加密算法

  • 对称加密
    • 密钥只有一个, 加密解密为同一个密码, 加解密速度快
    • 典型的对称加密算法有DES, AES 等
  • 非对称加密
    • 非对称加密需要两个密钥: 公钥PublicKey 和私钥PrivateKey
    • 公钥与私钥配对使用. 使用公钥加密的数据, 只有对应的私钥可以解密; 使用私钥加密的数据, 只有对应公钥可以解密
    • 例如githu就使用非对称加密, 本机生成公约和私钥, 公钥上传到github, 私钥添加到本机; github 下发的数据就是我们上传的公钥加密, 我们在获取到数据后使用本地私钥解密

SSL/TLS

  • TLS
    • Transport Layer Security 传输层安全协议
  • SSL
    • sECURE Sockets Layer 安全Sockets 协议层

通信过程

  1. Client 向Server 发送请求, Server 返回

证书生成脚本

# Generate the certificates and keys for testing.

#PROJECT_NAME="XIONGMAITECH"
COUNTRY_NAME="CN"
STATE_OR_PROVINCE_NAME="ZHEJIANG"
LOCALITY_NAME="HANGZHOU"
ORIGANIZATION_NAME="XIONGMAITECH"
ORIGANIZATIONAL_UNIT_NAME="YUNPINGTAI"
SERVER_COMMON_NAME="10.10.88.220"
CLIENT_COMMON_NAME="10.2.5.51"

# Generate the openssl configuration files.
cat > ca_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name     # 可识别字段名DN, 引用req_distinguished_name 段设置
prompt                 = no     # 设置为no, 不提示输入DN, 而是从配置文件中读取, 此是需要同时设置DN默认值

[ req_distinguished_name ]
C                       = $COUNTRY_NAME
ST                      = $STATE_OR_PROVINCE_NAME
L                       = $LOCALITY_NAME
O                       = $ORIGANIZATION_NAME root Certificate Authority
OU                      = $ORIGANIZATIONAL_UNIT_NAME
EOF

cat > server_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
C                       = $COUNTRY_NAME
ST                      = $STATE_OR_PROVINCE_NAME
L                       = $LOCALITY_NAME
O                       = $ORIGANIZATION_NAME Server Certificate
OU                      = $ORIGANIZATIONAL_UNIT_NAME
CN                      = $SERVER_COMMON_NAME   # 必须和网站本身一致
EOF

cat > client_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
C                       = $COUNTRY_NAME
ST                      = $STATE_OR_PROVINCE_NAME
L                       = $LOCALITY_NAME
O                       = $ORIGANIZATION_NAME Client Certificate
OU                      = $ORIGANIZATIONAL_UNIT_NAME
CN                      = $SERVER_COMMON_NAME   # 必须和客户端本身一致
EOF

#############################################################################
if [ ! -d "./ca" ];then
    mkdir -p ./ca
else
    rm -f ./ca/*
fi

if [ ! -d "./server" ];then
    mkdir -p ./server
else
    rm -f ./server/*
fi

if [ ! -d "./client" ];then
    mkdir -p ./client
else
    rm -f ./client/*
fi

if [ ! -d "./certDER" ];then
    mkdir -p ./certDER
else
    rm -f ./certDER/*
fi

#############################################################################
# private key generation
openssl genrsa -out ca.key 1024
openssl genrsa -out server.key 1024
openssl genrsa -out client.key 1024

# cert requests
openssl req -out ./ca/ca.req -key ./ca/ca.key -new -config ./ca_cert.conf
openssl req -out ./server/server.req -key ./server/server.key -new -config ./server_cert.conf 
openssl req -out ./client/client.req -key ./client/client.key -new  -config ./client_cert.conf 

# generate the actual certs.
openssl x509 -req -in ./ca/ca.req -out ./ca/ca.crt -sha1 -days 3650 -signkey ./ca/ca.key
openssl x509 -req -in ./server/server.req -out ./server/server.crt -sha1 -CAcreateserial -days 365 -CA ./ca/ca.crt -CAkey ./ca/ca.key
openssl x509 -req -in ./client/client.req -out ./client/client.crt -sha1 -CAcreateserial -days 30 -CA ./ca/ca.crt -CAkey ./ca/ca.key

openssl x509 -in ./ca/ca.crt -outform DER -out ./certDER/ca.der
openssl x509 -in ./server/server.crt -outform DER -out ./certDER/server.der
openssl x509 -in ./client/client.crt -outform DER -out ./certDER/client.der