当你向certificate authority (CA) 申请 证书的时候,你需要提供 Certificate Signing Requests (CSRs) 文件,CSR文件可以通过Openssl 生成。CSR 文件中保存着公钥(非对称加密的一对钥匙)和一些其他的信息,这些信息都将写入到签发的证书中。
生成CSR文件时,需要你输入一些信息 这些信息被称为 Distinguised Name (DN)。这些信息中最重要的信息是 Common Name (CN),是你要使用这个证书的服务器的域名(如果你用ip 访问,写ip)。其他的一些信息 看下边:
如何你是提供给CA 获得 CA-signed SSL certificate,需要把信息写完整。如何你是self-signed SSL certificate,许多的信息可用不填。中文好像不支持(不确定)
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:Brooklyn Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Brooklyn Company Organizational Unit Name (eg, section) []:Technology Division Common Name (e.g. server FQDN or YOUR name) []:examplebrooklyn.com Email Address []:
What is contained in a CSR?
Name | Explanation | Examples |
---|---|---|
Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. |
*.google.com |
Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | Google Inc. |
Organizational Unit | The division of your organization handling the certificate. | Information Technology IT Department |
City/Locality | The city where your organization is located. | Mountain View |
State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California |
Country | The two-letter ISO code for the country where your organization is location. | US GB |
Email address | An email address used to contact your organization. | webmaster@google.com |
Public Key | The public key that will go into the certificate. | The public key is created automatically |
信息中包含的公钥是自动生成的。
生成自签发服务器端证书
1. 生成服务器端密钥
openssl genrsa -des3 -out server.key 4096
2. 有1.中生成服务器端密钥 server.key 生成csr证书签发请求文件
openssl req -new -key server.key -out server.csr
可以通过文本形式查看内容:
openssl req -in server.csr -noout -text
3. 生成证书
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
SSL 工作工程大致如下:
1. Client connects to web server and gives a list of available ciphers.
2. Server picks the strongest cipher that both it and the client support, and sends back a certificate with its name and public encryption key, signed by a trusted Certificate Authority (such as Verisign).
3.The client checks the certificate with the CA. In practice, clients tend to have a collection of CAs locally, so this can be done without having to contact the CA in realtime, and therefore more quickly.
4.The client sends back a random number encrypted with the server's public key. Only the client knows the number, and only the server can decrypt it (using its private key); this is where the third-party security comes in.
5. Server and client use this random number to generate key material to use for the rest of the transaction.
How SSL Uses both Asymmetric and Symmetric Encryption
Public Key Infrastructure (PKI) is the set of hardware, software, people, policies, and procedures that are needed to create, manage, distribute, use, store, and revoke digital certificates. PKI is also what binds keys with user identities by means of a Certificate Authority (CA). PKI uses a hybrid cryptosystem and benefits from using both types of encryption. For example, in SSL communications, the server’s SSL Certificate contains an asymmetric public and private key pair. The session key that the server and the browser create during the SSL Handshake is symmetric. This is explained further in the diagram below.
Browser Server Communication
Server sends a copy of its asymmetric public key.
Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser was to connect to the same server the next day, a new session key would be created.
在客户端的浏览器中预装了许多的CAs,这样的话能更快的完成身份认证。
生成CA,通过CA 签发其他的证书,这样还可用CA 签发一些二级域名的证书,客户端只要按照有CA就可以完成认证。
参考:
Creating Certificate Authorities and self-signed SSL certificates