如何用OpenSSL在Linux上實現雙向認證

在Linux上使用OpenSSL實現雙向認證（也稱為客戶端證書認證）涉及幾個步驟，包括生成證書頒發機構（CA）、生成服務器證書和密鑰、生成客戶端證書和密鑰，以及配置服務器和客戶端以使用這些證書進行雙向認證。以下是一個詳細的步驟指南：

1. 生成CA證書和密鑰

首先，你需要創建一個CA（證書頒發機構），用于簽發服務器和客戶端的證書。

# 創建CA目錄
mkdir -p ca/newcerts
echo 1000 > ca/serial

# 創建CA配置文件
cat <<EOF > ca/openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/ssl-ca
certs             = \$dir/certs
crl_dir           = \$dir/crl
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/private/.rand

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
organizationName                = Organization Name
commonName                      = Common Name

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# 創建CA私鑰
openssl genpkey -algorithm RSA -out ca/private/ca-key.pem -aes256

# 創建CA證書
openssl req -config ca/openssl.cnf -key ca/private/ca-key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem

# 創建CA目錄權限
chmod 700 ca/private
chmod 644 ca/*.pem

2. 生成服務器證書和密鑰

接下來，生成服務器的證書和密鑰。

# 創建服務器目錄
mkdir -p server/newcerts
echo 1000 > server/serial

# 創建服務器配置文件
cat <<EOF > server/openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/ssl-ca
certs             = \$dir/certs
crl_dir           = \$dir/crl
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/private/.rand

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
organizationName                = Organization Name
commonName                      = Common Name

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 創建服務器私鑰
openssl genpkey -algorithm RSA -out server/private/server-key.pem -aes256

# 創建服務器證書簽名請求（CSR）
openssl req -config server/openssl.cnf -key server/private/server-key.pem -new -out server/csr/server-csr.pem

# 使用CA簽發服務器證書
openssl x509 -req -in server/csr/server-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -out server/cert/server-cert.pem -days 365 -sha256

3. 生成客戶端證書和密鑰

同樣地，生成客戶端的證書和密鑰。

# 創建客戶端目錄
mkdir -p client/newcerts
echo 1000 > client/serial

# 創建客戶端配置文件
cat <<EOF > client/openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/ssl-ca
certs             = \$dir/certs
crl_dir           = \$dir/crl
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/private/.rand

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
organizationName                = Organization Name
commonName                      = Common Name

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# 創建客戶端私鑰
openssl genpkey -algorithm RSA -out client/private/client-key.pem -aes256

# 創建客戶端證書簽名請求（CSR）
openssl req -config client/openssl.cnf -key client/private/client-key.pem -new -out client/csr/client-csr.pem

# 使用CA簽發客戶端證書
openssl x509 -req -in client/csr/client-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -out client/cert/client-cert.pem -days 365 -sha256

4. 配置服務器以使用客戶端證書

編輯服務器配置文件（例如/etc/ssl/ssl-ca/server/openssl.cnf），添加以下內容以啟用客戶端證書驗證：

[ server ]
...
SSLVerifyClient require
SSLCACertificateFile /etc/ssl/ssl-ca/cacert.pem

然后重啟服務器以應用更改。

5. 配置客戶端以使用服務器證書

編輯客戶端配置文件（例如/etc/ssl/ssl-ca/client/openssl.cnf），添加以下內容以信任服務器證書：

[ ca ]
...
trusted_first = no

然后重啟客戶端以應用更改。

6. 測試雙向認證

使用openssl s_client命令測試雙向認證：

# 在服務器上運行
openssl s_client -connect localhost:443 -cert client/cert/client-cert.pem -key client/private/client-key.pem -CAfile ca/cacert.pem

# 在客戶端上運行
openssl s_client -connect localhost:443 -cert server/cert/server-cert.pem -key server/private/server-key.pem -CAfile ca/cacert.pem

通過這些步驟，你應該能夠在Linux上使用OpenSSL實現雙向認證。