CA證書和TLS介紹
數字簽名
用本身的私鑰給數據加密就叫數字簽名算法
公鑰傳輸威脅
在A和B的通訊中,C能夠把本身的公鑰發給A,讓A把C的公鑰當成B的公鑰,這樣的話.B拿到加密數據反而沒法解密,而C卻能夠解密出數據.從而實現C截獲AB之間的數據shell
因此在二者的通訊中必需要對公鑰的來源進行確認windows
A和B若是想安全交換公鑰,就必須經過CA(證書頒發機構) 證書的通訊過程 A和B首先都內置了CA的公鑰centos
根CA的證書是本身給本身簽名的(自簽名)瀏覽器
CA和證書
PKI: Public Key Infrastructure 安全
簽證機構:CA(Certificate Authority) bash
註冊機構:RA 服務器
證書吊銷列表:CRL app
證書存取庫: X.509:定義了證書的結構以及認證協議標準 dom
版本號 序列號 簽名算法 頒發者 有效期限 主體名稱 主體公鑰 CRL分發點 擴展信息 發行者簽名
SSL
SSL(Secure Socket Layer)和TLS(Transport Layer Security )自己是一個東西
實現功能: 機密性 認證 完整性 重放保護(正確一樣的數據不能重複發送)
兩階段協議,分爲握手階段和應用階段
握手階段(協商階段):
客戶端和服務器端認證對方身份(依賴於PKI體系,利用數字證書進行 身份認證),並協商通訊中使用的安全參數、密碼套件以及主密鑰.
後續通訊使用的全部密鑰都是 經過MasterSecret生成。
應用階段:
在握手階段完成後進入,在應用階段通訊雙方使用握手階段協商好的密鑰進行安全通訊
taobao 證書 https的通訊過程
taobao 證書內容包含 SCA(Ptaobao) CA密鑰加密簽名過的taobao公鑰 + CA證書描述+過時時間+證書其它信息 taobao網站把證書發給客戶端
客戶端因爲信任CA而且拿到了CA的公鑰,就能夠解密SCA(Ptaobao) 得到taobao的公鑰 Ptaobao
客戶端(瀏覽器)會在本地生成一個對稱密鑰(key)用taobao的公鑰加密發送給taobao Ptaobao(key) sendto taobao
taobao經過本身的私鑰解密獲得客戶端發送過來的key Staobao(Ptaobao(key)) = key 這樣在客戶端和服務端都存在相同的對稱密鑰key
客戶端和服務端就能夠經過key(data)對大量的網頁數據進行對稱加密,實現通訊雙方的安全通訊
OpenSSL 開源實現證書申請和頒發
base64編碼 是6bit編碼 包含字符a-z,A-Z,/,+ 總共64個符號
生成私鑰
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS (umask 077; openssl genrsa –out test.key –des 2048) -des表示對密鑰對稱稱加密
openssl rsa -in test.key –out test2.key 將加密key解密
從私鑰中提取出公鑰
openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE openssl rsa –in test.key –pubout –out test.key.pub
實驗:向CA申請證書
創建Root CA
1. 建立CA重要的配置文件openssl的配置文件:/etc/pki/tls/openssl.cnf
2. 默認CA的工做目錄在 /etc/pki/CA
1 [root@centos7 ~]# cd /etc/pki/CA 2 #建立CA服務器的私鑰 3 [root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096) 4 Generating RSA private key, 4096 bit long modulus 5 ...................................................++ 6 ..............................................................................................................................................................................................................................................................................................++ 7 e is 65537 (0x10001) 8 [root@centos7 CA]# ls private 9 cakey.pem 10 11 #根CA給本身的私鑰簽名證書 12 [root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 13 You are about to be asked to enter information that will be incorporated 14 into your certificate request. 15 What you are about to enter is what is called a Distinguished Name or a DN. 16 There are quite a few fields but you can leave some blank 17 For some fields there will be a default value, 18 If you enter '.', the field will be left blank. 19 ----- 20 Country Name (2 letter code) [XX]:CN 21 State or Province Name (full name) []:beijing 22 Locality Name (eg, city) [Default City]:beijing 23 Organization Name (eg, company) [Default Company Ltd]:mage 24 Organizational Unit Name (eg, section) []:M30 25 Common Name (eg, your name or your server's hostname) []:www.yxh.com 26 Email Address []: 27 #以可讀的文本格式顯示證書內容 28 [root@centos7 CA]# openssl x509 -in cacert.pem -noout -text 29 Certificate: 30 Data: 31 Version: 3 (0x2) 32 Serial Number: 33 f9:72:0f:e1:6c:80:e3:aa 34 Signature Algorithm: sha256WithRSAEncryption 35 Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com 36 Validity 37 Not Before: May 19 08:58:14 2018 GMT 38 Not After : May 16 08:58:14 2028 GMT 39 Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=M30, CN=www.yxh.com 40 Subject Public Key Info: 41 Public Key Algorithm: rsaEncryption 42 Public-Key: (4096 bit) 43 Modulus: 44 00:e4:70:ef:fe:9a:43:87:41:ca:05:3d:a6:98:df: 45 89:19:64:ac:fb:24:04:42:be:bc:87:7a:e9:b5:be: 46 9d:21:40:cf:c7:08:a1:ab:8e:03:92:29:e9:50:ed: 47 dd:8d:06:3c:5f:fa:23:9f:96:04:76:b9:be:56:43: 48 58:f8:43:db:24:cf:79:87:be:cc:bd:c0:af:41:04: 49 d4:e1:6b:78:fb:b1:74:8e:25:93:22:9e:f1:22:98: 50 97:7e:dd:dc:af:45:97:93:16:93:8a:89:5c:b0:00: 51 62:a5:2f:72:ec:54:aa:3a:ec:0b:24:72:34:4a:c0: 52 70:ab:02:d8:36:53:93:d1:cc:98:43:a9:a8:f2:3b: 53 b7:fb:be:44:64:9d:c6:bb:7d:16:b5:39:d1:1f:6d: 54 e2:89:c7:9f:b7:e6:10:87:37:01:41:25:af:61:b5: 55 7c:93:3c:bd:75:cb:46:ff:0e:e2:58:92:aa:25:2b: 56 06:b1:25:27:e5:7d:76:02:d8:c5:63:db:d0:e6:ab: 57 ef:ce:69:37:7e:eb:b1:f3:59:05:e1:bf:47:b7:d1: 58 4c:59:45:c9:d6:f0:35:dd:95:b0:c2:69:5b:7e:83: 59 3e:64:8e:66:28:ba:06:f4:99:30:00:4d:76:72:a3: 60 16:d7:7e:f1:9e:9d:fe:15:88:d0:b8:e4:8f:cd:56: 61 c3:89:5c:cf:40:a5:2b:9d:38:56:e2:30:09:85:22: 62 b2:f6:58:20:c2:c0:65:b9:0e:61:f0:b3:a2:94:ea: 63 57:72:77:90:26:7d:90:11:98:18:52:ab:dc:a1:78: 64 68:0d:f0:d8:6b:01:c5:5d:e5:ca:a5:36:68:81:ba: 65 ca:4c:b9:98:fd:f4:54:e3:eb:7f:3d:30:50:34:a6: 66 5e:38:1c:82:93:9b:91:76:34:ab:df:e8:95:dd:2e: 67 d0:c6:98:c5:77:a6:67:13:aa:96:3f:7c:70:7e:54: 68 50:77:cc:5c:d0:70:34:93:90:4a:83:25:d8:1e:1d: 69 6c:17:3c:84:20:df:ee:78:28:e7:63:7f:d5:44:9c: 70 c3:cb:ec:78:a7:2f:05:dc:e7:e9:20:32:34:38:66: 71 fc:1f:54:79:64:bc:92:e9:59:c5:bf:35:4c:aa:1f: 72 93:7a:e7:8c:29:b2:58:03:bf:4f:19:36:da:2f:bd: 73 00:e0:0e:cd:32:09:0b:c7:1d:6c:12:19:b4:fa:4c: 74 a2:b0:24:be:d3:1e:47:55:17:c3:14:ce:cd:af:01: 75 ca:d8:48:44:12:40:99:f2:9f:87:1e:ea:2f:cb:0f: 76 a7:0d:b7:99:d5:e1:3b:68:50:00:80:6f:59:7c:19: 77 96:72:51:bb:9d:6b:02:01:c1:7b:88:d9:20:57:64: 78 1f:86:95 79 Exponent: 65537 (0x10001) 80 X509v3 extensions: 81 X509v3 Subject Key Identifier: 82 C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76 83 X509v3 Authority Key Identifier: 84 keyid:C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76 85 86 X509v3 Basic Constraints: 87 CA:TRUE 88 Signature Algorithm: sha256WithRSAEncryption 89 a0:df:1a:b4:22:69:a7:8f:92:8b:c0:67:91:66:df:5f:0f:47: 90 2d:2e:6a:fd:d7:21:48:29:46:e7:7e:9b:6a:46:32:04:39:c2: 91 fb:06:2e:eb:d2:f5:25:16:f7:03:f9:d1:e5:d1:d8:1d:96:8e: 92 22:fc:37:d7:22:97:36:4c:2c:f2:8f:09:24:5b:61:a2:29:13: 93 48:21:c9:db:1e:1e:24:18:d0:02:2f:ff:35:fd:21:4c:b6:af: 94 36:33:8a:d0:2f:22:75:f4:89:8b:99:4f:32:69:55:35:13:35: 95 00:d4:f3:82:44:5f:25:a8:82:1c:51:01:31:e2:7b:c0:72:0a: 96 5d:a8:a8:37:30:a7:64:e5:2b:86:e4:92:57:59:ae:0b:a9:7b: 97 fa:be:64:be:7a:d4:f1:6a:1d:9e:07:d4:79:7d:9c:d9:c5:98: 98 ec:fc:d0:0d:55:45:41:81:c9:5a:d1:0e:ba:f1:14:c1:43:ea: 99 26:62:a3:c2:8f:fe:54:fe:03:9d:8c:ca:96:48:66:9f:83:88: 100 c3:e7:d8:6b:e9:43:34:3c:77:b6:2f:97:54:65:39:74:09:a5: 101 a3:c6:d1:aa:52:7b:d3:91:44:32:ee:1a:45:40:ff:1e:46:b9: 102 47:06:68:6e:91:a6:88:77:4a:df:07:bd:81:ae:6e:a0:2d:67: 103 39:15:b6:9b:28:e3:0a:34:bf:0d:f0:01:af:8a:f2:2b:8b:3f: 104 12:a7:8b:cf:c4:eb:c5:bc:58:58:10:6a:84:85:26:01:39:9a: 105 fa:aa:1a:dc:83:46:61:1b:12:90:ad:5a:d7:67:78:68:a9:8c: 106 72:71:f0:64:b7:bf:08:85:9b:71:4a:3f:00:94:43:a7:73:3b: 107 c3:95:da:07:1f:8b:ca:f4:d7:a4:af:34:95:42:a5:e0:46:e8: 108 18:22:29:c4:b7:b0:a0:9a:7b:e8:e5:b1:11:67:07:f3:7d:bd: 109 f7:2f:5f:65:5e:32:5d:0c:65:a1:70:ad:50:6c:02:5c:a5:e6: 110 0c:41:c9:26:9d:95:c4:1b:df:26:a2:43:4f:b6:e0:98:6f:ba: 111 cb:83:e6:1c:00:ba:d6:48:cc:a4:2e:8d:cc:6c:f4:9d:5a:ee: 112 62:0e:57:e2:2e:1f:8c:6c:cd:a3:2d:63:4b:0f:6b:11:bd:18: 113 47:23:0b:b7:7c:fc:d5:45:01:6e:72:a0:7c:43:29:6b:ef:dd: 114 33:d1:39:2a:14:cd:c3:2e:91:4f:78:3d:e2:08:a5:dd:bd:00: 115 aa:18:19:48:03:3a:a1:9d:1c:e7:c3:87:51:a4:42:7a:fd:7f: 116 90:40:c6:bb:ba:8e:22:be:63:5a:10:bb:a4:fd:ef:21:4f:d1: 117 84:a9:fb:2e:61:cc:b0:76 118 119 [root@centos7 CA]# openssl x509 -in cacert.pem -noout -issuer 120 issuer= /C=CN/ST=beijing/L=beijing/O=mage/OU=M30/CN=www.yxh.com
用戶或者服務器申請證書
1.生成私鑰文件 [root@yxh6 data]# (umask 077;openssl genrsa -out app.key 1024) Generating RSA private key, 1024 bit long modulus ..............................++++++ .....................++++++ e is 65537 (0x10001) [root@yxh6 data]# ls app.key 2.利用私鑰文件生成申請文件 [root@yxh6 data]# openssl req -new -key app.key -out app.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:mage Organizational Unit Name (eg, section) []:M30 Common Name (eg, your name or your server's hostname) []:www.yxh.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@yxh6 data]# ls app.csr app.key 3.將申請文件發送給CA scp app.csr 192.168.33.130:/etc/pki/CA 4.CA頒發證書 回到CA服務器執行頒發證書 touch index.txt echo 0F > serial [root@centos7 CA]# openssl ca -in app.csr -out certs/app.crt -days 100 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 15 (0xf) Validity Not Before: May 19 09:35:37 2018 GMT Not After : Aug 27 09:35:37 2018 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = mage organizationalUnitName = M30 commonName = www.yxh.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 71:DC:D4:AE:8A:5A:16:A4:13:62:D7:3A:C9:C7:DD:A7:9C:95:B0:4F X509v3 Authority Key Identifier: keyid:C6:80:BB:D0:7D:12:F4:EF:1A:69:CD:92:D3:F7:E1:3D:8A:27:CD:76 Certificate is to be certified until Aug 27 09:35:37 2018 GMT (100 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@centos7 certs]# ls app.crt 5.證書發送客戶端 scp app.csr 192.168.33.129:/data 客戶端能夠拿着這個證書在應用程序中使用
windows下查看生成的證書信息和安裝證書
能夠把證書cacert.pem下載到windows中進行可視化查看證書信息
須要.pem(cacert.pem)後綴名改爲windows能識別的.cer(cacert.cer)或者.crt 點擊安裝證書能夠把此證書安裝到可信任的證書路徑中
證書管理
查看證書中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
openssl ca -status SERIAL 查看指定編號的證書狀態
吊銷證書
在客戶端獲取要吊銷的證書的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根據客戶提交的serial與subject信息,對比檢驗是否與index.txt文件中的信息一致,吊 銷證書:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一個吊銷證書的編號,注意:第一次更新證書吊銷列表前,才須要執行 echo 01 > /etc/pki/CA/crlnumber
更新證書吊銷列表 openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件: openssl crl -in /etc/pki/CA/crl.pem -noout -text
SSH安全服務
ssh: secure shell, protocol, 22/tcp, 安全的遠程登陸
兩種方式的用戶登陸認證:
1.基於password
1.客戶端向服務端發送SSH請求
2.服務端收到請求,發送公鑰給客戶端
3.客戶端輸入用戶名和密碼經過公鑰加密回傳給服務端
4.服務端經過私鑰解密獲得用戶名和密碼和本地的用戶名密碼進行驗證匹配
2.基於key
1.首先在客戶端生成一對密鑰對
2.客戶端將公鑰拷貝給服務端並重命名爲 authorized_keys
3.客戶端向服務端發送一個鏈接請求,信息包括ip,用戶名
4.服務端獲得客戶端消息後,會到authorized_keys查找是否有對應信息而且隨機生成一個字符串
5.服務端把隨機生成的字符串用客戶端公鑰加密發送給客戶端
6.客戶端接收到加密字符串後用本身的私鑰對字符串進行解密,而且把解密後的字符串發送給服務端
7.服務端會把接收到的字符串和原來本身生成的隨機字符串進行驗證匹配
ssh客戶端:
1.客戶端配置文件 /etc/ssh/ssh_config ssh服務端的配置文件 /etc/ssh/sshd_config
ssh客戶端會在第一次鏈接的時候把遠程主機的公鑰下載到本機,若是須要冒充其它已經鏈接過的主機,須要把對方的私鑰拷貝到本地來
實現基於ssh key的認證
實現指定用戶無密碼鏈接,默認是root用戶 在ssh-copy-id命令中指定特定的用戶名就會把公鑰文件拷貝到指定用戶的家目錄下
ssh-copy-id yxh@192.168.33.130
1.在客戶端生成密鑰對 [root@yxh6 data]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 84:69:ce:6b:19:1d:09:c4:94:66:06:2e:76:57:8b:0b root@yxh6.localdomain The key's randomart image is: +--[ RSA 2048]----+ | .=+.. | | . ** o | | o E+* = | | . o * + . | | = S | | + | | + | | . | | | +-----------------+ [root@yxh6 data]# cd /root/.ssh [root@yxh6 .ssh]# ls id_rsa id_rsa.pub known_hosts 2.把公鑰複製到服務端主機 [root@yxh6 .ssh]# ssh-copy-id 192.168.33.130 root@192.168.33.130's password: Now try logging into the machine, with "ssh '192.168.33.130'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. 3.直接鏈接遠程主機 [root@yxh6 .ssh]# ssh 192.168.33.130 Last login: Sat May 19 17:31:50 2018 from 192.168.33.1 this is etc/motd,welcome.... [root@centos7 ~]#
多臺主機之間實現相互key認證登陸
1.在一臺主機A上生成一對密鑰對全部主機使用同一密鑰
2.ssh-copy-id A
3.scp -rp /root/.ssh B:/root
4.scp -rp /root/.ssh C:/root
ssh key認證腳本自動化
expect匹配輸出規則:
#Are you sure you want to continue connecting (yes/no)?
#root@192.168.33.129's password:
1 生成ip列表文件 2 [root@centos7 .ssh]# cat ip.txt 3 192.168.33.129 4 192.168.33.130 5 6 #!/bin/bash 7 rpm -q expect &> /dev/null || yum install -y expect 8 ssh-keygen -P "" -f "/root/.ssh/id_rsa" 9 password=root 10 while read ipaddr;do 11 echo $ipaddr 12 expect <<EOF 13 spawn ssh-copy-id $ipaddr 14 expect { 15 "yes/no" { send "yes\n";exp_continue } 16 "password:" { send "$password\n" } 17 } 18 expect eof 19 EOF 20 done < ip.txt 21 22 給腳本文件設置執行權限 23 chmod +x ssh_key.sh 24 25 執行腳本 26 ./ssh_key.sh
- 1. 02-建立 TLS CA證書及密鑰
- 2. CA認證和證書
- 3. SSL和TLS-TLS 介紹
- 4. SSL數字證書之CA根證書、CA中間證書和SSL證書
- 5. 帶入gRPC:基於 CA 的 TLS 證書認證
- 6. 細說 CA 和證書
- 7. CA證書
- 8. CA (證書)
- 9. ca 證書
- 10. 證書和SSL或TLS
- 更多相關文章...
- • 網站主機 介紹 - 網站主機教程
- • Spring目錄結構和基礎JAR包介紹 - Spring教程
- • Java Agent入門實戰(一)-Instrumentation介紹與使用
- • IntelliJ IDEA 代碼格式化配置和快捷鍵
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. 安裝cuda+cuDNN
- 2. GitHub的使用說明
- 3. phpDocumentor使用教程【安裝PHPDocumentor】
- 4. yarn run build報錯Component is not found in path 「npm/taro-ui/dist/weapp/components/rate/index「
- 5. 精講Haproxy搭建Web集羣
- 6. 安全測試基礎之MySQL
- 7. C/C++編程筆記:C語言中的複雜聲明分析,用實例帶你完全讀懂
- 8. Python3教程(1)----搭建Python環境
- 9. 李宏毅機器學習課程筆記2:Classification、Logistic Regression、Brief Introduction of Deep Learning
- 10. 阿里雲ECS配置速記
- 1. 02-建立 TLS CA證書及密鑰
- 2. CA認證和證書
- 3. SSL和TLS-TLS 介紹
- 4. SSL數字證書之CA根證書、CA中間證書和SSL證書
- 5. 帶入gRPC:基於 CA 的 TLS 證書認證
- 6. 細說 CA 和證書
- 7. CA證書
- 8. CA (證書)
- 9. ca 證書
- 10. 證書和SSL或TLS