pki

Implementing HTTPS with nginx and OpenSSL

流过昼夜 posted on 2019-11-30 03:05:23
Lab environment:
1. Make sure nginx is installed on the machine:
   rpm -q nginx
2. Stop the firewall and turn off SELinux enforcement (lab setup only; on a real server keep both on and open port 443 instead):
   systemctl stop firewalld.service
   iptables -F
   setenforce 0
3. Run nginx -V and check whether the "configure arguments" output contains --with-http_ssl_module; if it does not, nginx has to be recompiled with that option.
Prepare the CA directory:
1) Create the certificate index database file:
   touch /etc/pki/CA/index.txt
2) Set the serial number of the first certificate to be issued:
   echo 01 > /etc/pki/CA/serial
Create the CA key and self-signed certificate:
1) Generate the CA private key (umask 066 makes the new key file readable and writable by its owner only):
   cd /etc/pki/CA
   umask 066
   openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
2) Generate the CA's self-signed certificate (after changing back to the root directory):
   openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
   -new: create a new certificate signing request
   -x509: output a self-signed certificate instead of a request; used for the CA's own certificate
   -key: the private key used to generate the request
   -days n: validity period of the certificate in days
   -out: path where the certificate is saved

Digital certificates: What is the difference between encrypting and signing

不打扰是莪最后的温柔 posted on 2019-11-29 22:39:35
I am relatively new to PKI, certificates and all related stuff. As far as I understand, in public-key cryptography one encrypts with a public key and decrypts with a private key. Only one private key can correspond to any public key, but the opposite is not true. Is that correct? Or is it a one-to-one mapping? So, the way a digital signature works is that the content of a certificate is hashed and then "signed" with a private key. The signature is then verified with the corresponding public key. So, here is where I get confused. What is the difference between encrypting a message with a public key and
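The two operations the question contrasts, worked through with the openssl command line as an added example (this is not part of the original post): the same RSA key pair is used for both, but signing uses the private key and is checked with the public key, while encrypting uses the public key and is undone only by the private key. The key name alice, the file names and the sample message are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: signing vs. encrypting with one
# RSA key pair, using only the openssl command line. All files live in a temp
# directory; the message text is constructed for the demo.
set -eu

# Key pair for "alice": private key alice.key, public key alice.pub.
# The public key is derived from the private key (there is exactly one), so it
# can always be regenerated with `openssl pkey -pubout`.
make_keypair() {      # $1 = dir
    openssl genrsa -out "$1/alice.key" 2048 2>/dev/null
    openssl pkey -in "$1/alice.key" -pubout -out "$1/alice.pub"
}

# SIGNING: hash the file with SHA-256 and sign the digest with the PRIVATE key.
# Anyone with alice.pub can check it; nobody without alice.key can forge it.
sign_message() {      # $1 = dir, $2 = file to sign; writes $1/msg.sig
    openssl dgst -sha256 -sign "$1/alice.key" -out "$1/msg.sig" "$2"
}

# Exit status 0 if $1/msg.sig is a valid signature over $2, 1 otherwise.
verify_message() {    # $1 = dir, $2 = file to check
    openssl dgst -sha256 -verify "$1/alice.pub" -signature "$1/msg.sig" "$2" >/dev/null 2>&1
}

# ENCRYPTING: the sender uses the recipient's PUBLIC key; only the matching
# private key decrypts. Plain RSA only fits inputs of a couple of hundred bytes,
# so real protocols encrypt a symmetric key this way, not the bulk data.
encrypt_message() {   # $1 = dir, $2 = plaintext file; writes $1/msg.enc
    openssl pkeyutl -encrypt -pubin -inkey "$1/alice.pub" -in "$2" -out "$1/msg.enc"
}

decrypt_message() {   # $1 = dir; prints the recovered plaintext
    openssl pkeyutl -decrypt -inkey "$1/alice.key" -in "$1/msg.enc"
}

# End-to-end demo; returns 0 only if every expectation holds.
run_demo() {
    dir=$(mktemp -d)
    printf 'transfer 100 to bob\n' > "$dir/msg.txt"        # constructed sample message
    printf 'transfer 900 to bob\n' > "$dir/tampered.txt"   # altered text, same signature
    make_keypair "$dir"
    sign_message "$dir" "$dir/msg.txt"
    if ! verify_message "$dir" "$dir/msg.txt"; then
        echo "FAIL: genuine message did not verify"; rm -rf "$dir"; return 1
    fi
    if verify_message "$dir" "$dir/tampered.txt"; then
        echo "FAIL: tampered message verified"; rm -rf "$dir"; return 1
    fi
    encrypt_message "$dir" "$dir/msg.txt"
    if [ "$(decrypt_message "$dir")" != "transfer 100 to bob" ]; then
        echo "FAIL: decryption mismatch"; rm -rf "$dir"; return 1
    fi
    echo "signature verifies, tampering is detected, ciphertext decrypts only with the private key"
    rm -rf "$dir"
}

run_demo
```

The tampered-file check is the practical difference: a signature is bound to the hash of the exact bytes, so changing one character makes `openssl dgst -verify` exit non-zero, whereas encryption says nothing about who produced the ciphertext, since anyone can obtain the public key.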

Implementing HTTPS with nginx and OpenSSL

萝らか妹 posted on 2019-11-29 19:37:51
[root@localhost ~]#systemctl stop firewalld
[root@localhost ~]#setenforce 0
[root@localhost ~]#iptables -F
[root@localhost ~]#yum -y install pcre zlib openssl openssl-devel pcre-devel zlib-devel
[root@localhost ~]#cd /usr/local/nginx-1.16.0
[root@localhost nginx-1.16.0]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module
[root@localhost ~]#make && make install
[root@localhost ~]#useradd -M -s /sbin/nologin nginx
[root@localhost ~]#ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin
[root@localhost ~]#nginx
[root@localhost ~]#

Implementing HTTPS with nginx and OpenSSL

痞子三分冷 posted on 2019-11-29 19:30:49
Lab environment:
  OS: CentOS 7, kernel 3.10.0-514.el7.x86_64
  Nginx: 1.14.0
Stop the firewall and keep it from starting at boot:
  systemctl stop firewalld.service
  systemctl disable firewalld
Disable SELinux:
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
Set the hostname:
  vi /etc/hostname   (set it to nginx.wangfeiyu.com)
Bind the domain name to the IP address:
  vi /etc/hosts
Reboot:
  reboot
Install the nginx service.
Requirements for upgrading nginx to HTTPS:
1. Check whether nginx supports SSL:
   /usr/local/nginx/sbin/nginx -V
   Note: look for --with-http_ssl_module in the "configure arguments" output. If it is missing, nginx has to be recompiled: go back to the source directory used for the original install and configure the ssl module. Because this is an upgrade of an existing nginx, make install is not run; the commands are:
   ./configure --with-http_ssl_module
   make
   (Reuse the original configure arguments shown by nginx -V and add --with-http_ssl_module to them; running configure with only the ssl option silently drops the prefix, user and other modules of the original build. make only produces objs/nginx, so that binary still has to replace the old one before the module takes effect.)
2. Check the OpenSSL configuration file:
   vi /etc/pki/tls/openssl.cnf
   Note:

Building a highly available Kubernetes 1.15.1 cluster with kubeadm

∥☆過路亽.° posted on 2019-11-29 19:12:56
Hosts:
  IP              Role    OS        Remarks
  192.168.10.210  master  CentOS 7  haproxy, keepalived master
  192.168.10.211  master  CentOS 7  haproxy, keepalived backup
  192.168.10.212  master  CentOS 7  haproxy, keepalived backup
  192.168.10.213  node    CentOS 7  worker node only
Host preparation:
1. Install the required packages and update everything:
   yum -y install vim-enhanced wget curl net-tools conntrack-tools bind-utils socat ipvsadm ipset
   yum -y update
2. Disable SELinux:
   sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
   sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
3. Disable services that are not needed:
   systemctl disable auditd
   systemctl disable postfix
   systemctl disable irqbalance
   systemctl disable

PKI multiple public keys

情到浓时终转凉″ posted on 2019-11-29 16:55:28
Question: I'm wondering if I can have multiple public keys for a private key. Can this be done? If so, what are the security issues? If I generate multiple key pairs based on the same initial values (with no initial vector), shouldn't the keys be "compatible"?
Answer 1: In all asymmetric crypto-systems I can think of, there is a 1-1 correspondence between the public key and the private key: given the private key you can uniquely determine the public key, and given the public key you can uniquely determine

Use python to access a site with PKI security

空扰寡人 posted on 2019-11-29 12:31:47
Question: I have a site that has PKI security enabled. Each client uses either a card reader to load their certificate, or the certificate is installed in the IE certificate store on their machine. So my questions are: How can I use either the card reader certificate or the certificate stored on the system to verify the system? How do I pass the credentials on to the site to say, hey, I'm me and I can access the service? The example can use soft certificates. I can figure out the card reader part

How do you present a different PKI client certificate to a server once you have already presented one, in Firefox?

六月ゝ 毕业季﹏ posted on 2019-11-29 09:31:21
Question: When I visit a website that requires PKI client certificates, Firefox lets the user select which certificate to present. How do you present a different PKI client certificate to a server once you have already presented one, in Firefox?
Answer 1: This blog post describes what you are looking for: To clear your SSL session state in Firefox, choose History -> Clear Recent History..., then select "Active Logins" and click "Clear Now". The next time you connect to your SSL server, Firefox

Linux Basics: Day06

假装没事ソ posted on 2019-11-29 05:36:53
Introduction to network security
Background: on the early Internet (1980s) we needed to share and transmit data, and everything transmitted or shared was plaintext. As the Internet grew, security became a strategic national resource. What we do (programming, operations) is a craft; security is a science, because secure algorithms have to be built on hard mathematical problems. Every country raced to develop its own encryption algorithms and to break everyone else's; the US restricted the export of strong encryption. To keep data secure, four requirements must be met: 1. data must be encrypted; 2. integrity checking (hashes, one-way encryption, fingerprints); 3. origin authentication; 4. a certificate system (OpenSSL implements this PKI certificate architecture, and it covers the first three points).
1. Data encryption
Data must be encrypted.
1) Symmetric-key encryption: the same key encrypts and decrypts.
   Advantage: efficient.
   Disadvantage: keys are very hard to manage and very hard to exchange.
2) Asymmetric-key encryption: a key pair (public key, private key).
   A -- B: A has a private key and a public key; B can encrypt data with A's public key and send it to A, and only A's private key can decrypt it.
   Advantage: key management is easy; data is more secure.
   Disadvantage: inefficient (very much so), roughly 1000 times slower than symmetric encryption.
Two forms of encryption
1) Stream ciphers: each plaintext bit is XORed with a bit of the key stream, for example
   plaintext "Cisco": 01010100100101011100100101001010
   key stream:        01010101010101010101010101010101
   XOR
   ----------------------

openssl ca (signing and building your own CA)

北慕城南 posted on 2019-11-29 03:33:58
openssl ca (signing and building your own CA)
Summary of building your own CA:
# Create the index database file and the serial file
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
# Generate the CA private key (no key size is given, so OpenSSL's default applies; pass 2048 explicitly to be sure)
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
# Create the CA request file
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
# Self-sign it
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
# Copy the self-signed certificate to /etc/pki/CA/
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
Then issue a certificate to Lao Wang with that CA:
# Lao Wang generates a private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
# Lao Wang generates a request file
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out
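The whole flow the nginx/OpenSSL posts and this openssl ca post describe (root CA, a request, a signed server certificate, and the nginx side), carried through end to end as an added example; it is not code from any of the posts. It uses `openssl x509 -req` with extension files in place of `openssl ca`, so it needs no /etc/pki/CA layout and runs in a temp directory, and it adds the two checks a client actually performs: the chain must lead to a trusted CA and the hostname must match the subjectAltName. The hostname nginx.wangfeiyu.com is taken from the posts; the CA names, file names and the nginx root path are assumptions.

```shell
#!/bin/sh
# Added example, not code from any of the posts above: build a private CA,
# issue a server certificate for the nginx host, verify the chain the way a
# TLS client would, and write the matching nginx server block.
# Uses `openssl x509 -req` + extension files instead of `openssl ca`, so it
# needs no /etc/pki/CA layout and runs entirely in a temp directory.
# The hostname comes from the posts; CA names, file names and paths are assumed.
set -eu

HOST=nginx.wangfeiyu.com

# Root CA: key, CSR, then a self-signed cert carrying CA:TRUE and keyCertSign.
# Without basicConstraints=CA:TRUE a modern verifier rejects the root.
make_ca() {             # $1 = dir, $2 = CA name
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 -sha256 \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# Server cert signed by the CA. Clients match the hostname against the
# subjectAltName, not the CN, so the SAN is mandatory; CA:FALSE stops the
# leaf from being misused to sign further certificates.
make_server_cert() {    # $1 = dir, $2 = CA name, $3 = hostname
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=$3" -out "$1/server.csr"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$3" > "$1/server.ext"
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# 0 if server.crt chains to the named CA and is valid for the hostname, 1 otherwise.
verify_server_cert() {  # $1 = dir, $2 = CA name, $3 = hostname
    openssl verify -CAfile "$1/$2.crt" -verify_hostname "$3" "$1/server.crt" >/dev/null 2>&1
}

# Minimal nginx TLS server block using the files produced above
# (directive names are nginx's own; the document root is assumed).
write_nginx_conf() {    # $1 = dir; writes $1/https.conf
    cat > "$1/https.conf" <<EOF
server {
    listen 443 ssl;
    server_name $HOST;
    ssl_certificate     $1/server.crt;
    ssl_certificate_key $1/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    location / { root /usr/local/nginx/html; }
}
EOF
}

run_demo() {
    dir=$(mktemp -d)
    make_ca "$dir" labca
    make_server_cert "$dir" labca "$HOST"
    if ! verify_server_cert "$dir" labca "$HOST"; then
        echo "FAIL: chain did not verify"; rm -rf "$dir"; return 1
    fi
    # A client asking for another name must reject the cert...
    if verify_server_cert "$dir" labca other.example; then
        echo "FAIL: hostname mismatch accepted"; rm -rf "$dir"; return 1
    fi
    # ...and a client trusting a different CA must reject it too.
    make_ca "$dir" otherca
    if verify_server_cert "$dir" otherca "$HOST"; then
        echo "FAIL: wrong CA accepted"; rm -rf "$dir"; return 1
    fi
    write_nginx_conf "$dir"
    openssl x509 -in "$dir/server.crt" -noout -subject -issuer
    echo "chain OK for $HOST; nginx config written to $dir/https.conf"
}

run_demo
```

To use the result with the nginx built in the posts, include the generated https.conf from nginx.conf and install labca.crt in the client's trust store (browser or system CA bundle); the private CA key should stay off the web server entirely, since anyone holding it can issue certificates the clients will trust.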