linux,SSL的实现过程-阿里云开发者社区

SSL 的实现过程

首先，客户端与服务器端进行三次握手。（因为http基于TCP/IP协议进行通信），然后他们建立SSL会话，协商要使用的加密算法，当协商完成之后。服务器端就会将自己的证书发送给客户端，客户端验证发现没有问题之后，就会生成一个对称密钥发送给服务器端，然后客户端就发送请求给服务器端，服务器端便会使用刚刚客户端发来的对称密钥加密将内容发送给客户端。这样ssl会话就建立起来了。

但是，客户端如何验证服务器的证书是否真实呢，那么便需要一个CA:第三方证书颁发机构给我们的服务器端颁发证书。所以客户端便可以到CA去验证服务器端的证书。

这时候的CA，应该自己有一份证书保存在客户端这边，并且这段证书是自签的。（用以客户端可以到CA去验证服务器端的证书。）

那么服务器端如何到CA让CA给自己搞一份证书呢：首先服务器端先生成一份密钥，将公钥交给CA，由CA对它签署并生成证书，保存一份并回送给服务器端。服务器对其进行配置使用，然后在通话过后就可以将证书发送给客户端，客户端询问CA在进行验证。

①前提：

要想使你的web服务器支持ssl功能，第一步得安装SSL模块

[root@Cyz ~]# yum install mod_ssl
//查看都安装了什么
[root@Cyz ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf //说明是配置文件，更改配置需要重启
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl //缓存目录
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

②提供CA

重新找台主机，用这台主机做我们的CA：这台主机的IP为111.9

要想做CA,首先得生成自签证书，：

[root@localhost ~]# cd /etc/pki/CA/
//生成私钥
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
//umask为了生成时权限其他用户无权限访问 –out表示路径）
Generating RSA private key, 2048 bit long modulus
.......................................+++
........................+++
e is 65537 (0x10001)
//查看权限
[root@localhost CA]# ls -l private/
total 8
-rw------- 1 root root 1679 Apr 10 16:15 cakey.pem //600的权限
//然后去修改配置文件中的默认信息，将其改为我们通常使用的
[root@localhost CA]# vim ../tls/openssl.cnf

//为自己生成自签证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
//然后继续编辑openssl.cnf找到
[ CA_default ]
dir = /etc/pki/CA//改为这样子
//然后创建
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
//这个时候就已经准备好了CA就可以使用了

这个时候回到我们的客户端111.1

[root@Cyz ~]# cd /etc/httpd/ //保存在这里
[root@Cyz httpd]# mkdir ssl
[root@Cyz httpd]# ls
conf conf.d logs modules run ssl
[root@Cyz httpd]# cd ssl/
[root@Cyz ssl]# ls
[root@Cyz ssl]# (umask 077; openssl genrsa 1024 > httpd.key) //生成密钥
Generating RSA private key, 1024 bit long modulus
................................++++++
.....................................................++++++
e is 65537 (0x10001)
[root@Cyz ssl]# ll
total 8
-rw------- 1 root root 887 Apr 10 16:33 httpd.key
[root@Cyz ssl]# openssl req -new -key httpd.key -out httpd.csr //生成证书颁发请求
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.magedu.com
Email Address []:hello@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Cyz ssl]# ls
httpd.csr httpd.key
[root@Cyz ssl]# scp httpd.csr 172.16.111.9:/tmp //将csr（证书签署请求）复制到CA
The authenticity of host '172.16.111.9 (172.16.111.9)' can't be established.
RSA key fingerprint is 44:0a:1f:77:7f:cb:df:09:a8:8d:ac:23:47:b3:a8:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.111.9' (RSA) to the list of known hosts.
root@172.16.111.9's password:
httpd.csr 100% 704 0.7KB/s 00:00

然后回到CA进行签署

[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 10 08:41:24 2013 GMT
Not After : Apr 8 08:41:24 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Tech
commonName = hello.magedu.com
emailAddress = hello@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:B1:D2:C5:48:58:66:7B:35:71:BD:62:1D:77:85:12:EB:36:DF:63
X509v3 Authority Key Identifier:
keyid:30:86:2F:D5:DC:10:09:DA:38:19:E5:72:34:05:D5:5D:CE:83:B2:86
Certificate is to be certified until Apr 8 08:41:24 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated //颁发成功
//去查看生成的证书
[root@localhost CA]# cd /etc/pki/CA/
[root@localhost CA]# ls
cacert.pem crl index.txt.attr newcerts serial
certs index.txt index.txt.old private serial.old
[root@localhost CA]# cat index.txt //查看内容
V 230408084124Z 01 unknown /C=CN/ST=Henan/O=MageEdu/OU=Tech/CN=hello.magedu.com/emailAddress=hello@magedu.com
[root@localhost CA]# cat serial //已经自动排序
02
//然后把证书发送给请求者。这里我们到客户端去复制证书
[root@Cyz ssl]# scp 172.16.111.9:/tmp/httpd.crt ./
root@172.16.111.9's password:
httpd.crt 100% 3864 3.8KB/s 00:00
这个时候要记得返回CA中将tmp下的临时文件给删除掉以免别人获取
[root@localhost CA]# cd /tmp/
[root@localhost tmp]# ls
busybox grub-install.log.s11228 httpd.csr whatis.Fa3163
grub-install.img.o11227 httpd.crt initrd
[root@localhost tmp]# rm httpd.c*
rm: remove regular file `httpd.crt'? y
rm: remove regular file `httpd.csr'? y