在Linux系统中,使用OpenSSL实现双向认证(也称为客户端证书认证)涉及以下几个步骤:
首先,你需要创建一个证书颁发机构(CA),并生成CA证书和密钥。
# 创建CA目录 mkdir ca cd ca # 创建CA配置文件 cat > openssl.cnf <<EOF [ ca ] default_ca = CA_default [ CA_default ] dir = ./certs certs = \$dir/certs new_certs_dir = \$dir/newcerts database = \$dir/index.txt serial = \$dir/serial RANDFILE = \$dir/private/.rand private_key = \$dir/private/ca.key certificate = \$dir/cacert.pem crlnumber = \$dir/crlnumber crl = \$dir/crl.pem crl_extensions = crl_ext default_crl_days = 30 default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 3650 preserve = no policy = policy_strict [ policy_strict ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 4096 distinguished_name = req_distinguished_name string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign EOF # 生成CA私钥 openssl genpkey -algorithm RSA -out ca/private/ca.key -aes256 # 生成CA证书 openssl req -config openssl.cnf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem # 初始化数据库和序列号文件 echo 1000 > index.txt openssl rand -out serial 0 接下来,生成服务器证书和密钥,并使用CA签名。
# 创建服务器目录 mkdir server cd server # 创建服务器配置文件 cat > openssl.cnf <<EOF [ req ] default_bits = 4096 prompt = no default_md = sha256 distinguished_name = req_distinguished_name string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = example.com [ v3_req ] keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [ alt_names ] DNS.1 = example.com DNS.2 = www.example.com [ v3_server ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:false keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth EOF # 生成服务器私钥 openssl genpkey -algorithm RSA -out server.key -aes256 # 生成服务器证书签名请求(CSR) openssl req -new -key server.key -out server.csr -config openssl.cnf # 使用CA签名服务器CSR openssl x509 -req -in server.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_server 同样地,生成客户端证书和密钥,并使用CA签名。
# 创建客户端目录 mkdir client cd client # 创建客户端配置文件 cat > openssl.cnf <<EOF [ req ] default_bits = 4096 prompt = no default_md = sha256 distinguished_name = req_distinguished_name string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = client.example.com [ v3_req ] keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth subjectAltName = @alt_names [ alt_names ] DNS.1 = client.example.com [ v3_client ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:false keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth EOF # 生成客户端私钥 openssl genpkey -algorithm RSA -out client.key -aes256 # 生成客户端证书签名请求(CSR) openssl req -new -key client.key -out client.csr -config openssl.cnf # 使用CA签名客户端CSR openssl x509 -req -in client.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_client 编辑服务器的SSL配置文件(例如/etc/ssl/openssl.cnf或/etc/httpd/conf.d/ssl.conf),添加以下内容:
[ SSL ] SSLCACertificateFile /path/to/ca/cacert.pem SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars 在客户端上,确保客户端证书和私钥可用,并在需要时配置应用程序使用这些证书。
启动服务器并尝试连接到它。服务器应该要求客户端提供证书,并验证该证书是否由受信任的CA签发。
通过这些步骤,你可以在Linux系统中使用OpenSSL实现双向认证。
