• 公私钥、CA证书生成


    公私钥、证书生成

    本文以Linux系统为例模拟CA生成http服务器的认证证书

    http服务器操作

    1.生成私钥

    使用OpenSSL工具生成服务器私钥key文件

    [nginx@nginx-node01 ~]$ openssl genrsa 1024 >> $HOSTNAME.key  
    Generating RSA private key, 1024 bit long modulus
    .................++++++
    ...........................++++++
    e is 65537 (0x10001)
    [nginx@nginx-node01 ~]$ ls
    nginx-node01.key
    

    2.生成证书预签csr文件

    [nginx@nginx-node01 ~]$ openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:kov
    Organizational Unit Name (eg, section) []:Dev
    Common Name (eg, your name or your server's hostname) []:www.kov.com
    Email Address []:sys@kov.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [nginx@nginx-node01 ~]$ ls
    nginx-node01.csr  nginx-node01.key
    

    CA服务器操作

    1.创建所需要的文件

    touch /etc/pki/CA/index.txt 生成证书索引数据库文件
    echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号  
    

    2.生成CA私钥

    [root@ca ~]# hostname
    ca
    [root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
    

    3. CA生成自签证书

    [root@ca private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:kov
    Organizational Unit Name (eg, section) []:Dev
    Common Name (eg, your name or your server's hostname) []:xx.kov.com
    Email Address []:xx@kov.com
    

    4.CA签署证书

    将http服务器证书预签csr文件发给CA,由CA对服务器的预签文件csr进行签署,最后得到最终证书文件crt。(默认国家,省,公司名称三项必须和CA一致)

    [root@ca private]# openssl ca -in /root/nginx-node01.csr -out /etc/pki/CA/certs/nginx-node01.crt -days 365    
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 13 15:31:40 2020 GMT
                Not After : Jul 13 15:31:40 2021 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = henan
                organizationName          = kov
                organizationalUnitName    = Dev
                commonName                = www.kov.com
                emailAddress              = sys@kov.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    81:DB:3C:4E:6D:0E:BD:5A:78:2D:F2:86:62:CD:B3:03:45:F1:AB:F3
                X509v3 Authority Key Identifier: 
                    keyid:DF:B4:69:95:C5:71:44:EE:0B:9C:2E:CB:1C:CD:37:E3:0E:FD:AC:E8
    
    Certificate is to be certified until Jul 13 15:31:40 2021 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    

    5.验证私钥、证书是否匹配

    验证ca签署的http服务器证书文件nginx-node01.crt和http服务器私钥nginx-node01.key是否匹配

    openssl rsa  -noout -modulus -in nginx-node01.key |openssl md5
    openssl x509 -noout -modulus -in nginx-node01.crt |openssl md5
    

    配置Nginx验证https

    参考《Nginx配置4 Https配置》

    补充

    CA签署指定域名证书

    生成证书签署扩展文件

    [root@ca CA]# cat kov.ext 
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName=@SubjectAlternativeName
    
    [ SubjectAlternativeName ]
    DNS.1=kov.com
    DNS.2=www.kov.com
    
    

    重新签署证书

    [root@ca ~]# openssl x509 -req -in /root/nginx-node01.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out nginx-node01.crt -days 3650 -sha256 -extfile  kov.ext
    
  • 相关阅读:
    阿里云服务器常见问题记录
    npm 常见错误记录
    C程序设计(第四版)课后习题完整版 谭浩强编著
    博客如何快速让百度谷歌等各大引擎收录
    python itertools 用法
    python中dict的fromkeys用法
    python解析XML
    flask+uwsgi+nginx+docker-compose部署
    python的构建工具setup.py
    python判断字符串类型
  • 原文地址:https://www.cnblogs.com/elfcafe/p/13298462.html
Copyright © 2020-2023  润新知