官网:https://www.openssl.org/
OpenSSL计划在1998年开始,其目标是发明一套自由的加密工具,在互联网上使用。OpenSSL以EricYoung以及Tim Hudson两人开发的SSLeay为基础,随着两人前往RSA公司任职,SSLeay在1998年12月停止开发。因此在1998年12月,社群另外分支出OpenSSL,继续开发下去OpenSSL管理委员会当前由7人组成有13个开发人员[3]具有提交权限(其中许多人也是OpenSSL管理委员会的一部分)。只有两名全职员工(研究员),其余的是志愿者该项目每年的预算不到100万美元,主要依靠捐款。 TLS 1.3的开发由 Akamai 赞助OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,同时确认另一端连线者的身份。这个包广泛被应用在互联网的网页服务器上其主要库是以C语言所写成,实现了基本的加密功能,实现了SSL与TLS协议。OpenSSL可以运行OpenVMS、 Microsoft Windows以及绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统)
心脏出血漏洞:OpenSSL 1.0.1版本(不含1.0.1g)含有一个严重漏洞,可允许***者读取服务器的内存信息。该漏洞于2014年4月被公诸于世,影响三分之二的活跃网站
包括三个组件:
libcrypto:用于实现加密和解密的库
libssl:用于实现ssl通信协议的安全库
openssl:多用途命令行工具
1.2 在centos8上实现私有CA和证书申请
1.2.1 创建CA相关目录和文件
[root@CentOS8 pki]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@CentOS8 pki]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
#生成证书索引数据库文件
[root@CentOS8 pki]#touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
[root@CentOS8 pki]#echo 01 > /etc/pki/CA/serial
index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
[root@CentOS8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root@CentOS8 CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@CentOS8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID/TCCAuWgAwIBAgIUVBlKcy1c7uBtYCfgMnh0KcpZGzQwDQYJKoZIhvcNAQEL
BQAwgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdKaWFuZ1hpMREwDwYDVQQHDAhO
YW5DaGFuZzEPMA0GA1UECgwGbWFnZWR1MQ8wDQYDVQQLDAZkZXZvcHMxFjAUBgNV
BAMMDWNhLm1hZ2VkdS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWluQG1hZ2VkdS5v
cmcwHhcNMjEwNjE0MTIyNjM2WhcNMzEwNjEyMTIyNjM2WjCBjTELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0ppYW5nWGkxETAPBgNVBAcMCE5hbkNoYW5nMQ8wDQYDVQQK
DAZtYWdlZHUxDzANBgNVBAsMBmRldm9wczEWMBQGA1UEAwwNY2EubWFnZWR1Lm9y
ZzEfMB0GCSqGSIb3DQEJARYQYWRtaW5AbWFnZWR1Lm9yZzCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAOAMheWfLrQxzpMEU0lDeqX0Uqy+Zbgyz//kZBBa
kFzcsALKjlkvYvKrEi8O+vEpmxj4k70Xs6wA5JOKLmYXyrH+Z2Y3N3P8V4tCYdfR
Q9dHJZSdkxXxnAVd9mv07KbmGj5zHmyzZ3WE1XrGPVbFjsbM3HIwjA4W9rraCLcE
V66tP80t76i8uYgWbuZFVMb2BboP+f29l+vtWcG0D0cHEv+k+R50Udc85RI3zSR/
y9/JFdg3SHA7Mj+OUGbgK8O53IVf01wxErWA/qT8xUEMlbjmdGcRrp8twJKDHDd3
XQvUghiWzSe8A7cmY1lb/NXVrAjkmsc3BJ56JCy0IClLFqcCAwEAAaNTMFEwHQYD
VR0OBBYEFOWNke0V96+yX3EOmltGd3hnQLWpMB8GA1UdIwQYMBaAFOWNke0V96+y
X3EOmltGd3hnQLWpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
AHYARZNPnhdtUGjE7MhBgPD2dfctSev9fWXa2u3YRSTH3HvpPS4obVoxAe37cuD5
dsQlGZCJ8ydqwSg1RcKu9b/TnSe8Q3TDJsbp8rQfjoRL/x8W47H0AyyBJRYU3JnG
No4toSOgMcYZzAGewffKL9mWLkL1F8pnksTPJnLtiFNqyTL3nBF9qSUl7fUev52h
U2c2/79YPedziKb098qSdzCn0TdfCixq718Iq+lYfaVREjPgC3XXuup1ZWJJEPRi
LFydiQxgvV2PklVPY1Yg0pZnlvWqgKQRaNNef6I3iifI8r93kcUwTwwBKR4+eVri
ChFdOU0zFgji9SNOiZsCwwE=
-----END CERTIFICATE-----
#查看证书内容
[root@CentOS8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
54:19:4a:73:2d:5c:ee:e0:6d:60:27:e0:32:78:74:29:ca:59:1b:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
Validity
Not Before: Jun 14 12:26:36 2021 GMT
Not After : Jun 12 12:26:36 2031 GMT
Subject: C = CN, ST = JiangXi, L = NanChang, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e0:0c:85:e5:9f:2e:b4:31:ce:93:04:53:49:43:
7a:a5:f4:52:ac:be:65:b8:32:cf:ff:e4:64:10:5a:
90:5c:dc:b0:02:ca:8e:59:2f:62:f2:ab:12:2f:0e:
fa:f1:29:9b:18:f8:93:bd:17:b3:ac:00:e4:93:8a:
2e:66:17:ca:b1:fe:67:66:37:37:73:fc:57:8b:42:
61:d7:d1:43:d7:47:25:94:9d:93:15:f1:9c:05:5d:
f6:6b:f4:ec:a6:e6:1a:3e:73:1e:6c:b3:67:75:84:
d5:7a:c6:3d:56:c5:8e:c6:cc:dc:72:30:8c:0e:16:
f6:ba:da:08:b7:04:57:ae:ad:3f:cd:2d:ef:a8:bc:
b9:88:16:6e:e6:45:54:c6:f6:05:ba:0f:f9:fd:bd:
97:eb:ed:59:c1:b4:0f:47:07:12:ff:a4:f9:1e:74:
51:d7:3c:e5:12:37:cd:24:7f:cb:df:c9:15:d8:37:
48:70:3b:32:3f:8e:50:66:e0:2b:c3:b9:dc:85:5f:
d3:5c:31:12:b5:80:fe:a4:fc:c5:41:0c:95:b8:e6:
74:67:11:ae:9f:2d:c0:92:83:1c:37:77:5d:0b:d4:
82:18:96:cd:27:bc:03:b7:26:63:59:5b:fc:d5:d5:
ac:08:e4:9a:c7:37:04:9e:7a:24:2c:b4:20:29:4b:
16:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
X509v3 Authority Key Identifier:
keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
76:00:45:93:4f:9e:17:6d:50:68:c4:ec:c8:41:80:f0:f6:75:
f7:2d:49:eb:fd:7d:65:da:da:ed:d8:45:24:c7:dc:7b:e9:3d:
2e:28:6d:5a:31:01:ed:fb:72:e0:f9:76:c4:25:19:90:89:f3:
27:6a:c1:28:35:45:c2:ae:f5:bf:d3:9d:27:bc:43:74:c3:26:
c6:e9:f2:b4:1f:8e:84:4b:ff:1f:16:e3:b1:f4:03:2c:81:25:
16:14:dc:99:c6:36:8e:2d:a1:23:a0:31:c6:19:cc:01:9e:c1:
f7:ca:2f:d9:96:2e:42:f5:17:ca:67:92:c4:cf:26:72:ed:88:
53:6a:c9:32:f7:9c:11:7d:a9:25:25:ed:f5:1e:bf:9d:a1:53:
67:36:ff:bf:58:3d:e7:73:88:a6:f4:f7:ca:92:77:30:a7:d1:
37:5f:0a:2c:6a:ef:5f:08:ab:e9:58:7d:a5:51:12:33:e0:0b:
75:d7:ba:ea:75:65:62:49:10:f4:62:2c:5c:9d:89:0c:60:bd:
5d:8f:92:55:4f:63:56:20:d2:96:67:96:f5:aa:80:a4:11:68:
d3:5e:7f:a2:37:8a:27:c8:f2:bf:77:91:c5:30:4f:0c:01:29:
1e:3e:79:5a:e2:0a:11:5d:39:4d:33:16:08:e2:f5:23:4e:89:
9b:02:c3:01
[root@CentOS8 CA]#mkdir /data/app1
[root@CentOS8 CA]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
...............................................................................................................................................+++++
e is 65537 (0x010001)
[root@CentOS8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangXi
Locality Name (eg, city) [Default City]:NanChang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:grain@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS8 CA]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1054 Jun 14 21:01 app1.csr
-rw------- 1 root root 1679 Jun 14 20:56 app1.key
默认三项内容必须和CA一致:国家,省份,组织,如果不同,会出现以下提示
[root@centos8 ~]#openssl ca -in /data/app2/app2.csr -out
/etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (beijing) and the request (hubei)
1.2.5 CA颁发证书
[root@CentOS8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 14:18:05 2021 GMT
Not After : Mar 10 14:18:05 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = JiangXi
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = grain@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:6C:B7:BD:A1:7A:F5:10:1C:FD:78:FC:99:A1:D3:E0:26:06:B9:50
X509v3 Authority Key Identifier:
keyid:E5:8D:91:ED:15:F7:AF:B2:5F:71:0E:9A:5B:46:77:78:67:40:B5:A9
Certificate is to be certified until Mar 10 14:18:05 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[root@CentOS8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 12 files
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Valid (V)
[root@CentOS8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/02.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@CentOS8 CA]#openssl ca -status 02
Using configuration from /etc/pki/tls/openssl.cnf
02=Revoked (R)
1.2.9 生成证书吊销列表文件
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140431109904192:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140431109904192:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@CentOS8 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@CentOS8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS8 CA]#cat /etc/pki/CA/crlnumber
02