菜鸟学Linux 第044篇笔记 算法和私有CA

证书吊销列表CRL(Certificate Revocation List )

如何解决私钥丢失

PKI: Public Key Infrastructure

CA: Cretificate Authority

证书存储格式 x509, pkcs12

x509

公钥及其有效期限

证书的合法拥有者

证书该如何被使用

CA的信息

CA签名的校验码

PKI的实现架构

PKI: TLS/SSL：x509

PKI: OpenGPG

SSL (Secure Socket Layer)公司开发的

SSLv2, SSLv3

TLS (Transport Layer Security) v1=SSLv3 国际标准化组织ISO

对称加密算法

DES: Data Encryption Standard, 56bit

3DES: 上边的3次加密

AES：Advanced Encryption Standard

AES192, AES256, AES512 越长加密性越高，速度也越慢

Blowfish

实现对称加密的工具openssl gpg

单向加密

MD4

MD5 128bit

SHA1 160bit

SHA192, SHA256, SHA384

CRC-32不是加密算法，是一种校验码的计算机制，所以不提供任何安全性

非对称加密（公钥加密）：

功能：

身份认证（数字签名）

数据加密

密钥交换

加密算法

RSA 加密、签名

DSA 只可签名

ElGamal

OpenSSL: SSL的开源实现（软件） www.openssl.org

libcrypto 通用加密库

libssl TLS/SSL的实现

基于会话、实现了身份认证、数据机密性和会话完整性的TLS/SSL库

openssl 多用途命令行工具

实现私有证书颁发机构

/etc/pki/tls/openssl.cnf 该配置文件是用来让openssl工作为私有CA的时候使用

子命令：（简单讲解）注意前边都得加父命令openssl

speed des3 用户测试加密数据所需要用的时间

(注意后边最好写一个具体的算法，不然每一种算法都会测试一次)、

enc

-ciphername

-in filename

the input filename, standard input by default.

-out filename

the output filename, standard output by default.

-salt

use a salt in the key derivation routines. This option should ALWAYS be

used unless compatibility with previous versions of OpenSSL or SSLeay is

required. This option is only present on OpenSSL versions 0.9.5 or above.

-e  encrypt the input data: this is the default.

-d  decrypt the input data.

e.g. 加密文件 openssl enc -des3 -in inittab -out inittab.enc -a -e

加密文件 openssl enc -des3 -in inittab.enc -out inittab.d -d -a

(注意如果加了salt解密时也需要加上salt)

dgst

(dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests)

format : openssl dgst -algorithm

e.g. openssl dgst -shal inittab

openssl dgst -md5 inittab

passwd

-crypt

Use the crypt algorithm (default).

-1  Use the MD5 based BSD password algorithm 1.

-salt string

Use the specified salt.  When reading a password from the terminal, this

implies -noverify.

e.g.  openssl passwd -1  输入一个密码即可制作出该密码的md5特征码

rand (random number generator)

openssl子命令帮助获取

首先先用whatis查询一下子命令，然后看提示再使用man

md5sum filename 计算文件的md5特征码

sha1sum filename 计算文件的sha1特征码

openssl实现私有CA：

1、先生成一对密钥

genrsa (generate an RSA private key)

numbits

the size of the private key to generate in bits. This must be the last

option specified. The default is 512.

rsa (RSA key processing tool)

-in filename

This specifies the input filename to read a key from or standard input if

this option is not specified. If the key is encrypted a pass phrase will

be prompted for.

-pubout

by default a private key is output: with this option a public key will be

output instead. This option is automatically set if the input is a public

key.

-out the same like before.

e.g. openssl genrsa 生成私钥

openssl genrsa 512 生成512位私钥

openssl genrsa > server.key  注意密钥的权限

(umask 077; openssl genrsa -out server1024.key 1024)修改密钥权限

openssl rsa -in server.key -pubout

2、生成自签署证书

req (PKCS#10 certificate request and certificate generating utility.)

-new

this option generates a new certificate request. It will prompt the

user for the relevant field values. The actual fields prompted for and

their maximum and minimum sizes are specified in the configuration

file and any requested extensions.

-x509

this option outputs a self signed certificate instead of a certificate

request. This is typically used to generate a test certificate or a

self signed root CA. The extensions added to the certificate (if any)

are specified in the configuration file. Unless specified using the

set_serial option 0 will be used for the serial number.

-key filename

This specifies the file to read the private key from. It also accepts

PKCS#8 format private keys for PEM format files.

-out filename

This specifies the output filename to write to or standard output by

default.

-days n

when the -x509 option is being used this specifies the number of days

to certify the certificate for. The default is 30 days.

生成自签署证书

openssl req -new -x509 -key server.key -out server.crt -days 365

x509 (Certificate display and signing utility)

-text

prints out the certificate in text form. Full details are output

including the public key, signature algorithms, issuer and subject

names, serial number any extensions present and any trust settings.

-in filename

This specifies the input filename to read a certificate from or stan-

dard input if this option is not specified.

查看自签署证书

openssl x509 -text -in server.crt

1.在/etc/pki/CA/private/目录下生成CA私钥命名为cakey.pem

在/etc/pki/CA/目录下生成CA的证书命名为cacert.pem

在/etc/pki/CA/创建目录certs  crl  newcerts

在/etc/pki/CA/创建文件index.txt serial并在serial输入序号01

2.模拟申请证书颁发请求

mkdir /etc/http

cd /etc/http

mkdir ssl

cd ssl

(umask 077; openssl genrsa -out httpd.key 1024) 生成私钥

openssl req -new -key httpd.key -out httpd.csr 生成证书请求

openssl ca -in httpd.csr -out httpd.crt  签署该证书请求，生成证书

脚本完成CA的建立，并生成自签证书(高手的话可以练习一下，目前我没做以后我会试试呵呵 )