OpenSSL是套开放源代码的软件库包,实现了SSL与TLS协议。其主要库是以C语言所写成,实现了基本的加密功能。
OpenSSL可以运行在绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统),OpenVMS与 Microsoft Windows。它也提供了一个移植版本,可以在IBM i(OS/400)上运作。
此软件是以Eric Young以及Tim Hudson两人所写的SSLeay为基础所发展的,SSLeay随着两人前往RSA公司任职而停止开发。
虽然此软件是开放源代码的,但其授权书条款与GPL有冲突之处,故GPL软件使用OpenSSL时(如Wget)必须对OpenSSL给予例外。
在Linux环境下,我们能够利用它来搭建一个CA来实现证书的发放,可以用于企业内部使用的加密工具
1安装openssl
[root@localhost ~]# yum install openssl Loaded plugins: fastestmirror, langpacks base | 3.6 kB 00:00:00 extras | 3.3 kB 00:00:00 updates | 3.4 kB 00:00:00 (1/4): base/7/x86_64/group_gz | 157 kB 00:00:05 (2/4): extras/7/x86_64/primary_db | 15 kB 00:00:07 (3/4): base/7/x86_64/primary_db | 4.9 MB 00:00:23 (4/4): updates/7/x86_64/primary_db | 2.1 MB 00:00:42 Determining fastest mirrors * base: mirror.bit.edu.cn * extras: mirror.bit.edu.cn * updates: mirror.bit.edu.cn Resolving Dependencies --> Running transaction check ---> Package openssl.x86_64 1:1.0.1e-34.el7 will be updated ---> Package openssl.x86_64 1:1.0.1e-34.el7_0.3 will be an update --> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-34.el7_0.3 for package: 1:openssl-1.0.1e-34.el7_0.3.x86_64 --> Running transaction check ---> Package openssl-libs.x86_64 1:1.0.1e-34.el7 will be updated ---> Package openssl-libs.x86_64 1:1.0.1e-34.el7_0.3 will be an update --> Finished Dependency Resolution Dependencies Resolved ========================================================================================================================================================== Package Arch Version Repository Size ========================================================================================================================================================== Updating: openssl x86_64 1:1.0.1e-34.el7_0.3 updates 705 k Updating for dependencies: openssl-libs x86_64 1:1.0.1e-34.el7_0.3 updates 939 k Transaction Summary ========================================================================================================================================================== Upgrade 1 Package (+1 Dependent package) Total download size: 1.6 M Is this ok [y/d/N]: y Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. warning: /var/cache/yum/x86_64/7/updates/packages/openssl-1.0.1e-34.el7_0.3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY0:00:00 ETA Public key for openssl-1.0.1e-34.el7_0.3.x86_64.rpm is not installed (1/2): openssl-1.0.1e-34.el7_0.3.x86_64.rpm | 705 kB 00:00:09 (2/2): openssl-libs-1.0.1e-34.el7_0.3.x86_64.rpm | 939 kB 00:00:09 ---------------------------------------------------------------------------------------------------------------------------------------------------------- Total 163 kB/s | 1.6 MB 00:00:10 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Importing GPG key 0xF4A80EB5: Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>" Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5 Package : centos-release-7-0.1406.el7.centos.2.3.x86_64 (@anaconda) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64 1/4 Updating : 1:openssl-1.0.1e-34.el7_0.3.x86_64 2/4 Cleanup : 1:openssl-1.0.1e-34.el7.x86_64 3/4 Cleanup : 1:openssl-libs-1.0.1e-34.el7.x86_64 4/4 Verifying : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64 1/4 Verifying : 1:openssl-1.0.1e-34.el7_0.3.x86_64 2/4 Verifying : 1:openssl-libs-1.0.1e-34.el7.x86_64 3/4 Verifying : 1:openssl-1.0.1e-34.el7.x86_64 4/4 Updated: openssl.x86_64 1:1.0.1e-34.el7_0.3 Dependency Updated: openssl-libs.x86_64 1:1.0.1e-34.el7_0.3 Complete!
2创建CA自签证书
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ................................+++ .+++ e is 65537 (0x10001) #命令解释: 在Linux 中使用()可以让()创建一个子shell让()内命令执行完毕会关闭这个子shell, 由于我们需要对生成CAKEY.pem文件做权限设置,这时候我们直接用umask改变默认权限就Ok了,再在()内执行就可以达到新建文件默认的权限设置不影响当前系统环境配置。 使用 openssl创建一个2048位证书 genrsa :生成私钥 存放路径为 :/etc/pki/CA/private/ 文件名为 :cakey.pem #注意:这地方的路径和文件名不能随便修改哦
2生成自签证书
[root@localhost ~]# openssl req -new -x509 -days 1000 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem &> /dev/null << EOF CN BeiJing BeiJing 51CTOblog FangKe mondeolove.blog.51cto.com taoxiaoyuzy@vip.qq.com EOF
命令解释
3、创建3个必要的文件
touch /etc/pki/CA/{serial,index.txt,crlnumber} echo 01 | tee /etc/pki/CA/{serial,crlnumber} #echo 01 >> /etc/pki/CA/{serial,crlnumber} 这样做是不行的,所以借助tee命令做多文件的重定向 #命令解释: 在/etc/pki/CA/目录下创建 serial index.txt crlnumber这3个文件 然后在serial crlnumber 追加01内容进去 /etc/pki/CA/serial #生成证书的序列号 /etc/pki/CA/crlnumber #生成吊销证书的开始序列号
4、证书生成签署请求(这个是在客户端生成)
[root@localhost ~]# mkdir -p /etc/ssl/CA/ [root@localhost ~]# (umask 077; openssl genrsa -out /etc/ssl/CA/httpd.key 2048) Generating RSA private key, 2048 bit long modulus .............................................................................+++ ...+++ e is 65537 (0x10001) [root@localhost ~]# openssl req -new -key /etc/ssl/CA/httpd.key -out /etc/ssl/CA/httpd.csr &> /dev/null << EOF CN BeiJing BeiJing 51CTOblog FangKe mondeolove.blog.51cto.com admin@mondeolove.blog.51cto.com EOF
5、给客户端颁发证书(由于是测试环境所以这里CA和客户端都是一台电脑)
[root@localhost ~]# openssl ca -in /etc/ssl/CA/httpd.csr -out /etc/ssl/CA/httpd.crt -days 1000 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 2 13:27:17 2014 GMT Not After : Apr 28 13:27:17 2017 GMT Subject: countryName = CN stateOrProvinceName = BeiJing organizationName = 51CTOblog organizationalUnitName = FangKe commonName = mondeolove.blog.51cto.com emailAddress = admin@mondeolove.blog.51cto.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: EB:A6:79:60:DF:56:E8:B7:56:81:BD:D6:D9:A1:9D:BD:8E:F2:13:0E X509v3 Authority Key Identifier: keyid:B6:6B:52:5F:D5:B2:6B:87:9D:F0:E3:A0:67:9D:7D:B0:D8:77:70:80 Certificate is to be certified until Apr 28 13:27:17 2017 GMT (1000 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost ~]# ls /etc/ssl/CA/ httpd.crt httpd.csr httpd.key
到了这里就实现了自建CA 并且能给客户颁发证书了,客户的证书就是
/etc/ssl/CA/httpd.crt
这个文件,由于这里是测试环境,在实际环境中,我们还需要把这个证书返还给客户端的
umask解释参见:http://blog.csdn.net/lmh12506/article/details/7281910
使用OpenSSL 自建CA 以及颁发证书,布布扣,bubuko.com
原文:http://mondeolove.blog.51cto.com/8823973/1534288