1.1 SSL介紹：

SSL（Secure Sockets Layer 安全套接層）是為網(wǎng)絡(luò)通信提供安全及數(shù)據(jù)完整性的一種安全協(xié)議。

1.2 SSL提供的服務(wù)有：

• 認(rèn)證用戶和服務(wù)器，確保數(shù)據(jù)發(fā)送到正確的客戶機(jī)和服務(wù)器；
• 加密數(shù)據(jù)以防止數(shù)據(jù)中途被竊取；
• 維護(hù)數(shù)據(jù)的完整性，確保數(shù)據(jù)在傳輸過程中不被改變。

1.3 Openssl是SSL的一個(gè)開源項(xiàng)目，其由三部分組成：

• libcryto：具有通用功能的加密庫，里面實(shí)現(xiàn)了眾多的加密庫；
• libssl：實(shí)現(xiàn)ssl機(jī)制的，它是用于實(shí)現(xiàn)TLS/SSL的功能；
• openssl：多功能命令行工具，它可以實(shí)現(xiàn)加密解密，甚至還可以當(dāng)CA來用，可以讓你創(chuàng)建證書、吊銷證書。

1.4 Openssl命令用法

• 標(biāo)準(zhǔn)命令
• 信息摘要命令（dgst子命令）
• 加密命令（env子命令）
• 標(biāo)準(zhǔn)命令：enc，ca，req，genrsa等

1.4.1 對稱加密：

工具：

• openssl enc；
• gpg

算法：

• 3des；
• aes；
• blowfish；
• twofish；

enc命令： man enc

特點(diǎn)：

• 加密解密使用同一個(gè)密鑰；
• 將數(shù)據(jù)分割成固定大小的塊，逐個(gè)加密

缺點(diǎn)：

• 密鑰過多
• 密鑰分發(fā)困難
• 主要用于數(shù)據(jù)加密

加密：
openssl enc -e -des3 -a -salt -in fstab -out a.cipher

解密：
openssl enc -d -des3 -a -salt -in a.cipher -out a-2

1.4.2 單向加密：

工具：

• openssl dgst；
• md5sum；
• sha1sum；
• sha224sum；
• sha256sum，不同的位輸出長度的算法

dgst命令：man dgst

• openssl dgst -md5 [-hex默認(rèn)] /PATH/SOMEFILE
• md5sum /PATH/TO/SOMEFILE

生成用戶密碼（passwd、openssl passwd）

• passwd命令：man sslpasswd
• openssl passwd -1 -salt SALT（最多8位）（-1表示md5加密算法）

生成隨機(jī)數(shù)：man sslrand

• openssl rand -base64|-hex NUM
• NUM: 表示字節(jié)數(shù)；-hex時(shí)，每個(gè)字符4位，出現(xiàn)的字符數(shù)為NUM*2

特點(diǎn)：

• 只能加密，不能解密（提取數(shù)據(jù)指紋，數(shù)據(jù)特征碼）
• 定長輸出，雪崩效應(yīng)
• 驗(yàn)證完整性，驗(yàn)證數(shù)據(jù)的完整性

單向加密：

[root@CentOS7 /app]#openssl dgst -md5 fstab
MD5(fstab)= f0dff383430026f3105b32cc1f7e5604
[root@CentOS7 /app]#md5sum fstab
f0dff383430026f3105b32cc1f7e5604  fstab

生成用戶密碼：

[root@CentOS7 /app]#openssl passwd -1 -salt salt
Password: 
$1$salt$IbRkpBgAWG4UIV3zweVwG/

生成隨機(jī)數(shù)：

[root@CentOS7 /app]#openssl rand -base64 10
4WO4sR1MLRxtjA==
[root@CentOS7 /app]#openssl rand -hex 15
3f3b95d08d0617979aa67eab5e77e1

1.4.3 公鑰加密：

加密解密：

• 算法：RSA，ELGamal
• 工具：gpg，openssl rsautl（man rsautl）

數(shù)字簽名：

• 算法：RSA，DSA，ELGamal

密鑰交換

• 算法：DH

生成密鑰對：

• 生成私鑰：
  openssl genrsa -out /tmp/mykey2.private 1024
(umask 077;openssl genrsa -out /tmp/mykey3.private 2048) 設(shè)置權(quán)限為600的private
• 從私鑰中提出公鑰：
  openssl rsa -in /tmp/mykey2.private -pubout

隨機(jī)數(shù)生成器（偽隨機(jī)數(shù)字）：

• 熵池:
  • 在操作系統(tǒng)上有一個(gè)叫做熵池的地方，他是用來保存硬件中斷產(chǎn)生的隨機(jī)數(shù)（每一次硬件中斷都會產(chǎn)生一個(gè)隨機(jī)數(shù)）
• /dev/random:
  • 僅從熵池中返回隨機(jī)數(shù)，隨機(jī)數(shù)耗盡時(shí)，取隨機(jī)數(shù)的進(jìn)程將會被阻塞；
• /dev/unrandom:
  • 僅從熵池中取隨機(jī)數(shù)，隨機(jī)數(shù)耗盡時(shí)，就通過偽隨機(jī)數(shù)生成器生成偽隨機(jī)數(shù)；（偽隨機(jī)數(shù)不安全）
• 熵池中隨機(jī)數(shù)來源
  • 硬盤IO中斷時(shí)間間隔
  • 硬盤IO中斷時(shí)間間隔

2 創(chuàng)建CA和申請證書

2.1 查看有關(guān)ssl證書目錄結(jié)構(gòu)：

[root@CentOS7 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl  #吊銷的證書
├── newcerts  #存放CA簽署（頒發(fā)）過的數(shù)字證書（證書備份目錄）
└── private  #用于存放CA的私鑰

4 directories, 0 files
[root@CentOS7 ~]#tree /etc/pki/tls/
/etc/pki/tls/
├── cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
├── certs  # 該服務(wù)器上的證書存放目錄，可以放置自己的證書和內(nèi)置證書
                   ca-bundle.crt    內(nèi)置信任的證書
│   ├── ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
│   ├── ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
│   ├── make-dummy-cert
│   ├── Makefile
│   └── renew-dummy-cert
├── misc
│   ├── CA
│   ├── c_hash
│   ├── c_info
│   ├── c_issuer
│   └── c_name
├── openssl.cnf  #openssl的CA主配置文件
└── private  #證書密鑰存放目錄

2.2 分析openssl.cnf部分配置文件

vim /etc/pki/tls/openssl.cnf

39 ####################################################################
 40 [ CA_default ]
 41 
 42 dir     = /etc/pki/CA       # Where everything is kept
 43 certs       = $dir/certs        # Where the issued certs are kept
 44 crl_dir     = $dir/crl      # Where the issued crl are kept
 45 database    = $dir/index.txt    # database index file.
 46 #unique_subject = no            # Set to 'no' to allow creation of
 47                     # several ctificates with same subject.
 48 new_certs_dir   = $dir/newcerts     # default place for new certs.
 49 
 50 certificate = $dir/cacert.pem   # The CA certificate
 51 serial      = $dir/serial       # The current serial number
 52 crlnumber   = $dir/crlnumber    # the current crl number
 53                     # must be commented out to leave a V1 CRL
 54 crl     = $dir/crl.pem      # The current CRL
 55 private_key = $dir/private/cakey.pem# The private key
 56 RANDFILE    = $dir/private/.rand    # private random number file
 57 
 58 x509_extensions = usr_cert      # The extentions to add to the cert
 59 

78 # A few difference way of specifying how similar the request should look
 79 # For type CA, the listed attributes must be the same, and the optional
 80 # and supplied fields are just that :-)
 81 policy      = policy_anything  

修改為policy_anything 后countryName,stateOrProvinceName可以不做強(qiáng)制匹配

2.3 創(chuàng)建所需文件的文件

[root@CentOS7 ~]#touch /etc/pki/CA/index.txt #生成證書索引數(shù)據(jù)庫文件
[root@CentOS7 ~]#echo 01 > /etc/pki/CA/serial  #指定第一個(gè)頒發(fā)證書的序列號

2.4 CA自簽證書生成私鑰

[root@CentOS7 /etc/pki/CA]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............................................+++
...............................................................................+++
e is 65537 (0x10001)

為了安全起見，修改cakey.pem私鑰文件權(quán)限為600或400，使用子shell生成

2.5 生成自簽名證書

[root@CentOS7 /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new:  生成新證書簽署請求
-x509:  專用于CA 生成自簽證書
-key:  生成請求時(shí)用到的私鑰文件
-days n ：證書的有效期限
-out / PATH/TO/SOMECERTFILE :  證書的保存路徑
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:huizhou
Organization Name (eg, company) [Default Company Ltd]:cnnavy.cn     
Organizational Unit Name (eg, section) []:it 
Common Name (eg, your name or your server's hostname) []:cnnavy.cn
Email Address []:cnnavy.cn

此時(shí)即創(chuàng)建了自建CA，可以開始給別人簽證了。

2.6 頒發(fā)證書，在需要使用的證書的主機(jī)生成證書請求

為web服務(wù)器生成私鑰

[root@CentOS6 ~]#(umask 066;openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
........................................+++
e is 65537 (0x10001)

生成證書申請文件

[root@CentOS6 ~]#openssl req -new -key /etc/pki/tls/private/test.key  -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:huizhou
Organization Name (eg, company) [Default Company Ltd]:cnnavy.cn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cnnavy.cn
Email Address []:cnnavy.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

將證書請求文件傳輸給CA
[root@CentOS6 /etc/pki/tls]#scp test.csr 172.18.254.65:/etc/pki/CA/

[root@CentOS7 /etc/pki/CA]#openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 10 05:43:12 2017 GMT
            Not After : Sep 10 05:43:12 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            localityName              = huizhou
            organizationName          = cnnavy.cn
            organizationalUnitName    = it
            commonName                = cnnavy.cn
            emailAddress              = cnnavy.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C8:C4:D0:46:94:43:B2:C3:3E:02:B0:D4:84:2A:F8:D3:B5:2B:B1:F3
            X509v3 Authority Key Identifier: 
                keyid:65:CD:A0:4C:9B:50:7A:99:B5:66:25:9A:BD:CC:F5:CB:97:1D:07:DA

Certificate is to be certified until Sep 10 05:43:12 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

注意：默認(rèn)國家，省，公司名稱三項(xiàng)必須和CA保持一致，也可通過修改openssl.cnf文件policy = policy_anything 項(xiàng)可不做強(qiáng)制匹配

查看請求申請后的證書

[root@CentOS7 /etc/pki/CA]#openssl x509 -in /etc/pki/CA/certs/test.crt  -noout -serial -subject
serial=01
subject= /C=CN/ST=guangdong/L=huizhou/O=cnnavy.cn/OU=it/CN=cnnavy.cn/emailAddress=cnnavy.cn

自此CA簽署之后即生成證書文件，只需將證書發(fā)回給申請所在主機(jī)就可使用了。