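Implementing mutual authentication (also called client certificate authentication) with OpenSSL on Linux involves several steps: creating a certificate authority (CA), generating the server certificate and key, generating the client certificate and key, and configuring the server and client to use these certificates for mutual authentication. A detailed step-by-step guide follows:
1. Generate the CA certificate and key
First, create a CA (certificate authority) that will sign the server and client certificates.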

# Create the CA directories (private/ must exist before the key is written)
mkdir -p ca/newcerts ca/private
echo 1000 > ca/serial
# Create the CA configuration file
cat <<EOF > ca/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
# Create the CA private key (AES-256 encrypted; a passphrase is prompted for)
openssl genpkey -algorithm RSA -out ca/private/ca-key.pem -aes256
# Create the self-signed CA certificate
openssl req -config ca/openssl.cnf -key ca/private/ca-key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem
# Set permissions on the CA directory
chmod 700 ca/private
chmod 644 ca/*.pem

2. Generate the server certificate and key
Next, generate the server's certificate and key.

# Create the server directories (private/, csr/ and cert/ are used below)
mkdir -p server/newcerts server/private server/csr server/cert
echo 1000 > server/serial
# Create the server configuration file
cat <<EOF > server/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Create the server private key
openssl genpkey -algorithm RSA -out server/private/server-key.pem -aes256
# Create the server certificate signing request (CSR)
openssl req -config server/openssl.cnf -key server/private/server-key.pem -new -out server/csr/server-csr.pem
# Sign the server certificate with the CA.
# openssl x509 -req adds extensions only from -extfile, so the v3_server
# section has to be named here for serverAuth to end up in the certificate.
openssl x509 -req -in server/csr/server-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -extfile server/openssl.cnf -extensions v3_server -out server/cert/server-cert.pem -days 365 -sha256

3. Generate the client certificate and key
In the same way, generate the client's certificate and key.

# Create the client directories (private/, csr/ and cert/ are used below)
mkdir -p client/newcerts client/private client/csr client/cert
echo 1000 > client/serial
# Create the client configuration file
cat <<EOF > client/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/ssl/ssl-ca
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
RANDFILE = \$dir/private/.rand
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
organizationName = Organization Name
commonName = Common Name
[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
# Create the client private key
openssl genpkey -algorithm RSA -out client/private/client-key.pem -aes256
# Create the client certificate signing request (CSR)
openssl req -config client/openssl.cnf -key client/private/client-key.pem -new -out client/csr/client-csr.pem
# Sign the client certificate with the CA.
# openssl x509 -req adds extensions only from -extfile, so the v3_client
# section has to be named here for clientAuth to end up in the certificate.
openssl x509 -req -in client/csr/client-csr.pem -CA ca/cacert.pem -CAkey ca/private/ca-key.pem -CAcreateserial -extfile client/openssl.cnf -extensions v3_client -out client/cert/client-cert.pem -days 365 -sha256

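4. Configure the server to use client certificates
Edit the server configuration file (for example /etc/ssl/ssl-ca/server/openssl.cnf) and add the following to enable client certificate verification:

[ server ]
...
SSLVerifyClient require
SSLCACertificateFile /etc/ssl/ssl-ca/cacert.pem

SSLVerifyClient and SSLCACertificateFile are Apache mod_ssl directives, so on an Apache server they go in the TLS virtual host configuration; OpenSSL does not interpret them in openssl.cnf.
Then restart the server to apply the change.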
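5. Configure the client to use the server certificate
Edit the client configuration file (for example /etc/ssl/ssl-ca/client/openssl.cnf) and add the following to trust the server certificate:

[ ca ]
...
trusted_first = no

Then restart the client to apply the change. In the test in step 6, the client's trust in the server certificate comes from the -CAfile ca/cacert.pem argument.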
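6. Test mutual authentication
Use the openssl s_client command to test mutual authentication:

# Run on the server
openssl s_client -connect localhost:443 -cert client/cert/client-cert.pem -key client/private/client-key.pem -CAfile ca/cacert.pem
# Run on the client (use the server's host name in place of localhost when
# connecting from another machine). s_client is always the TLS client, so it
# presents the client certificate and key, not the server's.
openssl s_client -connect localhost:443 -cert client/cert/client-cert.pem -key client/private/client-key.pem -CAfile ca/cacert.pem
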
With these steps, you should be able to implement mutual authentication with OpenSSL on Linux.
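
openssl x509 -req, the signing command in steps 2 and 3, writes extensions into a certificate only when they are supplied with -extfile. The script below is an added example, not part of the original guide: it builds a throwaway CA in a temporary directory and uses openssl verify -purpose to show which role each issued certificate is accepted for. The names Demo CA, demo-client and demo-bare, the DNS:localhost subject alternative name and the unencrypted keys are assumptions made for the demo.

```sh
# Added example. "Demo CA", the subject names and the temp directory are constructed;
# keys are left unencrypted (-nodes) because the whole PKI is thrown away.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
openssl req -config "$W/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -keyout "$W/ca-key.pem" -out "$W/cacert.pem" 2>/dev/null

# issue NAME CN [EKU [SAN]]: sign a CSR with the CA; extensions are written
# into the certificate only when an EKU is given (that is, only with -extfile).
issue() {
  name=$1 cn=$2 eku=${3:-} san=${4:-}
  openssl req -config "$W/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$W/$name-key.pem" -out "$W/$name-csr.pem" 2>/dev/null
  set -- -req -in "$W/$name-csr.pem" -CA "$W/cacert.pem" -CAkey "$W/ca-key.pem" \
    -CAcreateserial -out "$W/$name-cert.pem" -days 30 -sha256
  if [ -n "$eku" ]; then
    { echo "basicConstraints = critical, CA:false"
      echo "keyUsage = critical, digitalSignature, keyEncipherment"
      echo "extendedKeyUsage = $eku"
      [ -z "$san" ] || echo "subjectAltName = $san"
    } > "$W/$name-ext.cnf"
    set -- "$@" -extfile "$W/$name-ext.cnf"
  fi
  openssl x509 "$@" 2>/dev/null
}

# check PURPOSE NAME: prints "ok" if the chain verifies for that purpose
check() {
  if openssl verify -CAfile "$W/cacert.pem" -purpose "$1" "$W/$2-cert.pem" \
    >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

issue server localhost serverAuth DNS:localhost
issue client demo-client clientAuth
issue bare demo-bare            # signed without -extfile, so no EKU at all
for n in server client bare; do
  echo "$n: sslserver=$(check sslserver "$n") sslclient=$(check sslclient "$n")"
done
```

The certificate signed without -extfile is accepted for both purposes, which is why a server that requires client certificates should be given certificates whose extendedKeyUsage was actually written at signing time.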