ssl

f3b012fc · felix · f3b012fc · f3b012fc · f3b012fc · f3b012fc
Commit f3b012fc authored Nov 21, 2019 by felix
Show whitespace changes
Inline Side-by-side

Showing with 354 additions and 0 deletions

.DS_Store
+0 -0

ssl/nginx/.DS_Store
+0 -0

ssl/nginx/conf.d/default.conf
+28 -0

ssl/openssl.cnf
+133 -0

ssl/readme.md
+193 -0

No files found.
--- a/.DS_Store
+++ b/.DS_Store
--- a/ssl/nginx/.DS_Store
+++ b/ssl/nginx/.DS_Store
--- a/ssl/nginx/conf.d/default.conf
+++ b/ssl/nginx/conf.d/default.conf
+server {
+    listen       80;
+    listen       443 ssl;
+    server_name  felix.test.net;
+    ssl_certificate          /etc/nginx/conf.d/ssl/server.crt;
+    ssl_certificate_key      /etc/nginx/conf.d/ssl/server.key;
+    ssl_session_timeout 5m;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    # 开启客户端认证
+    # ssl_crl                 /etc/nginx/conf.d/ssl/crl.pem;
+    # ssl_client_certificate /etc/nginx/conf.d/ssl/cacert.pem;
+    # ssl_verify_client on;
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= .		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several certs with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+policy		= policy_anything
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+default_bits		= 2048
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+string_mask = utf8only
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= CN
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Shanghai
+localityName			= Locality Name (eg, city)
+localityName_default = Shanghai
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Ugen
+organizationalUnitName		= Organizational Unit Name (eg, section)
+organizationalUnitName_default	= Ugen
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+unstructuredName		= An optional company name
--- a/ssl/readme.md
+++ b/ssl/readme.md
+# 证书签发、吊销
+## 参考资料
+- [1] <https://www.cnblogs.com/f-ck-need-u/p/6091027.html>
+- [2] <https://blog.csdn.net/u014721096/article/details/78571287>
+- [3] <https://www.ruanyifeng.com/blog/2018/02/nginx-docker.html>
+- [4] <https://www.jianshu.com/p/e5aef185f0c6>
+## openssl.cnf
+- openssl 可以看成是一个小型服务器，通过文件来管理证书的签发和吊销等操作
+- openssl.cnf 可以理解成服务器的配置,可以查看`参考资料[1][2]`
+## 创建自签证书
+- 创建根证书密钥（以下操作前请先确保目录存在，否则会报错。`windows 建议在 git bash 下执行，否则某些指令会无法使用`）
+```cmd
+openssl genrsa -out ./private/cakey.pem 2048
+```
+- 生成自签署证书，之后用此证书来签发
+```cmd
+openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
+```
+- 创建openssl.cnf中的记录用文件，类似文件形式的数据库
+```cmd
+touch index.txt
+echo "00" > serial
+```
+### 生成服务端证书申请文件
+- 创建服务端密钥
+```cmd
+openssl genrsa 2048 > ./server/server.key
+```
+- 创建证书申请文件(`Common Name` 需要填你服务器的域名)
+```cmd
+openssl req -new -key ./server/server.key -out ./server/server.crq
+```
+- 签发证书(注意 `-config ./openssl.cnf` 这个一定要加上)
+```cmd
+mkdir newcerts
+openssl ca -in ./server/server.crq -out ./server/server.crt -days 3650 -config ./openssl.cnf
+```
+- server目录中的server.crt与server.key可以提供给nginx使用了
+### 验证
+- 准备工作
+  - 配置nginx（直接使用nginx目录即可，配置在default.conf中）
+    ```cmd
+    {
+        ...
+        listen       80;
+        listen       443 ssl;
+        #注意这里要与证书的Common Name相同
+        server_name  felix.test.net;
+        #证书地址
+        ssl_certificate          /etc/nginx/conf.d/ssl/server.crt;
+        ssl_certificate_key      /etc/nginx/conf.d/ssl/server.key;
+        ...
+    }
+    ```
+  - 复制证书到特定目录
+    ```cmd
+    cp ./server/server.crt ./nginx/conf.d/ssl
+    cp ./server/server.key ./nginx/conf.d/ssl
+    ```
+  - 启动nginx（这里使用的docker启动）
+    ```cmd
+    docker run -d -p 127.0.0.1:8080:80 -p 127.0.0.1:8081:443 --rm --name mynginx --volume "$PWD/nginx/conf.d/":/etc/nginx/conf.d/ nginx
+    ```
+  - 修改host
+    ```cmd
+    127.0.0.1       felix.test.net
+    ```
+- 打开浏览器访问 <https://felix.test.net:8081/> 会弹出 `您的连接不是私密连接` 的提示，点击`高级`->`继续前往`,在地址栏这里就能看到我们自签名的证书信息了
+### 吊销证书
+- 吊销证书之前，我们先要开启nginx的ssl双向验证功能。之前只是客户端验证服务端的证书是否有效。现在两端都要验证，使用同一ca签发的证书。这样当ca吊销了其中某一个证书的时候就能体现出来。
+- 创建客户端证书（和服务端基本相同，注意`Common Name`不能和服务端相同）
+    ```cmd
+    openssl genrsa 2048 > ./client/client.key
+    openssl req -new -key ./client/client.key -out ./client/client.crq
+    openssl ca -in ./client/client.crq -out ./client/client.crt -days 3650 -config ./openssl.cnf
+    #生成浏览器能导入的文件
+    openssl pkcs12 -export -clcerts -in ./client/client.crt -inkey ./client/client.key -out ./client/client.p12
+    ```
+- 复制cacert.pem到nginx配置目录下
+    ```cmd
+    cp ./cacert.pem ./nginx/conf.d/ssl
+    ```
+- 配置nginx，取消这两行的注释
+    ```cmd
+    ssl_client_certificate /etc/nginx/conf.d/ssl/cacert.pem;
+    ssl_verify_client on;
+    ```
+- 重新部署nginx
+    ```cmd
+    docker stop mynginx
+    docker run -d -p 127.0.0.1:8080:80 -p 127.0.0.1:8081:443 --rm --name mynginx --volume "$PWD/nginx/conf.d/":/etc/nginx/conf.d/ nginx
+    ```
+- 打开浏览器访问 <https://felix.test.net:8081/> `会提示nginx错误`
+    ```cmd
+    400 Bad Request The SSL certificate error
+    ```
+- 浏览器导入客户端证书 chrome 地址栏输入 `chrome://settings/privacy`->`证书管理`。导入p12文件
+- 再次访问就没问题了,如果还是报错，多试几次。或者关闭浏览器重试。
+- 吊销证书
+  - 拿到需要吊销的证书(./client/client.crt)
+  - 验证证书一致性,检查编号信息与index.txt中是否一致
+    ```cmd
+    openssl x509 -in ./client/client.crt -noout -serial -subject
+    cat index.txt
+    ```
+  - 吊销证书,01.pem就是上面的编号
+    ```cmd
+    openssl ca -revoke ./newcerts/01.pem -config ./openssl.cnf
+    ```
+  - 再次查看index.txt,会出现R开头的数据,代表失效
+    ```cmd
+    R	291118032909Z	191121040110Z	01	unknown	/CN=client.felix.net
+    ```
+  - 生成吊销证书
+    ```cmd
+    echo  01  > ./crlnumber #第一次吊销时使用
+    openssl ca -gencrl -out ./crl.pem -config ./openssl.cnf
+    ```
+  - 部署到nginx
+    ```cmd
+    ssl_crl                 /etc/nginx/conf.d/ssl/crl.pem;
+    ```
+  - 复制ca.crl到nginx目录
+    ```cmd
+    cp ./crl.pem ./nginx/conf.d/ssl
+    ```
+  - 重新部署nginx
+    ```cmd
+    docker stop mynginx
+    docker run -d -p 127.0.0.1:8080:80 -p 127.0.0.1:8081:443 --rm --name mynginx --volume "$PWD/nginx/conf.d/":/etc/nginx/conf.d/ nginx
+    ```
+  - 再次访问，之前的证书已经无法使用
\ No newline at end of file