1G
DES 4m 8m
RSA 1m 64h
有实验证明,对称加密算法比非对称加密算法快大约1500倍
避免乱码
[root@localhost ~]# echo 川 | base64
5bedCg==
[root@localhost ~]# echo 5bedCg== | base64 -d
川
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin    #SHA512算法
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin -salt "WNoUVbFvp40Aw7aL"
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# cat /etc/shadow
root:$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/::0:99999:7:::
[root@localhost ~]# echo 1 | openssl passwd -6 --stdin -salt GuXYkkXUI59mp6Md
$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/
建立私有CA:
OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
openssl:相关包 openssl和openssl-libs
证书申请及签署步骤:
1、生成证书申请请求
2、RA核验
3、CA签署
4、获取证书
三种策略:match匹配、optional可选、supplied提供
match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息
vim /etc/pki/tls/openssl.cnf
1、创建CA所需要的文件
2、生成CA私钥
[root@localhost CA]# touch /etc/pki/CA/index.txt
[root@localhost CA]# echo 01 > /etc/pki/CA/serial
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
...............................+++++
e is 65537 (0x010001)
3、生成CA自签名证书
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE:证书的保存路径
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36000 -out /etc/pki/CA/cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:zhengfu Organizational Unit Name (eg, section) []:guofangbu Common Name (eg, your name or your server's hostname) []:www.baidu.com Email Address []:
[root@localhost CA]# openssl x509 -in cacert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 38:5b:5c:9e:32:31:5d:ed:a0:5a:9c:3e:bb:65:d0:6d:02:04:bb:01 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com Validity Not Before: Apr 23 08:51:56 2022 GMT Not After : Nov 15 08:51:56 2120 GMT Subject: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a2:e7:e0:35:58:82:88:3f:de:5a:f6:5b:f0:7e: b4:52:10:a2:0c:16:f2:35:e9:78:e7:58:77:6c:d1: f9:28:dc:8b:a7:23:8a:45:07:ed:b2:e3:e1:d5:05: 24:b3:93:b0:41:94:1c:15:20:6b:7f:e6:95:13:f6: 86:65:12:12:74:a6:45:fd:38:a6:a5:d6:a6:52:74: 1c:f3:c4:a6:ac:db:c6:c1:dc:a3:50:e4:8b:16:8e: 2c:33:0b:b7:c9:3d:45:98:ee:41:85:31:b2:b1:69: 6f:e1:70:5a:2a:33:49:8b:41:ca:db:50:bf:dc:25: 5d:23:cb:f9:2d:c2:67:f4:a5:37:73:6a:1c:86:60: a0:92:e4:2a:a0:32:9a:b9:56:c7:b6:7b:66:b6:89: 3e:2b:ab:f0:e5:e2:a2:77:ec:bf:b9:2a:91:d8:29: c6:40:e5:12:9f:39:db:0e:33:5c:6a:61:0d:de:c8: 9b:ea:39:8a:2a:2a:7f:fb:95:e0:c2:a0:d2:17:3d: 85:05:00:df:39:21:cd:e4:36:13:1f:fa:26:db:4c: d4:c7:9a:6b:c0:78:72:44:5f:2a:8c:04:a8:87:a5: 6c:e7:9e:d4:dd:32:70:7a:6a:01:c0:d4:02:0a:9a: b6:48:cc:cf:b2:82:6f:2a:da:f3:34:4d:51:f8:a8: 93:97 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6 X509v3 Authority Key Identifier: keyid:61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6 X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 2d:52:26:fa:ed:36:02:03:b2:28:6e:89:41:6a:5d:85:7f:37: c6:3a:c8:db:f9:82:62:8e:80:d9:8f:fb:06:1a:bc:03:cd:3d: 3d:a1:79:5c:7d:9e:e7:4c:8e:c5:99:b5:32:bb:ed:3e:d8:a6: cc:b3:1c:c7:3e:00:87:32:9e:6f:62:ac:a0:27:76:97:ea:03: 34:37:3c:2d:5c:7d:58:75:0e:fc:df:3e:3c:28:7e:53:b0:db: 
4a:f5:07:65:cf:43:90:8c:44:30:8e:f5:91:9a:71:1a:00:53: 51:df:7c:8c:06:63:84:a3:db:26:53:63:19:ba:91:ee:ec:a6: 4a:28:40:3d:24:63:23:c0:de:9d:09:bc:21:31:57:ec:7e:4c: a6:bc:13:1d:03:03:12:86:65:5c:72:e5:cc:e9:c6:49:8d:22: 87:ee:31:81:b8:c5:61:23:33:fd:28:07:92:be:44:fa:d5:ee: 80:95:b0:94:ef:67:d6:a0:f9:94:b0:53:db:b2:23:05:57:85: 51:f1:fc:cb:d0:35:fd:fa:65:f5:be:49:d9:6d:22:73:63:c6: b0:f9:f2:ed:03:2f:5e:3b:83:15:38:8b:0d:72:ca:97:01:62: 6d:f0:5f:aa:f6:db:93:b1:65:4a:7b:ec:ab:48:8f:ae:51:82: df:bf:85:48
cacert.pem .crt
申请证书并颁发证书
1、为需要使用证书的主机生成私钥
[root@localhost CA]# (umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..+++++
e is 65537 (0x010001)
2、为需要使用证书的主机生成证书申请文件
[root@localhost CA]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:jinan
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu
Common Name (eg, your name or your server's hostname) []:www.chuan.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、在CA签署证书并将证书颁发给请求者
[root@localhost CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 36000 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Apr 23 09:25:31 2022 GMT Not After : Nov 15 09:25:31 2120 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = zhengfu organizationalUnitName = guofangbu commonName = www.chuan.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 60:63:F8:E7:1B:4C:03:07:2C:6D:C6:FA:E2:DC:C1:C9:72:25:63:2E X509v3 Authority Key Identifier: keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02 Certificate is to be certified until Nov 15 09:25:31 2120 GMT (36000 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
注意:默认策略(policy_match)要求国家、省、公司名称三项必须和CA一致
vim /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
4、查看证书中的信息
[root@localhost CA]# tree . ├── ├── cacert.pem ├── certs │ └── test.crt ├── crl ├── index.txt ├── index.txt.attr ├── index.txt.old ├── newcerts │ └── 01.pem ├── private │ └── cakey.pem ├── serial └── serial.old 4 directories, 10 files
[root@localhost CA]# cat serial 02
[root@localhost CA]# cat index.txt V 21201115092531Z 01 unknown /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com
policy = policy_anything
[root@localhost data]# (umask 066;openssl genrsa -out /data/test2.key 2048) Generating RSA private key, 2048 bit long modulus (2 primes) ....................................................................................................+++++ ...............................+++++ e is 65537 (0x010001)
[root@localhost data]# openssl req -new -key /data/test2.key -out /data/test2.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:newyork Locality Name (eg, city) [Default City]:newyork Organization Name (eg, company) [Default Company Ltd]:zhengfu Organizational Unit Name (eg, section) []:guofangbu Common Name (eg, your name or your server's hostname) []:www.chuan.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok The countryName field is different between CA certificate (CN) and the request (US)
vim /etc/pki/tls/openssl.cnf
policy = policy_anything    # 改为 policy_anything 后,不再要求申请信息中的国家、省、公司名称与CA一致
[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Apr 23 09:50:51 2022 GMT Not After : Nov 15 09:50:51 2120 GMT Subject: countryName = US stateOrProvinceName = newyork localityName = newyork organizationName = zhengfu organizationalUnitName = guofangbu commonName = www.chuan.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1B:1A:15:BF:3C:E8:71:ED:18:D6:F5:53:AB:ED:81:F0:2B:A7:BD:34 X509v3 Authority Key Identifier: keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02 Certificate is to be certified until Nov 15 09:50:51 2120 GMT (36000 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
吊销证书
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/02.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 02. Data Base Updated
[root@localhost CA]# cat index.txt
V 21201115092531Z  01 unknown /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com
R 21201115095051Z 220423095539Z 02 unknown /C=US/ST=newyork/L=newyork/O=zhengfu/OU=guofangbu/CN=www.chuan.com
指定第一个吊销证书的编号。注意:只需在第一次更新证书吊销列表前执行一次
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem [root@localhost CA]# cat /etc/pki/CA/crl.pem -----BEGIN X509 CRL----- MIIB3jCBxwIBATANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjEQMA4GA1UE CAwHYmVpamluZzEQMA4GA1UEBwwHYmVpamluZzEQMA4GA1UECgwHemhlbmdmdTES MBAGA1UECwwJZ3VvZmFuZ2J1MRYwFAYDVQQDDA13d3cuYmFpZHUuY29tFw0yMjA0 MjMxMDA1MDJaFw0yMjA1MjMxMDA1MDJaMBQwEgIBAhcNMjIwNDIzMDk1NTM5WqAO MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAJ1Jf8QebJd7mKsFjXpN IbkJv7H7YysMcWzs3xycDXQqXkRxn9TMT1OTyDNSyBjFgQui/SXzLQA9jcmjIPGD z8kuAIZDuDPHzGhZeFCj6uFogUeg8J+YHAPrj4EWqFjh8ZXeTuM+NznzxPc02sBU zWN6zd/Zh3bRuhYsyrMZ3/i79j/PpEeipipYfF0iXli9QOExknawhiHZlEPsfW8P 7jeYVWXyOUH/9+jVKUIp++Nce/DxkeiZfoo/dq4LF5GYNyzid0xNVkIBIYX7g2LS gSfLN46g6eL+Gh81wyedT/fBA3eYG0JdV41xac5di/MSbMFS3mJGPAtHShD4Qsrh l2I= -----END X509 CRL-----
查看文件
[root@localhost CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
crl.pem.crl