• Openssl


       当你向certificate authority (CA) 申请 证书的时候,你需要提供 Certificate Signing Requests (CSRs) 文件,CSR文件可以通过Openssl 生成。CSR 文件中保存着公钥(非对称加密的一对钥匙)和一些其他的信息,这些信息都将写入到签发的证书中。

            生成CSR文件时,需要你输入一些信息 这些信息被称为 Distinguised Name (DN)。这些信息中最重要的信息是 Common Name (CN),是你要使用这个证书的服务器的域名(如果你用ip 访问,写ip)。其他的一些信息 看下边:

        如何你是提供给CA  获得 CA-signed SSL certificate,需要把信息写完整。如何你是self-signed SSL certificate,许多的信息可用不填。中文好像不支持(不确定)

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:New York
    Locality Name (eg, city) []:Brooklyn
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company
    Organizational Unit Name (eg, section) []:Technology Division
    Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com
    Email Address []:
    

    What is contained in a CSR?

    NameExplanationExamples
    Common Name The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error.

    *.google.com
    mail.google.com

    Organization The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Google Inc.
    Organizational Unit The division of your organization handling the certificate. Information Technology
    IT Department
    City/Locality The city where your organization is located. Mountain View
    State/County/Region The state/region where your organization is located. This shouldn't be abbreviated. California
    Country The two-letter ISO code for the country where your organization is location. US
    GB
    Email address An email address used to contact your organization. webmaster@google.com
    Public Key The public key that will go into the certificate. The public key is created automatically

    信息中包含的公钥是自动生成的。

    生成自签发服务器端证书

    1.  生成服务器端密钥

    openssl genrsa -des3 -out server.key 4096

    2. 有1.中生成服务器端密钥 server.key 生成csr证书签发请求文件

     openssl req -new -key server.key -out server.csr

     可以通过文本形式查看内容:

      openssl req -in server.csr -noout -text
    3. 生成证书

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    SSL 工作工程大致如下:
       1. Client connects to web server and gives a list of available ciphers.
       2. Server picks the strongest cipher that both it and the client support, and sends back a certificate with its name and public encryption key, signed by a trusted Certificate Authority (such as Verisign).
       3.The client checks the certificate with the CA. In practice, clients tend to have a collection of CAs locally, so this can be done without having to contact the CA in realtime, and therefore more quickly.
       4.The client sends back a random number encrypted with the server's public key. Only the client knows the number, and only the server can decrypt it (using its private key); this is where the third-party security comes in.
       5. Server and client use this random number to generate key material to use for the rest of the transaction.

    How SSL Uses both Asymmetric and Symmetric Encryption

    Public Key Infrastructure (PKI) is the set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates. PKI is also what binds keys with user identities by means of a Certificate Authority (CA). PKI uses a hybrid cryptosystem and benefits from using both types of encryption. For example, in SSL communications, the server’s SSL Certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the SSL Handshake is symmetric. This is explained further in the diagram below.
    Browser Server Communication
        Server sends a copy of its asymmetric public key.
        Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
        Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
        Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser was to connect to the same server the next day, a new session key would be created.

     在客户端的浏览器中预装了许多的CAs,这样的话能更快的完成身份认证。

     生成CA,通过CA 签发其他的证书,这样还可用CA 签发一些二级域名的证书,客户端只要按照有CA就可以完成认证。

    参考:

    Creating Certificate Authorities and self-signed SSL certificates

  • 相关阅读:
    搞笑的菜名
    sad news
    转载:比尔盖茨给adobe CEO的五点意见(歪版)/ 很搞笑 ;)
    [ZZ]TDSCDMA试商用网已经建成 开始向用户放号
    关于Java IDE
    候捷要来南京了吗?
    读书笔记:《Java2 教程》(二)
    [ZZ]当今世界十大定律
    久违了,博客园
    解决小型局域网中xp系统的机器不能共享资源的问题
  • 原文地址:https://www.cnblogs.com/igoogleyou/p/openssl.html
Copyright © 2020-2023  润新知