加密与安全
我们在前面学习网络知识中了解到,跨主机之间的通信是通信是通过套接字方式来实现的,服务器监听,客户端请求,服务器根据客户端请求,获取资源,并发送给服务端,但发送是明文发送的,没有加密,任何人都可以获取内容,这样就暴露了隐私。因此需要加密机制保护互联网数据在传输过程中的隐私性了。
安全机制:
信息安全防护的目标
- 保密性 Confidentiality
- 完整性 Integrity
- 可用性 Usability
- 可控制性Controlability
- 不可否认性 Non-repudiation
运维工作职责:保障数据安全、保障系统可用性
- 物理安全:各种设备/主机、机房环境
- 系统安全:主机或设备的操作系统
- 应用安全:各种网络服务、应用程序
- 网络安全:对网络访问的控制、防火墙规则
- 数据安全:信息的备份与恢复、加密解密
- 管理安全:各种保障性的规范、流程、方法
防火墙:将内部系统与外部系统隔离
防水墙:防止企业内部安全的机制
安全算法:
密码算法和协议:
对称加密
公钥加密
单向加密
认证协议
Linux系统:OpenSSL, gpg(pgp协议的实现)
对称加密算法:
对称加密:加密和解密使用同一个密钥
特性:
1、加密、解密使用同一个密钥,效率高
2、将原始数据分割成固定大小的块,逐个进行加密
缺陷:
1、密钥过多
2、密钥分发难
3、数据来源无法确认
非对称加密算法:
公钥加密:密钥是成对出现
公钥:公开给所有人;public key
私钥:自己留存,必须保证其私密性;secret key
特点:用公钥加密数据,只能使用与之配对的私钥解密;反之亦然
功能:
- 数字签名:主要在于让接收方确认发送方身份
- 对称密钥交换:发送方用对方的公钥加密一个对称密钥后发送给对方
- 数据加密:适合加密较小数据
缺点:密钥长,加密解密效率低下
算法:
RSA(加密,数字签名),DSA(数字签名),ELGamal
注意:加密算法都是算法公开,密钥不公开
非对称加密:
基于一对公钥/密钥对
• 用密钥对中的一个加密,另一个解密
实现加密:
• 接收者
生成公钥/密钥对:P和S
公开公钥P,保密密钥S
• 发送者
使用接收者的公钥来加密消息M
将P(M)发送给接收者
• 接收者
使用密钥S来解密:M=S(P(M))
实现数字签名:私钥加密,公钥解密
• 发送者
生成公钥/密钥对:P和S
公开公钥P,保密密钥S
使用密钥S来加密消息M
发送给接收者S(M)
• 接收者
使用发送者的公钥来解密M=P(S(M))
单向散列:(hash算法)
将任意数据缩小成固定大小的“指纹”
• 任意长度输入
• 固定长度输出
• 若修改数据,指纹也会改变(“不会产生冲突”)
• 无法从指纹中重新生成数据(“单向”)
功能:数据完整性
常用工具
• md5sum | sha1sum [ –check ] file
–check 检查hash值是否相同
• openssl、gpg
• rpm -V
注意:hash(data)=digest摘要
data 不同,digest必不相同
digest反推不出data
digest长度固定大小
密钥交换
密钥交换:IKE( Internet Key Exchange )
公钥加密:
DH (Deffie-Hellman):生成会话密钥
DH:
1、A: a,p 协商生成公开的整数a, 大素数p (a为5 ,p为23)
B: a,p
2、A:生成隐私数据 😡 (x<p ),计算得出 a^x%p,发送给B(x为6)
B:生成隐私数据 :y,计算得出 a^y%p,发送给A (y为7)
3、A:计算得出 [(a^y%p)^x] %p = a^xy%p,生成为密钥
B:计算得出 [(a^x%p)^y] %p = a^xy%p,生成为密钥
[root@centos6 bin]#bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
5^6%23
8
5^7%23
17
17^6%23
12
8^7%23
12
^C
(interrupt) Exiting bc.
使用gpg实现对称加密
对称加密file文件
gpg -c file
[root@centos6 app]#cat a.txt
i love you
[root@centos6 app]#gpg -c a.txt
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
Xlib: extension "RANDR" missing on display "localhost:11.0".
(pinentry-gtk-2:14063): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
Xlib: extension "RANDR" missing on display "localhost:11.0".
(pinentry-gtk-2:14066): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
[root@centos6 app]#ls
a.txt
a.txt.gpg
[root@centos6 app]#cat a.txt.gpg
¥[Y䇦 ࠽x ¸Eþ鲸Jj-6腓¢±ٳµM{¸ߏ[root@centos6 app]#
[root@centos6 app]#scp a.txt.gpg root@172.18.254.13:/app
The authenticity of host '172.18.254.13 (172.18.254.13)' can't be established.
RSA key fingerprint is c2:63:99:85:62:c5:9f:14:2d:a7:d8:0a:5a:70:8a:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.254.13' (RSA) to the list of known hosts.
root@172.18.254.13's password:
a.txt.gpg 100% 55 0.1KB/s 00:00
在另一台主机上解密file
gpg -o file -d file.gpg
[root@localhost app]# cat a.txt.gpg
¥[Y䇦 ࠽x ¸Eþ鲸Jj-6腓¢±ٳµM{¸ߏ[root@localhost app]# ^C
[root@localhost app]# gpg -d a.txt.gpg
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
i love you
gpg: WARNING: message was not integrity protected
使用gpg工具实现公钥加密
在hostB主机上用公钥加密,在hostA主机上解密
在hostA主机上生成公钥/私钥对
gpg –gen-key
注意:centos6在虚拟机上使用 即 不可以在远程终端使用,centos7可以
[root@centos6~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: centos6
Email address:
Comment:
You selected this USER-ID:
"centos6"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
在hostA主机上查看公钥
gpg –k
[root@centos6 .gnupg]#gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/9BF04D6B 2018-09-01
uid centos6
sub 1024R/71AC2BE1 2018-09-01
gpg –K
[root@centos6 .gnupg]#gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024R/9BF04D6B 2018-09-01
uid centos6
ssb 1024R/71AC2BE1 2018-09-01
在hostA主机上导出公钥到centos6.key
gpg -a –export -o centos6.key(-a选项是输出格式,-o是导出文件,文件名,随意起)
[root@centos6 .gnupg]#gpg -a --export -o centos6.key
从hostA主机上复制公钥文件到需加密的B主机上
scp centos6.key hostB:/app
[root@centos6 .gnupg]#scp centos6.key root@172.18.254.13:/app
root@172.18.254.13's password:
centos6.key 100% 1853 1.8KB/s 00:00
在需加密数据的hostB主机上生成公钥/私钥对
gpg –gen-key //生成的公钥为centos7
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: centos7
Email address:
Comment:
You selected this USER-ID:
"centos7"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 2FC17934 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/2FC17934 2018-09-04
Key fingerprint = 2EC4 00DF 8E2A 5ECA AC9F 9B63 324E CDBF 2FC1 7934
uid centos7
sub 1024R/1D46A946 2018-09-04
在hostB主机上导入hostA的公钥
gpg –import centos6.key
[root@localhost app]# gpg --import centos6.key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9BF04D6B: public key "centos6" imported
gpg: key E1A58968: public key "centos6" imported
gpg: Total number processed: 2
gpg: imported: 2 (RSA: 2)
gpg –list-keys //查看目前所拥有的公钥
[root@localhost ~]# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/9BF04D6B 2018-09-01
uid centos6
sub 1024R/71AC2BE1 2018-09-01
pub 1024R/2FC17934 2018-09-04
uid centos7
sub 1024R/1D46A946 2018-09-04
用从hostA主机导入的公钥,加密hostB主机的文件file,生成file.gpg
gpg -e -r centos6 file
[root@localhost app]# gpg -e -r centos6 a.txt
gpg: 71AC2BE1: There is no assurance this key belongs to the named user
pub 1024R/71AC2BE1 2018-09-01 centos6
Primary key fingerprint: 66D2 DDCB 748D D1CB C96F 65B7 5BEF FE67 9BF0 4D6B
Subkey fingerprint: 2D0A B786 7146 A121 D80B F72F 776C 82F6 71AC 2BE1
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
File `a.txt.gpg' exists. Overwrite? (y/N) y
[root@localhost app]# ls
apache24 a.txt a.txt.gpg centos6.key
复制加密文件到hostA主机
scp file.gpg hostA:/app
[root@localhost app]# scp a.txt.gpg root@172.18.250.42:/app
root@172.18.250.42's password:
a.txt.gpg 100% 219 54.0KB/s 00:00
在hostA主机解密文件
gpg -d file.gpg
gpg -o file -d file.gpg //解密文件并生成一个新的文件file
[root@centos6 app]#gpg -o a.txt -d a.txt.gpg
You need a passphrase to unlock the secret key for
user: "centos6"
1024-bit RSA key, ID 71AC2BE1, created 2018-09-01 (main key ID 9BF04D6B)
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
Xlib: extension "RANDR" missing on display "localhost:10.0".
(pinentry-gtk-2:15749): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
gpg: encrypted with 1024-bit RSA key, ID 71AC2BE1, created 2018-09-01
"centos6"
删除公钥和私钥
gpg –delete-keys wangxiaochun //删除公钥
[root@localhost ~]# gpg --delete-keys centos6
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/9BF04D6B 2018-09-01 centos6
Delete this key from the keyring? (y/N) y
gpg –delete-secret-keys wangxiaochun //删除私钥
注意:密钥是成对出现的,如果私钥存在,先删除私钥在删除公钥
[root@centos6 .gnupg]#gpg --delete-secret-keys centos6
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024R/9BF04D6B 2018-09-01 centos6
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
CA和证书:
PKI: Public Key Infrastructure 【公共的秘钥体系】
签证机构:CA(Certificate Authority)(验证公钥是否合法;使用自己的私钥封装公钥)
注意: CA上还可以有多个上级CA(最上级CA,自己给自己签名,声称自己是最权威机构)
注册机构:RA
证书吊销列表:CRL
证书存取库: 【存取了已颁发证书的信息】
X.509:定义了证书的结构以及认证协议标准
证书的获取:
证书类型:
证书授权机构的证书:
服务器
用户证书
获取证书的两种方法:
1. 使用证书授权机构
生成签名请求(csr)
将csr发送给CA
从CA处接受签名
2. 自签名的证书 【根CA】
自己签发自己的公钥
安全协议:
SSL: Secure Socket Layer
功能:机密性,认证,完整性,重放保护
两阶段协议,分为握手阶段和应用阶段
握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使用的所有密钥都是通过MasterSecret生成。
应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密钥进行安全通信
OpenSSL命令:
对称加密:
工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc命令:
帮助:man enc
加密:
openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher 加密并生成加密文件
[root@localhost app]# openssl enc -e -des3 -a -salt -in a.txt -out a.enc
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
解密:
openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile 解密并生成新文件
[root@localhost app]# openssl enc -d -des3 -a -salt -in a.enc -out f1.txt
enter des-ede3-cbc decryption password:
[root@localhost app]# ls
a.enc apache24 a.txt a.txt.gpg centos6.key f1.txt
[root@localhost app]# cat f1.txt
i love you
openssl passwd -1 -salt SALT(最多8位) //生成md5加密的口令【salt不一样,生成口令不一样,可指定salt】
openssl passwd -1 –salt centos
[root@localhost app]# openssl passwd -1 -salt centos
Password:
$1$centos$Uq6E6Wp5SDZYbs6MCmamP0
OpenSSL
证书申请及签署步骤:
1、生成申请请求
2、RA核验
3、CA签署
4、获取证书
创建CA和申请证书
创建私有CA:
openssl的配置文件:/etc/pki/tls/openssl.cnf 【可再次查看一些所需注意事项】
三种策略:匹配、支持和可选
注意:匹配指要求申请填写的信息跟CA设置信息必须一致,支持指必须填写这项申请信息,可选指可有可无
1、创建所需要的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件 (手动创建,空即可)
[root@localhost ~]#cd /etc/pki/CA/
[root@localhost CA]# touch index.txt
[root@localhost CA]# ls
certs crl index.txt newcerts private
echo 00 > /etc/pki/CA/serial 指定第一个颁发证书的序列号 (指定下一个证书编号,16进制)
[root@localhost CA]# echo 00 > serial
[root@localhost CA]# ls
certs crl index.txt newcerts private serial
2、 CA自签证书
生成私钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@localhost CA]# (umask 066;openssl genrsa -out private/cakey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
生成自签名证书
openssl req -new -x509 –key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIDqzCCApOgAwIBAgIJANvFyg8v/3E8MA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV
BAYTAkNOMQ4wDAYDVQQIDAVIZU5hbjESMBAGA1UEBwwJWmhlbmdaaG91MRMwEQYD
VQQKDAptYWdlZHUuY29tMQwwCgYDVQQLDANvcHQxFjAUBgNVBAMMDWNhLm1hZ2Vk
dS5jb20wHhcNMTgwOTA0MTEwODUxWhcNMzgwODMwMTEwODUxWjBsMQswCQYDVQQG
EwJDTjEOMAwGA1UECAwFSGVOYW4xEjAQBgNVBAcMCVpoZW5nWmhvdTETMBEGA1UE
CgwKbWFnZWR1LmNvbTEMMAoGA1UECwwDb3B0MRYwFAYDVQQDDA1jYS5tYWdlZHUu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1STNx2cDHewyGrW
43+l1gWRYYpoBtg43NgGh7SeT/e52ER12Ez9n0twDMOt3ME+qHp3JycHR9kJeZUi
JuKd88epfec756bpCftgWYUXe+wvsaczolF2+bOHHwdePXNxYHX3jS7pAxohWeX1
mpu3s/o4hcntNCcK7worTWdCxPy5UJB7dpjmrDYeIiL9jMhd6MyViyDDlexCpr/M
Aj3c0wY278RMChBJi5r99P8E4DZpVMLrLyLr+l3Yko0+J4njs7CvL0oE/heA7yI2
pV86fptJ78R9PkeTbLp4bNBHSJAzzrTVd1ncuqoI0+77D5oj1H72x9aJ3yxxmK9o
so28LwIDAQABo1AwTjAdBgNVHQ4EFgQUbi60ZLCz2bBTwaaxENoN+Mwp85gwHwYD
VR0jBBgwFoAUbi60ZLCz2bBTwaaxENoN+Mwp85gwDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAJLppJI6RnCFVDVxmWpRAru81BaT3ZCt3zqzEdocxQ2C5
Pe3ATxg4r2A5SUwfz0Mg/6uSsin0NyMBr0n006G0FoObE78oz5evnTZ1eBCcFJIk
V6HfpWRzjdKx/x8EMN2Z6kFJrA444hPohPvwGcu5smiuEx/iZpbasHjaqeByv79Q
52EAaEHpsFKcP/5x0bY5waojkLDcNNX0ZQXa4/+wPQiOLKC2CJimQ6ryDXxAd37l
wb6JKI3E90u7NEMuNI9fwpFtiKGDiqMCB8KwVGEGlnrQ8yzkN0W561K89T6qkJyG
F3Cfv3s7yaLgAmEMyHHCTymnlpdqWyahw06dm2w4AQ==
-----END CERTIFICATE-----
3、颁发证书
在需要使用证书的主机生成证书请求
给web服务器生成私钥
(umask 066; openssl genrsa –out /etc/pki/tls/private/test.key 2048)
[root@localhost ~]# (umask 066;openssl genrsa -out rhel5.key 1024)
Generating RSA private key, 1024 bit long modulus
...................................++++++
......................++++++
e is 65537 (0x10001)
生成证书申请文件
openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out etc/pki/tls/test.csr
[root@localhost ~]# openssl req -new -key rhel5.key -out rhel5.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HeNan
Locality Name (eg, city) [Newbury]:Luoyang
Organization Name (eg, company) [My Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:rou
Common Name (eg, your name or your server's hostname) []:rhel5.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
将证书请求文件传输给CA
[root@localhost ~]# scp rhel5.csr root@c7:/etc/pki/CA
The authenticity of host 'c7 (172.18.254.13)' can't be established.
RSA key fingerprint is c2:63:99:85:62:c5:9f:14:2d:a7:d8:0a:5a:70:8a:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'c7,172.18.254.13' (RSA) to the list of known hosts.
root@c7's password:
rhel5.csr 100% 660 0.6KB/s 00:00
CA签署证书,并将证书颁发给请求者
openssl ca -in /tmp/test.csr –out /etc/pki/CA/certs/test.crt -days 365
注意:默认国家,省,公司名称三项必须和CA一致
【参数与上类似:地点,省,市,公司写的不一致,将出错。可在/etc/pki/tls/openssl.cnf中修改策略policy=policy_anything】
[root@localhost CA]# openssl ca -in rhel5.csr -out certs/rhel5.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 4 12:09:19 2018 GMT
Not After : Sep 1 12:09:19 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
localityName = Luoyang
organizationName = magedu.com
organizationalUnitName = rou
commonName = rhel5.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F1:E9:82:83:E0:2D:39:90:72:63:67:BB:1D:3A:1C:0B:F5:E2:C1:5C
X509v3 Authority Key Identifier:
keyid:6E:2E:B4:64:B0:B3:D9:B0:53:C1:A6:B1:10:DA:0D:F8:CC:29:F3:98
Certificate is to be certified until Sep 1 12:09:19 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# scp rhel5.crt root@c5:/etc/pki/CA/cacert.pem
root@c5's password:
rhel5.crt 100% 3762 2.3MB/s 00:00
4 在应用软件中使用证书
注意:不可以重复提交相同的申请信息,申请证书【如若想用相同信息申请证书,修改文件index.txt.attr 将yes改为no】
[root@localhost CA]# ls
cacert.pem crl index.txt.attr newcerts rhel5.csr serial.old
certs index.txt index.txt.old private serial
创建CA和证书管理
5、查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
openssl ca -status SERIAL 查看指定编号的证书状态
6、吊销证书
在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem //吊销证书
指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber //指定下一个要吊销的文件列表
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem //生成吊销列表,先创建crlnumber文件
查看crl文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text // 查看吊销的证书列表