非对称加密 SSL/TLS
非对称加密 SSL/TLS
加密传输的数据
用于验证通信的双方是彼此声称的那个人!
CA简介
CA :CertificateAuthority的缩写,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书
功能:证书发放、证书更新、证书撤销和证书验证。
作用:身份认证,数据的不可否认性
证书请求文件:CSR是Cerificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书的私钥签名就生成了证书文件,也就是颁发给用户的证书
HTTP转HTTPS
HTTPS(全称:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。
SSL:(Secure Socket Layer)安全套接字层,通过一种机制在互联网上提供密钥传输 其主要目标是保证两个应用间通信数据的保密性和可靠性,可在服务器端和用户端同时支持的一种加密算法 目前主流版本SSLV2、SSLV3(常用)。
SSL四次握手安全传输:
加密协议: SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S 1. 请求一个安全的会话,协商算法
C <------------------------------------------------- S 2. 将自己Server端的证书给客户端,证书中包括了64自己的公钥
C -------------------------------------------------> S 3. 客户端用浏览器中存放CA的根证书检测client证书,如果对,使用CA根证书中的公钥解密 得到CA的公钥; 然后生成一把对称的加密密钥,用client的公钥加密这个密钥发给CA , 后期使用对称密钥加密数据
C <------------------------------------------------> S 4.client使用私钥解密,得到对称的加密密钥然后,使用对称加密密钥来进行安全快速传输数据
CA认证实现
环境准备:
所有主机
[root@localhost ~]# cat /etc/hosts
...
192.168.2.10 ca.aiops.net.cn
192.168.2.20 www.aiops.net.cn
CA主机
[root@localhost ~]# hostnamectl set-hostname ca
#软件是否安装
[root@ca ~]# rpm -q openssl
openssl-1.0.2k-12.el7.x86_64
修改CA配置文件
#vim /etc/pki/tls/openssl.conf
[ CA_default ]
dir = /etc/pki/CA #保存目录 # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt #修改 # The CA certificate ##
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key #修改 # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BJ
localityName = Locality Name (eg, city)
localityName_default = BJ
0.organizationName = Organization Name (eg, company)
0.organizationName_default = aiops
生成CA私钥和CA自签名证书
#准备文件
[root@ca tls]# cd /etc/pki/CA
[root@ca CA]# ls
certs crl newcerts private
[root@ca CA]# touch index.txt
[root@ca CA]# echo 00 > serial
[root@ca CA]# ls
certs crl index.txt newcerts private serial
#生成private
[root@ca CA]# (umask 077;openssl genrsa -out private/ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key: #输入密码
Verifying - Enter pass phrase for private/ca.key: #再次输入密码
[root@ca CA]# ls private/
ca.key
CA生成CA自签名证书
[root@ca CA]# openssl req -new -x509 -days 7300 -key private/ca.key > ca.crt
Enter pass phrase for private/ca.key: #输入密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: #回车
State or Province Name (full name) [Beijing]:#回车
Locality Name (eg, city) [Beijing]:#回车
Organization Name (eg, company) [aiops]:#回车
Organizational Unit Name (eg, section) []:IT #写入部门名称
Common Name (eg, your name or your server's hostname) []:ca.aiops.net.cn #服务器名称,一定能解析。
Email Address []:ca@aiops.net.cn #可写可不写
[root@ca CA]# ls
ca.crt certs crl index.txt newcerts private serial
web服务器(httpd)
[root@localhost ~]# hostnamectl set-hostname web
安装httpd及ssl模块
[root@web ~]# yum -y install httpd mod_ssl
[root@web ~]# echo "test" >> /var/www/html/index.html
生成web服务器私钥
[root@web ~]# openssl genrsa -out /etc/httpd/httpd.key
Generating RSA private key, 2048 bit long modulus
......................................+++
........+++
e is 65537 (0x10001)
生成web证书申请的请求文件
[root@web ~]# openssl req -new -key /etc/httpd/httpd.key -out /tmp/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #与CA一致
State or Province Name (full name) []:Beijing#与CA一致
Locality Name (eg, city) [Default City]:Beijing#与CA一致
Organization Name (eg, company) [Default Company Ltd]:aiops#与CA一致
Organizational Unit Name (eg, section) []:web #自己填写
Common Name (eg, your name or your server's hostname) []:www.aiops.net.cn #与主机名称一致
Email Address []:web@aiops.net.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #回车
An optional company name []:#回车
发送CSR文件给CA
[root@web ~]# scp /tmp/httpd.csr 192.168.2.10:/tmp
CA给web服务器颁发证书
[root@ca CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 26 05:28:03 2019 GMT
Not After : Feb 26 05:28:03 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = aiops
organizationalUnitName = web
commonName = www.aiops.net.cn
emailAddress = web@aiops.net.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:AF:47:16:83:C3:EC:2B:06:AE:A1:E1:F0:85:E1:D0:30:6F:C5:0F
X509v3 Authority Key Identifier:
keyid:A0:E3:92:C7:D7:F0:B5:16:17:8E:FD:04:8D:09:4B:38:CC:DF:99:5A
Certificate is to be certified until Feb 26 05:28:03 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA把颁发证书发送给web服务器
[root@ca CA]# scp /tmp/httpd.crt 192.168.2.20:/etc/httpd/
web服务器应用证书
- Apache支持SSL
[root@web ~]# yum -y install mod_ssl
[root@web ~]# ls /etc/httpd/conf.d/
autoindex.conf README ssl.conf userdir.conf welcome.conf
配置指定证书和私钥
[root@httpdweb ~]# cat /etc/httpd/conf.d/www.conf
<VirtualHost 192.168.2.20:80>
DocumentRoot /var/www/html
ServerName www.aiops.net.cn
ServerAlias aiops.net.cn
RewriteEngine On
RewriteRule ^(.*)$ https://www.aiops.net.cn$1 [R=301,L]
</VirtualHost>
<VirtualHost 192.168.2.20:443>
ServerName www.aiops.net.cn
DocumentRoot /var/www/html
SSLEngine on
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
</VirtualHost>
Linux客户机验证
[root@localhost ~]# hostnamectl set-hostname webclient
Linux客户机命令行验证
[root@webclient ~]# cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
[root@webclient ~]# curl http://www.aiops.net.cn
Linux客户机浏览器验证
客户机浏览器验证结果
web服务器(nginx)
nginx服务器安装
[root@web ~]# yum -y install epel-release
[root@web ~]# yum -y install nginx
证书获取
[root@web cert]# pwd
/etc/nginx/cert
[root@web cert]# ls
nginx.crt nginx.key
nginx服务器配置
[root@web nginx]# cat nginx.conf
server {
listen 80; #修改
server_name www.aiops.net.cn aiops.net.cn; #修改
#root /usr/share/nginx/html;
return 301 https://www.aiops.net.cn/$request_uri; #添加
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
server {
listen 443 ssl; #修改
# listen [::]:443 ssl http2 default_server;
server_name www.aiops.net.cn; #修改
root /usr/share/nginx/html; #开启
ssl on; #开启
ssl_certificate "/etc/nginx/cert/nginx.crt"; #修改
ssl_certificate_key "/etc/nginx/cert/nginx.key"; #修改
# ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m; #开启
ssl_protocols SSLv2 SSLv3 TLSv1; #添加
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
} #开启
}
客户机访问验证结果
互联网证书获取
在日常工作中,我们经常遇到一些网站要求把web访问协议http转成https协议,这就要求我们必须对域名进行SSL证书申请并应用。
申请域名:www.aliyun.com
阅读建议
