Linux OpenSSL如何实现双向认证

在Linux系统中，使用OpenSSL实现双向认证（也称为客户端证书认证）涉及以下几个步骤：

1. 生成CA证书和密钥

首先，你需要创建一个证书颁发机构（CA），并生成CA证书和密钥。

# 创建CA目录
mkdir ca
cd ca

# 创建CA配置文件
cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = ./certs
certs             = \$dir/certs
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/private/.rand

private_key       = \$dir/private/ca.key
certificate       = \$dir/cacert.pem

crlnumber         = \$dir/crlnumber
crl               = \$dir/crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
preserve          = no
policy            = policy_strict

[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF

# 生成CA私钥
openssl genpkey -algorithm RSA -out ca/private/ca.key -aes256

# 生成CA证书
openssl req -config openssl.cnf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/cacert.pem

# 初始化数据库和序列号文件
echo 1000 > index.txt
openssl rand -out serial 0

2. 生成服务器证书和密钥

接下来，生成服务器证书和密钥，并使用CA签名。

# 创建服务器目录
mkdir server
cd server

# 创建服务器配置文件
cat > openssl.cnf <<EOF
[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = example.com

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com

[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 生成服务器私钥
openssl genpkey -algorithm RSA -out server.key -aes256

# 生成服务器证书签名请求（CSR）
openssl req -new -key server.key -out server.csr -config openssl.cnf

# 使用CA签名服务器CSR
openssl x509 -req -in server.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_server

3. 生成客户端证书和密钥

同样地，生成客户端证书和密钥，并使用CA签名。

# 创建客户端目录
mkdir client
cd client

# 创建客户端配置文件
cat > openssl.cnf <<EOF
[ req ]
default_bits        = 4096
prompt              = no
default_md          = sha256
distinguished_name  = req_distinguished_name
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName               = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = client.example.com

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = client.example.com

[ v3_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# 生成客户端私钥
openssl genpkey -algorithm RSA -out client.key -aes256

# 生成客户端证书签名请求（CSR）
openssl req -new -key client.key -out client.csr -config openssl.cnf

# 使用CA签名客户端CSR
openssl x509 -req -in client.csr -CA ca/cacert.pem -CAkey ca/private/ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile openssl.cnf -extensions v3_client

4. 配置服务器以使用客户端证书认证

编辑服务器的SSL配置文件（例如/etc/ssl/openssl.cnf或/etc/httpd/conf.d/ssl.conf），添加以下内容：

[ SSL ] 
SSLCACertificateFile /path/to/ca/cacert.pem 
SSLCertificateFile /path/to/server.crt 
SSLCertificateKeyFile /path/to/server.key 
SSLVerifyClient require 
SSLVerifyDepth 10 
SSLOptions +StdEnvVars

5. 配置客户端以使用其证书

在客户端上，确保客户端证书和私钥可用，并在需要时配置应用程序使用这些证书。

6. 测试双向认证

启动服务器并尝试连接到它。服务器应该要求客户端提供证书，并验证该证书是否由受信任的CA签发。

通过这些步骤，你可以在Linux系统中使用OpenSSL实现双向认证。

亿速云提供多种品牌、不同类型SSL证书签发服务，包含：域名型、企业型、企业型专业版、增强型以及增强型专业版，单域名SSL证书300元/年起。点击查看>>