溫馨提示×

登 錄 注冊有禮
云服務器 香港服務器 高防服務器
最新更新 網站標簽 地圖導航
產品

Linux OpenSSL如何實現雙向認證

小樊
83
2025-02-21 21:58:15
欄目: 云計算

在Linux系統中,使用OpenSSL實現雙向認證(也稱為客戶端證書認證)涉及以下幾個步驟:

1. 生成CA證書和密鑰

首先,你需要創建一個證書頒發機構(CA),并生成CA證書和密鑰。

# 創建CA目錄
mkdir ca
cd ca

# 創建CA配置文件
cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = ./certs
certs             = \$dir/certs
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/private/.rand

private_key       = \$dir/private/ca.key
certificate       = \$dir/cacert.pem

crlnumber         = \$dir/crlnumber
crl               = \$dir/crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
preserve          = no
policy            = policy_strict

[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# 生成CA私鑰
openssl genpkey -algorithm RSA -out ca/private/ca.key -aes256

# 生成CA證書
openssl req -config openssl.cnf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem

# 初始化數據庫和序列號文件
echo 1000 > index.txt
openssl rand -out serial 0

2. 生成服務器證書和密鑰

接下來,生成服務器證書和密鑰,并使用CA簽名。

# 創建服務器目錄
mkdir server
cd server

# 創建服務器配置文件
cat > openssl.cnf <<EOF
[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = example.com

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com

[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 生成服務器私鑰
openssl genpkey -algorithm RSA -out server.key -aes256

# 生成服務器證書簽名請求(CSR)
openssl req -new -key server.key -out server.csr -config openssl.cnf

# 使用CA簽名服務器CSR
openssl x509 -req -in server.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_server

3. 生成客戶端證書和密鑰

同樣地,生成客戶端證書和密鑰,并使用CA簽名。

# 創建客戶端目錄
mkdir client
cd client

# 創建客戶端配置文件
cat > openssl.cnf <<EOF
[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = client.example.com

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = client.example.com

[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# 生成客戶端私鑰
openssl genpkey -algorithm RSA -out client.key -aes256

# 生成客戶端證書簽名請求(CSR)
openssl req -new -key client.key -out client.csr -config openssl.cnf

# 使用CA簽名客戶端CSR
openssl x509 -req -in client.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_client

4. 配置服務器以使用客戶端證書認證

編輯服務器的SSL配置文件(例如/etc/ssl/openssl.cnf/etc/httpd/conf.d/ssl.conf),添加以下內容:

[ SSL ] 
SSLCACertificateFile /path/to/ca/cacert.pem 
SSLCertificateFile /path/to/server.crt 
SSLCertificateKeyFile /path/to/server.key 
SSLVerifyClient require 
SSLVerifyDepth 10 
SSLOptions +StdEnvVars

5. 配置客戶端以使用其證書

在客戶端上,確??蛻舳俗C書和私鑰可用,并在需要時配置應用程序使用這些證書。

6. 測試雙向認證

啟動服務器并嘗試連接到它。服務器應該要求客戶端提供證書,并驗證該證書是否由受信任的CA簽發。

通過這些步驟,你可以在Linux系統中使用OpenSSL實現雙向認證。

0

最新問答

相關問答

相關標簽

Windows7 linux服務器 ping spring框架 input值 spring mvc win7系統 win10 win8 springboot sprintf函數 selinux insert int findOne() input zIndex linux云服務器 Linux系統 LINUX主機
產品服務
地區劃分
專題活動
幫助支持
關于我們
售后咨詢
7*24小時在線電話:400-100-2938
7*24小時在線 QQ:800811969
關注億速云

億速云公眾號

手機網站二維碼

Copyright ? Yisu Cloud Ltd. All Rights Reserved. 2018 版權所有

廣州億速云計算有限公司粵ICP備17096448號-1 粵公網安備 44010402001142號增值電信業務經營許可證編號:B1-20181529

亚洲午夜精品一区二区_中文无码日韩欧免_久久香蕉精品视频_欧美主播一区二区三区美女