一、
SSL/TLS
1.机密性: 数据加密(对称加密)
2.完整性:保证数据不会被篡改(或是因为数据传输丢失) (单向加密,提高特征码,附加到数据后)
3. 可靠性:
二、概述
如何实现“身份验证和数据加密”
发送方:
计算数据特征值 --》 使用发送方的私钥进行加密特征值 --》随机生成密钥对加密整个数据 --》使用接受方公钥加密
{用随机码加密整个数据(数据本身)【用发送方的私钥加密(特征值)】}【用接受方的公钥进行加密{随机码}】
接受方:
使用私钥解密(能获得随机码) --》用随机码进行解密,获得整个数据 --》 使用发送公钥解密,验证身份 --》 比较数据特征值
谁来管理公钥,任何在互联网上传播的数据都不安全,更不用说传递公钥,它如果被篡改,那么就无法验证身份了。所以不可能用户自己颁发公钥
CA:正式颁发机构
PKI:公钥基础设施,公钥基础框架
证书:里面存放用户各种信息,最核心就是公钥
谁来给CA颁发公钥 =》 CA自己给自己颁发公钥
三、
1.安装openssl
[root@hf0001 conf.d]# rpm -qa|grep opensslopenssl-1.0.1e-16.el6_5.15.x86_64
2.构建CA
hf0001作为CA服务器
[root@hf0001 conf.d]# cd /etc/pki/CA[root@hf0001 CA]# pwd/etc/pki/CA首先CA服务器自己给自己颁发证书1.CA服务器生成生成private/cakey.pem 目录可以随意,默认在/etc/pki/CA/private目录下,其他目录需要配置[root@hf0001 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)......2.CA服务器给自己颁发证书(需要填写必要休息,如国家、城市、机构)[root@hf0001 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650...... 2.1 也可以修改配置文件,添加默认参数(找到req_distinguished_name节点) [root@hf0001 CA]# vim /etc/pki/tls/openssl.conf ... ... [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) #stateOrProvinceName_default = Default Province stateOrProvinceName_default = JiangSu ... 3.新建相关文件[root@hf0001 CA]# pwd/etc/pki/CAindex.txt相关于db,记录必要的信息,serial 序列号,只要颁发一个证书,则++[root@hf0001 CA]# touch index.txt serial crlnumber[root@hf0001 CA]# echo 00 > serial4.修改openssl.conf的配置文件[root@hf0001 CA]# vim /etc/pki/tls/openssl.conf......[ CA_default ] => 修改该节点下的配置项,对应位置如dir = /etc/pki/CA # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.#unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/cacert.pem # The CA certificateserial = $dir/serial # The current serial numbercrlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRLcrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/cakey.pem# The private key ....
3.hf0002作为web服务器,
3.1安装httpd
3.2 安装ssl_module
3.3 配置基于域名的虚拟主机
[root@hf0002 conf.d]# pwd/etc/httpd/conf.d[root@hf0001 conf.d]# vim virtual-domain.conf Listen 80NameVirtualHost 10.224.243.57:80ServerName www.harry.com DocumentRoot "/var/www/html/harry.com" ServerName www.harry3.com DocumentRoot "/var/www/html/harry3.com" ServerName www.harry4.com DocumentRoot "/var/www/html/harry4.com"
3.4 web服务器生成秘钥,CA给该服务器颁发证书
3.4.1 安装openssl
3.4.2 生成秘钥
[root@hf0002 httpd]# pwd/etc/httpd[root@hf0002 httpd]# mkdir ssl[root@hf0002 httpd]# cd ssl[root@hf0002 ssl]# pwd/etc/httpd/ssl生成秘钥[root@hf0002 httpd]# (umask 077;openssl genrsa -out httpd.key 1024)生成证书请求信息[root@hf0002 ssl]# openssl req -new -key httpd.key -out httpd.cst 注意这里也要添加必要的信息,这样信息必须和CA服务的保持一致。 其中有一项需要添加域名 添加自己的SSL服务的域名 ......把证书请求信息发送给hf0001[root@hf0002 ssl]# scp httpd.crt ocp@10.224.243.57:/home/ocp....
3.4.3 CA服务器给该请求进行认证,并颁发证书
对之前hf0002发送的httpd.crt进行认证[root@hf0001 ssl]# openssl ca -in httpd.cst -out httpd.crt -days 365把证书发送给hf0002[root@hf0001 ssl]# scp httpd.crt ocp@10.224.243.58:/home/ocp
3.4.4 这样hf002web服务器就有了CA服务器颁发的证书了,
3.4.5 配置SSL服务
[root@hf0002 conf.d]# pwd/etc/httpd/conf.d[root@hf0002 conf.d]# vim ssl.conf...Listen 443...# General setup for the virtual host, inherited from global configurationDocumentRoot "/var/www/html/harry.com" => 根路径ServerName ... 指向CA服务器颁发的证书文件# Server Private Key:# If the key is not combined with the certificate, use this# directive to point at the key file. Keep in mind that if# you've both a RSA and a DSA private key you can configure# both in parallel (to also allow the use of DSA ciphers, etc.)SSLCertificateKeyFile /etc/httpd/ssl/httpd.key => 指向私钥文件...
3.5 验证
因为我既配置了http 也配置了 https
[root@hf0001 conf.d]# curl 'http://www.harry.com'SSL www.harry.com:443
=> 目录需要自己定义,index.html需要自己写[root@hf0001 conf.d]# curl 'https://www.harry.com' => 需要提供证书curl: (60) Peer certificate cannot be authenticated with known CA certificatesMore details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. 注意:客户端需要谁的证书CA服务器还是Httpd服务的? 理解过程:CA服务器提供了加密服务,以及身份验证.但是CA服务器本身的身份谁来认证? 没有人。我们必须前提认为CA服务器是权威的。所以我们客户端需要CA服务器的证书 CA生成的证书发送给客户端 [root@hf0001 conf.d]# curl --cacert /etc/pki/CA/cacert.pem 'https://www.harry.com'SSL www.harry.com:443
对于浏览器,需要把cacert.pem => cacert.crt 并导入到浏览器中,即可。并信任该证书