA]# openssl ca -revoke newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    [root@Centos630G CA]# tree
    .
    ├── cacert.pem
    ├── certs
    │   └── centos730g.crt
    ├── crl
    │   └── centos730g.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 11 files
    [root@Centos630G CA]#

A new file, index.txt.attr.old, has appeared.

4. Generate the CRL number (only needed the first time a certificate is revoked)

    [root@Centos630G CA]# echo 01 > crlnumber
    [root@Centos630G CA]# openssl ca -gencrl -out crl/ca.crl
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@Centos630G CA]# tree
    .
    ├── cacert.pem
    ├── certs
    │   └── centos730g.crt
    ├── crl
    │   ├── ca.crl
    │   └── centos730g.csr
    ├── crlnumber
    ├── crlnumber.old
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 14 files
    [root@Centos630G CA]#

After the first revocation completes, four new files appear on the CA: index.txt.attr.old, ca.crl, crlnumber and crlnumber.old.

View the certificate revocation list:

    [root@Centos630G CA]# openssl crl -in crl/ca.crl -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=centos630g/emailAddress=183530300@qq.com
            Last Update: Sep 22 17:44:35 2016 GMT
            Next Update: Oct 22 17:44:35 2016 GMT
            CRL extensions:
                X509v3 CRL Number:
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Sep 22 17:29:54 2016 GMT
        Signature Algorithm: sha1WithRSAEncryption
             11:5a:02:a8:9f:a0:9c:85:c0:cd:e8:65:06:98:90:f0:31:83:
             cc:c6:f5:7d:4b:4b:d7:1a:57:63:c5:ac:ac:51:d4:46:d8:80:
             f7:0c:94:42:5f:24:f1:87:97:f6:05:23:de:b4:3e:3b:3f:4f:
             d2:55:ef:13:c0:78:80:d1:eb:fa:47:eb:1c:58:cb:d4:f2:9b:
             bd:eb:88:2a:d5:be:05:ee:26:f8:ba:ba:cf:a3:7f:8c:73:db:
             84:a3:de:74:9c:4d:eb:64:69:be:78:d1:ec:f9:82:10:46:72:
             5f:5a:e3:99:c4:f9:1c:36:18:f4:b7:5e:f4:72:6b:20:b0:98:
             7a:3c:c1:a4:e6:c3:d5:af:3f:68:44:7b:ae:34:69:0e:49:fd:
             fc:1f:70:9c:f6:b9:d4:a2:c1:25:d8:d1:e1:75:82:53:c4:63:
             c2:ce:1a:47:81:4a:73:18:81:35:ba:24:95:ff:8e:b3:61:6f:
             ce:ae:49:2f:73:d4:14:e3:5a:04:a6:c4:15:71:3b:e2:4c:fa:
             7f:05:42:1a:41:02:98:cb:82:70:ee:de:b2:5f:90:a9:cb:18:
             93:28:dd:ff:62:e1:90:7e:88:cd:19:41:40:5f:17:47:65:2f:
             ab:95:0f:27:8f:95:44:05:b7:d9:90:3e:e3:8c:ff:e9:d0:55:
             49:05:97:a9
    [root@Centos630G CA]#

Having mastered the operations above, building and managing a private CA should be no problem, so go ahead and try it yourself. Questions and corrections are welcome in the comments.
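As a self-contained way to practise the four parts above (the CA's files and self-signed certificate, signing a client request, revoking it and publishing a CRL), here is an added example; it is not code from the original post. It is a POSIX sh script that builds the same directory layout the post uses under /etc/pki/CA inside a temporary directory, writes its own minimal openssl.cnf (so it does not depend on the CentOS /etc/pki/tls/openssl.cnf the post's commands rely on) and drives everything non-interactively with -subj and -batch. The CA and client subjects, the name web01, the hostname web01.example.test and the function names ca_init, ca_issue, ca_revoke, ca_status and ca_verify are all this example's own constructions. Its policy_match section reproduces the note in part 一 that C, ST and O of a request must match the CA; it also explains why the certificate issued in part 三 lost the L=haidian field that was in its CSR (fields the policy does not list are dropped from the issued subject). The example adds one check the post does not perform: a relying-party verification with openssl verify -crl_check, so the certificate is seen to be accepted before revocation and rejected after it.

```shell
#!/bin/sh
# Added example (not the original post's code): the post's CA workflow as sh
# functions against a throwaway directory, with a self-written openssl.cnf.
# All subjects, hostnames and paths below are constructed for the demo.
set -eu

# Minimal CA config. policy_match is the rule the post mentions: C, ST and O of
# a request must equal the CA's; unlisted fields (e.g. L) are dropped from the
# issued subject, which is why the post's issued cert has no L= although the
# CSR had one. v3_ca gives the self-signed root CA:TRUE so verifiers accept it.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Parts (1) and (2): bookkeeping files, CA key, self-signed CA certificate.
# An empty CRL is published immediately so relying parties can always run a
# CRL check (the post creates crlnumber only at the first revocation).
ca_init() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -days 7300 -subj "$2" -out "$1/cacert.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"
}

# Part (3): client key and CSR (made on the web server in the post; here in the
# same tree for the demo), then signing. -batch answers the two y/n prompts and
# -notext keeps the human-readable dump out of the .crt file.
ca_issue() {
    (umask 066; openssl genrsa -out "$1/certs/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/certs/$2.key" \
        -subj "$3" -out "$1/certs/$2.csr"
    openssl ca -config "$1/openssl.cnf" -batch -days 365 -notext \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.crt"
}

# Part (4): revoke by serial (the CA's copy in newcerts/) and republish the CRL.
ca_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"
}

# Status letter from index.txt (V = valid, R = revoked); the serial is column 4.
ca_status() {
    awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}

# What a relying party should do: verify the chain AND consult the CA's CRL.
# Exit status 0 means the certificate is good; non-zero means invalid/revoked.
ca_verify() {
    cat "$1/cacert.pem" "$1/crl/ca.crl" > "$1/crl/trust-bundle.pem"
    openssl verify -crl_check -CAfile "$1/crl/trust-bundle.pem" "$2" >/dev/null 2>&1
}

demo_private_ca() {
    w=$(mktemp -d)
    ca_init "$w" "/C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=demo-ca"
    ca_issue "$w" web01 "/C=cn/ST=beijing/O=companyA/OU=web/CN=web01.example.test"
    echo "issued: status=$(ca_status "$w" 01) $(openssl x509 -in "$w/certs/web01.crt" -noout -subject)"
    ca_verify "$w" "$w/certs/web01.crt" && echo "verify before revocation: OK"
    ca_revoke "$w" 01
    echo "revoked: status=$(ca_status "$w" 01)"
    ca_verify "$w" "$w/certs/web01.crt" || echo "verify after revocation: rejected by -crl_check"
    rm -rf "$w"
}
demo_private_ca
```

Run it with sh; it needs only the openssl binary and awk. One detail the post's commands do not make visible: -days on `openssl req -new` without -x509 has no effect on a CSR, the validity is fixed by -days on `openssl ca` (or default_days in the config), which is why the script passes it only there. The index.txt check in part 四 is what ca_status automates: the serial the client reports must be found in column 4 of the CA's database before anything is revoked.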