在Linux上使用OpenSSL实现双向认证(也称为客户端证书认证)涉及几个步骤,包括生成证书颁发机构(CA)、生成服务器证书和密钥、生成客户端证书和密钥,以及配置服务器和客户端以使用这些证书进行双向认证。以下是一个详细的步骤指南:
首先,你需要创建一个CA(证书颁发机构),用于签发服务器和客户端的证书。
# 创建CA目录
mkdir -p ca/newcerts
echo 1000 > ca/serial
# 创建CA配置文件
cat <<EOF > ca/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# 创建CA私钥
openssl genpkey -algorithm RSA -out ca/private/ca-key.pem -aes256
# 创建CA证书
openssl req -config ca/openssl.cnf -key ca/private/ca-key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem
# 创建CA目录权限
chmod 700 ca/private
chmod 644 ca/*.pem
接下来,生成服务器的证书和密钥。
# 创建服务器目录
mkdir -p server/newcerts
echo 1000 > server/serial
# 创建服务器配置文件
cat <<EOF > server/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# 创建服务器私钥
openssl genpkey -algorithm RSA -out server/private/server-key.pem -aes256
# 创建服务器证书签名请求(CSR)
openssl req -config server/openssl.cnf -key server/private/server-key.pem -new -out server/csr/server-csr.pem
# 使用CA签发服务器证书
openssl x509 -req -in server/csr/server-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -out server/cert/server-cert.pem -days 365 -sha256
同样地,生成客户端的证书和密钥。
# 创建客户端目录
mkdir -p client/newcerts
echo 1000 > client/serial
# 创建客户端配置文件
cat <<EOF > client/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
# 创建客户端私钥
openssl genpkey -algorithm RSA -out client/private/client-key.pem -aes256
# 创建客户端证书签名请求(CSR)
openssl req -config client/openssl.cnf -key client/private/client-key.pem -new -out client/csr/client-csr.pem
# 使用CA签发客户端证书
openssl x509 -req -in client/csr/client-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -out client/cert/client-cert.pem -days 365 -sha256
编辑服务器配置文件(例如/etc/ssl/ssl-ca/server/openssl.cnf),添加以下内容以启用客户端证书验证:
[ server ]
...
SSLVerifyClient require
SSLCACertificateFile /etc/ssl/ssl-ca/cacert.pem
然后重启服务器以应用更改。
编辑客户端配置文件(例如/etc/ssl/ssl-ca/client/openssl.cnf),添加以下内容以信任服务器证书:
[ ca ]
...
trusted_first = no
然后重启客户端以应用更改。
使用openssl s_client命令测试双向认证:
# 在服务器上运行
openssl s_client -connect localhost:443 -cert client/cert/client-cert.pem -key client/private/client-key.pem -CAfile ca/cacert.pem
# 在客户端上运行
openssl s_client -connect localhost:443 -cert server/cert/server-cert.pem -key server/private/server-key.pem -CAfile ca/cacert.pem
通过这些步骤,你应该能够在Linux上使用OpenSSL实现双向认证。