Category: System administration
2005-05-23 21:20:16
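When Hailong lectured on PKI, he covered the algorithms and the architecture in great detail, but never explained how to actually build one. After one lecture I asked someone else, and did not seem to get an answer there either. Hao Da said he had set up a certification server himself and was quite pleased with it; seeing that he was also studying applied cryptography, I guessed this thing could not be easy. I wanted to ask him about it, but feared it would require too much background knowledge, so I let it go.
I read that it can be done with OpenSSL; I'll try it in a few days. Following the article's directions, step by step, :)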
----------------------------
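Some assumptions: my name is aliali, I have a friend named boxbox, and the current directory is $home/candel.
The user requests a certificate
1. Generate a private key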
$openssl genrsa -des3 -out aliali.key 1024
Output:
Generating RSA private key, 1024 bit long modulus
.......++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
This produces a file named aliali.key with the following contents:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,BB03146A74BE076E
HwsUT6Slujin4b7p7X3KLCxUSRMgK0WVHU1zRJwV+LeQQYOvW4YOvl1w1TJVuwtx
............
I5GbgPGfP7tb0dHKx6SMv/EOQitkx98SpPQlKwGvhimcUqg0QM+UJw==
-----END RSA PRIVATE KEY-----
The private key's contents can be viewed with the following command:
$openssl rsa -noout -text -in aliali.key
Output:
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
00:d1:bd:28:78:e7:bb:17:c0:44:97:ec:43:b0:48:
.........
6c:02:6c:35:fc:c0:97:16:eb
publicExponent: 65537 (0x10001)
privateExponent:
22:c1:61:af:87:56:ed:7c:a2:e1:39:f9:8d:80:a9:
..........
06:bd:e4:da:81:39:61:c1
prime1:
00:f9:e4:ca:a5:3a:b2:da:27:69:e0:47:d3:80:e4:
..........
08:ab:3c:fc:33
prime2:
00:d6:dd:2d:a6:99:b6:11:2b:84:76:e1:af:eb:c0:
...........
80:e7:b7:c2:69
exponent1:
00:ef:6a:61:30:5e:85:9e:76:e6:7c:47:b4:7e:a8:
...........
e6:b1:50:d3:7b
exponent2:
00:a5:26:0a:01:a4:e2:09:5e:7e:89:75:bc:e7:23:
...........
63:c7:37:3a:09
coefficient:
00:c7:e0:04:e3:83:d7:9d:aa:55:d4:b2:ae:da:2b:
............
4e:4f:64:f0:d4
The following command produces a private key that can be accessed without a passphrase:
$openssl rsa -in tom.key -out tom.key.unsecure
Output: don't know, I haven't tried it.
2. Use the private key above to generate a certificate signing request (CSR):
$openssl req -new -key aliali.key -out aliali.csr
Output:
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:aliali.com
Organizational Unit Name (eg, section) []:management center of network
Common Name (eg, your name or your server's hostname) []:aliali
Email Address []:hitonyang@yahoo.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:alia
An optional company name []:istic
This produces the file aliali.csr, with the following contents:
-----BEGIN CERTIFICATE REQUEST-----
MIIB/zCCAWgCAQAwgZMxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRMw
...........
r6djmppuuS5beTZNASdzpC8FSEokg66a9Xgfz4K2joX/gK0=
-----END CERTIFICATE REQUEST-----
Use $openssl req -noout -text -in aliali.csr to view the request; it shows the following:
Using configuration from /usr/share/ssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=Beijing, O=aliali.com, OU=management center of network, CN=aliali/Email=hitonyang@yahoo.com.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d1:bd:28:78:e7:bb:17:c0:44:97:ec:43:b0:48:
................
6c:02:6c:35:fc:c0:97:16:eb
Exponent: 65537 (0x10001)
Attributes:
challengePassword :alia
unstructuredName :istic
Signature Algorithm: md5WithRSAEncryption
a0:af:9f:9a:6e:48:a9:12:b5:ed:db:3a:8a:ec:ae:8f:cb:48:
.............
80:ad
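The service side needs its own key and crt before it can issue certificates; if it has none, they must be generated.
Generate the service side's private key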
$ openssl genrsa -des3 -out ca.key 1024
Output:
Generating RSA private key, 1024 bit long modulus
.............................................++++++
...++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Generate the CA's self-signed X.509 certificate
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Output:
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ISTIC
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
The service side issues the certificate
$sign.sh aliali.csr
Output:
CA signing: aliali.csr -> aliali.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Beijing'
organizationName :PRINTABLE:'aliali.com'
organizationalUnitName:PRINTABLE:'management center of network'
commonName :PRINTABLE:'aliali'
emailAddress :IA5STRING:'hitonyang@yahoo.com.cn'
Certificate is to be certified until Jan 2 10:22:08 2009 GMT (2002 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: aliali.crt <-> CA cert
aliali.crt: OK
The sign.sh used here can be
OK! aliali's certificate aliali.crt has finally been generated; its contents are as follows:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=Beijing, O=ISTIC
Validity
Not Before: Jul 11 10:22:08 2003 GMT
Not After : Jan 2 10:22:08 2009 GMT
Subject: C=CN, ST=Beijing, O=aliali.com, OU=management center of network, CN=aliali/Email=hitonyang@yahoo.com.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d1:bd:28:78:e7:bb:17:c0:44:97:ec:43:b0:48:
.............
6c:02:6c:35:fc:c0:97:16:eb
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
2a:2f:80:22:24:94:94:c5:c8:ec:f8:b4:5f:1c:89:e3:d9:5e:
....................
91:7b
-----BEGIN CERTIFICATE-----
MIICMjCCAZsCAQEwDQYJKoZIhvcNAQEEBQAwLzELMAkGA1UEBhMCQ04xEDAOBgNV
.............................
tCMO03/DkL1dBTnwJdS5U7FONj3OW4cW0I1Sn84IbHMCL8u5kXs=
-----END CERTIFICATE-----
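Do not modify "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----" or anything between them; the rest can be removed.
For programs that cannot read PEM-format certificates, the following command produces a DER-format certificate: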
$openssl x509 -in aliali.crt -out aliali.der -outform DER
The user uses the certificate
Preparation: generate boxbox.crt the same way as for aliali, then:
$mkdir usage
$cd usage
$mkdir ali
$mkdir box
$cd ali
$cp ../../*.crt .
$cp ../../aliali.key .
$echo "Hello World" >original.txt
$cd ../box
$cp ../../*.crt .
$cp ../../boxbox.key .
1. Digital signature
$cd ../ali
$ln -s original.txt txt_need_sign.txt
$openssl smime -sign -in txt_need_sign.txt -out txt_need_sign.2box.fromali.sign -inkey aliali.key -signer aliali.crt
$cp txt_need_sign.2box.fromali.sign ../box/txt_need_verify_sign.fromali.sign
2. Verify the signature
$cd ../box
$openssl smime -verify -out org.txt2 -in txt_need_verify_sign.fromali.sign -certfile aliali.crt -CAfile ca.crt
Output:
Verification Successful
3. Digital envelope (encryption)
$cd ../ali
$ln -s original.txt txt_need_enc.txt
$openssl smime -encrypt -in txt_need_enc.txt -out txt_need_enc.4box.fromali.enc boxbox.crt
$cp txt_need_enc.4box.fromali.enc ../box/txt_need_dec.fromali.enc
4. Digital envelope (decryption)
$cd ../box
$openssl smime -decrypt -in txt_need_dec.fromali.enc -out org.txt3 -inkey boxbox.key -recip boxbox.crt
5. Sign, then encrypt
$cd ../ali
$ln -s original.txt txt_need_sign_enc.txt
$openssl smime -sign -in txt_need_sign_enc.txt -out txt_signedbyali_need_enc.sign -inkey aliali.key -signer aliali.crt
$openssl smime -encrypt -in txt_signedbyali_need_enc.sign -out txt_signbyali_need_dec.4box.fromali.sign.enc boxbox.crt
$cp txt_signbyali_need_dec.4box.fromali.sign.enc ../box/txt_singed_need_dec.fromali.sign.enc
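The issuance and step 5 above, rerun non-interactively as an added example (not the author's sign.sh or ca.config, which the page does not show): it replaces the 1024-bit keys and md5WithRSAEncryption seen in the output above with 2048-bit RSA and SHA-256, signs the requests with openssl x509 -req instead of sign.sh, and adds boxbox's receiving side (decrypt, then verify against ca.crt). The function names, the demo subject names and the unencrypted demo keys are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the author's sign.sh. Demo keys are unencrypted (-nodes)
# and all subject names are constructed.

# issue NAME: key and CSR for NAME, signed by ca.key/ca.crt in the current dir
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/C=CN/O=demo/CN=$1" 2>/dev/null &&
    openssl x509 -req -sha256 -days 365 -in "$1.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out "$1.crt" 2>/dev/null
}

# build_pki DIR: cd into DIR, create a self-signed demo CA, then issue
# certificates for aliali and boxbox
build_pki() {
    mkdir -p "$1" && cd "$1" || return 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout ca.key -out ca.crt -subj "/C=CN/O=demo CA" 2>/dev/null &&
    issue aliali && issue boxbox
}

# sig_alg CERT: print the certificate's signature algorithm
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# ali_send IN OUT: sign as aliali, then encrypt the signed message to boxbox
ali_send() {
    openssl smime -sign -md sha256 -in "$1" -signer aliali.crt \
        -inkey aliali.key -out signed.tmp 2>/dev/null &&
    openssl smime -encrypt -aes256 -in signed.tmp -out "$2" boxbox.crt
}

# box_receive IN OUT: decrypt with boxbox's key, then verify the signer's
# chain against ca.crt; returns non-zero if either step fails
box_receive() {
    openssl smime -decrypt -in "$1" -recip boxbox.crt \
        -inkey boxbox.key -out decrypted.tmp 2>/dev/null &&
    openssl smime -verify -in decrypted.tmp -CAfile ca.crt -out "$2" 2>/dev/null
}

# Usage: build_pki /tmp/pki-demo && echo "Hello World" > original.txt &&
#        ali_send original.txt msg.enc && box_receive msg.enc recovered.txt
```

The recovered text comes back with CRLF line endings, because S/MIME canonicalises text content before signing.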
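6. Generate a digital certificate that includes the private key
A digital certificate that includes the private key is used for importing, exporting and storing certificates; the standard for such certificates is PKCS#12.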
$openssl pkcs12 -export -in aliali.crt -out aliali.p12 -inkey aliali.key -name "ali's key and certificate"
Output:
Enter PEM pass phrase:
Enter Export Password:
Verifying password - Enter Export Password: