导语:
==================
SSL/TLS :
SSL:Secure Sockets Layer,安全套接字层;<版本:ssl 1.0 , ssl 2.0 , ssl 3.0>
TLS:Transport Layer Security,传输层安全;<版本:tls 1.0 , tls 1.1 , tls 1.2 , tls 1.3>
SSL会话过程:
1> 客户端向服务端索要并验证证书;
2> 双方协商生成”会话密钥”;<第1、2步称为SSL建立会话前的握手阶段>
3> 双方采用”会话密钥”进行加密通信;
第一阶段:客户端向服务器端发送”clienthello”信息,信息内容包括如下;
支持的协议版本,比如TLS的版本;
客户端生成一个随机数,稍后用于生成”会话密钥”;
支持的加密算法,比如AES,RSA等;
支持的压缩算法等;
第二阶段:服务器端向客户端回应”serverhello”信息;
确认使用的加密通信协议版本;
服务器段生成一个随机数,稍后用于生成”会话密钥”;
确认使用的加密方法;
服务器端证书;
第三阶段:客户端;
验证服务器端证书(发证机构、证书完整性、证书的持有者、证书有效期、证书是否被吊销等),确认无误后,取出服务器端的公钥;
发送以下信息给服务器端:
一个随机数,用服务器端的公钥加密此随机数;
编码变更通知;
客户端握手结束通知;
第四阶段:服务器端;
收到客户端发来的第二个随机数pre-master-key后,再加上第一个随机数、服务器端的自己产生的随机数,总共3个随机数,计算生成本次会话 所用到的”会话密钥”;
向客户端发送如下信息:
编码变更通知,表示随后的信息都将采用双方商定的加密方法和会话密钥进行发送;
服务器端握手结束通知;
加密算法和协议:
1> 对称加密:3DES,AES;
2> 公钥加密:不常用,比对称加密要慢3个数量级,RSA,DSA;
3> 单向加密:MD5,SHA1…;
4> 密钥交换:RSA,DH(Deffie-Hellman),ECDH(椭圆曲线DH),ECDHE(临时椭圆曲线DH);
概述:
==================
OpenSSL(v2):
OpenSSL的组成部分:
1>libcrypto:用于实现加密解密的库;
2>libssl:用于实现SSL安全通信的库;
3>openssl:命令行工具;
查看当前系统的OpenSSL版本:
[root@KOU ~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 [root@KOU ~]#
查看OpenSSL支持的命令:
[root@KOU ~]# openssl ? openssl:Error: '?' is an invalid command. Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genpkey genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac ts verify version x509 Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb zlib [root@KOU ~]#
正文:
==============
1、OpenSSL命令的子命令:
标准命令;
消息摘要命令(由’dgst’子命令控制);
加密命令(由’enc’子命令控制);
常用的标准命令:enc,ca,req,genrsa,
1> 对称加密:
命令工具:openssl {enc|gpg}
支持的算法:3des,aes,blowfish,twofish,…
查看enc命令的使用帮助:”man enc”
加密:~]# openssl enc -e -des3 -a -salt -in /PATH/FROM/SRC_FILENAME -out /PATH/TO/ENCRY_FILENAME
解密:~]# openssl enc -d -des3 -a -salt -out /PATH/FROM/NEW_FILENAME -in /PATH/FROM/ENCRY_FILENAME
2> 单向加密: 生成文件的特征码;
命令工具:openssl dgst ;或者单独使用命令”md5sum”,”sha1sum”,”sha224sum”,”sha256sum”,”sha384sum”,”sha512sum”;
支持的常用的算法:sha1,md5
~]# openssl dgst -md5 /PATH/FROM/SRC_FILENAME
3> 对用户进行密码赋值:
命令工具:openssl passwd 或者单独使用 passwd;
~]# openssl passwd -1 -salt 12345678956
“-1” : 数字1,表示采用MD5加密;
“-salt” : 表示后面要跟一个随机数;
如果随机数不手动指定,也可通过命令替换,让系统产生随机数即可,具体命令格式为:
~]# openssl passwd -1 -salt $(openssl rand -hex 4)
~]# openssl passwd -1 -salt $(openssl rand -base64 5)
4> 生成随机数:
命令行工具:
~]# openssl rand {-base64|-hex} number
-base64 : 表示采用base64编码格式显示随机数;
-hex : 表示采用十六进制编码格式显示随机数;
number : 表示要输出的随机数的字节长度;
[root@KOU kou]# openssl rand -base64 10
5y3nMS3BchmNvw==
[root@KOU kou]#
上面生成的随机数”5y3nMS3BchmNvw==”中,”==”是固定格式,其前面的才是生成的随机数;
Linux系统上的随机数生成器:
/dev/random: 仅从熵池返回随机数;随机数用尽,则阻塞后来的进程;
/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞;伪随机数不安全;
熵池中的随机数来源:
硬盘IO中断的时间间隔;
键盘IO中断的时间间隔;
5> 公钥加密:
加密解密的算法:RSA,ELGamal;
加密解密的命令工具:openssl {rsautl|gpg}
数字签名的算法:RSA,DSA,ELGamal;
数字签名的命令工具:openssl {rsautl|gpg}
密钥交换的算法:DH,
密钥交换的命令工具:openssl {rsautl|gpg}
密钥位长:512 、 768 、 1024 、 2048 、 4096;
生成私钥:
——————-
~]# (umask 077;openssl genrsa -out /PATH/TO/PRIVATE_KEY_FILE NUM_BITS)
举例:
~]# openssl genrsa 1024 生成1024位的密钥,默认生成私钥;
~]# openssl genrsa 1024 > k1.file 生成1024位的密钥,输出重定向保存至指定文件;
~]# openssl genrsa -out k2.file 1024 生成1024位的密钥,输出重定向保存至指定文件;
备注:上面2个保存私钥的文件权限为”-rw-r–r–“,因为是私钥,其他人能读取,此种文件权限格式不安全;可以用umask命令指定文件的权限;
~]# (umask 077; openssl genrsa -out k3.file 1024) 指定保存私钥的文件权限,只有属主能读写;
公钥是从私钥中提取出来的;
提取出公钥,并保存至指定文件:
—————————-
~]# openssl rsa -in /PATH/FROM/PRIVATE_KEY_FILE -pubout -out /PATH/TO/PUBLIC_KEY_FILE
2、CA
可以建立私有CA的工具:openssl、openca;
2.1 openssl 配置文件:/etc/pki/tls/openssl.cnf;
2.2 构建私有CA:在确定配置为CA的服务器上生成一个自签证书,并为CA提供所需要的目录及文件;
具体步骤:
1> 生成私钥:
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
说明:私钥必须要保存在目录’/etc/pki/CA/private/’中,且私钥文件名必须为’cakey.pem’;
2> 生成自签证书:
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 730
‘-new’ : 表示生成新证书的签署请求;
‘-x509’ : 表示生成自签格式的证书,专用于创建私有CA时使用;
‘-key’ : 指定生成请求时用到的私钥文件(文件的完整路径);
‘-out’ : 生成请求的输出文件路径;如果是自签操作,将直接生成签署过的证书;
‘-days’ : 选项,后面跟数字,单位是”天”,表示证书有效期;默认值为’365’,即一年;
3> 为CA提供所需的目录及文件;
确保在目录’/etc/pki/CA’下面需有如下子目录及文件,如果不存在,则手动创建:
目录:certs、crl、newcerts;
文件:serial、index.txt;
~]# mkdir /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 09 > /etc/pki/CA/serial
2.3 要用到证书进行安全通信的服务器,需要向CA请求签署证书;
1> 申请者主机上:以httpd为例,在httpd的安装目录下创建目录,比如’ssl’,并在此目录下生成私钥:
~]# cd /etc/httpd
~]# mkdir ssl
~]# cd ssl
~]# (umask 077; openssl genrsa -out httpd.key 2048)
2> 申请者主机上:生成证书签署请求文件:
~]# openssl req -new -key httpd.key -out httpd.csr -days 365
3> 申请者主机上:把生成的证书签署请求文件发给CA服务器;
4> CA服务器上:做签署操作;
~]# openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
5> CA服务器上:把签署好的证书发给申请者;
查看已经签署的证书(可查看指定信息,比如serial、subject等):也可用’cat’之类的文本查看工具查看整个文件的信息;
~]# openssl x509 -in httpd.crt -noout -serial -subject
2.4 吊销证书操作:在CA服务器上操作;
1> 证书使用者:证书使用者先查看证书的serial号,并把序列号发给CA服务器;
~]# openssl x509 -in httpd.crt -noout -serial -subject
2> CA服务器:吊销证书;
首先根据证书使用者提供的证书序列号对比CA服务器本机数据库’index.txt’中存储的数据是否一致,如果一致,则执行下面的吊销操作;
~]# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
SERIAL : 换成实际的序列号;
3> 生成吊销证书的吊销编号
注意:在CA服务器上首次执行吊销操作时需要执行此步骤,第二次吊销其他所有证书时无需操作;
~]# echo 01 > /etc/pki/CA/crlnumber
4> 更新证书吊销列表
~]# openssl ca -gencrl -out NAME.crl
查看上面crl文件的信息:
~]# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
F.E.
1>对文件进行对称加密:
[root@KOU kou]# openssl enc -e -des3 -a -salt -in fstab -out fstab.encry enter des-ede3-cbc encryption password: Verifying - enter des-ede3-cbc encryption password: [root@KOU kou]# [root@KOU kou]# more fstab.encry U2FsdGVkX1+cU795/br27B5g5ShgBigs5m4Ywpzr2rjQMZkCj5MDw7QBO8Oa3lXu d0QF22zKTiZCp09XH/TEQzznXXO9VOATM3uT1xPg+2xD7XGhzGBW0huJUceN6EJQ qex2s0NbCSPjoB8jbhzR51DvK+vs/Kl8cc2S+ttYdojcSs4exY4WX+J1iMdl1h5k SpderfDP87bEMl88mMw5P/4uMho1sx+IfbQbJRoPUk1r4PE82N1r+nsM5ztG7sEj 3nSmqb1BuMKztA3vj9GVeRN0nbCN7XGzXXC8eg1LZwE8pPd8nOzulpsn0VDINNM9 T9dHlPg/bSaz4FqChHAN4STdktAJq9SEee6bzrhD/GntTSJUmbq0059YNE8CnEck FdYA+JW9JEP4zuslRSQL12YameKq+Cg7eIM63og3PlgU6HP/Un8cWvmeSgRC+82A ObUNyQRtK4deuk7qqv7XOI8QzdbB/4P4ojAc+6P7bbRQIhlPshmz2wBtw0Nl8umS fK8Sn6ba/ulnfeI6kv0Xqk48UaDrI8Ik0+9AGdqJgD5aXm0QNIkkGcim+u8nRo8I QxR5YzcSQc+JcRhfhfESDSwPkOws3hNhtpgBve1IxocFmmwtQBSikJdQek7FaHrQ OS6xEA00/OTprZyZQ3ZlFvrAHje5p9yva7k5lc9a9FcsuqZCxb7wMaGx3K7ZlPHA TVwdhUVYedzt7ZfStLzmFZIpK9AfdUq4aFycXX10wpAOqG34LgyU4GkhLYX0aL6S lI4hnfeT7WEXUrJaeNLfHywDvFvXfKieJzh1aOYSijJ8sMX2ufDYB4vmW3f77Sot UEnS6DO9UlMMWwJN9p1lL/7aoSd7pwJ0ZaVKqHoPYwBD2eu96fntJnJMLo+1QKwR KD3EsAwDIPmBOTZOdeTWFQ== [root@KOU kou]#
2>对对称加密的文件进行解密:
[root@KOU kou]# openssl enc -d -des3 -a -salt -out fstab.11 -in fstab.encry enter des-ede3-cbc decryption password: [root@KOU kou]#
3>单向加密举例:
[root@KOU kou]# md5sum fstab 9051c1f4f8babd1d14c732f0b7f74409 fstab [root@KOU kou]# [root@KOU kou]# openssl dgst -md5 fstab MD5(fstab)= 9051c1f4f8babd1d14c732f0b7f74409 [root@KOU kou]# [root@KOU kou]# openssl dgst -sha fstab SHA(fstab)= 30544b5292c86f75dd0f4f70b739a0059fdedc3d [root@KOU kou]# [root@KOU kou]# openssl dgst -sha1 fstab SHA1(fstab)= 139f492871a65e5cc0370455170cbf59c71e83c8 [root@KOU kou]# [root@KOU kou]# sha sha1sum sha224sum sha256sum sha384sum sha512sum sharesec [root@KOU kou]# sha1sum fstab 139f492871a65e5cc0370455170cbf59c71e83c8 fstab [root@KOU kou]# [root@KOU kou]# sha224sum fstab ffaded9bc1a994f70edc3523e4c28984409eea04d95077f68bd123b7 fstab [root@KOU kou]#
3>对用户进行密码赋值
[root@KOU kou]# openssl passwd -1 -salt 333333 Password: $1$333333$.f.oA2kyPFDLrKUa7Xbfg/ [root@KOU kou]#
4>生成随机数:
[root@KOU kou]# openssl rand -base64 10 5y3nMS3BchmNvw== [root@KOU kou]# [root@KOU kou]# openssl rand -base64 10 4EHPT6JuwRZ8Vw== [root@KOU kou]# openssl rand -base64 10 pWuAuuuxd40cBQ==
5>生成1024位的密钥:
[root@KOU kou]# openssl genrsa 1024 Generating RSA private key, 1024 bit long modulus ...........................++++++ ..................................................++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQC9K90F8PJI2HbfXIGAOPi6HkUlbk3tJkN4ok7z6S/u3prO9FwU AmFP+GUiRDPzhRMRewqPE7zcKYe8p9QBcBoM9TmS7cR0Xy9jC2GgnL9BxT5Ru9YW xfb0XjaKMCdOMjdEvm4fKVL7dQeVgKKXXDdS/Yc659O/cnv4YwxBp4bEHQIDAQAB AoGAN/jFgd+D4JfjvD0DuCujNHaGYQfdGMEMj6H+mF6zpwrIZVmZ8PWvU1kcm2Hw uSnztWVhf2oIpF/JYMGLkg1YN2EDu8WEEG3OevPJh9Ntj8KBOru6A8KppZ38Csi0 6W2tCnfP72Oe23CJqWPt7wbBIpMnnfBUEQDYAYwpDTSgowUCQQDifzk5+QVQqZB1 f9KH21yw2AD0EHettezXnkUJrY3nVVEbqf6vxajbHnjTmuASp3OD3Ks3gSFzKrQL Jf/UToJPAkEA1c/6ZM8rs6rzJrpgME4/aCqgS+1khY+rhqAuYVIoFDGY9ATkqZPi HW12iLvKtiw4S2QFkfVC7l2vVIZn4KKT0wJAE6hnFxj91RpiZ1BIvXHUgaS9sHEd cf4wKCacZ1Kg1ksZVwVSDX9iQGJMqlDu0a+m3vLwCUkz1gMGzVDm+041EQJAOf2J rTPfZ4CTKErecduXKPp+tXkyjWMVI5NoYO72fduh33VAS5oXduHMh3NfnJ9LuW7s b9T0jVANkMBPhkayDwJAcc8KUDIHB1CFf8jo7e/3aP4GF634q03zQh2GF3F7acPK WSgStt0HZqpK7jcmvc4CrxZAb+RkS0JHZwwCZ1e8qg== -----END RSA PRIVATE KEY----- [root@KOU kou]#
[root@KOU kou]# (umask 077;openssl genrsa -out k3.file 1024) 指定文件的权限; Generating RSA private key, 1024 bit long modulus ...................................................................++++++ ......................................................................++++++ e is 65537 (0x10001) [root@KOU kou]# [root@KOU kou]# ll total 20 -rw-r--r--. 1 root root 671 May 31 06:17 fstab -rw-r--r--. 1 root root 935 May 31 06:19 fstab.encry -rw-r--r--. 1 root root 887 May 31 08:43 k1.file -rw-r--r--. 1 root root 887 May 31 08:45 k2.file -rw-------. 1 root root 887 May 31 08:49 k3.file 只有属主能读写; [root@KOU kou]#
从私钥中提取出公钥,并保存至指定文件中:
[root@KOU kou]# openssl rsa -in k3.file -pubout -out k3.public1 writing RSA key [root@KOU kou]# [root@KOU kou]# ll total 28 -rw-r--r--. 1 root root 671 May 31 06:17 fstab -rw-r--r--. 1 root root 935 May 31 06:19 fstab.encry -rw-r--r--. 1 root root 887 May 31 08:43 k1.file -rw-r--r--. 1 root root 887 May 31 08:45 k2.file -rw-------. 1 root root 887 May 31 08:49 k3.file -rw-r--r--. 1 root root 887 May 31 08:59 k3.public -rw-r--r--. 1 root root 272 May 31 09:01 k3.public1 [root@KOU kou]# more k3.public1 -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxTPtWXq/bmLIuOtR/V79Q7ub7 MjZp70oz7zltwiF8h0MrUGsH2+5g2MsqWV/V+I6FYB+1bQH8Z8p1isleK+FhOt0X e2YJRG81e93njEGNjTScd1u4XhYcG3TAMmsPTfre4gXCaUiJTK+L7+VdXXpR4hur DMriXXzAfbvZQVYbjwIDAQAB -----END PUBLIC KEY----- [root@KOU kou]#
6>构建私有CA步骤:
生成私钥;生成自签证书;为CA提供所需的目录及文件;
6.1> 生成私钥,用固定名称保存至固定目录中:
------------------------------------------------
[root@KOU kou]#
[root@KOU kou]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
.....+++
e is 65537 (0x10001)
[root@KOU kou]#
6.2> 生成自签证书,自签证书的名称、保存路径都是固定的:
-------------------------------------------------------------
[root@KOU kou]#
[root@KOU kou]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZHou
Organization Name (eg, company) [Default Company Ltd]:D.S.Ltd
Organizational Unit Name (eg, section) []:^C
[root@KOU kou]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 730
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZHou
Organization Name (eg, company) [Default Company Ltd]:DStec
Organizational Unit Name (eg, section) []:OPs
Common Name (eg, your name or your server's hostname) []:ca.kouyuushinn.cn
Email Address []:lucifer@kouyuushinn.cn
[root@KOU kou]#
6.3> 如果如下目录及文件不存在,则需创建:目录"/etc/pki/CA{certs,crl,newcerts}"、文件"/etc/pki/CA/{serial,index.txt}";
[root@KOU kou]# ll /etc/pki/CA
total 4
-rw-r--r--. 1 root root 1448 Jun 1 00:22 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jun 1 00:17 private
[root@KOU kou]#
[root@KOU kou]#
[root@KOU kou]# touch /etc/pki/CA/{serial,index.txt}
[root@KOU kou]#
[root@KOU kou]# echo 08 > /etc/pki/CA/serial
[root@KOU kou]#
[root@KOU kou]#
7> 为其他主机签署证书:
7.1> 在需要申请证书的主机上创建私钥、生成证书申请文件:
[root@localhost ~]# cd /etc/httpd
[root@localhost httpd]#
[root@localhost httpd]# mkdir 66ssl
[root@localhost httpd]#
[root@localhost httpd]# ls
66ssl conf conf.d conf.modules.d logs modules run
[root@localhost httpd]#
[root@localhost httpd]# cd 66ssl/
[root@localhost 66ssl]#
[root@localhost 66ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
..................................................................................................+++
e is 65537 (0x10001)
[root@localhost 66ssl]#
[root@localhost 66ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuangZHou
Organization Name (eg, company) [Default Company Ltd]:DStec
Organizational Unit Name (eg, section) []:OPs
Common Name (eg, your name or your server's hostname) []:192.168.206.66
Email Address []:aa@kk.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost 66ssl]#
7.2> 把生成的证书申请文件发送给CA服务器;
7.3> CA服务器上操作签署动作:
[root@KOU kou]# openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 8 (0x8)
Validity
Not Before: May 31 17:16:12 2018 GMT
Not After : May 31 17:16:12 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
organizationName = DStec
organizationalUnitName = OPs
commonName = 192.168.206.66
emailAddress = aa@kk.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F3:88:B9:61:1C:E1:57:3C:54:0A:97:97:08:03:F6:E6:EE:1E:5C:07
X509v3 Authority Key Identifier:
keyid:19:63:66:F9:1E:E3:B5:95:32:64:23:0F:96:DD:B5:5D:A7:F3:1F:E6
Certificate is to be certified until May 31 17:16:12 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@KOU kou]#
---------------------
[root@KOU kou]# cd /etc/pki/CA
[root@KOU CA]# ls
cacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[root@KOU CA]# more serial
09
[root@KOU CA]#
[root@KOU CA]# more certs/httpd.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8 (0x8)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=GuangZHou, O=DStec, OU=OPs, CN=ca.kouyuushinn.cn/emailAddress=lucifer@kouyuushinn.cn
Validity
Not Before: May 31 17:16:12 2018 GMT
Not After : May 31 17:16:12 2019 GMT
Subject: C=CN, ST=GuangDong, O=DStec, OU=OPs, CN=192.168.206.66/emailAddress=aa@kk.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:30:54:9f:32:ee:d9:41:da:07:a6:93:58:f0:
c5:e3:9c:d6:bb:33:d1:a4:b9:a7:aa:dd:e6:d0:ed:
f8:1a:54:55:29:9c:a3:45:79:a0:6f:e6:32:b2:82:
1d:1d:63:0f:58:74:a9:6c:38:fc:77:f4:f1:4b:cc:
50:93:2f:d5:ec:36:87:97:60:5a:61:d0:8d:65:d6:
53:dc:4a:5d:70:54:4d:ec:5a:b1:4f:be:a8:19:ec:
ba:70:45:11:93:3a:7e:b9:4e:5e:07:9b:05:0d:ca:
58:d2:8a:3d:d7:6e:e1:60:9e:3f:47:9f:ff:34:5a:
b6:1d:e1:dd:65:9e:cd:52:74:b0:85:bc:78:2e:ac:
42:75:93:8a:f6:d2:bf:35:f8:4c:4e:d6:11:81:d8:
43:15:96:eb:d4:b8:d8:7a:19:d7:0e:88:d4:4e:a7:
4b:c5:33:58:a8:48:10:1b:f5:00:fb:e1:be:82:ee:
35:7f:ed:81:33:e3:0c:bc:8c:8f:7b:ef:d8:bd:99:
29:bd:64:df:56:8b:c1:e9:3b:9e:47:58:8e:fa:8c:
ed:67:48:1c:95:70:b1:a3:17:ee:26:7a:94:ba:00:
de:c7:77:d1:38:9e:51:67:40:fb:4c:30:ad:1e:f4:
45:8e:58:77:1c:aa:65:0f:a2:9e:f5:57:b3:c6:f8:
51:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F3:88:B9:61:1C:E1:57:3C:54:0A:97:97:08:03:F6:E6:EE:1E:5C:07
X509v3 Authority Key Identifier:
keyid:19:63:66:F9:1E:E3:B5:95:32:64:23:0F:96:DD:B5:5D:A7:F3:1F:E6
Signature Algorithm: sha256WithRSAEncryption
8e:92:cc:aa:36:12:ea:0c:bc:f8:4b:7b:19:2b:4e:9a:6f:7f:
a3:a9:75:0b:95:d7:8f:05:76:e9:9c:9a:59:23:c6:38:74:cf:
33:54:9b:13:f5:3d:cb:f1:3c:ff:09:ad:b7:4d:f6:88:7e:fb:
00:41:23:42:b2:a2:ed:c7:31:4f:14:d1:83:91:83:af:42:26:
71:e3:f0:64:4b:16:f1:ad:59:48:55:f4:ca:75:36:7d:70:2f:
24:0d:6a:2c:66:6a:76:e0:c1:02:98:32:39:a0:4f:44:1a:88:
c6:97:97:2c:4f:1a:32:be:72:d9:a7:e2:81:aa:e5:91:e6:42:
ba:f0:57:34:85:77:14:f6:3f:16:5c:98:50:a6:b6:a4:d6:1b:
2f:eb:4a:de:f0:74:ca:a6:e5:a5:f5:83:66:79:31:e0:d7:7c:
d6:8e:25:5a:bb:c2:51:d4:fa:0e:2f:b5:17:b4:9b:fe:27:06:
e5:d8:5c:3d:6d:b9:5a:84:1e:d7:e8:7d:d1:a9:41:12:54:12:
5d:0f:15:5e:3b:25:f1:18:bb:62:cc:66:93:87:65:cc:64:2d:
9c:a3:9c:64:7e:c3:7d:72:65:47:da:79:3a:97:9b:97:21:62:
9c:78:04:ef:db:97:17:25:92:57:6a:10:45:6b:30:ee:e9:a5:
f5:84:5f:10
-----BEGIN CERTIFICATE-----
MIID/jCCAuagAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBljELMAkGA1UEBhMCQ04x
EjAQBgNVBAgMCUd1YW5nRG9uZzESMBAGA1UEBwwJR3VhbmdaSG91MQ4wDAYDVQQK
DAVEU3RlYzEMMAoGA1UECwwDT1BzMRowGAYDVQQDDBFjYS5rb3V5dXVzaGlubi5j
bjElMCMGCSqGSIb3DQEJARYWbHVjaWZlckBrb3V5dXVzaGlubi5jbjAeFw0xODA1
MzExNzE2MTJaFw0xOTA1MzExNzE2MTJaMHExCzAJBgNVBAYTAkNOMRIwEAYDVQQI
DAlHdWFuZ0RvbmcxDjAMBgNVBAoMBURTdGVjMQwwCgYDVQQLDANPUHMxFzAVBgNV
BAMMDjE5Mi4xNjguMjA2LjY2MRcwFQYJKoZIhvcNAQkBFghhYUBray5jbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOgwVJ8y7tlB2gemk1jwxeOc1rsz
0aS5p6rd5tDt+BpUVSmco0V5oG/mMrKCHR1jD1h0qWw4/Hf08UvMUJMv1ew2h5dg
WmHQjWXWU9xKXXBUTexasU++qBnsunBFEZM6frlOXgebBQ3KWNKKPddu4WCeP0ef
/zRath3h3WWezVJ0sIW8eC6sQnWTivbSvzX4TE7WEYHYQxWW69S42HoZ1w6I1E6n
S8UzWKhIEBv1APvhvoLuNX/tgTPjDLyMj3vv2L2ZKb1k31aLwek7nkdYjvqM7WdI
HJVwsaMX7iZ6lLoA3sd30TieUWdA+0wwrR70RY5YdxyqZQ+invVXs8b4UW8CAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFPOIuWEc4Vc8VAqXlwgD9ubuHlwHMB8G
A1UdIwQYMBaAFBljZvke47WVMmQjD5bdtV2n8x/mMA0GCSqGSIb3DQEBCwUAA4IB
AQCOksyqNhLqDLz4S3sZK06ab3+jqXULldePBXbpnJpZI8Y4dM8zVJsT9T3L8Tz/
Ca23TfaIfvsAQSNCsqLtxzFPFNGDkYOvQiZx4/BkSxbxrVlIVfTKdTZ9cC8kDWos
Zmp24MECmDI5oE9EGojGl5csTxoyvnLZp+KBquWR5kK68Fc0hXcU9j8WXJhQprak
1hsv60re8HTKpuWl9YNmeTHg13zWjiVau8JR1PoOL7UXtJv+Jwbl2Fw9bblahB7X
6H3RqUESVBJdDxVeOyXxGLtizGaTh2XMZC2co5xkfsN9cmVH2nk6l5uXIWKceATv
25cXJZJXahBFazDu6aX1hF8Q
-----END CERTIFICATE-----
[root@KOU CA]#
[root@KOU CA]#
[root@KOU CA]#
[root@KOU CA]#
[root@KOU CA]#
[root@KOU CA]# scp certs/httpd.crt root@192.168.206.66:/etc/httpd
The authenticity of host '192.168.206.66 (192.168.206.66)' can't be established.
ECDSA key fingerprint is SHA256:PSFFIGtRXOF5EPmovLwLoYuuHFqYRAIgmus0XJHa3mY.
ECDSA key fingerprint is MD5:a4:1b:d2:cf:fd:c7:81:aa:3d:57:00:7a:7e:56:ea:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.206.66' (ECDSA) to the list of known hosts.
root@192.168.206.66's password:
httpd.crt 100% 4622 1.9MB/s 00:00
[root@KOU CA]#
[root@KOU CA]# more index.txt
V 190531171612Z 08 unknown /C=CN/ST=GuangDong/O=DStec/OU=OPs/CN=192.168.206.66/emailAddress=aa@kk.cn
[root@KOU CA]#
7.4> CA服务器把签署好的证书发给申请者;