Linux Admin 简明教程

Linux Admin - Create SSL Certificates

TLS and SSL Background

TLS 是套接字层安全性的新标准,它取代了 SSL。TLS 提供了更好的加密标准,以及其他安全性和协议包装特性来提升 SSL。常常会互换使用术语 TLS 和 SSL。但是,作为专业的 CentOS 管理员,区分每种技术之间的差异和历史非常重要。

TLS is the new standard for socket layer security, proceeding SSL. TLS offers better encryption standards with other security and protocol wrapper features advancing SSL. Often, the terms TLS and SSL are used interchangeably. However, as a professional CentOS Administrator, it is important to note the differences and history separating each.

SSL 最高版本为 3.0。SSL 由 Netscape 开发和推广为行业标准。在 Netscape 被 AOL(90 年代流行的 ISP,也被称为 America Online)收购后,AOL 从未真正推动 SSL 所需的安全改进。

SSL goes up to version 3.0. SSL was developed and promoted as an industry standard under Netscape. After Netscape was purchased by AOL (an ISP popular in the 90’s otherwise known as America Online) AOL never really promoted the change needed for security improvements to SSL.

在 3.1 版本时,SSL 技术已转移到开放系统标准,并被更改为 TLS。由于 SSL 的版权仍归 AOL 所有,因此创造了一个新术语: TLS - Transport Layer Security 。因此重要的是要知道 TLS 实际上与 SSL 不同。尤其,因为旧 SSL 技术存在已知安全问题,并且一些技术如今已被认为是过时的。

At version 3.1, SSL technology moved into the open systems standards and was changed to TLS. Since copyrights on SSL were still owned by AOL a new term was coined: TLS - Transport Layer Security. So it is important to acknowledge that TLS is in fact different from SSL. Especially, as older SSL technologies have known security issues and some are considered obsolete today.

Note - 本教程在谈论 3.1 及更高版本的技术时将使用术语 TLS。当具体评论 SSL 技术 3.0 及更低版本时,将使用 SSL。

Note − This tutorial will use the term TLS when speaking of technologies 3.1 and higher. Then SSL when commenting specific to SSL technologies 3.0 and lower.

SSL vs TLS Versioning

下表展示了 TLS 和 SSL 版本如何相互关联。我听说过一些人在谈论 SSL 3.2 版本,但是他们的术语可能是从博客中读来的。作为一名专业管理员,我们始终希望使用标准术语。因此,在讨论 SSL 时应该指的是过去的技术。一些简单的事情可以让 CentOS 求职者看起来像经验丰富的 CS 专业人士。

The following table shows how TLS and SSL versioning would relate to one another. I have heard a few people speak in terms of SSL version 3.2. However, they probably got the terminology from reading a blog. As a professional administrator, we always want to use the standard terminology. Hence, while speaking SSL should be a reference to past technologies. Simple things can make a CentOS job seeker look like a seasoned CS Major.

TLS

SSL

-

3.0

1.0

3.1

1.1

3.2

1.2

3.3

TLS 为当今互联网用户执行着两个主要功能:首先,它验证一方的身份,被称为 authentication 。其次,它在传输层为缺乏此原生功能的上层协议(ftp、http、电子邮件协议等)提供 end-to-end encryption

TLS performs two main functions important to the users of the Internet today: One, it verifies who a party is, known as authentication. Two, it offers end-to-end encryption at the transport layer for upper level protocols that lack this native feature (ftp, http, email protocols, and more).

首先,验证一方的身份对于端到端加密来说非常重要。如果消费者与一个未被授权收款的网站有着加密连接,那么财务数据仍然存在风险。所有网络钓鱼网站都会缺乏以下内容: a properly signed TLS certificate verifying website operators are who they claim to be from a trusted CA

The first, verifies who a party is and is important to security as end-to-end encryption. If a consumer has an encrypted connection to a website that is not authorized to take payment, financial data is still at risk. This is what every phishing site will fail to have: a properly signed TLS certificate verifying website operators are who they claim to be from a trusted CA.

只有两种方法可以解决没有正确签名证书的问题:引导用户允许信任已签名的证书的 Web 浏览器,或希望用户不懂技术,不知道受信任的证书颁发机构(CA)的重要作用。

There are only two methods to get around not having a properly signed certificate: trick the user into allowing trust of a web-browser for a self-signed certificate or hope the user is not tech savvy and will not know the importance of a trusted Certificate Authority (or a CA).

在本教程中,我们将使用自签名证书。这意味着,如果不明确授予该证书受信任状态来访问网站的每个 Web 浏览器,就会显示一个错误,阻止用户访问该网站。然后,它将强制用户在访问具有自签名证书的网站之前执行一些操作。请记住,为了安全这是件好事。

In this tutorial, we will be using what is known as a self-signed certificate. This means, without explicitly giving this certificate the status of trusted in every web browser visiting the web-site, an error will be displayed discouraging the users from visiting the site. Then, it will make the user jump though a few actions before accessing a site with a self-signed certificate. Remember for the sake of security this is a good thing.

Install and Configure openssl

openssl 是 TLS 开源实现的标准。openssl 用于 Linux、BSD 发行版、OS X 等系统,甚至支持 Windows。

openssl is the standard for open-source implementations of TLS. openssl is used on systems such as Linux, BSD distributions, OS X, and even supports Windows.

openssl 很重要,因为它提供传输层安全,并抽象出身份验证和端到端加密的详细编程,便于开发人员使用。这就是为什么几乎每个使用 TLS 的开源应用程序都会使用 openssl。它还默认安装在每个现代版本的 Linux 上。

openssl is important, as it provides transport layer security and abstracts the detailed programming of Authentication and end-to-end encryption for a developer. This is why openssl is used with almost every single open-source application using TLS. It is also installed by default on every modern version of Linux.

默认情况下,openssl 应该从至少版本 5 开始安装在 CentOS 上。要确保,我们尝试通过 YUM 安装 openssl。只需运行安装命令,因为 YUM 足够智能,它会让我们知道是否已安装某个软件包。如果出于兼容性原因,我们运行较老版本的 CentOS,则执行 yum -y install 确保 openssl 相对于近期 Heartbleed 漏洞已更新。

By default, openssl should be installed on CentOS from at least version 5 onwards. Just to assure, let’s try installing openssl via YUM. Just run install, as YUM is intelligent enough to let us know if a package is already installed. If we are running an older version of CentOS for compatibility reasons, doing a yum -y install will ensure openssl is updated against the semi-recent heart-bleed vulnerability.

在运行安装程序时,发现 openssl 实际上有一个更新。

When running the installer, it was found there was actually an update to openssl.

[root@centos]# yum -y install openssl
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-60.el7_3.1 for
package: 1:openssl-1.0.1e-60.el7_3.1.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-60.el7_3.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved

===============================================================================
===============================================================================
 Package                               Arch
 Version                            Repository                        Size
===============================================================================
===============================================================================
Updating:
openssl                               x86_64
1:1.0.1e-60.el7_3.1                 updates                           713 k
Updating for dependencies:

Create Self-signed Certificate for OpenLDAP

这是为我们之前的 OpenLDAP 安装创建自签名证书的方法。

This is a method to create a self-signed for our previous OpenLDAP installation.

创建自签名 OpenLDAP 证书。

To create an self-signed OpenLDAP Certificate.

openssl req -new -x509 -nodes -out /etc/openldap/certs/myldaplocal.pem -keyout
/etc/openldap/certs/myldaplocal.pem -days 365

[root@centos]# openssl req -new -x509 -nodes -out /etc/openldap/certs/vmnet.pem
-keyout /etc/openldap/certs/vmnet.pem -days 365
Generating a 2048 bit RSA private key
.............................................+++
................................................+++
writing new private key to '/etc/openldap/certs/vmnet.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Califonia
Locality Name (eg, city) [Default City]:LA
Organization Name (eg, company) [Default Company Ltd]:vmnet
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos
Email Address []:bob@bobber.net
[root@centos]#

我们的 OpenLDAP 证书现在应该放在 /etc/openldap/certs/ 中。

Now our OpenLDAP certificates should be placed in /etc/openldap/certs/

[root@centos]# ls /etc/openldap/certs/*.pem
/etc/openldap/certs/vmnetcert.pem  /etc/openldap/certs/vmnetkey.pem
[root@centos]#

如您所见,我们已在 /etc/openldap/certs/ 目录中安装了证书和密钥。最后,我们需要更改每个证书和密钥的权限,因为它们当前归 root 用户所有。

As you can see, we have both the certificate and key installed in the /etc/openldap/certs/ directories. Finally, we need to change the permissions to each, since they are currently owned by the root user.

[root@centos]# chown -R  ldap:ldap /etc/openldap/certs/*.pem
[root@centos]# ls -ld /etc/openldap/certs/*.pem
-rw-r--r--. 1 ldap ldap 1395 Feb 20 10:00 /etc/openldap/certs/vmnetcert.pem
-rw-r--r--. 1 ldap ldap 1704 Feb 20 10:00 /etc/openldap/certs/vmnetkey.pem
[root@centos]#

Create Self-signed Certificate for Apache Web Server

在本教程中,我们将假定 Apache 已安装。我们在另一个教程(配置 CentOS 防火墙)中安装了 Apache,并将为未来的教程介绍 Apache 高级安装。因此,如果您尚未安装 Apache,请继续操作。

In this tutorial, we will assume Apache is already installed. We did install Apache in another tutorial (configuring CentOS Firewall) and will go into advanced installation of Apache for a future tutorial. So, if you have not already installed Apache, please follow along.

一旦可以使用以下步骤安装 Apache HTTPd −

Once Apache HTTPd can be installed using the following steps −

Step 1 − 为 Apache httpd 服务器安装 mod_ssl。

Step 1 − Install mod_ssl for Apache httpd server.

首先,我们需要使用 mod_ssl 配置 Apache。使用 YUM 软件包管理器非常简单 −

First we need to configure Apache with mod_ssl. Using the YUM package manager this is pretty simple −

[root@centos]# yum -y install mod_ssl

然后重新载入您的 Apache 守护进程,以确保 Apache 使用新配置。

Then reload your Apache daemon to ensure Apache uses the new configuration.

[root@centos]# systemctl reload httpd

此时,Apache 已配置为在 local host 上支持 TLS 连接。

At this point, Apache is configured to support TLS connections on the local host.

Step 2 − 创建自签名 ssl 证书。

Step 2 − Create the self-signed ssl certificate.

首先,让我们配置我们的私有 TLS 密钥目录。

First, let’s configure our private TLS key directory.

[root@centos]# mkdir /etc/ssl/private
[root@centos]# chmod 700 /etc/ssl/private/

Note − 确保只有 root 具有对此目录的读/写访问权限。如果世界拥有读/写访问权限,您的私钥可用于解密嗅探的流量。

Note − Be sure only the root has read/write access to this directory. With world read/write access, your private key can be used to decrypt sniffed traffic.

生成证书和密钥文件。

Generating the certificate and key files.

[root@centos]# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout
/etc/ssl/private/self-gen-apache.key -out /etc/ssl/certs/self-sign-apache.crt
Generating a 2048 bit RSA private key
..........+++
....+++
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:xx
Locality Name (eg, city) [Default City]:xxxx
Organization Name (eg, company) [Default Company Ltd]:VMNET
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:centos.vmnet.local
Email Address []:

[root@centos]#

Note − 如果没有注册的域名,您可以使用服务器的公共 IP 地址。

Note − You can use public IP Address of the server if you don’t have a registered domain name.

让我们看看我们的证书 −

Let’s take a look at our certificate −

[root@centos]# openssl x509 -in self-sign-apache.crt -text -noout
Certificate:
   Data:
      Version: 3 (0x2)
      Serial Number: 17620849408802622302 (0xf489d52d94550b5e)
   Signature Algorithm: sha256WithRSAEncryption
   Issuer: C=US, ST=UT, L=xxxx, O=VMNET, CN=centos.vmnet.local
   Validity
      Not Before: Feb 24 07:07:55 2017 GMT
      Not After : Feb 24 07:07:55 2018 GMT
   Subject: C=US, ST=UT, L=xxxx, O=VMNET, CN=centos.vmnet.local
   Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
         Public-Key: (2048 bit)
            Modulus:
               00:c1:74:3e:fc:03:ca:06:95:8d:3a:0b:7e:1a:56:
               f3:8d:de:c4:7e:ee:f9:fa:79:82:bf:db:a9:6d:2a:
               57:e5:4c:31:83:cf:92:c4:e7:16:57:59:02:9e:38:
               47:00:cd:b8:31:b8:34:55:1c:a3:5d:cd:b4:8c:b0:
               66:0c:0c:81:8b:7e:65:26:50:9d:b7:ab:78:95:a5:
               31:5e:87:81:cd:43:fc:4d:00:47:5e:06:d0:cb:71:
               9b:2a:ab:f0:90:ce:81:45:0d:ae:a8:84:80:c5:0e:
               79:8a:c1:9b:f4:38:5d:9e:94:4e:3a:3f:bd:cc:89:
               e5:96:4a:44:f5:3d:13:20:3d:6a:c6:4d:91:be:aa:
               ef:2e:d5:81:ea:82:c6:09:4f:40:74:c1:b1:37:6c:
               ff:50:08:dc:c8:f0:67:75:12:ab:cd:8d:3e:7b:59:
               e0:83:64:5d:0c:ab:93:e2:1c:78:f0:f4:80:9e:42:
               7d:49:57:71:a2:96:c6:b8:44:16:93:6c:62:87:0f:
               5c:fe:df:29:89:03:6e:e5:6d:db:0a:65:b2:5e:1d:
               c8:07:3d:8a:f0:6c:7f:f3:b9:32:b4:97:f6:71:81:
               6b:97:e3:08:bd:d6:f8:19:40:f1:15:7e:f2:fd:a5:
               12:24:08:39:fa:b6:cc:69:4e:53:1d:7e:9a:be:4b:

以下是我们使用 openssl 命令的每个选项的解释 −

Here is an explanation for each option we used with the openssl command −

Command

Action

req -X509

Use X.509 CSR management PKI standard for key management.

-nodes

Do not secure our certificate with a passphrase. Apache must be able to use the certificate without interruption of a passphrase.

-days 2555

Tells the validity of the certificate to 7 years or 2555 days. Time period can be adjusted as needed.

-newkey rsa:2048

Specified to generate both key and certificate using RSA at 2048 bits in length.

接下来,我们要为与客户端协商 PFS 创建一个 Diffie-Heliman 组。

Next, we want to create a Diffie-Heliman group for negotiating PFS with clients.

[centos#] openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

这将需要 5 到 15 分钟的时间。

This will take from 5 to 15 minutes.

Perfect Forward Secrecy − 用于在私钥受损的情况下保护会话数据。这将在客户端和服务器之间生成一个密钥,该密钥对每个会话都是唯一的。

Perfect Forward Secrecy − Used to secure session data in case the private key has been compromised. This will generate a key used between the client and the server that is unique for each session.

现在,将完美前向保密配置添加到我们的证书。

Now, add the Perfect Forward Secrecy configuration to our certificate.

[root@centos]# cat /etc/ssl/certs/dhparam.pem | tee -a /etc/ssl/certs/self-sign-apache.crt

Configure Apache to Use Key and Certificate Files

我们将对 /etc/httpd/conf.d/ssl.conf − 进行更改

We will be making changes to /etc/httpd/conf.d/ssl.conf −

我们将对 ssl.conf 进行以下更改。不过,在进行更改之前,我们应该备份原始文件。在高级文本编辑器(如 vi 或 emcas)中对生产服务器进行更改时,在进行编辑之前始终备份配置文件是一种最佳实践。

We will make the following changes to ssl.conf. However, before we do that we should back the original file up. When making changes to a production server in an advanced text editor like vi or emcas, it is a best practice to always backup configuration files before making edits.

[root@centos]# cp /etc/httpd/conf.d/ssl.conf ~/

现在让我们继续编辑,方法是将 ssl.conf 的已知工作副本复制到我们主文件夹的根目录。

Now let’s continue our edits after copying a known-working copy of ssl.conf to the root of our home folder.

  1. Locate

  2. Edit both DocumentRoot and ServerName as follows.

\\# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName centos.vmnet.local:443

DocumentRoot 这是您的默认 Apache 目录的路径。该文件夹中应有一个默认页面,该页面将显示一个 HTTP 请求,要求获取 Web 服务器或网站的默认页面。

DocumentRoot this is the path to your default apache directory. In this folder should be a default page that will display a HTTP request asking for the default page of your web server or site.

ServerName 是服务器名称,它可以是服务器的 IP 地址或主机名。对于 TLS,最佳做法是使用主机名创建证书。从我们的 OpenLdap 教程中,我们在本地企业域上创建了名为 centos 的主机名:vmnet.local

ServerName is the server name that can be either an ip address or the host name of the server. For TLS, it is a best practice to create a certificate with a host name. From our OpenLdap tutorial, we created a hostname of centos on the local enterprise domain: vmnet.local

现在我们要对以下行进行注释。

Now we want to comment the following lines out.

SSLProtocol

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
 ~~~~> #SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
 ~~~~> #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

然后让 Apache 知道在哪里找到我们的证书和私有/公钥对。

Then let Apache know where to find our certificate and private/public key pair.

Specify path to our self-signed certificate file

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
~~~~> SSLCertificateFile /etc/ssl/certs/self-sign-apache.crt
specify path to our private key file
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
~~~~> SSLCertificateKeyFile /etc/ssl/private/self-gen-apache.key

最后,我们需要允许通过端口 443 的入站连接到 https。

Finally, we need to allow inbound connections to https over port 443.