


  • Symmetric encryption
  • Public-key encryption
  • One-way encryption (hashing)
  • Authentication protocols


  • Consists of three parts
    • Encryption/decryption library: libencrypt
    • Secure communication library: libssl
    • Command-line tool: openssl


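  • DES (Data Encryption Standard): 64-bit, already broken
  • 3DES
  • AES (Advanced Encryption Standard): 128, 192, 256, 384-bit
  • Others: blowfish, twofish, idea, rc6, casts
  • Characteristics:
    • Encryption and decryption use the same key
    • The data is split into blocks, and each block is encrypted in turn
  • Drawbacks:
    • Too many keys
    • Key distribution is difficult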

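  • Public key: extracted from the private key
  • Private key: kept by its owner
  • Characteristic: data encrypted with the public key is decrypted with the paired private key
  • Uses: digital signatures, identity verification, key exchange, data encryption
  • Process:
    • 1. The sender (the encrypting party) uses one-way encryption to extract the data's digest
    • 2. The sender encrypts the digest with its own private key and appends it to the data
    • 3. The sender generates a temporary symmetric key and encrypts the whole of the data with it
    • 4. The sender obtains the receiver's public key, encrypts the symmetric key with it, and appends the result
    • 5. The sender sends everything to the receiver (the decrypting party)
    • 6. The receiver decrypts with its own private key, recovering the symmetric key
    • 7. The receiver decrypts the data with the symmetric key
    • 8. The receiver obtains the sender's public key and decrypts the digest, which completes identity authentication
    • 9. The receiver computes the digest of the data itself and compares the two to check integrity
  • Weakness: man-in-the-middle attacks
  • Solution: both parties obtain each other's public key through a CA (certificate authority); the CA can revoke certificates
  • Algorithms: RSA can sign and encrypt/decrypt; DSA can only sign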
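
The nine-step exchange above, carried out with the openssl command-line tool as an added example (not part of the original notes). The sender/receiver key pairs, the file names and the choice of SHA-256, AES-256-CBC and RSA-OAEP are assumptions made for the demo; `-pbkdf2` needs OpenSSL 1.1.1 or later.

```bash
#!/bin/bash
# Added example: sign-then-encrypt envelope with the openssl CLI.
# The sender/receiver key pairs and all file names are constructed for this demo.
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
sym() { openssl enc "$1" -aes-256-cbc -pbkdf2 -pass "file:$W/session.key" -in "$2" -out "$3"; }

setup_keys() {    # each party keeps its private key and publishes the public half
  for p in sender receiver; do
    openssl genrsa -out "$W/$p.key" 2048 2>/dev/null
    openssl rsa -in "$W/$p.key" -pubout -out "$W/$p.pub" 2>/dev/null
  done
}

seal() {          # steps 1-5, run by the sender; $1 = plaintext file
  # 1+2: digest the data and sign the digest with the sender's private key
  openssl dgst -sha256 -sign "$W/sender.key" -out "$W/msg.sig" "$1"
  # 3: a one-time symmetric key encrypts the data and the signature
  openssl rand -hex 32 > "$W/session.key"
  sym -e "$1" "$W/msg.enc" && sym -e "$W/msg.sig" "$W/sig.enc"
  # 4: wrap the session key with the receiver's public key
  openssl pkeyutl -encrypt -pubin -inkey "$W/receiver.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$W/session.key" -out "$W/key.enc"
  # 5: only msg.enc, sig.enc and key.enc leave the sender
  rm -f "$W/session.key" "$W/msg.sig"
}

open_envelope() { # steps 6-9, run by the receiver; $1 = recovered plaintext
  # 6: unwrap the session key with the receiver's private key
  openssl pkeyutl -decrypt -inkey "$W/receiver.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$W/key.enc" -out "$W/session.key" || return 1
  # 7: decrypt data and signature with the session key
  sym -d "$W/sig.enc" "$W/msg.sig" 2>/dev/null || return 1
  sym -d "$W/msg.enc" "$1" 2>/dev/null || return 1
  # 8+9: recompute the digest and check it against the signature using the
  # sender's public key; success confirms both origin and integrity
  openssl dgst -sha256 -verify "$W/sender.pub" -signature "$W/msg.sig" "$1" >/dev/null
}

setup_keys
printf 'constructed sample message\n' > "$W/plain.txt"
seal "$W/plain.txt"
open_envelope "$W/out.txt" && echo "signature and digest verified"
```

The exchange is only as trustworthy as the copy of `sender.pub` the receiver holds, which is the man-in-the-middle gap that the CA in the following list items closes.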

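  • Can only encrypt, cannot decrypt; used to extract a data digest for integrity verification
  • Fixed-length output, avalanche effect
  • Algorithms: md5, sha160, sha224, sha256, sha384, sha512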

  • IKE
  • Two algorithms: public-key encryption, and key generation negotiated with the DH algorithm


+ 1. Generate the private key on the CA server
[root@center ~]# cd /etc/pki/CA/
[root@center CA]# (umask 077; openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
[root@center CA]# ll private/
total 4
-rw------- 1 root root 891 Jul 29 22:54 cakey.pem
+ 2. Generate the self-signed certificate on the CA server
[root@center CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []
Email Address []:
[root@center CA]# ll
total 4
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
+ 3. Create the directories and files on the CA server
[root@center CA]# touch index.txt
[root@center CA]# ll
total 8
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
-rw-r--r-- 1 root root 0 Jul 29 23:00 index.txt
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
-rw-r--r-- 1 root root 3 Jul 29 23:00 serial
+ 4. Create the private key on the httpd server
[root@web1 httpd]# cd /etc/httpd/
[root@web1 httpd]# mkdir ssl
[root@web1 httpd]# ll
total 0
drwxr-xr-x 2 root root 37 Jul 29 22:16 conf
drwxr-xr-x 2 root root 255 Jul 29 22:46 conf.d
drwxr-xr-x 2 root root 165 Jul 29 22:43 conf.modules.d
lrwxrwxrwx 1 root root 19 Jul 28 11:49 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 29 Jul 28 11:49 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 10 Jul 28 11:49 run -> /run/httpd
drwxr-xr-x 2 root root 6 Jul 29 23:02 ssl
[root@web1 httpd]# (umask 077; openssl genrsa 1024 > /etc/httpd/ssl/httpd_key.pem)
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
[root@web1 httpd]# ll ssl
total 4
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 5. Generate the certificate signing request on the httpd server
[root@web1 httpd]# openssl req -new -key /etc/httpd/ssl/httpd_key.pem -out /etc/httpd/ssl/httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 httpd]# ll ssl
total 8
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 6. The httpd server sends the CSR to the CA host
[root@web1 httpd]# scp -P 37777 ssl/httpd_csr.pem [email protected]:~/
[email protected]'s password:
httpd_csr.pem 100% 655 275.9KB/s 00:00
[root@center CA]# mv /home/xlc/httpd_csr.pem /etc/pki/CA/certs/
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 xlc xlc 655 Jul 29 23:11 httpd_csr.pem
[root@center CA]# chown root:root /etc/pki/CA/certs/httpd_csr.pem
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 7. Sign the CSR into a certificate (crt) on the CA host
[root@center CA]# openssl ca -in /etc/pki/CA/certs/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
            Not Before: Jul 29 15:16:20 2018 GMT
            Not After : Jul 29 15:16:20 2019 GMT
            countryName = CN
            stateOrProvinceName = GUANGDONG
            organizationName = xlc
            organizationalUnitName = devops
            commonName =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Jul 29 15:16:20 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@center CA]# ll certs/
total 8
-rw-r--r-- 1 root root 3078 Jul 29 23:16 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 8. The CA host delivers the signed certificate to the httpd server
[root@center CA]# scp -P 37777 certs/httpd_crt.pem [email protected]:~/
The authenticity of host '[]:37777 ([]:37777)' can't be established.
ECDSA key fingerprint is SHA256:wzY0qfeE6RuadsJGxl4+808KAv7mKRR8sbdXEFIYZOc.
ECDSA key fingerprint is MD5:78:f2:b3:f9:e7:4c:1e:5e:06:46:c6:64:35:37:97:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[]:37777' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd_crt.pem 100% 3078 919.8KB/s 00:00
[root@web1 httpd]# mv /home/xlc/httpd_crt.pem ssl/
[root@web1 httpd]# ll ssl/
total 12
-rw-r--r-- 1 xlc xlc 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
[root@web1 httpd]# chown root:root ssl/httpd_crt.pem
[root@web1 httpd]# ll ssl
total 12
-rw-r--r-- 1 root root 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 9. Edit ssl.conf
DocumentRoot "/home/www"
DirectoryIndex index.html
<Directory "/home/www">
    Options None
    AllowOverride None
    Require all granted
</Directory>
<Location /server-status>
    SetHandler server-status
    Require ip
</Location>
SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem
+ 10. Restart the service
[root@web1 conf.d]# httpd -t
Syntax OK
[root@web1 conf.d]# !sys
systemctl restart httpd.service
[root@web1 conf.d]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:*
LISTEN 0 100 *:*
LISTEN 0 128 :::443 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 100 ::1:25 :::*
+ 11. Import the CA certificate from the certificate authority into the browser
    + Import cacert.pem into Trusted Root Certification Authorities
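
Checks worth running on the issued certificate before httpd is pointed at it, as an added example that is not part of the original notes: does it chain to the CA, does it match the private key, and is the key at least 2048 bits (the 1024-bit keys generated above fail that last check). It builds a throwaway CA in a temporary directory; the subject names are constructed, and `openssl x509 -req` stands in for `openssl ca` so that no openssl.cnf database is needed.

```bash
#!/bin/bash
# Added example: audit an issued certificate before SSLCertificateFile and
# SSLCertificateKeyFile reference it. Everything lives in a temp dir; the
# subject names (demo-ca, web1.example.test) are constructed.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT

issue() {  # $1 = RSA size of the server key; throwaway CA plus one server cert
  openssl genrsa -out "$D/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$D/cakey.pem" -subj "/CN=demo-ca" -days 365 -out "$D/cacert.pem"
  openssl genrsa -out "$D/httpd_key.pem" "$1" 2>/dev/null
  openssl req -new -key "$D/httpd_key.pem" -subj "/CN=web1.example.test" -out "$D/httpd_csr.pem"
  # assumption: `x509 -req` replaces the page's `openssl ca`, so no index.txt
  # or serial file is required for the demo
  openssl x509 -req -in "$D/httpd_csr.pem" -CA "$D/cacert.pem" -CAkey "$D/cakey.pem" \
    -set_serial 1 -days 365 -out "$D/httpd_crt.pem" 2>/dev/null
}

chains_to_ca() {      # $1 = CA cert, $2 = cert: does the signature verify?
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_matches_key() {  # $1 = cert, $2 = private key: same public key in both?
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

key_bits() {          # $1 = cert: size of the certificate's public key in bits
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

audit() {             # $1 = cert, $2 = key; returns 0 only if every check passes
  local rc=0
  chains_to_ca "$D/cacert.pem" "$1" || { echo "FAIL: not signed by this CA"; rc=1; }
  cert_matches_key "$1" "$2"        || { echo "FAIL: key/cert mismatch"; rc=1; }
  [ "$(key_bits "$1")" -ge 2048 ]   || { echo "FAIL: RSA key under 2048 bits"; rc=1; }
  return $rc
}

issue 2048 && audit "$D/httpd_crt.pem" "$D/httpd_key.pem" && echo "certificate OK"
```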


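  • The client first checks the local hosts file
  • The client checks its local DNS cache
  • The client sends the resolution request to the configured ISP DNS server address
  • The ISP DNS forwards the request upward recursively
  • The ISP DNS sends the request to the root servers
  • The root passes the request to the top-level domain server, querying downward iteratively
  • The top-level domain server passes it to the second-level domain server
  • The final name server finds the result and sends it to the ISP DNS
  • The ISP DNS records it in its own database and returns the result to the client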

  • Name to IP is forward resolution, an A record
  • IP to name is reverse resolution, a PTR record

  • 万网
  • godaddy

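  • The master DNS can be changed at any time
  • The slave DNS synchronizes from the master DNS at any time
  • Master and slave can share the load
  • Serial number: database version number (serial)
  • Refresh interval: refresh
  • Retry interval: retry
  • Expiry time: expire
  • The master can also notify the slaves to synchronize data at any time
  • Synchronization modes: full, incremental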

  • Zone
  • Domain: has forward zones and reverse zones

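  • Resource record: rr
  • A: address
  • AAAA: address, IPv6
  • PTR: reverse resolution
  • SOA: start of authority
  • NS: name service, domain name resolution
  • CNAME: canonical name, alias
  • MX: mail exchange, 0-99; the smaller the number, the lower the priority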

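  • name [ttl] IN RR_TYPE value
  • An SOA record is required and must be the first record
  • The SOA value includes:
    • Zone name
    • Administrator e-mail address; @ cannot be used, a dot replaces it
    • (serial; refresh; retry; expire; negative answer ttl), with time units H M W D
  • ttl can be inherited
  • A trailing . must be added at the end
  • @ denotes the zone
  • For adjacent records with the same name, the name can be omitted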


  • Slave server:
    • 1. Define the zone
    • 2. Reload the configuration
[root@python ~]# tail -6 /etc/named.rfc1912.zones
zone "" IN {
        type slave;
        file "slaves/";
        masters {; };
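  • Master server:
    • Make sure the slave server has an NS record and an A record
    • After a change, increment serial by 1 and reload the configuration
    • Manual transfer: dig -t axfr <domain name>
    • Keep the clocks in sync with ntpdate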
[root@center ~]# cat /var/named/
$TTL 3600
@ IN SOA (
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 10 mx2
ns1 IN A
ns2 IN A
www IN A
www IN A
web IN CNAME www
mx1 IN A
mx2 IN A
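
A pre-reload check for the master, as an added example that is not part of the original notes: it reads the SOA serial from a zone file, confirms the SOA is the first record, and reports an edit that forgot to increment the serial. The zone contents (example.test, 192.0.2.x) are constructed, and the serial is assumed to be the first bare integer after the SOA names.

```bash
#!/bin/bash
# Added example: lint a zone file before reloading the master.
# Zone text below is constructed (example.test, 192.0.2.0/24 documentation range).
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT

soa_serial() {    # $1 = zone file; prints the SOA serial
  awk '{ sub(/;.*/, "") }                       # drop comments
       !soa && /[ \t]SOA[ \t]/ { soa = 1        # cut "name IN SOA mname rname"
           sub(/.*[ \t]SOA[ \t]+[^ \t]+[ \t]+[^ \t(]+/, "") }
       soa { gsub(/[()]/, " ")                  # serial = first bare integer
             for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

soa_is_first() {  # the first record after $-directives must be the SOA
  awk '{ sub(/;.*/, "") } /^[ \t]*$/ || /^\$/ { next }
       { ok = ($0 ~ /[ \t]SOA[ \t]/); exit } END { exit !ok }' "$1"
}

serial_bumped() { # $1 = zone as currently served, $2 = edited zone
  [ "$(soa_serial "$2")" -gt "$(soa_serial "$1")" ]
}

cat > "$T/served.zone" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.test. admin.example.test. (
        2018072901 ; serial
        1H 10M 1W 1D )
    IN NS ns1
ns1 IN A  192.0.2.1
www IN A  192.0.2.10
EOF
# constructed edit: the www address changes but the serial is left alone
sed 's/192\.0\.2\.10/192.0.2.20/' "$T/served.zone" > "$T/edited.zone"
serial_bumped "$T/served.zone" "$T/edited.zone" ||
  echo "serial not incremented: slaves will keep serving the old data"
```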


  • In views, define a zone for China Unicom users and a zone for China Telecom users
view "internal" {
    match-clients {; };
    zone "" {

