2 OpenSSL
2.1 OpenSSL 介绍
OpenSSL 计划在 1998 年开始,其目标是发明一套自由的加密工具,在互联网上使用。OpenSSL 以 EricYoung 以及 Tim Hudson 两人开发的 SSLeay 为基础,随着两人前往 RSA 公司任职,SSLeay 在 1998 年 12 月停止开发。因此在 1998 年 12 月,社群另外分支出 OpenSSL,继续开发下去
OpenSSL 管理委员会当前由 7 人组成有 13 个开发人员具有提交权限(其中许多人也是 OpenSSL 管理委员会的一部分)。只有两名全职员工(研究员),其余的是志愿者
该项目每年的预算不到 100 万美元,主要依靠捐款。 TLS 1.3 的开发由 Akamai 赞助
OpenSSL 是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连线者的身份。这个包广泛被应用在互联网的网页服务器上
其主要库是以 C 语言所写成,实现了基本的加密功能,实现了 SSL 与 TLS 协议。OpenSSL 可以运行在 OpenVMS、 Microsoft Windows 以及绝大多数类 Unix 操作系统上(包括 Solaris,Linux,Mac OS X 与各种版本的开放源代码 BSD 操作系统)
心脏出血漏洞:OpenSSL1.0.1 版本(不含 1.0.1g)含有一个严重漏洞,可允许攻击者读取服务器的内存信息。该漏洞于 2014 年 4 月被公诸于世,影响三分之二的活跃网站
包括三个组件:
- libcrypto:用于实现加密和解密的库
- libssl:用于实现 ssl 通信协议的安全库
- openssl:多用途命令行工具
2.2 Base64 编码
Base64 是网络上最常见的用于传输 8Bit 字节码的编码方式之一,Base64 就是一种基于 64 个可打印字符来表示二进制数据的方法
base64 的编码过程如下:
将每 3 个字节放入一个 24 位的缓冲区中,最后不足 3 个字节的,缓冲区的剩余部分用 0 来填补。然后每次 取出 6 位(2 的 6 次方为 64,使用 64 个字符即可表示所有),将高 2 位用 0 来填充,组成一个新的字节,计算出这个新字节的十进制值,对应上面的编码表,输出相应的字符。这样不断地进行下去,就可完成对所有数据的编码工作。
按照以上规则对文本 Man 编码如下:
范例:
[19:32:04 root@centos7 ~]#echo -n Man | base64 #进行编码
TWFu
[20:47:36 root@centos7 ~]#echo -n TWFu | base64 -d #解码
Man
[20:48:10 root@centos7 ~]#echo -n ab | base64
YWI=
[20:48:20 root@centos7 ~]#echo -n ab | base64 | base64 -d
ab
范例:破解下面密文
[20:48:44 root@centos7 ~]#]#echo -n JXU0RjYwJXU1OTdEJXU2NzBCJXU1M0NCJXVGRjAxJXU2ExJXU2NjJGJXU3MzhCJXU2 NjUzJXU2NjI1 JXVGRjBDJXU2MjExJXU3Njg0UVEldUZGMUEyOTMwODYyMCV1RkYwQyV1NTNFRiV1NEVFNSV1NTJBMCV1 NEUyQSV1NTk3RCV1NTNDQiV1NTQxNyV1RkYxRiUwQQ== | base64 -d
%u4F60%u597D%u670B%u53CB%uFF01%u6211%u662F%u738B%u6653%u6625base64: invalid input
[20:49:34 root@centos7 ~]#echo -n %u4F60%u597D%u670B%u53CB%uFF01%u6211%u662F%u738B%u6653%u6625 | base64 -d
base64: invalid input
2.3 openssl 命令
两种运行模式:
- 交互模式
- 批处理模式
三种子命令:
- 标准命令
- 消息摘要命令
- 加密命令
范例: openssl 的交互和非交互式查看版本
[19:32:15 root@centos8 ~]#openssl version
OpenSSL 1.1.1g FIPS 21 Apr 2020
[20:52:31 root@centos8 ~]#openssl
OpenSSL> version
OpenSSL 1.1.1g FIPS 21 Apr 2020
2.3.1 openssl 命令对称加密
工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc 命令:帮助:man enc
加密:
[20:57:20 root@centos8 ~]#openssl enc -e -des3 -a -salt -in fstab -out zhang.cipher
解密:
[20:57:42 root@centos8 ~]#openssl enc -d -des3 -a -salt -in zhang.cipher -out zhang
注意:需要输入密码
2.3.2 openssl 命令单向哈希加密
工具:openssl dgst
算法:md5sum, sha1sum, sha224sum,sha256sum…
dgst 命令:帮助:man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
[21:00:07 root@centos8 ~]#openssl md5 fstab
MD5(fstab)= 305613baf4b7a3319ee340fb8d53d2cf
[21:00:10 root@centos8 ~]#openssl sha512 fstab
SHA512(fstab)= ce24e2d29c1c65f6b7808f47aa91fa840ac11f43337f0d7a10af56666e02f4646888c532590187daddfbc70f70c73b739ee87c1e581d9f1d9e5e7867e8ae4f62
[21:00:21 root@centos8 ~]#sha512sum fstab
ce24e2d29c1c65f6b7808f47aa91fa840ac11f43337f0d7a10af56666e02f4646888c532590187daddfbc70f70c73b739ee87c1e581d9f1d9e5e7867e8ae4f62 fstab
补充知识:
MAC: Message Authentication Code,单向加密的一种延伸应用,用于实现网络通信中保证所传输数据的完整性机制
HMAC:hash-based MAC,使用哈希算法
2.3.3 openssl 命令生成用户密码
passwd 命令:帮助 man sslpasswd
[21:00:43 root@centos8 ~]#openssl passwd --help
Usage: passwd [options]
Valid options are:
-help Display this summary
-in infile Read passwords from file
-noverify Never verify when reading password from terminal
-quiet No warnings
-table Format output as table
-reverse Switch table columns
-salt val Use provided salt
-stdin Read passwords from stdin
-6 SHA512-based password algorithm
-5 SHA256-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-1 MD5-based password algorithm
-aixmd5 AIX MD5-based password algorithm
-crypt Standard Unix password algorithm (default)
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
[20:50:55 root@centos7 ~]#openssl passwd --help
Usage: passwd [options] [passwords]
where options are
-crypt standard Unix password algorithm (default)
-1 MD5-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-salt string use provided salt
-in file read passwords from file
-stdin read passwords from stdin
-noverify never verify when reading password from terminal
-quiet no warnings
-table format output as table
-reverse switch table columns
范例:
[09:14:25 root@centos8 ~]#getent shadow zhang
zhang:$6$0nQwTH1iY2ZSQYbl$WkasOxw7n5k8ZRY.5fa49mkXhuJGNi7YGHccEgoyi9TsVd1nf/5QBvmQ9jnChGHXJGHENXH3wYsRamP/CB4/B1:18639:0:99999:7:::
[09:14:31 root@centos8 ~]#echo 123456 | openssl passwd -6 -salt 0nQwTH1iY2ZSQYbl -stdin
$6$0nQwTH1iY2ZSQYbl$WkasOxw7n5k8ZRY.5fa49mkXhuJGNi7YGHccEgoyi9TsVd1nf/5QBvmQ9jnChGHXJGHENXH3wYsRamP/CB4/B1
[09:15:07 root@centos8 ~]#openssl passwd -6 -salt 0nQwTH1iY2ZSQYbl 123456
$6$0nQwTH1iY2ZSQYbl$WkasOxw7n5k8ZRY.5fa49mkXhuJGNi7YGHccEgoyi9TsVd1nf/5QBvmQ9jnChGHXJGHENXH3wYsRamP/CB4/B1
范例:利用 Python 程序在 Centos7,生成 sha512 加密密码,centos7 openssl 版本原因没有 sha521 加密算法
[21:03:46 root@centos7 ~]#python -c 'import crypt,getpass;pw="magedu";print(crypt.crypt(pw))'
$6$pxOXH9vfPThLDqmQ$FI3OLfvAbxFtwMhB.L6qKADg5XxYnpQA1q5sFqDen4Z/sJYbu4NAKpddO/g.PMU9F2GPvNyDtD7Ja6F19W4qj.
范例:创建新用户同时指定密码,在 CentOS8 和 Ubuntu 都通用
[09:18:30 root@centos8 ~]#useradd -p `echo 123456 | openssl passwd -6 -salt 0nQwTH1iY2ZSQYbl -stdin` wang
[09:19:12 root@centos8 ~]#getent shadow zhang
zhang:$6$0nQwTH1iY2ZSQYbl$WkasOxw7n5k8ZRY.5fa49mkXhuJGNi7YGHccEgoyi9TsVd1nf/5QBvmQ9jnChGHXJGHENXH3wYsRamP/CB4/B1:18639:0:99999:7:::
[09:19:21 root@centos8 ~]#getent shadow wang
wang:$6$0nQwTH1iY2ZSQYbl$WkasOxw7n5k8ZRY.5fa49mkXhuJGNi7YGHccEgoyi9TsVd1nf/5QBvmQ9jnChGHXJGHENXH3wYsRamP/CB4/B1:18639:0:99999:7:::
范例:
[09:21:03 root@centos8 ~]#openssl passwd -1 -salt SALT(最多8位)
[09:21:11 root@centos8 ~]#openssl passwd -1 -salt centos
2.3.4 openssl 命令生成随机数
随机数生成器:伪随机数字,利用键盘和鼠标,块设备中断生成随机数
/dev/random #仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom #从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
帮助:man sslrand
openssl rand -base64|-hex NUM
NUM: 表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*2
范例:生成随机 10 位长度密码
[09:24:11 root@centos8 ~]#openssl rand -base64 9 |head -c10
Vy8567ZT4x
[09:25:40 root@centos8 ~]#tr -dc '[:alnum:]' < /dev/urandom | head -c 10
3hl4sC5geK
2.3.5 openssl 命令实现 PKI
公钥加密:
- 算法:RSA, ELGamal
- 工具:gpg, openssl rsautl(man rsautl)
数字签名:
- 算法:RSA, DSA, ELGamal
密钥交换:
- 算法:dh
- DSA:Digital Signature Algorithm
- DSS:Digital Signature Standard
- RSA:
openssl 命令生成密钥对儿:man genrsa
生成私钥
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE [-des3] [NUM_BITS,默认2048]
@对称加密算法:man genrsa
-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, - camellia192, -camellia256, -des, -des3, -idea
解密加密的密钥
openssl rsa -in /PATH/TO/PRIVATEKEY.FILE -out /PATH/TO/PRIVATEKEY2.FILE
范例:
#生成对称秘钥加密的私钥,通过设置严格的权限实现安全,应用更广泛
[09:26:54 root@centos8 ~]#(umask 077 ; openssl genrsa -out app.key 2048)
[09:31:16 root@centos8 ~]#cat app.key
#将加密对称秘钥key解密,此方式更安全,但是不方便
[09:34:18 root@centos8 ~]#openssl genrsa -out app2.key -des3 2048
[09:35:40 root@centos8 ~]#cat app2.key
从私钥中提取出公钥
openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
范例:默认长度和指定长度的文件大小
[09:41:08 root@centos8 ~]#(umask 077;openssl genrsa -out app.key)
[09:41:12 root@centos8 ~]#ll
total 4
-rw------- 1 root root 1679 Jan 12 09:41 app.key
[09:41:17 root@centos8 ~]#openssl genrsa -out app.key 1024
[09:41:53 root@centos8 ~]#ll
total 4
-rw------- 1 root root 891 Jan 12 09:41 app.key
范例:从私钥提取公钥
[09:41:58 root@centos8 ~]#openssl rsa -in /root/app.key -pubout -out app.key.pub
writing RSA key
[09:43:02 root@centos8 ~]#ls
app.key app.key.pub
[09:43:03 root@centos8 ~]#cat app.key.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjXRDEyJQpyAavttGBHdymjkgz
A6rA85IWmPCq7kZ9eE69IuiJX6tsCt+vIVZpDtRuZaksMjXFZYm2EybDTSCnd6hV
aEptBaQbjCfFDBB5071Z7KZIF6LcUDh/T3yCU3SLDwnmORi2326pfO5FcL9hkyim
rLfs76TYmNcZN5IlLQIDAQAB
-----END PUBLIC KEY-----
范例:生成加密的私钥,并解密
[09:46:10 root@centos8 ~]#openssl genrsa -out /root/app.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
......+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for /root/app.key:
Verifying - Enter pass phrase for /root/app.key:
[09:46:18 root@centos8 ~]#ll
total 4
-rw------- 1 root root 963 Jan 12 09:46 app.key
[09:46:21 root@centos8 ~]#cat app.key
[09:46:30 root@centos8 ~]#openssl rsa -in /root/app.key -out /root/app.key
Enter pass phrase for /root/app.key:
writing RSA key
[09:47:07 root@centos8 ~]#ls -l
total 4
-rw------- 1 root root 887 Jan 12 09:47 app.key
[09:47:11 root@centos8 ~]#cat /root/app.key
2.4 建立私有 CA 实现证书申请颁发
建立私有 CA:
- OpenCA:OpenCA 开源组织使用 Perl 对 OpenSSL 进行二次开发而成的一套完善的 PKI 免费软件
- openssl:相关包 openssl 和 openssl-libs
证书申请及签署步骤:
- 生成证书申请请求
- RA 核验
- CA 签署
- 获取证书
范例:openssl-libs 包
[09:47:25 root@centos8 ~]#rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
...
openssl 的配置文件:
[09:49:35 root@centos8 ~]#cat /etc/pki/tls/openssl.cnf
三种策略:match 匹配、optional 可选、supplied 提供
match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息
2.4.1 创建私有 CA
1.创建 CA 所需要的文件
#生成证书索引数据库文件
touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
echo 01 > /etc/pki/CA/serial
2.生成 CA 私钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3.生成 CA 自签证书
#需要手动输入机构信息
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
范例:一键生成自签名证书
[09:50:22 root@centos8 ~]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.zhangzhuo.org" -keyout app.key -nodes -x509 -out app.crt
[09:56:25 root@centos8 ~]#openssl x509 -in app.crt -noout -text
2.4.2 申请证书并颁发证书
1.为需要使用证书的主机生成私钥
(umask 066; openssl genrsa -out /data/test.key 2048)
2.为需要使用证书的主机生成证书申请文件
openssl req -new -key /data/test.key -out /data/test.csr
3.在 CA 签署证书并将证书颁发给请求者
openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
注意:默认要求国家,省,公司名称三项必须和 CA 一致
4.查看证书中的信息
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
#查看指定编号的证书状态
openssl ca -status SERIAL
2.4.3 吊销证书
在客户端获取要吊销的证书的 serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在 CA 上,根据客户提交的 serial 与 subject 信息,对比检验是否与 index.txt 文件中的信息一致,吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看 crl 文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
2.4.4 CentOS7 创建自签名证书
#只有centos7有这个功能使用make创建自签证书
[09:07:30 root@centos7 ~]#cd /etc/pki/tls/certs
[10:05:58 root@centos7 certs]#make
[10:06:01 root@centos7 certs]#ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[10:06:11 root@centos7 certs]#cat Makefile
[10:08:32 root@centos7 certs]#make app.crt
[10:09:30 root@centos7 certs]#ls
app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[10:09:34 root@centos7 certs]#openssl x509 -in app.crt -noout -text
2.4.5 实战案例:在 Centos8 上实现私有 CA 和证书申请
2.4.5.1 创建 CA 相关目录和文件
[10:12:13 root@centos8 ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[10:13:06 root@centos8 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[10:13:27 root@centos8 ~]#touch /etc/pki/CA/index.txt
[10:13:58 root@centos8 ~]#echo 00 > /etc/pki/CA/serial
index.txt 和 serial 文件在颁发证书时需要使用,如果不存在,会出现以下错误提示
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf 140040142845760:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r') 140040142845760:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r') 140240559408960:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
2.4.5.2 创建 CA 的私钥
[10:14:24 root@centos8 ~]#cd /etc/pki/CA/
[10:16:14 root@centos8 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
[10:16:45 root@centos8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[10:16:50 root@centos8 CA]#ll private/
total 4
-rw------- 1 root root 1679 Jan 12 10:16 cakey.pem
[10:17:06 root@centos8 CA]#cat private/cakey.pem
2.4.5.3 给 CA 颁发自签名证书
[10:17:15 root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----------------------------------------------
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:neimeng
Locality Name (eg, city) [Default City]:baotou
Organization Name (eg, company) [Default Company Ltd]:zhangzhuo
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.zhangzhuo.org
Email Address []:admin@zhangzhuo.org
[10:19:47 root@centos8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[10:19:49 root@centos8 CA]#cat /etc/pki/CA/cacert.pem
[10:20:14 root@centos8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击可以看到下面显示
2.4.5.4 用户生成私钥和证书申请
[10:24:15 root@centos8 CA]#mkdir -p /data/app1
[10:30:11 root@centos8 CA]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
[10:30:39 root@centos8 CA]#cat /data/app1/app1.key
[10:30:45 root@centos8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
[10:32:48 root@centos8 CA]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1066 Jan 12 10:32 app1.csr
-rw------- 1 root root 1675 Jan 12 10:30 app1.key
默认有三项内容必须和 CA 一致:国家,省份,组织,如果不同,会出现下面的提示
[root@centos8 ~]#openssl ca -in /data/app2/app2.csr -out
/etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok
The stateOrProvinceName field is different between CA certificate (beijing) and the request (hubei)
2.4.5.5 CA 颁发证书
[10:37:25 root@centos8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 12 02:37:26 2021 GMT
Not After : Oct 9 02:37:26 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = neimeng
organizationName = zhangzhuo
organizationalUnitName = devops
commonName = app.zhangzhuo.org
emailAddress = root@zhangzhuo.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:0B:BD:FA:EF:0E:88:2F:AF:4D:3D:D5:2A:85:68:7B:76:7B:0E:92
X509v3 Authority Key Identifier:
keyid:80:B9:1E:65:EF:5C:8B:75:C4:D3:C0:A8:A0:0D:91:4F:D8:87:48:3A
Certificate is to be certified until Oct 9 02:37:26 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[10:38:12 root@centos8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 00.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
2.4.5.6 查看证书
[10:38:21 root@centos8 CA]#cat /etc/pki/CA/certs/app1.crt
[10:39:21 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
[10:39:57 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt --noout -issuer
issuer=C = CN, ST = neimeng, L = baotou, O = zhangzhuo, OU = devops, CN = ca.zhangzhuo.org, emailAddress = admin@zhangzhuo.org
[10:40:49 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt --noout -subject
subject=C = CN, ST = neimeng, O = zhangzhuo, OU = devops, CN = app.zhangzhuo.org, emailAddress = root@zhangzhuo.org
[10:41:03 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt --noout -dates
notBefore=Jan 12 02:37:26 2021 GMT
notAfter=Oct 9 02:37:26 2023 GMT
[10:41:27 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt --noout -serial
serial=00
#验证指定编号对应证书的有效性
[10:42:26 root@centos8 CA]#openssl ca -status 00
Using configuration from /etc/pki/tls/openssl.cnf
00=Valid (V)
[10:42:37 root@centos8 CA]#cat /etc/pki/CA/index.txt
V 231009023726Z 00 unknown /C=CN/ST=neimeng/O=zhangzhuo/OU=devops/CN=app.zhangzhuo.org/emailAddress=root@zhangzhuo.org
[10:43:02 root@centos8 CA]#cat /etc/pki/CA/index.txt.old
[10:43:17 root@centos8 CA]#cat /etc/pki/CA/serial
01
[10:43:31 root@centos8 CA]#cat /etc/pki/CA/serial.old
00
2.4.5.7 将证书相关文件发送到用户端使用
[10:45:44 root@centos8 CA]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[10:45:59 root@centos8 CA]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
2.4.5.8 证书的信任
默认生成的证书,在 windows 上是不被信任的,可以通过下面的操作实现信任
打开 internet 属性导入证书就可以了
2.4.5.9 证书的吊销
[10:48:34 root@centos8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 00.
Data Base Updated
[10:48:54 root@centos8 CA]#openssl ca -status 00
Using configuration from /etc/pki/tls/openssl.cnf
00=Revoked (R)
[10:49:08 root@centos8 CA]#cat /etc/pki/CA/index.txt
R 231009023726Z 210112024854Z 00 unknown /C=CN/ST=neimeng/O=zhangzhuo/OU=devops/CN=app.zhangzhuo.org/emailAddress=root@zhangzhuo.org
2.4.5.10 生成证书吊销列表文件
#吊销证书
[10:48:34 root@centos8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/00.pem
[10:48:54 root@centos8 CA]#openssl ca -status 00
00=Revoked (R)
#生成吊销证书文件
[10:50:29 root@centos8 CA]#echo 01 > /etc/pki/CA/crlnumber
[10:51:08 root@centos8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[10:51:34 root@centos8 CA]#cat /etc/pki/CA/crlnumber
02
[10:51:50 root@centos8 CA]#cat /etc/pki/CA/crl.pem
[10:51:58 root@centos8 CA]#openssl crl -in /etc/pki/CA/crl.pem --noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = neimeng, L = baotou, O = zhangzhuo, OU = devops, CN = ca.zhangzhuo.org, emailAddress = admin@zhangzhuo.org
Last Update: Jan 12 02:51:34 2021 GMT
Next Update: Feb 11 02:51:34 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 00
Revocation Date: Jan 12 02:48:54 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
23:14:1b:01:2d:67:d6:5a:70:13:7b:f2:68:e5:7f:d6:91:91:
76:1f:c2:f2:11:39:6d:d2:87:a5:0b:d0:2b:15:f9:cd:55:84:
a9:b5:1c:7e:c1:01:30:5f:7d:c1:c3:8a:ef:ad:ee:32:21:d6:
77:1c:46:d9:30:92:1d:56:ad:40:54:59:19:5e:95:e1:78:20:
0f:ff:cd:e7:22:be:f5:6a:e0:28:a8:55:89:26:40:d8:23:d0:
76:0d:f6:8b:b9:7a:12:89:a2:70:46:37:aa:8f:6d:0e:31:8a:
08:34:78:04:cb:15:3a:95:ec:3e:ac:67:d0:6b:be:48:0f:92:
39:e9:e3:ab:25:89:04:99:b2:2c:83:fe:96:79:5c:36:85:62:
7b:d2:00:f2:8f:c0:7d:d0:f3:8b:a6:58:db:3d:57:56:fa:64:
55:a7:f8:03:cc:ca:7b:79:4a:7b:21:d0:62:48:7a:8b:51:a2:
c2:3a:5d:a7:e3:98:7c:c5:b1:db:37:e7:32:19:41:e0:8d:c4:
95:e7:de:a2:05:bb:9f:62:30:76:69:cb:7d:4d:a9:75:66:c6:
94:48:7a:72:20:b2:0b:d6:73:d9:32:55:60:0b:25:ff:88:18:
56:46:90:f6:58:17:35:3e:b1:6e:38:b4:b0:dd:95:e3:43:7e:
73:0e:1c:f0
[10:52:32 root@centos8 CA]#sz /etc/pki/CA/crl.pem
#将此文件crl.pem传到windows上并改后缀为crl.pem.crl,双击可以查看以下显示
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于