Encrypted Communication and Private CAs

A walkthrough of one encrypted communication session

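Phase 1: ClientHello
Supported protocol versions, e.g. TLS 1.2;
A random number generated by the client, used later to generate the "session key";
Supported encryption algorithms, e.g. AES, 3DES, RSA;
Supported compression algorithms;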

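Phase 2: ServerHello
Confirmation of the protocol version to use for the encrypted session, e.g. TLS 1.2;
A random number generated by the server, used later to generate the "session key";
Confirmation of the encryption method to use;
The server certificate;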

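Phase 3:
Verify the server certificate and, once it checks out, extract its public key (checks: issuing authority, certificate integrity, certificate holder, validity period, revocation list);
Send the following to the server:
A random number;
A change-cipher-spec notification, indicating that all subsequent messages will be sent using the encryption method and key the two sides agreed on;
The client handshake-finished notification;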

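Phase 4:
After receiving the third random number (the pre-master-key) from the client, compute the "session key" used for this session;
Send the following to the client:
A change-cipher-spec notification, indicating that all subsequent messages will be sent using the encryption method and key the two sides agreed on;
The server handshake-finished notification;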

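The figure below gives a plain-language version (the key-based version; it may not match exactly):

Creating a private CA, and issuing certificates for certificate requests sent by clients

Creating a private CA

Step 1: Generate the private key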

[root@centos private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/jerry_cakey.pam 8192)
Generating RSA private key, 8192 bit long modulus
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++
..........++
e is 65537 (0x10001)
[root@centos private]# ll
总用量 8
-rw------- 1 root root 6363 2月 24 15:39 jerry_cakey.pam
[root@centos private]#

Step 2: Generate the self-signed certificate

[root@centos private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

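-new: generate a new certificate signing request;

-x509: generate a certificate in self-signed format; used specifically when creating a private CA;

-key: path to the private key file used when generating the request;

-out: path of the generated request file; for a self-signing operation, the signed certificate is written directly;

-days: validity period of the certificate, in days;

Note: the path given to -key must be the CA private key generated in step 1. The session in step 1 wrote jerry_cakey.pam, while this command reads cakey.pem; use one file name in both places. The default /etc/pki/tls/openssl.cnf, which openssl ca loads in the signing step, expects the CA key at /etc/pki/CA/private/cakey.pem and the CA certificate at /etc/pki/CA/cacert.pem.

Step 3: Provide the directories and files the CA needs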

[root@centos private]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}
[root@centos private]# touch /etc/pki/CA/{serial,index.txt}
[root@centos private]# echo 01 > /etc/pki/CA/serial

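Issuing a certificate for a certificate request sent by a client

Step 1: Generate a private key on the host that will use the certificate: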

[root@centos ~]# cd /etc/httpd/ssl
[root@centos ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 8192)
Generating RSA private key, 8192 bit long modulus
......................................................................................................................................................................................................................................................................++
......................................................................................................................................................................................++
e is 65537 (0x10001)
[root@centos ssl]#

Step 2: Generate the certificate signing request

[root@centos ssl]#  openssl  req  -new  -key  /etc/httpd/ssl/httpd.key  -out /etc/httpd/ssl/httpd.csr  -days  365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hubei
Locality Name (eg, city) [Default City]:Wuhan
Organization Name (eg, company) [Default Company Ltd]:wanghuakeji
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:whmall.com
Email Address []:caadmin@whmall.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:qweasdzxc
An optional company name []:
[root@centos ssl]#

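Step 3: Send the request to the CA host over a reliable channel

Between two hosts, use scp; here both are on the same virtual machine, so I just used the cp command. It is too simple to be worth pasting the session.

Step 4: Sign the certificate on the CA host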

[root@centos ssl]# openssl ca  -in  /etc/httpd/ssl/httpd.csr  -out  /etc/pki/CA/certs/httpd.crt  -days  365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 24 09:08:16 2017 GMT
Not After : Feb 24 09:08:16 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Hubei
organizationName = FBI
organizationalUnitName = Ops
commonName = xxx.com
emailAddress = caadmin@xxx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D9:4A:37:A2:3E:C4:0D:B8:DF:BF:97:D2:DF:6F:21:6D:B5:56:E1:47
X509v3 Authority Key Identifier:
keyid:07:17:C7:46:2F:05:5C:12:D3:10:65:DE:58:83:36:A3:A9:0D:02:17

Certificate is to be certified until Feb 24 09:08:16 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos ssl]#
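
The Phase 3 checks on the server certificate, applied to a certificate issued by the procedure above, as an added example that is not part of the original post: it repeats the CA steps in a temporary directory and then confirms that the chain verifies against the CA, that the certificate matches its private key, and that the certificate is not itself a CA. The minimal ca.cnf, the 2048-bit keys (chosen so the demo runs quickly), the function names and the CN values are all constructed for the demo.

```shell
# Added example, not from the original post; ca.cnf, key size and CNs are constructed.
set -eu; D=$(mktemp -d)

make_ca() {   # steps 1-3 of "Creating a private CA"
  mkdir -p "$D/private" "$D/certs" "$D/crl" "$D/newcerts"
  touch "$D/index.txt"; echo 01 > "$D/serial"
  cat > "$D/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $D/index.txt
serial = $D/serial
new_certs_dir = $D/newcerts
certificate = $D/cacert.pem
private_key = $D/private/cakey.pem
default_md = sha256
policy = policy_cn
x509_extensions = leaf_ext
[ policy_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$D/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$D/ca.cnf" -key "$D/private/cakey.pem" \
    -out "$D/cacert.pem" -days 3655 -subj "/CN=Demo Private CA"
}

issue_cert() {   # $1 = host name for the CN: key, CSR, then CA signature
  (umask 077; openssl genrsa -out "$D/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$D/ca.cnf" -key "$D/httpd.key" -out "$D/httpd.csr" -subj "/CN=$1"
  openssl ca -batch -config "$D/ca.cnf" -in "$D/httpd.csr" \
    -out "$D/certs/httpd.crt" -days 365 >/dev/null 2>&1
}

check_cert() {   # $1 = certificate, $2 = key; prints OK or the first failed check
  openssl verify -CAfile "$D/cacert.pem" "$1" >/dev/null 2>&1 || { echo BAD_CHAIN; return; }
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ] || { echo KEY_MISMATCH; return; }
  openssl x509 -noout -text -in "$1" | grep -q 'CA:FALSE' || { echo NOT_LEAF; return; }
  echo OK
}

make_ca && issue_cert www.example.test && check_cert "$D/certs/httpd.crt" "$D/httpd.key"
```

On a real CA host, point the same three checks at /etc/pki/CA/cacert.pem, the issued certificate and the requesting host's key.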
