SSL/TLS基本概念
- SSL 安全套接字协议(Secure Socket Layer)是web浏览器与web服务器之间安全交换信息的协议,提供两个基本的安全服务:信息加密与身份鉴别。
- TLS 传输层安全协议 (Transport Layer Security). 是SSL的升级版.
HTTPS 协议是"HTTP协议"和"SSL/TLS协议"的组合, HTTPS 可以理解为 "HTTP over SSL"或者"HTTP over TLS". - SSL证书: SSL安全协议主要用来提供对用户和服务器的认证; 对传送的数据进行加密和隐藏, 确保数据在传送过程中不被改变, 即数据的完整性. SSL证书在客户端浏览器和web服务器之间建立了一条SSL安全通道.
证书相关文件
- 私钥
私钥是一个算法名称加上密码串, 用来加解密用的文件或者字符串. - 公钥
公钥也是一个算法名称加上密码串, 一般不会单独给别人,而是嵌在证书一起给. - 密钥
用来加解密的文件或者字符串. 在非对称加密的领域里, 指的是私钥和公钥,他它们总是成对出现,主要作用是加密和解密. 常用的加密强度是2048bit. - CA
certificate authority, 认证证书的第三方机构, 专门用自己的私钥给别人进行签名的单位或者机构. - 证书(签名)申请文件
在公钥的基础上加一些申请人的属性信息, 比如: 域名, 名称, 国家,地区等, 然后带上签名,发给CA. - 证书文件
证书由公钥加上描述信息, 然后经过私钥签名之后得到. 一般都是一个人的私钥给另一个人的公钥签名,如果是自己的私钥给自己的公钥签名, 叫自签名. - 数字签名:只要对信息进行更改,就不能验证通过,过程:CA机构也有两个密钥,CA将服务端的公钥作为输入参数进行Hash计算,CA私钥进行进行加密并与公钥绑定一起,生成数字签名. 服务端将含有数字签名和公钥发送给客户端,客户端会有CA的公钥,然后进行验证,在传输过程中是否对其进行更改,如果更改就是无效.
证书文件格式
- .key
私钥 - .csr
certificate signing request, 证书签名申请文件, 含有公钥信息 - .crt
certificate 缩写, 证书文件 - . crl
证书吊销列表 - .pem
用于导入,导出证书时候的证书格式
SSL/TLS证书
CA根证书
在多数情况下,网站的证书需要通过CA机构申请得到。根证书实际上是自签名证书,是CA机构颁发给自己的证书,是信任链的起始点。
当申请人向CA机构申请数字证书时,由证书认证机构(CA)对证书申请者真实身份验证之后,用CA的根证书对申请人的一些基本信息以及申请人的公钥进行签名(相当于加盖发证书机构的公章)后形成的一个数字文件。数字证书包含证书中所标识的实体的公钥(就是说你的证书里有你的公钥),由于证书将公钥与特定的个人匹配,并且该证书的真实性由颁发机构保证(就是说可以让大家相信你的证书是真的)。因此,数字证书为如何找到用户的公钥并知道它是否有效这一问题提供了解决方案。
浏览器在判定证书的合法性时,需要知道网站的证书是由哪个CA的根证书签名的,所以通常情况下浏览器会将公认的受信任的CA机构的根证书内置在浏览器内,以便比对。同时,当CA机构由SSL/TLSz 于某些原因,不再被信任时,浏览器将移除其根证书。
生成SSL/TLS证书
使用openssl工具生成证书
本文使用生成 根证书和使用根证书的服务端证书的例子, 来演示常用的证书/根证书制作流程.
- 生成根证书
步骤: 生成CA私钥(.key)-->生成CA证书请求(.csr)-->自签名得到根证书(.crt)
- 生成根证书私钥
$ openssl genrsa -out root.key 2048
- 生成根证书签名申请文件
$ openssl req -new -key root.key -out root.csr
Can't load /root/.rnd into RNG
140423347425728:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reduxsolutions
Organizational Unit Name (eg, section) []:reduxsolutions
Common Name (e.g. server FQDN or YOUR name) []:redux
Email Address []:redux@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redux110
An optional company name []:
- 生成根证书文件
$ openssl x509 -req -days 730 -in root.csr -signkey root.key -out root.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = reduxsolutions, OU = reduxsolutions, CN = redux, emailAddress = redux@126.com
Getting Private key
- 生成服务器证书
步骤: 生成私钥(.key)-->生成证书请求(.csr)-->用CA根证书签名得到证书(.crt)
- 生成服务器私钥
$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................................+++++
...................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
- 生成服务端证书签名申请文件
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
Can't load /root/.rnd into RNG
139698436477376:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:reduxsolutions
Organizational Unit Name (eg, section) []:reduxsolutions
Common Name (e.g. server FQDN or YOUR name) []:redux
Email Address []:redux@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redux110
An optional company name []:
- 生成服务端证书
使用根证书root.crt以及对应的私钥root.key来进行签名,而不是服务器端的私钥server.key
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
Can't load /root/.rnd into RNG
140437933367744:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
ca: ./demoCA/newcerts is not a directory
./demoCA/newcerts: No such file or directory
创建demoCA/newcerts文件夹
$ mkdir -p demoCA/newcerts
$ ls
demoCA root.crt root.csr root.key server.csr server.key
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
Can't load /root/.rnd into RNG
140005288329664:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
140005288329664:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./demoCA/index.txt','r')
140005288329664:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
创建demoCA/index.txt文件
$ touch demoCA/index.txt
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
Can't load /root/.rnd into RNG
139853514875328:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
139853514875328:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./demoCA/index.txt.attr','r')
139853514875328:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
./demoCA/serial: No such file or directory
error while loading serial number
139853514875328:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./demoCA/serial','r')
139853514875328:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
创建 demoCA/serial文件
$ touch demoCA/serial
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
Can't load /root/.rnd into RNG
140570973553088:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
140570973553088:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('./demoCA/index.txt.attr','r')
140570973553088:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load number from ./demoCA/serial
error while loading serial number
140570973553088:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:../crypto/asn1/f_int.c:140:
$ echo 01 > demoCA/index.txt
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
Can't load /root/.rnd into RNG
140389142421952:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
$ cd /root
$ openssl rand -writerand .rnd
$ cd -
$ openssl ca -in server.csr -out server.crt -cert root.crt -keyfile root.key
Using configuration from /usr/lib/ssl/openssl.cnf
$ ls
demoCA root.crt root.csr root.key server.csr server.key
生成.pem文件
有时需要用到pem格式的证书,可以用以下方式合并证书文件(crt)和私钥文件(key)来生成
cat server.crt server.key > server.pem
使用服务端的证书文件作为nginx 证书
server {
listen 8090 ssl;
server_name localhost;
ssl_certificate cert/server.pem; #需要将cert-file-name.pem替换成已上传的证书文件的名称。
ssl_certificate_key cert/server.key; #需要将cert-file-name.key替换成已上传的证书私钥文件的名称。
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#表示使用的加密套件的类型。
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; #表示使用的TLS协议的类型。
ssl_prefer_server_ciphers on;
location / {
root /home/redux/renspace/magic-web/dist;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
location /apis/{
proxy_pass http://212.64.49.204:8027/;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
