先假设自己是一个CA,而且是一个root CA,Cliu8CA
生成一个CA的private key
openssl genrsa -out caprivate.key 1024
当然可以跟密码
openssl genrsa -out caprivatepass.key 1024 -des3 -passout hello:world 1024
CA有一个certificate,里面放着CA的public key,要生成这个certificate,则需要写一个certificate request
# openssl req -key caprivate.key -new -out cacertificate.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Cliu8CA
Locality Name (eg, city) []:Cliu8CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cliu8CA
Organizational Unit Name (eg, section) []:Cliu8CA
Common Name (e.g. server FQDN or YOUR name) []:Cliu8CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
查看证书请求
# openssl req -in cacertificate.req -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c5:f1:aa:1e:01:04:1b:a5:dd:7a:ef:c3:7d:2a:
9c:73:b6:46:bb:f8:be:90:9d:3f:d8:d7:d6:d5:8b:
a5:17:e3:aa:e5:37:bd:cd:fb:da:84:ce:0b:38:56:
b4:19:6d:f6:11:32:bb:e5:77:2d:75:39:49:a0:2a:
6c:fd:ed:39:0d:b5:59:bc:60:09:c6:5f:06:a0:aa:
53:a5:3b:94:ad:08:a7:13:99:1b:c4:e4:38:79:07:
9e:fd:c1:2d:db:ab:f6:2e:d3:2c:51:24:56:e3:3f:
60:fd:e4:b5:6b:1b:ff:f2:8b:83:7d:11:a1:10:d6:
85:75:ed:0d:76:69:7a:ac:77
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
2b:c2:3d:f6:ff:a3:2a:c0:a3:f4:3c:81:6f:a6:bd:fd:17:58:
39:a5:de:07:f0:0a:19:3f:ad:4f:2a:5e:c8:60:da:41:5d:67:
82:cd:08:ef:36:72:b1:25:79:ed:ce:54:9c:12:f8:ba:5d:73:
cf:99:f1:a9:39:af:7a:d0:fa:fa:97:0d:1b:c1:2d:14:6c:d1:
bf:c4:b2:16:76:d8:99:cd:96:dd:99:1b:e1:90:64:e6:9a:51:
ac:ad:27:3a:b3:e0:df:7d:c5:28:89:7b:5f:f8:5a:4c:c1:0d:
ad:d6:b8:a0:9f:fa:68:1f:93:a7:dd:90:de:58:ee:87:23:8a:
b2:d8
-----BEGIN CERTIFICATE REQUEST-----
MIIBpzCCARACAQAwZzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0NsaXU4Q0ExEDAO
BgNVBAcMB0NsaXU4Q0ExEDAOBgNVBAoMB0NsaXU4Q0ExEDAOBgNVBAsMB0NsaXU4
Q0ExEDAOBgNVBAMMB0NsaXU4Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AMXxqh4BBBul3Xrvw30qnHO2Rrv4vpCdP9jX1tWLpRfjquU3vc372oTOCzhWtBlt
9hEyu+V3LXU5SaAqbP3tOQ21WbxgCcZfBqCqU6U7lK0IpxOZG8TkOHkHnv3BLdur
9i7TLFEkVuM/YP3ktWsb//KLg30RoRDWhXXtDXZpeqx3AgMBAAGgADANBgkqhkiG
9w0BAQsFAAOBgQArwj32/6MqwKP0PIFvpr39F1g5pd4H8AoZP61PKl7IYNpBXWeC
zQjvNnKxJXntzlScEvi6XXPPmfGpOa960Pr6lw0bwS0UbNG/xLIWdtiZzZbdmRvh
kGTmmlGsrSc6s+DffcUoiXtf+FpMwQ2t1rign/poH5On3ZDeWO6HI4qy2A==
-----END CERTIFICATE REQUEST-----
这个证书请求需要更高级的CA用它的private key对这个证书请求进行签发,方才能被大家公认(如果大家相信的是更高级的CA,则可以用更高级的CA的certificate审核这个证书)
由于这里的CA是root CA,没有更高级的CA了,所以要进行自签发,用自己的private key对自己的certificate请求进行签发
# openssl x509 -req -in cacertificate.req -signkey caprivate.key -out cacertificate.pem
Signature ok
subject=/C=CN/ST=Cliu8CA/L=Cliu8CA/O=Cliu8CA/OU=Cliu8CA/CN=Cliu8CA
Getting Private key
查看证书内容
# openssl x509 -in cacertificate.pem -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13213819544855395531 (0xb760eaddc1383ccb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
Validity
Not Before: Jul 14 18:35:36 2014 GMT
Not After : Aug 13 18:35:36 2014 GMT
Subject: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c5:f1:aa:1e:01:04:1b:a5:dd:7a:ef:c3:7d:2a:
9c:73:b6:46:bb:f8:be:90:9d:3f:d8:d7:d6:d5:8b:
a5:17:e3:aa:e5:37:bd:cd:fb:da:84:ce:0b:38:56:
b4:19:6d:f6:11:32:bb:e5:77:2d:75:39:49:a0:2a:
6c:fd:ed:39:0d:b5:59:bc:60:09:c6:5f:06:a0:aa:
53:a5:3b:94:ad:08:a7:13:99:1b:c4:e4:38:79:07:
9e:fd:c1:2d:db:ab:f6:2e:d3:2c:51:24:56:e3:3f:
60:fd:e4:b5:6b:1b:ff:f2:8b:83:7d:11:a1:10:d6:
85:75:ed:0d:76:69:7a:ac:77
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
16:61:a5:1f:c9:3c:0f:84:48:e4:52:2f:23:06:bf:c7:2c:29:
17:ed:26:e0:b8:1a:0e:d1:9b:bb:f7:57:1a:bd:f3:41:75:b1:
ed:d1:44:ea:b6:a8:4d:f4:17:82:af:d7:1d:e8:4f:82:fc:bb:
87:9b:74:a2:2a:2d:16:8b:26:5b:bf:60:10:ee:2d:0d:e0:d3:
0e:30:9e:12:1e:2b:12:34:3d:e8:7f:db:0b:05:8b:52:ba:e6:
36:97:2d:df:72:90:23:16:4e:ab:e4:6a:d1:0b:92:4f:84:ef:
3e:8f:ec:f7:8f:c2:11:81:c2:e8:aa:57:35:61:20:11:6b:d4:
b5:ef
CA的证书和private key应该是一对
我们首先获取certificate中public key的RSA模
# openssl x509 -in cacertificate.pem -noout -modulus
Modulus=C5F1AA1E01041BA5DD7AEFC37D2A9C73B646BBF8BE909D3FD8D7D6D58BA517E3AAE537BDCDFBDA84CE0B3856B4196DF61132BBE5772D753949A02A6CFDED390DB559BC6009C65F06A0AA53A53B94AD08A713991BC4E43879079EFDC12DDBABF62ED32C512456E33F60FDE4B56B1BFFF28B837D11A110D68575ED0D76697AAC77
然后获取private key的RSA模
# openssl rsa -in caprivate.key -noout -modulus
Modulus=C5F1AA1E01041BA5DD7AEFC37D2A9C73B646BBF8BE909D3FD8D7D6D58BA517E3AAE537BDCDFBDA84CE0B3856B4196DF61132BBE5772D753949A02A6CFDED390DB559BC6009C65F06A0AA53A53B94AD08A713991BC4E43879079EFDC12DDBABF62ED32C512456E33F60FDE4B56B1BFFF28B837D11A110D68575ED0D76697AAC77
应该是一致的
下面假设自己是一个普通的机构Cliu8Site
这个普通的机构需要有自己的private key
openssl genrsa -out cliu8siteprivate.key 1024
也需要一个证书,里面放自己的public key,需要一个证书请求
# openssl req -key cliu8siteprivate.key -new -out cliu8sitecertificate.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Cliu8Site
Locality Name (eg, city) []:Cliu8Site
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cliu8Site
Organizational Unit Name (eg, section) []:Cliu8Site
Common Name (e.g. server FQDN or YOUR name) []:Cliu8Site
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
要使得这个证书被认可,则需要一个CA对这个证书进行签名,我们用上面的Cliu8CA的private key对他进行签名
其实这个过程是Cliu8Site这个普通网站,将自己的请求发送给Cliu8CA后,由Cliu8CA来做的,只有Cliu8CA才有自己的private key
# openssl x509 -req -in cliu8sitecertificate.req -CA cacertificate.pem -CAkey caprivate.key -out cliu8sitecertificate.pem -CAcreateserial
Signature ok
subject=/C=CN/ST=Cliu8Site/L=Cliu8Site/O=Cliu8Site/OU=Cliu8Site/CN=Cliu8Site
Getting CA Private Key
查看这个证书
# openssl x509 -in cliu8sitecertificate.pem -noout -text Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9637235651545248876 (0x85be56c3cb15b46c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
Validity
Not Before: Jul 14 18:53:42 2014 GMT
Not After : Aug 13 18:53:42 2014 GMT
Subject: C=CN, ST=Cliu8Site, L=Cliu8Site, O=Cliu8Site, OU=Cliu8Site, CN=Cliu8Site
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e0:53:64:76:ae:f2:30:83:24:ae:0e:b6:a0:88:
9b:e9:c0:a1:8a:81:f4:ad:0c:79:ac:e0:52:94:2f:
56:91:09:8c:ec:a8:8b:9b:1a:f9:37:68:dd:57:63:
06:ec:5f:90:54:d0:8c:3a:da:c5:04:7e:15:b6:32:
c9:2d:f3:c5:4f:c8:a7:f6:0a:99:24:a6:85:9f:79:
48:c0:7e:8b:b4:58:be:f7:3f:45:a5:a8:eb:ed:dd:
e1:6a:95:bd:a4:12:47:ed:02:11:9a:36:28:52:43:
3b:6d:33:fe:25:ce:f9:b6:b3:23:e1:e6:a5:5c:65:
03:4f:24:03:1a:14:fb:d2:21
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
35:df:de:b9:aa:6b:d0:f9:4f:c6:3f:ba:6d:de:4b:5a:a3:88:
b1:9f:dd:75:c7:4a:7a:58:84:3b:aa:3e:fb:7b:f1:78:c6:19:
65:43:94:fb:69:10:1b:3a:7f:65:61:2b:6e:33:9d:0a:92:e5:
8a:93:74:fe:ee:11:cf:8e:85:37:da:14:db:32:f9:4d:3d:e6:
c3:21:5e:e8:c9:50:85:71:b4:16:60:4b:04:87:df:84:60:4a:
49:66:a9:69:30:a9:f5:90:95:34:6c:49:23:68:42:16:ef:b1:
91:e8:60:b8:de:29:d8:aa:10:63:8c:99:05:14:b8:c9:be:c5:
a7:79
从这个证书我们可以看到,它是Cliu8CA颁发给Cliu8Site的
Cliu8Site的certificate和public key是应该相互匹配的
root@popsuper1982:/home/cliu8/keys# openssl x509 -in cliu8sitecertificate.pem -noout -modulus Modulus=E0536476AEF2308324AE0EB6A0889BE9C0A18A81F4AD0C79ACE052942F5691098CECA88B9B1AF93768DD576306EC5F9054D08C3ADAC5047E15B632C92DF3C54FC8A7F60A9924A6859F7948C07E8BB458BEF73F45A5A8EBEDDDE16A95BDA41247ED02119A362852433B6D33FE25CEF9B6B323E1E6A55C65034F24031A14FBD221
root@popsuper1982:/home/cliu8/keys# openssl rsa -in cliu8siteprivate.key -noout -modulus Modulus=E0536476AEF2308324AE0EB6A0889BE9C0A18A81F4AD0C79ACE052942F5691098CECA88B9B1AF93768DD576306EC5F9054D08C3ADAC5047E15B632C92DF3C54FC8A7F60A9924A6859F7948C07E8BB458BEF73F45A5A8EBEDDDE16A95BDA41247ED02119A362852433B6D33FE25CEF9B6B323E1E6A55C65034F24031A14FBD221
证书链的验证过程
假设我是一个普通用户,要访问网站Cliu8Site,通过https协议
Cliu8Site会用自己的private key cliu8siteprivate.key加密数据,传给我,我接收到数据后,需要用Cliu8Site的public key进行解密
这个时候Cliu8Site会把它的certificate cliu8sitecertificate.pem通过浏览器传给我,里面就有public key。
但是我怎么能够相信这个certificate呢?我不相信,需要更高的权威机构
我查看cliu8sitecertificate.pem,发现这个certificate是由Cliu8CA进行签发的,所谓签发,也即用Cliu8CA的private key caprivate.key进行的签名。所以我要从Cliu8CA的网站上下载它的certificate,cacertificate.pem,里面包含这public key,我们用这个public key来解签名
# openssl verify -CAfile cacertificate.pem cliu8sitecertificate.pem
cliu8sitecertificate.pem: OK
哦,我明白了,Cliu8CA可以证明cliu8sitecertificate.pem是一个对的certificate,里面的public key是可以信任的,你是可以用它来解密Cliu8Site发来的数据。
但是问题来了,我能相信Cliu8CA这个机构么?
我查看cacertificate.pem,发现它是自签名的,也即是一个root certificate,没有一个更高的机构为它证明了。
如果我相信Cliu8CA这个机构,那么我解密Cliu8Site的数据,接着进行我们之间的信息交互。
如果我不相信Cliu8CA这个机构,在交互到此为止。
当然有的时候,我们发现Cliu8CA这个机构的证书是更高权威机构签名的,比如是BeijingPoliceOffice签发的,如果你相信他,你就可以进行访问。这就是证书链。