Ssl

SSL certificates

Posted by zhangshun on May 16, 2019

Certificate creation and request workflow

DER is a binary-encoded certificate; PEM is an ASCII (Base64) encoded certificate; CRT is simply a certificate file, which may be in either binary or ASCII form.

A keystore can be thought of as a store of keys, where a key entry is made up of a public key, a private key, a digital signature and so on. A truststore holds digital certificates that contain only public keys, representing the certificates that are trusted, whereas a keystore contains private keys.

```
a. Self-signed certificate issuance
	generate a private key ---> use it to create a certificate request ----> the issuer signs the request with its own private key
	private.key --> certificate.req ----> (req + private.key) ---> certificate.crt

b. Requesting a certificate from a CA
	private.key ---> certificate.req ------> (my.req + ca.key + ca.crt) --> certificate.crt
```

Certificate creation

  • Certificate creation commands
    • Generate a private key: openssl genrsa -out caprivate.key 1024
    • Generate a certificate request: openssl req -key caprivate.key -new -out cacertificate.req
    • Generate the certificate (the validity period can be set): openssl x509 -days 1 -req -in cacertificate.req -signkey caprivate.key -out cacertificate.crt
  • Example of the request and issuance process
    1. Create the private key: openssl genrsa -out ops.key 1024
    2. Generate the certificate request: openssl req -key ops.key -new -out ops.req
    3. Issue the certificate: openssl x509 -req -in ops.req -CA ca_ops.pem -CAkey ca_ops.key -out ops.pem -CAcreateserial
    4. Inspect the certificate: openssl x509 -in ops.pem -noout -text

Client test

1. Import the certificate on the client

keytool -genkey -keystore "/root/ops.keystore" -alias ops -keyalg RSA -validity 365 : create a keystore

keytool -list -keystore ops : list the certificates in the keystore

keytool -import -keystore ops -file ops.crt -alias inteliOld : import a certificate into the keystore

keytool -delete -alias ops -keystore ops : delete a certificate from the keystore

2. Client access code

Write FoxClient.java with vim, compile it with javac FoxClient.java, then run java FoxClient to test the HTTPS connection.

```java
import java.io.*;
import java.security.KeyStore;
import javax.net.ssl.*;

public class FoxClient {
    public static void main(String[] args) throws Exception {
        // Truststore built with keytool above: it holds only the certificate(s)
        // this client is willing to trust, instead of the JDK's default CA set.
        String clientTrustKeyStoreFile = "ops";
        String clientTrustKeyStorePwd = "123456";
        KeyStore clientTrustKeyStore = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(clientTrustKeyStoreFile)) {
            clientTrustKeyStore.load(fis, clientTrustKeyStorePwd.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientTrustKeyStore);

        // "TLS" negotiates the newest version both sides support; the original
        // "TLSv1" is disabled by default in current JDKs and the handshake fails.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        SSLSocketFactory socketFactory = sslContext.getSocketFactory();
        SSLSocket socket = (SSLSocket) socketFactory.createSocket("1.1.1.1", 443);
        // A bare SSLSocket validates the chain against the truststore but does
        // NOT check that the certificate matches the host name. To turn that on:
        //   SSLParameters p = socket.getSSLParameters();
        //   p.setEndpointIdentificationAlgorithm("HTTPS");
        //   socket.setSSLParameters(p);

        PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
        BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));

        send("GET / HTTP/1.1", out);
        send("Host: ops.intellicredit.cn", out);
        // Ask the server to close after the response; otherwise the HTTP/1.1
        // keep-alive connection stays open and receive() never returns.
        send("Connection: close", out);
        send("", out); // an empty line terminates the request headers
        receive(in);
        socket.close();
    }

    public static void send(String s, PrintWriter out) throws IOException {
        System.out.println("Sending: " + s);
        out.println(s);
    }

    public static void receive(BufferedReader in) throws IOException {
        String s;
        while ((s = in.readLine()) != null) {
            System.out.println("Received: " + s);
        }
    }
}
```

Self-signed CA certificate

```
vim /etc/pki/tls/openssl.conf

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = zzc

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = ops_test.intellicredit.cn

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = zhangshun@intellicredit.cn
# SET-ex3                       = SET extension number 3
____________________________________________________________________________________________________________

### CA self-signed certificate
[root@k8s-node02 CA]# pwd
/etc/pki/CA
## Create the bookkeeping files openssl ca needs
[root@k8s-node02 CA]# touch index.txt serial crlnumber
[root@k8s-node02 CA]# echo 01 > serial
## Generate the CA private key; mind the file permissions
[root@k8s-node02 CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
## Generate the CA certificate
[root@k8s-node02 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
[root@k8s-node02 CA]# cd /tmp
## Generate the server private key; mind the permissions
[root@k8s-node02 CA]# (umask 077; openssl genrsa -out server.key 2048)
## Generate the server certificate request; note: the Common Name must be set to the server's domain name
[root@k8s-node02 CA]# openssl req -new -key server.key -out server.csr
## Issue the CA-signed server certificate
[root@k8s-node02 CA]# openssl ca -in server.csr -out server.crt -days 365
[root@k8s-node02 CA]# cat /etc/pki/CA/index.txt
V	200520070531Z		01	unknown	/C=CN/ST=Beijing/O=zzc/OU=IT/CN=ops_test.intellicredit.cn/emailAddress=zhangshun@intellicredit.cn
```

When the CA signs certificates, only one certificate can be issued per domain name (subject); to issue several certificates for the same domain, the CA's configuration in /etc/pki/CA/index.txt.attr has to be changed.

Tested on Windows: after importing only the issued server certificate, the browser still reports the site as insecure; after importing the CA certificate as well, some browsers are fine (Chrome and 360 still fail, Firefox and IE work).
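The CA workflow above as an added example (these are not the post's own commands), rebuilt in a scratch directory with the one change that explains the Chrome/360 failure: the server certificate gets a subjectAltName, which Chromium-based browsers require because they ignore the CN, and the chain and host name are then checked with openssl verify. The host name and subject values are assumed examples, and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Issues a private CA and a server
# certificate with a SAN, then verifies chain and host name like a client would.
set -eu

issue_server_cert() {
    host="$1"
    dir=$(mktemp -d)
    (
        cd "$dir"
        # Minimal req config so the commands run non-interactively anywhere;
        # v3_ca marks the root as a CA (the post relies on the system openssl.cnf).
        printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > req.cnf

        # 1. CA key (mode 0600 via umask 077, as in the post) and self-signed CA cert.
        (umask 077; openssl genrsa -out ca.key 2048 2>/dev/null)
        openssl req -config req.cnf -new -x509 -extensions v3_ca -key ca.key \
            -out ca.crt -days 365 -subj "/C=CN/ST=Beijing/O=zzc/CN=Example Private CA"

        # 2. Server key and CSR. The CN alone is no longer enough for browsers.
        (umask 077; openssl genrsa -out server.key 2048 2>/dev/null)
        openssl req -config req.cnf -new -key server.key -out server.csr \
            -subj "/C=CN/ST=Beijing/O=zzc/CN=$host"

        # 3. Sign with the CA, adding a SAN and pinning the cert as a non-CA leaf
        #    for server authentication only.
        printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
            "$host" > ext.cnf
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out server.crt -days 365 -extfile ext.cnf 2>/dev/null
        # Note: the post's "openssl ca" flow refuses a second cert for the same
        # subject until index.txt.attr contains "unique_subject = no";
        # "openssl x509 -req" used here keeps no such database.

        # 4. Verify the chain against the CA, then also the host name.
        openssl verify -CAfile ca.crt server.crt >/dev/null
        openssl verify -CAfile ca.crt -verify_hostname "$host" server.crt >/dev/null

        # Output: number of SAN entries naming the host (expected: 1).
        openssl x509 -in server.crt -noout -text | grep -c "DNS:$host"
    )
}
```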
