1. 程式人生 > >SSL證書自簽名使用及監控

SSL證書自簽名使用及監控

前言

證書簡介

資訊保安越來越受重視,HTTPS已經相當普及,要讓我們的HTTP介面支援HTPPS,只需要一個SSL證書就可以啦

  • 全稱公鑰證書(Public-Key Certificate, PKC),裡面儲存著歸屬者的基本資訊,以及證書過期時間、歸屬者的公鑰,並由認證機構(Certification Authority, CA)施加數字簽名,表明,某個認證機構認定該公鑰的確屬於此人
  • 自簽名的證書,就是我們來充當 認證機構,這種證書推薦在測試開發過程中,生產環境直接上CA證書省心!

實踐

證書生成

準備

  • 確保有openssl庫

  • 建立目錄

    # 根證書目錄
    [root@centos7 ~]# mkdir -p /var/ssl/crt/root
    # 伺服器端證書目錄
    [root@centos7 ~]# mkdir -p /var/ssl/crt/server

生成根證書

  • 私鑰,RSA對稱加密,aes比des更安全,金鑰長度2048

    openssl genrsa -aes256 -out /var/ssl/crt/root/ca.key -passout pass:"123456" 2048
  • 請求流程,包含證書資訊,其中比較關鍵的是CN,是填你的域名,根證書不起服務可以隨便寫,

    openssl req -new -key /var/ssl/crt/root/ca.key -out /var/ssl/crt/root/ca.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=www.ca.crt.com/[email protected]" -passin pass:"123456"
  • 頒發證書,這個生成的就是可以用的證書了,注意不加v3_ca這個外掛,瀏覽器匯入不了

    openssl x509 -req -sha256 -extensions v3_ca -days 3650 -in /var/ssl/crt/root/ca.csr -out /var/ssl/crt/root/ca.crt -signkey /var/ssl/crt/root/ca.key -CAcreateserial -passin pass:"123456"

生成服務端證書

  • 私鑰,RSA對稱加密,aes比des更安全,金鑰長度2048

    openssl genrsa -aes256 -out /var/ssl/crt/server/svc1-server.key -passout pass:"123456" 2048
  • 請求流程,包含證書資訊,其中比較關鍵的是CN,是填你的域名

    openssl req -new -key /var/ssl/crt/server/svc1-server.key -out /var/ssl/crt/server/svc1-server.csr -subj "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=www.svc1.com/[email protected]" -passin pass:"123456"
  • 頒發證書,這個生成的就是可以用的證書了,注意不加v3_ca這個外掛,瀏覽器匯入不了

    openssl x509 -req -sha256 -extensions v3_req -days 3650 -in /var/ssl/crt/server/svc1-server.csr -out /var/ssl/crt/server/svc1-server.crt -signkey /var/ssl/crt/server/svc1-server.key -CAkey /var/ssl/crt/root/ca.key -CA /var/ssl/crt/root/ca.crt -CAcreateserial -passin pass:"123456"
  • 驗證證書

    openssl verify -CAfile /var/ssl/crt/root/ca.crt /var/ssl/crt/server/svc1-server.crt

證書使用

Unubtu為例

apt install nginx -y

配置

vi /etc/nginx/sites-available/default

# 到最後加上如下內容
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  www.svc1.com;
    root         /usr/share/nginx/html;
    ssl_certificate "/var/ssl/crt/server/svc1-server.crt";
    ssl_certificate_key "/var/ssl/crt/server/svc1-server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
vi /etc/hosts

127.0.0.1 www.svc1.com

啟動

root@CN-00013965:/# sudo service nginx restart 
 * Restarting nginx nginx                                                                                                                                                           Enter PEM pass phrase:
Enter PEM pass phrase:                              [ OK ]

測試

  • 不用證書 失敗

    root@CN-00013965:/# wget https://www.svc1.com
    --2019-10-18 16:37:48--  https://www.svc1.com/
    Resolving www.svc1.com (www.svc1.com)... 127.0.0.1
    Connecting to www.svc1.com (www.svc1.com)|127.0.0.1|:443... connected.
    ERROR: cannot verify www.svc1.com's certificate, issued by ‘[email protected],CN=www.ca.crt.com,OU=mygroup,O=myorganization,L=mycity,ST=myprovince,C=CN’:
      Unable to locally verify the issuer's authority.
    To connect to www.svc1.com insecurely, use `--no-check-certificate'.
  • 用根證書訪問 成功

    root@CN-00013965:/# wget --ca-certificate=/var/ssl/crt/root/ca.crt https://www.svc1.com
    --2019-10-18 16:39:50--  https://www.svc1.com/
    Resolving www.svc1.com (www.svc1.com)... 127.0.0.1
    Connecting to www.svc1.com (www.svc1.com)|127.0.0.1|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 612 [text/html]
    Saving to: ‘index.html.1’
    
    index.html.1                                         100%[===================================================================================================================>]     612  --.-KB/s    in 0s      
    
    2019-10-18 16:39:50 (32.4 MB/s) - ‘index.html.1’ saved [612/612]

匯入Java應用

java應用要讀取服務端證書需要通過pkcs12格式的keystore檔案,我們可以把不同的服務端證書用別名區分。然後我們讀取trustkeystore去訪問HTTPS其他服務

  • 生成keystore

    openssl pkcs12 -export -clcerts -in /var/ssl/crt/server/svc1-server.crt -inkey /var/ssl/crt/server/svc1-server.key -out /var/ssl/crt/server/svc1-server.p12 -name svc1 -passin pass:"123456" -password pass:"123456"

    keytool命令是JDK自帶的到${JAVA_HOME}/bin下執行,-srcstorepass是我們證書的密碼,其他兩個是keystore的密碼

    keytool -importkeystore -trustcacerts -noprompt -deststoretype pkcs12 -srcstoretype pkcs12 -srckeystore /var/ssl/crt/server/svc1-server.p12 -destkeystore /var/ssl/crt/server/svc1-server.keystore -alias svc1 -deststorepass "123456" -destkeypass "123456" -srcstorepass "123456"
  • 生成trustkeystore

    keytool -import -trustcacerts -noprompt -alias CA -file /var/ssl/crt/root/ca.crt -keystore /var/ssl/crt/root/ca.trustkeystore -storepass "123456"

監控

證書起到服務埠上了,我們怎麼檢視證書資訊,或者實時檢查證書過期資訊呢,已預設443埠為例

root@CN-00013965:/# echo 'Q' | timeout 5 openssl s_client -connect 127.0.0.1:443  2>/dev/null | openssl x509 -noout -subject -dates

subject=C = CN, ST = myprovince, L = mycity, O = myorganization, OU = mygroup, CN = www.svc1.com, emailAddress = [email protected]
notBefore=Oct 18 08:09:32 2019 GMT
notAfter=Oct 15 08:09:32 2029 GMT

如果postgresql資料庫起的HTTPS,那麼直接openssl不能直接拿到埠證書,我們可以藉助python指令碼,指令碼是Github上找的

#!/usr/bin/env python

import argparse
import socket
import ssl
import struct
import subprocess
import sys

try:
    from urlparse import urlparse
except ImportError:
    from urllib.parse import urlparse


def main():
    args = get_args()
    target = get_target_address_from_args(args)
    sock = socket.create_connection(target)
    try:
        certificate_as_pem = get_certificate_from_socket(sock)
        print(certificate_as_pem.decode('utf-8'))
    except Exception as exc:
        sys.stderr.write('Something failed while fetching certificate: {0}\n'.format(exc))
        sys.exit(1)
    finally:
        sock.close()


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('database', help='Either an IP address, hostname or URL with host and port')
    return parser.parse_args()


def get_target_address_from_args(args):
    specified_target = args.database
    if '//' not in specified_target:
        specified_target = '//' + specified_target
    parsed = urlparse(specified_target)
    return (parsed.hostname, parsed.port or 5432)


def get_certificate_from_socket(sock):
    request_ssl(sock)
    ssl_context = get_ssl_context()
    sock = ssl_context.wrap_socket(sock)
    sock.do_handshake()
    certificate_as_der = sock.getpeercert(binary_form=True)
    certificate_as_pem = encode_der_as_pem(certificate_as_der)
    return certificate_as_pem


def request_ssl(sock):
    version_ssl = postgres_protocol_version_to_binary(1234, 5679)
    length = struct.pack('!I', 8)
    packet = length + version_ssl

    sock.sendall(packet)
    data = read_n_bytes_from_socket(sock, 1)
    if data != b'S':
        raise Exception('Backend does not support TLS')


def get_ssl_context():
    for proto in ('PROTOCOL_TLSv1_2', 'PROTOCOL_TLSv1', 'PROTOCOL_SSLv23'):
        protocol = getattr(ssl, proto, None)
        if protocol:
            break
    return ssl.SSLContext(protocol)


def encode_der_as_pem(cert):
    cmd = ['openssl', 'x509', '-inform', 'DER']
    pipe = subprocess.PIPE
    process = subprocess.Popen(cmd, stdin=pipe, stdout=pipe, stderr=pipe)
    stdout, stderr = process.communicate(cert)
    if stderr:
        raise Exception('OpenSSL error when converting cert to PEM: {0}'.format(stderr))
    return stdout.strip()


def read_n_bytes_from_socket(sock, n):
    buf = bytearray(n)
    view = memoryview(buf)
    while n:
        nbytes = sock.recv_into(view, n)
        view = view[nbytes:] # slicing views is cheap
        n -= nbytes
    return buf


def postgres_protocol_version_to_binary(major, minor):
    return struct.pack('!I', major << 16 | minor)


if __name__ == '__main__':
    main()

使用方法:如果python檔名叫get_postgres_cert.py

python get_postgres_cert.py 127.0.0.1:5432