Security matters not only in everyday life; it is just as important on the network.

HTTPS (HTTP Secure)

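Start with HTTP. It is a protocol at the Application layer of the seven-layer OSI model, and the two communicating parties first establish a connection with a three-way handshake. That is where the problem arises:
with so many devices along the path, how can we guarantee that the data has not been tampered with? HTTPS was created to answer this question.
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) exist to solve exactly this problem.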
https://en.wikipedia.org/wiki/Transport_Layer_Security

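What is PKI? It is a standard; the technologies developed under this standard to provide basic security services are collectively called PKI.

CA (Certificate Authority)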

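1. Receive and verify end users' applications for digital certificates
2. Decide whether to accept an end user's application (certificate approval)
3. Issue, or refuse to issue, a digital certificate to the applicant (certificate issuance)
4. Receive and process end users' certificate update requests (certificate renewal)
5. Receive end users' certificate queries and revocation requests
6. Generate and publish the certificate revocation list (CRL)
7. Archive digital certificates
8. Archive keys
9. Archive historical data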

On Linux, we can use the openssl command to build our own CA and issue certificates.
The main configuration file is /etc/pki/tls/openssl.cnf

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /root/ca/demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)

SSL certificates

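# Create the CA directory structure
mkdir -p demoCA/{private,newcerts}
touch demoCA/index.txt
echo 01 > demoCA/serial
cp /etc/pki/tls/openssl.cnf .
# Resulting layout:
# ├── demoCA
# │   ├── index.txt
# │   ├── newcerts
# │   ├── private
# │   └── serial
# └── openssl.cnf
# Generate the CA private key
openssl genrsa -out ./demoCA/private/cakey.pem 2048
# Generate the self-signed CA certificate, written where openssl.cnf expects it ($dir/cacert.pem)
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
# Generate a user key pair (2048 bits; 1024-bit RSA is too weak to use today) and a CSR for it
openssl genrsa -out rsa_private_key.pem 2048
openssl rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
openssl req -new -key rsa_private_key.pem -out zongbao.csr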

openssl x509 -noout -text -in
cfssl-certinfo -cert

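Example: generating a certificate for nginx

Step 1: generate the csr file and the key file
Step 2: submit the csr file to the CA
Step 3: receive the crt file
Step 4: put the three files maketea_loc.csr maketea_loc.key maketea_loc.crt in the /etc/ssl/private directory
Step 5: modify the nginx configuration file

openssl genrsa -out nginx.key 2048
The contents of the file look like this: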

-----BEGIN RSA PRIVATE KEY-----
(omitted)
-----END RSA PRIVATE KEY-----

openssl req -new -key nginx.key -out nginx.csr
You will be prompted to enter some related information.

The contents of the file look like this:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

openssl ca -in nginx.csr -out nginx.crt -config openssl.cnf
This produces the nginx.crt file.
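
The openssl ca step above signs under policy = policy_match from the openssl.cnf shown earlier, so a CSR whose country, state or organization differs from the CA's is refused. The script below is an added example, not code from the original post: it builds a throwaway CA in a temporary directory, signs a matching CSR, shows a mismatching one being rejected, and checks the chain and the key. The file name ca.cnf, the subject values and the helper names (ca_demo, newreq, sign) are assumptions made for the example.

```shell
# Added example; run with: ca_demo. ca.cnf, the subjects and helper names are constructed.
ca_demo() (
  set -e
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  mkdir -p demoCA/private demoCA/newcerts; : > demoCA/index.txt; echo 01 > demoCA/serial
  # Trimmed config: same CA_default layout and policy_match rules as the page's openssl.cnf.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_days = 30
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = CA:true
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  base="/C=CN/ST=Beijing"   # constructed subject prefix shared by the CA and both CSRs
  newreq() { openssl req -new -newkey rsa:2048 -nodes -config ca.cnf "$@" 2>/dev/null; }
  newreq -x509 -days 30 -extensions v3_ca -subj "$base/O=Example Corp/CN=Demo CA" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
  newreq -subj "$base/O=Example Corp/CN=www.test.site" -keyout good.key -out good.csr
  newreq -subj "$base/O=Other Org/CN=blog.test.site" -keyout bad.key -out bad.csr
  sign() { openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null; }
  signed=0; rejected=0; chain=0; keymatch=0
  if sign good; then signed=1; fi
  if ! sign bad; then rejected=1; fi   # organizationName differs from the CA's
  if openssl verify -CAfile demoCA/cacert.pem good.crt >/dev/null 2>&1; then chain=1; fi
  a=$(openssl x509 -in good.crt -noout -pubkey); b=$(openssl pkey -in good.key -pubout)
  if [ "$a" = "$b" ]; then keymatch=1; fi   # certificate carries the public half of good.key
  echo "signed=$signed rejected=$rejected chain=$chain keymatch=$keymatch"
)
```

The same chain check (openssl verify -CAfile) and public-key comparison are worth running on a real .crt before it is installed in nginx.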

Installing certbot

certbot is the certificate tool officially recommended by Let's Encrypt.

wget https://dl.eff.org/certbot-auto  # download
chmod a+x ./certbot-auto  # make it executable
./certbot-auto -n  # install dependencies
./certbot-auto certonly --standalone --email test@example.com -d www.test.site  # one certificate for a single domain
./certbot-auto certonly --standalone --email test@example.com -d www.test.site -d blog.test.site  # one certificate covering multiple domains

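Note that during validation ports 80/443 must be reachable from outside and must not be in use. If nginx is already occupying these ports, stop nginx first.

Viewing the certificates

ls /etc/letsencrypt/live/
To back them up to a local machine, use the scp command: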
scp -r root@ip:/etc/letsencrypt /Users/test

Configuring nginx

ssl_certificate /etc/letsencrypt/live/www.test.site/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.test.site/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1/TLSv1.1 dropped: deprecated by RFC 8996; TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+

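Automatic renewal

Certificates are valid for three months by default, so they have to be re-issued after three months.
You can add the following rule to crontab:
0 3 */5 * * /root/certbot-auto renew
This runs a renewal every five days. The schedule can of course be adjusted, but do not run it too often, because there are limits on the number of requests.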
