[Hands-on, Linux] Setting up a CA and obtaining a certificate for HTTPS
Environment
CA server: xuegod63.cn, IP 192.168.1.63
Client (web server): xuegod64.cn, IP 192.168.1.64
CA overview
CA: short for Certificate Authority, usually translated into Chinese as 認證權威 or 認證中心; its main purpose is issuing digital certificates to users.
Functions: certificate issuance, renewal, revocation and verification.
Role: authenticating identity and providing non-repudiation of data.
Port: 443 is the HTTPS port of the web server (xuegod64). The CA itself in this walkthrough does not listen on any port; the request and the certificate are moved between the hosts with scp.
Process:
Certificate signing request: CSR stands for Certificate Signing Request. When a certificate is applied for, the applicant's cryptographic service provider (CSP) generates a private key and, at the same time, a CSR that carries the matching public key and the applicant's distinguished name. The applicant submits only the CSR to the CA; the private key never leaves the applicant's host. The CA signs the request with the private key of its root certificate, and the result is the certificate file issued to the applicant.
How a user verifies the server's identity with the CA certificate:
I: Building the CA
Configure your own CA
[root@xuegod63 CA]# vim /etc/pki/tls/openssl.cnf
  change: 172 # basicConstraints=CA:FALSE
  to:     172 basicConstraints=CA:TRUE    # intended to "make this host a CA"
Note: this edit is not needed and should be left out. Line 172 sits in the [usr_cert] section, which is the extension set "openssl ca" applies to the certificates the CA issues, not to the CA's own certificate; the CA certificate gets its extensions from [v3_ca], where basicConstraints = CA:TRUE is already set. With the change made, every server certificate this CA signs is itself a CA certificate (step 4 below shows exactly that in its output), so keep CA:FALSE here.
Configure the CA and generate its private key and root certificate
[root@xuegod63 CA]# /etc/pki/tls/misc/CA -h    # show help
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[root@xuegod63 ~]# /etc/pki/tls/misc/CA -newca    # set up a new CA
CA certificate filename (or enter to create)    # press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: 123456                # passphrase protecting the CA private key
Verifying - Enter PEM pass phrase: 123456    # repeat it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                 # country
State or Province Name (full name) []:beijing                        # province
Locality Name (eg, city) [Default City]:haidian                      # locality
Organization Name (eg, company) [Default Company Ltd]:xuegod         # organization
Organizational Unit Name (eg, section) []:IT                         # department
Common Name (eg, your name or your server's hostname) []:xuegod63.cn # the CA's own name; any value works for a private CA
Email Address []:[email protected]                                    # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request    # optional request attributes; the challenge password is not used by this setup
A challenge password []:          # press Enter
An optional company name []:      # press Enter
Using configuration from /etc/pki/tls/openssl.cnf    # the CA's configuration file; the CA directory layout (/etc/pki/CA) comes from here
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:123456    # the passphrase chosen above
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c9:16:bb:49:48:20:ed:16
        Validity
            Not Before: Dec 20 12:00:19 2014 GMT
            Not After : Dec 19 12:00:19 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = shenjianming    # this capture is from a different run than the prompts above, where the CN entered was xuegod63.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BF:E3:16:CC:EB:42:BD:6D:56:8E:A4:21:70:E6:72:40:0C:77:C0:C0
            X509v3 Authority Key Identifier:
                keyid:BF:E3:16:CC:EB:42:BD:6D:56:8E:A4:21:70:E6:72:40:0C:77:C0:C0
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Dec 19 12:00:19 2017 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
# This step sets up the CA: it generates the private key of the CA root certificate and, at the end, the self-signed root certificate itself, which carries the matching public key. The Subject Key Identifier and Authority Key Identifier above are identical because the root signs itself.
Note: at this point the CA is ready.
View the generated CA root certificate:
[root@xuegod63 CA]# vim /etc/pki/CA/cacert.pem    # the CA root certificate; it contains the CA's public key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:1d:ed:ba:fc:7e:b4:40
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT, CN=shenjianming/emailAddress=[email protected]    # the CA's own DN
        Validity
            Not Before: May  9 11:54:20 2015 GMT
            Not After : May  8 11:54:20 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=shenjianming/emailAddress=[email protected]
        Subject Public Key Info:    # the CA's public key
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
# Looking at the root certificate shows the CA's public key inside it. Note the signature algorithm, sha1WithRSAEncryption: it comes from default_md = sha1 in the CentOS 6 openssl.cnf, and every certificate this CA issues inherits it. SHA-1 signatures are rejected by current browsers, so set default_md = sha256 in the [CA_default] section before issuing anything.
View the root certificate's private key
[root@xuegod63 CA]# vim /etc/pki/CA/private/cakey.pem    # the private key of the CA root certificate (cakey.pem)
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI2JxR6+eEWI0CAggA
MBQGCCqGSIb3DQMHBAjjVO7+mmTUuwSCBMil6B4xGLDfbskPQd++sEtyMtV8Y62l
GztBjiSSNCE0amDVvhi5hG5dZpq9i/ik1Jh31DQ6siet10vm7/EZC4KSqagDsi66
# The file is encrypted under the passphrase entered during -newca. This key is what makes every certificate the CA issues trusted: whoever holds it can mint certificates for any name, so keep it mode 0600 on the CA host and never copy it to the web server.
II: Obtaining a server certificate for HTTPS
1. Install httpd
[root@xuegod64 ~]# yum install httpd
[root@xuegod64 ~]# vim /etc/httpd/conf/httpd.conf
  change: #ServerName www.example.com:80
  to:     ServerName 192.168.1.64:80
[root@xuegod64 ~]# service httpd restart
2. Generate the certificate signing request on xuegod64
[root@xuegod64 ~]# openssl genrsa -h    # show help
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -idea           encrypt the generated key with IDEA in cbc mode
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator
2.1 Generate a private key:
[root@xuegod64 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456    # passphrase protecting the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456
[root@xuegod64 ~]# cat /etc/httpd/conf.d/server.key    # look at the private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D1CCE8B91BCAD4F4    # the key file is encrypted with 3DES-CBC under the passphrase (that is what -des3 did)
TlIQpxnrXh9WgLpqfqvKymsCdDDYUjvGyc2C9FOdZtEo+4B2toHGRKjyCyyRcWb7
PV9AJU5FsGyMDVDnOvTcBjYy5MPFhSPUpJ7Y5WeQBWZ6cn5Yh5OtVqQh5EyIxhVJ
j1m6XOrcAVpgRDOfyH68r+mipmse95kiBAjxh2gm5OzLLJt27dFZ5XRmd7oXys0q
V1SFftuN7M7DEx6Qzsut/C4teAZ64Bx3kM1RlXjAESixZUmrPyB/l12rVxd/kMQT
h2gvHM40mn52iNddaXQu8EeKy9CzJUpou85154v7tlqftJ98Hg9oFxebhIhS/16f
# No key size was given, so this build's default was used: 512 bits here (the certificate captured in Part III shows 1024 bits, from another run). A 512-bit RSA modulus can be factored in hours on commodity hardware and 1024 bits is no longer accepted by browsers; always pass the size explicitly as the last argument (the [numbits] in the usage above), 2048 at minimum.
2.2 Generate the request file
[root@xuegod64 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
# The country, province and organization entered here have to match the CA's: the default policy in openssl.cnf ([policy_match]) makes "openssl ca" reject a request whose C, ST or O differ from the CA certificate.
Enter pass phrase for /etc/httpd/conf.d/server.key:123456    # the private key's passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod64.cn
# The Common Name must be exactly the host name users type in the URL; otherwise the browser reports that the certificate's name does not match the site and the user has reason to distrust it. It can be a domain name or an IP address. Modern browsers (Chrome since version 58, for example) no longer look at the CN at all and only match the names in a subjectAltName extension, which "openssl ca" adds only if the extension section it uses contains one.
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          # press Enter, no password
An optional company name []:
3. Send the certificate request to the CA server:
[root@xuegod64 ~]# scp /server.csr 192.168.1.63:/tmp/
The authenticity of host '192.168.1.63 (192.168.1.63)' can't be established.
RSA key fingerprint is f5:49:15:f3:62:37:05:0c:d5:15:ca:18:ea:c3:df:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.63' (RSA) to the list of known hosts.
root@192.168.1.63's password: 123456
server.csr                                    100%  688     0.7KB/s   00:00
4. The CA signs the request
[root@xuegod63 CA]# openssl ca -h    # help for the ca subcommand
[root@xuegod63 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ce:60:e0:a3:fe:ee:88:09
        Validity
            Not Before: Dec 21 14:25:53 2014 GMT
            Not After : Dec 21 14:25:53 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod64.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE    # wrong for a server certificate: this is the [usr_cert] edit from Part I showing up; it should read CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                1B:30:0B:28:4A:31:EA:FC:05:7D:54:A3:87:A0:6E:BE:F8:D6:3C:F8
            X509v3 Authority Key Identifier:
                keyid:6D:0F:0C:C5:96:32:A8:8B:D3:FF:36:39:5B:14:5B:9B:31:12:4A:C3
Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days)    # validity is 365 days, the default_days value in openssl.cnf
Sign the certificate? [y/n]:y    # sign it
1 out of 1 certificate requests certified, commit? [y/n]y    # confirm
Write out database with 1 new entries
Data Base Updated
Copy the certificate to xuegod64:
[root@xuegod63 CA]# scp /server.crt 192.168.1.64:/
# The CA signs here with its own private key (cakey.pem). The Authority Key Identifier in the new certificate is the CA's Subject Key Identifier, which is how a verifier finds the issuing certificate.
5. The CA delivers the certificate
[root@xuegod63 ~]# scp /server.csr 192.168.1.64:/
The authenticity of host '192.168.1.64 (192.168.1.64)' can't be established.
RSA key fingerprint is f5:49:15:f3:62:37:05:0c:d5:15:ca:18:ea:c3:df:13.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.64' (RSA) to the list of known hosts.
root@192.168.1.64's password: 123456
server.csr                                    100%  688     0.7KB/s   00:00
# The file that has to reach xuegod64 is the signed certificate /server.crt (copied at the end of step 4); the transcript above sends the request file back again, which xuegod64 already has. Nothing is encrypted in this step: the CA signed the certificate with its private key in step 4, and the certificate, including the server's public key, is public information. Anyone holding the CA's public key, i.e. the root certificate cacert.pem, can verify that signature.
III: Implementing HTTPS with the certificate
SSL (Secure Socket Layer) is the protocol layer that provides key establishment over the Internet and, on top of it, confidentiality and integrity for the data exchanged by two applications, using an encryption algorithm supported by both server and client. The name has survived, but SSLv2 and SSLv3 are both broken and prohibited (RFC 6176 and RFC 7568); what is actually deployed today is TLS, and TLS 1.2 or later is what should be enabled. The mod_ssl default on CentOS 6, SSLProtocol all -SSLv2, still leaves SSLv3 on.
The four-step handshake (RSA key exchange):
Protocol: TLS 1.0 (the flow below is the RSA key exchange of TLS 1.0 to 1.2; TLS 1.3 replaces it with an ephemeral Diffie-Hellman exchange, but the certificate check in step 3 is the same)
C -------------------------------------------------> S   1. The client asks for a secure session and proposes cipher suites (ClientHello).
C <------------------------------------------------- S   2. The server sends its certificate, which contains xuegod64's public key (ServerHello, Certificate).
C -------------------------------------------------> S   3. The client checks xuegod64's certificate against the CA root certificate held in its browser's trust store: it verifies the CA's signature on the certificate with the CA's public key (nothing is decrypted; the server's public key is in the certificate in the clear), checks the validity dates and checks that the name in the certificate matches the host it is connecting to. It then generates a random pre-master secret, encrypts it with xuegod64's public key and sends it; both sides derive the symmetric session key from it.
C <------------------------------------------------> S   4. xuegod64 decrypts the pre-master secret with its private key, derives the same session key, and from here on the data is carried under fast symmetric encryption.
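The procedure of Parts I and II, and the client-side check of handshake step 3, as one runnable script. This is an added example, not code from the original post: it reproduces what CA -newca, openssl req and openssl ca do, non-interactively, and corrects the three defects the post's own transcripts show (CA:TRUE on an issued server certificate, 512/1024-bit keys with sha1 signatures, no subjectAltName). Host names, IP and DN values are the post's; the CA directory layout mirrors /etc/pki/CA but is created in a temporary directory, and the script assumes OpenSSL 1.1 or newer on PATH.

```bash
#!/bin/bash
# Added example (not the post's code): private CA + server certificate, done right.
#   - CA:TRUE only in the CA's own extension section; issued certificates get CA:FALSE
#     (editing line 172 of openssl.cnf flips [usr_cert], which is why the server.crt
#     signed in step 4 of the post carries "CA:TRUE")
#   - 2048-bit RSA and sha256 instead of the 512/1024-bit keys and sha1 shown
#   - a subjectAltName on the server certificate; browsers no longer match the CN
set -eu
WORK=$(mktemp -d); cd "$WORK"                 # stands in for /etc/pki/CA
mkdir -p demoCA/private demoCA/newcerts
touch demoCA/index.txt; echo 1000 > demoCA/serial

cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
# the reason the post says C/ST/O in the CSR must agree with the CA
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:xuegod64.cn, IP:192.168.1.64
EOF

# Part I: CA private key and self-signed root (what CA -newca does, minus the
# passphrase prompt; on a real CA encrypt cakey.pem with -aes256)
openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
openssl req -new -x509 -config ca.cnf -extensions v3_ca -sha256 -days 3650 \
  -key demoCA/private/cakey.pem -out demoCA/cacert.pem \
  -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=xuegod63.cn"

# Part II: server key and CSR (on xuegod64), then "openssl ca" (on xuegod63)
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -config ca.cnf -key server.key -out server.csr \
  -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=xuegod64.cn"
openssl ca -config ca.cnf -batch -notext -in server.csr -out server.crt 2>/dev/null

# A self-signed certificate with the same name: what an impostor server would present
openssl req -new -x509 -config ca.cnf -days 1 -key server.key -out impostor.crt \
  -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=xuegod64.cn"

# Handshake step 3 as the client performs it: signature chain to the trusted root
# plus name match against the host being contacted. Returns 0 only when both hold.
verify_server_cert() {
  openssl verify -CAfile demoCA/cacert.pem -verify_hostname xuegod64.cn "$1" 2>/dev/null \
    | grep -q ': OK$'
}
# Returns 0 if server.crt (wrongly) claims to be a CA certificate
issued_cert_is_ca() {
  openssl x509 -in server.crt -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

verify_server_cert server.crt   && echo "server.crt: trusted, $(issuer_of server.crt)"
verify_server_cert impostor.crt || echo "impostor.crt: rejected, not signed by our CA"
issued_cert_is_ca && echo "BUG: server.crt is a CA certificate" \
                  || echo "server.crt: CA:FALSE, as a server certificate should be"
```

Against the live server from Part III the same check is `openssl s_client -connect 192.168.1.64:443 -servername xuegod64.cn -CAfile /etc/pki/CA/cacert.pem`, whose output must end with "Verify return code: 0 (ok)"; any other code is the warning a browser would show. Note that "openssl ca" ignores extensions in the CSR by default (copy_extensions = none), so the subjectAltName is set on the CA side, which keeps a requester from asking for names or a CA:TRUE flag it is not entitled to.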
1. Configure the HTTPS web server: xuegod64
Install, copy and inspect
[root@xuegod64 ~]# yum install mod_ssl -y    # the SSL module
[root@xuegod64 ~]# cp /server.crt /etc/httpd/conf.d/    # copy the certificate
[root@xuegod64 ~]# cat /server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            96:db:28:b4:8b:a7:fb:bc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod63.cn/emailAddress=[email protected]    # the issuer is xuegod63
        Validity
            Not Before: Nov  3 11:12:34 2015 GMT
            Not After : Nov  2 11:12:34 2016 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod63.cn/emailAddress=[email protected]    # the request in step 2.2 was for xuegod64.cn; this capture used a CSR whose CN was left at xuegod63.cn, and a browser visiting xuegod64.cn would report the name mismatch
        Subject Public Key Info:    # the server's public key, which the client will encrypt the pre-master secret to
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
[root@xuegod64 ~]# ls /etc/httpd/conf.d/server.key    # check the private key is there
/etc/httpd/conf.d/server.key
[root@xuegod64 ~]# vim /etc/httpd/conf.d/ssl.conf
104 #   certificate can be generated using the genkey(1) command.
change: 105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
to:         SSLCertificateFile /etc/httpd/conf.d/server.crt
106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 #   Server Private Key:
109 #   If the key is not combined with the certificate, use this
110 #   directive to point at the key file.  Keep in mind that if
111 #   you've both a RSA and a DSA private key you can configure
112 #   both in parallel (to also allow the use of DSA ciphers, etc.)
change: 113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to:         SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
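The two directives edited above, shown inside a complete SSL virtual host with the protocol and cipher settings that the stock ssl.conf leaves at weak defaults. This is an added example, not configuration from the original post; the directive names are those of the Apache 2.2.15 / mod_ssl 2.2.15 that the restart output identifies, the certificate and key paths are the post's, and the ServerName is the post's client host name.

```apache
# Added example (not the post's ssl.conf): SSL virtual host for Apache 2.2 on CentOS 6
Listen 443
<VirtualHost _default_:443>
    # Without a ServerName here httpd falls back to the host's resolved name,
    # which is the "Server bt-199-034.bta.net.cn:443" seen in the restart output.
    ServerName xuegod64.cn:443
    SSLEngine on

    # Weak (the CentOS 6 default):  SSLProtocol all -SSLv2
    # leaves SSLv3 enabled; SSLv2 and SSLv3 are prohibited (RFC 6176, RFC 7568).
    SSLProtocol all -SSLv2 -SSLv3

    # Weak (the stock default keeps RC4 and LOW-strength suites).
    # Corrected: strong suites only, no anonymous DH, server picks the order.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on

    # The certificate from step 4 and the key from step 2.1. Keep the key
    # readable by root only (chmod 600); /etc/pki/tls/private is the usual place.
    SSLCertificateFile    /etc/httpd/conf.d/server.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/server.key
    # Only needed when the server certificate is issued by an intermediate CA
    # instead of directly by the root, as it is in this walkthrough:
    # SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
</VirtualHost>
```

Because server.key is encrypted, every restart prompts for the passphrase exactly as the transcript below shows, which blocks unattended reboots; either remove the passphrase with `openssl rsa -in server.key -out server.key` and keep the file root-only, or point SSLPassPhraseDialog at a program that supplies it.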
Start the service:
[root@xuegod64 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server bt-199-034.bta.net.cn:443 (RSA)    # the name httpd resolved for the host, because ssl.conf sets no ServerName for the SSL virtual host
Enter pass phrase:123456    # the passphrase protecting the private key

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
Test:
Check the port:
[root@xuegod64 ~]# netstat -antup | grep 443    # nothing found
Open https://192.168.1.64/ in a browser, then check again:
[root@xuegod64 ~]# netstat -antup | grep 443
tcp        0      0 :::443                      :::*                        LISTEN      5138/httpd
mod_ssl's ssl.conf contains Listen 443, so httpd binds port 443 when it starts, not on the first request. If grep shows nothing right after the restart, the daemon has not finished starting (the pass phrase dialog blocks startup until the passphrase is typed) or ssl.conf was not loaded; "service httpd status" and /var/log/httpd/error_log show which. Port 20 of FTP is not a comparable case: it is the source port of active-mode data connections, not a listening socket.
On the Windows client, add to C:\Windows\System32\drivers\etc\hosts:
192.168.1.64 xuegod64.cn
so that the name in the browser's URL is the one the certificate was issued for.
2. Viewing and installing the certificate
For the client browser to accept server.crt without a warning, the CA root certificate /etc/pki/CA/cacert.pem has to be imported into the client's trusted root certificate store; the browser then verifies the server certificate's signature against it, as in handshake step 3 above.
Reposted from: https://blog.51cto.com/blxueyuan/1709987