在Linux中,使用OpenSSL实现双向认证(也称为客户端证书认证)涉及以下几个步骤:
首先,你需要创建一个证书颁发机构(CA),并生成CA的证书和私钥。
# 创建CA目录
mkdir -p ca/newcerts
chmod 700 ca/newcerts
# 创建CA配置文件
cat <<EOF > ca/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
private_key = \$dir/private/ca.key
certificate = \$dir/cacert.pem
crlnumber = \$dir/crlnumber
crl = \$dir/crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
preserve = no
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# 创建CA目录结构
mkdir -p ca/{certs,crl,newcerts,private,index.txt,serial}
# 生成CA私钥
openssl genpkey -algorithm RSA -out ca/private/ca.key -aes256
# 生成CA证书
openssl req -config ca/openssl.cnf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem
# 初始化索引文件和序列号文件
echo 1000 > ca/serial
touch ca/index.txt
接下来,生成服务器的证书和私钥。
# 创建服务器目录结构
mkdir -p server/{cert,crl,private}
# 生成服务器私钥
openssl genpkey -algorithm RSA -out server/private/server.key -aes256
# 创建服务器证书签名请求(CSR)
openssl req -new -key server/private/server.key -out server/server.csr -config openssl.cnf -subj "/CN=localhost"
# 使用CA证书和私钥签署服务器证书
openssl x509 -req -in server/server.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out server/cert/server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req
然后,生成客户端的证书和私钥。
# 创建客户端目录结构
mkdir -p client/{cert,private}
# 生成客户端私钥
openssl genpkey -algorithm RSA -out client/private/client.key -aes256
# 创建客户端证书签名请求(CSR)
openssl req -new -key client/private/client.key -out client/client.csr -config openssl.cnf -subj "/CN=client"
# 使用CA证书和私钥签署客户端证书
openssl x509 -req -in client/client.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out client/cert/client.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_req
编辑服务器的SSL配置文件(例如/etc/ssl/openssl.cnf),添加以下内容:
[ server ]
...
ssl_version = TLSv1.2
ssl_cipher_list = HIGH:!aNULL:!MD5
...
client_certificate = /etc/ssl/certs/ca/cacert.pem
verify_depth = 2
verify_return_error = 1
require_client_certificate = yes
确保服务器配置文件中包含以下内容:
[ server ]
...
certificate = /etc/ssl/certs/server/cert/server.crt
private_key = /etc/ssl/private/server.key
启动服务器并监听SSL连接。例如,如果你使用的是Apache服务器,可以这样启动:
sudo systemctl start apache2
在客户端配置SSL连接时,需要指定客户端证书和私钥。例如,在使用curl时:
curl --cacert /etc/ssl/certs/ca/cacert.pem --cert /etc/ssl/certs/client/cert/client.crt --key /etc/ssl/private/client/client.key https://localhost
通过以上步骤,你就可以在Linux中使用OpenSSL实现双向认证。