使用 Openssl 备忘录

最新推荐文章于 2023-09-18 15:00:09 发布
最新推荐文章于 2023-09-18 15:00:09 发布
阅读量569 收藏
点赞数
分类专栏: 备忘 文章标签: bash linux 开发语言
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Kgong/article/details/129475593
版权

Openssl 创建 certificates

创建 self-signed 证书

“certificate authority” 要创建一个自己的证书来签名别的 server 证书

  1. 创建 CAprivate keyself-signed certificate
openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem
  • req: request 请求创建
  • -x509: 用来告知 openssl 输出一个 x509 格式的 public key certificate,而不是创建一个 CSR。
  • -newkey: 用来告知 openssl 使用 rsa 4096 bit key 来创建 private key。
  • -days: 用来告知 openssl certificate 的有效期。
  • pem: 常用格式后缀。

命令执行过程中会要求设置密码,用于保护 ca-key.pem private key。同时会需要输入一些身份信息,其中比较重要的是 Common Name(Domain name)用于后续的访问。如下

 openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem
Generating a 4096 bit RSA private key
..........................................................++
..............................................................................................................................++
writing new private key to 'ca-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) []:CY
Organization Name (eg, company) []:GOV
Organizational Unit Name (eg, section) []:SEC
Common Name (eg, fully qualified host name) []:*.test.com
Email Address []:

cat 一下 ca-key.pem,可以看到 ENCRYPTED PRIVATE KEY

 cat ca-key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIvFS8k4gUo4ECAggA
MB0GCWCGSAFlAwQBKgQQBpr4eUDvLnLDM/vByHSJxgSCCVAMn4NTiA5PKYpvbGfI
...
z2bl5JB7l32UU1nlgql3b5m+6w==
-----END ENCRYPTED PRIVATE KEY-----

cat 一下 ca-cert.pem,可以看到 crt 并没有 ENCRYPTED,只是 base64 了一下。因为 ca-cert.pem 只包含 public key,身份信息,和 signature。这些都是一些公开的信息。

 cat ca-cert.pem
-----BEGIN CERTIFICATE-----
MIIFLDCCAxQCCQCO9xL3XIFtpTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJD
TjELMAkGA1UECAwCQkoxCzAJBgNVBAcMAkNZMQwwCgYDVQQKDANHT1YxDDAKBgNV
...
zF5g86JXkox1GzAYaU3VCzGaH+hbKZFZFiz7T2f/VWA=
-----END CERTIFICATE-----

ca-cert.pem 信息可以使用 openssl x509 命令查看。
openssl x509 -in ca-cert.pem -noout -text

  • -noout:告知 openssl 不用输出 base64 后的值。
  • -text:告知 openssl 输出 readable text 格式。
 openssl x509 -in ca-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10301723526251507109 (0x8ef712f75c816da5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=CY, O=GOV, OU=SEC, CN=*.test.com
        Validity
            Not Before: Mar 12 06:59:43 2023 GMT
            Not After : Mar 11 06:59:43 2024 GMT
        Subject: C=CN, ST=BJ, L=CY, O=GOV, OU=SEC, CN=*.test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bb:3c:ab:8f:2c:2f:61:04:f2:a1:48:02:0c:48:
                    85:9d:35:2e:7f:58:a3:db:0f:af:11:ac:3d:44:34:
                    0d:12:3e:c7:25:9b:8c:93:06:5b:c8:a1:ee:12:4d:
                    e2:c5:0b:07:2f:46:b8:e8:3d:a5:97:da:27:88:1f:
                    01:b1:59:79:91:56:e6:c6:a0:1e:95:12:1c:0c:a3:
                    54:dd:ce:45:d1:2b:61:98:ef:c1:41:c2:f9:c9:4c:
                    b6:5b:54:43:00:9c:87:8a:73:c4:8e:ca:28:8c:f1:
                    29:2a:a4:8b:6e:c4:86:fb:56:fe:17:a4:e0:9b:b1:
                    a5:f0:8f:8f:a8:5a:bb:8f:81:da:e4:39:e9:44:0c:
                    dd:f4:d2:29:13:3d:73:ce:4a:82:90:70:c5:c5:9a:
                    20:cf:d5:48:a3:13:2a:bb:09:8a:d8:ae:76:3c:af:
                    1d:e8:80:e2:a6:48:f2:55:8c:27:4c:19:08:d1:a0:
                    da:d1:70:c4:d9:90:b5:df:8f:4c:e1:26:3e:2d:48:
                    4f:a1:28:42:0e:4e:02:34:f3:cb:9f:6b:23:e6:33:
                    fd:64:6c:4d:77:45:09:97:42:5c:cb:71:de:94:49:
                    41:27:28:30:dd:c9:7f:35:08:a5:6f:2b:ea:35:f2:
                    77:3a:a7:a3:71:75:9b:60:d4:59:31:3f:08:44:af:
                    aa:00:4b:c9:d7:21:02:77:e9:9f:f8:47:f5:84:cd:
                    ff:9c:aa:bd:66:d3:53:fa:7e:60:07:c3:a7:f5:f9:
                    b3:dd:25:3c:4f:7f:95:62:72:f4:9b:0f:e4:f2:09:
                    74:96:a7:96:33:4a:fd:51:3b:f3:51:f2:41:97:51:
                    51:c6:fe:95:25:97:fc:15:22:51:79:78:b7:a3:f3:
                    e6:2d:69:49:1b:18:02:99:20:8e:fd:c8:86:ac:d8:
                    ab:fa:cf:1e:43:1c:be:c2:1f:a2:61:0d:3c:11:6f:
                    06:b6:36:c1:20:83:ef:4d:e8:e5:8c:cd:f9:fd:cf:
                    b2:1a:9d:09:99:94:2d:d6:0c:bf:88:6a:03:f8:6d:
                    20:94:48:f5:6e:74:cf:ba:7b:d4:f7:a1:29:7e:95:
                    60:1f:ed:2b:e4:54:2c:d3:dd:67:a4:b9:af:30:55:
                    b1:74:c7:f8:05:7b:d2:f4:8f:ac:4c:cc:27:de:1d:
                    4a:89:09:80:f1:3d:3d:ba:92:c0:71:50:3f:7a:08:
                    d8:10:49:4d:69:b2:74:1e:b6:34:06:c3:19:6f:ba:
                    24:75:97:bc:40:f4:6a:13:50:c8:fe:e9:c8:b8:10:
                    94:af:f5:57:8d:3c:38:2e:2a:4d:b4:03:58:ed:8c:
                    1d:86:ce:61:15:69:14:1f:bc:d0:b6:86:34:86:4b:
                    1d:69:91
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         2f:7d:64:1d:6f:45:58:7a:d9:13:ec:d5:22:31:95:87:58:d4:
         2e:ae:e9:0e:7f:d1:c9:ce:57:e2:b8:38:e0:c5:c7:f9:03:23:
         ca:4c:2d:6b:80:40:51:71:5d:87:2e:29:c2:cd:a9:72:08:10:
         1e:86:10:bf:4d:b7:9a:69:61:78:90:97:7a:8c:c1:8b:48:fc:
         b0:d7:e5:96:c6:6a:3f:b7:3d:41:91:20:0e:2b:d2:16:60:a8:
         56:03:c5:10:f8:ed:14:b9:1e:8f:6b:b2:2f:e9:2d:fe:ea:25:
         15:85:6c:65:51:96:f8:c3:99:66:72:c5:d9:93:bf:b4:c4:4d:
         32:21:dd:84:68:c7:d7:69:ca:6b:26:cd:83:39:11:6e:56:ae:
         90:2e:f8:0e:3b:43:e1:89:9a:c7:7d:be:30:8b:13:5c:1b:5c:
         f2:b7:35:dc:e9:2c:76:fd:fa:c3:b2:ef:ba:57:2a:e1:60:a0:
         e4:62:7d:ee:ff:f7:23:4d:14:43:6e:c2:53:a2:09:ef:b3:36:
         13:31:80:42:12:17:b9:47:ef:88:e3:91:bc:af:0c:93:02:fd:
         0b:58:8d:f2:1d:b1:14:b6:8c:eb:71:22:06:c0:ec:3b:a4:d9:
         86:65:42:ca:30:b3:b2:24:fb:1d:20:55:e8:74:d8:3f:77:7e:
         11:46:aa:7e:90:17:52:69:03:fc:21:2f:6e:c4:4a:5f:25:85:
         9c:be:8b:25:f5:24:7a:83:e7:98:ee:7f:27:97:47:6e:57:68:
         84:9f:bb:07:d1:7c:2c:f6:dd:c1:6e:a4:a8:63:99:5d:96:33:
         f0:a2:91:d4:71:51:81:5d:c8:61:9f:fe:bf:1d:91:ab:fa:dd:
         67:91:15:eb:26:f1:22:58:22:ad:16:01:78:f2:14:57:fa:ec:
         ad:98:cc:be:e5:a7:24:04:2b:84:2a:22:cc:d1:e8:b6:0f:e4:
         19:8a:a4:66:15:a2:f9:c5:94:a7:4e:00:51:02:0e:2e:24:e3:
         52:e2:ce:79:34:62:1e:c2:3e:01:d5:1e:85:5b:33:07:61:83:
         00:a8:00:48:43:82:0e:7d:33:cf:79:52:36:c9:2e:87:fc:b1:
         ed:5a:34:0d:d3:41:2a:4b:e4:4b:a6:4c:fa:e4:1d:09:41:1a:
         98:92:ec:d1:40:3c:fa:55:0e:e3:9a:b4:b9:7b:f9:f0:02:0c:
         09:c3:d8:9d:04:50:f6:e4:5c:1d:d8:1c:43:ce:88:bf:b1:38:
         35:05:99:00:e1:42:dc:d7:cf:1b:e8:db:cc:5e:60:f3:a2:57:
         92:8c:75:1b:30:18:69:4d:d5:0b:31:9a:1f:e8:5b:29:91:59:
         16:2c:fb:4f:67:ff:55:60

这个证书的 IssuerSubject 一样,原因是这是我们自己 self signed CA 证书。同时可以看到 Subject Public KeySignature

如何避免交互模式

避免交互身份信息

openssl 如何避免使用interactive mode。可以使用 -subj 选项配置身份信息,但是还是需要输入 private key 的密码。
openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=BJ/L=CY/O=GOV/OU=SEC/CN=*.test.com"

openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=BJ/L=CY/O=GOV/OU=SEC/CN=*.test.com"
Generating a 4096 bit RSA private key
..............++
.......................................................................++
writing new private key to 'ca-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
避免 encrypted private key(测试使用)

-nodes 选项可以让 openssl 命令避免加密 private key

openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=BJ/L=CY/O=GOV/OU=SEC/CN=*.test.com"
Generating a 4096 bit RSA private key
....................++
......++
writing new private key to 'ca-key.pem'
-----

cat 一下 ca-key.pem,看看 private key 文件内容变化。

 cat ca-key.pem
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+z0yX8yIOlNB1
BxxG1nbarVqUuh+V4wyGBNT+Klo/Dov0iaUg6giTYVtSsYrQ+0IN8YhiezIc6e9N
...
lA8Y3j5m24j01sWZm9K8xI/plLI/dFo=
-----END PRIVATE KEY-----

可以看到这里已经不是 encrypted private,只是-----BEGIN PRIVATE KEY-----

创建 web serverprivate keycertificate signing request(CSR)

创建CA 根证书命令如下

openssl req -x509 -newkey rsa:4096 -days 365 -keyout ca-key.pem -out ca-cert.pem -subj "/C=CN/ST=BJ/L=CY/O=GOV/OU=SEC/CN=*.test.com"

对比创建 web server 的 private key 和 CSR 命令几乎和创建 CA 根证书类似,只是去掉了-x509-days 365,修改了身份信息和输出文件,如下

openssl req -newkey rsa:4096 -keyout server-key.pem -out server-req.pem -subj "/C=CN/ST=SH/L=YY/O=OV/OU=SEC/CN=*.shtest.com"

cat 一下 server-key.pem 可以看到 private key 还是 ENCRYPTED

cat server-key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIdM4hPMIR/pgCAggA
MB0GCWCGSAFlAwQBKgQQ92ZEhY0dtQ12BtIZT8aA+ASCCVC+3tpLpF1uPztSpCkt
...
jMKNNOB34KxuOtJirCCHMJ31ww==
-----END ENCRYPTED PRIVATE KEY-----

cat 一下 server-req.pem 可以看到 server-req.pemCERTIFICATE REQUEST

cat server-req.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEnjCCAoYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNIMQswCQYDVQQH
DAJZWTELMAkGA1UECgwCT1YxDDAKBgNVBAsMA1NFQzEVMBMGA1UEAwwMKi5zaHRl
...
zTYvI36Tn9F6HiRoxa4X7qanazYDKWDIvmKn9PskWY0GAg==
-----END CERTIFICATE REQUEST-----

self-signed CA 证书的 private key 签名 web server 的 certificate signing request(CSR),最后得到 signed web server certificate

openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem

  • -req: 告知 openssl 命令传入一个 certificate signing request。
  • -in: 传入certificate signing request。
  • -CA: 指定 CA 根证书。
  • -CAkey: 指定 CA 根证书的 private key
  • -CAcreateserial: 给每个 certificate 一个独有的序列号。
  • -out: 输出 web server 的 certificate。
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/C=CN/ST=SH/L=YY/O=OV/OU=SEC/CN=*.shtest.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

运行后,因为 CA 根证书的 private key 创建时候有设置密码,所以使用的时候需要同样输入 private key 的密码。

创建完 web server 的 certificate 后可以使用之前 openssl x509 命令查看

openssl x509 -in server-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11480488640831871058 (0x9f52e397b4b0d852)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=CY, O=GOV, OU=SEC, CN=*.test.com
        Validity
            Not Before: Mar 12 07:58:37 2023 GMT
            Not After : Apr 11 07:58:37 2023 GMT
        Subject: C=CN, ST=SH, L=YY, O=OV, OU=SEC, CN=*.shtest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:8f:5b:b8:a0:8e:53:ab:4e:8b:23:ee:49:7a:
                    e8:07:ec:d2:0d:11:83:65:93:dc:1b:ed:ac:81:3f:
                    5b:70:d5:6e:2d:14:f1:b1:62:92:3e:70:9e:6e:78:
                    06:43:b5:3b:c2:ed:e6:7e:f4:2f:59:c1:b9:aa:cc:
                    0b:09:a2:a0:15:90:e9:8d:da:1d:b4:73:ea:83:6a:
                    13:48:57:dc:1c:f3:45:86:e7:d8:48:98:df:ae:4d:
                    e5:7f:dc:23:54:64:58:34:28:88:39:b0:89:bc:af:
                    75:1d:6a:a3:c6:87:56:3a:4f:c9:a6:6f:d7:74:ba:
                    79:5d:9b:79:ab:dc:c7:06:c5:d9:05:9e:fa:52:d8:
                    d2:4d:95:e9:61:ec:ca:5a:1b:0e:0a:c9:09:c1:10:
                    1e:61:3f:84:99:f9:ab:c8:f1:16:65:53:ad:f2:b0:
                    4d:33:35:e9:06:30:bf:08:6e:ec:df:ac:cd:19:cc:
                    8e:62:73:8f:63:65:a3:32:35:a0:83:b8:a8:a3:f2:
                    8a:80:0f:62:82:49:7f:5c:c0:b4:c4:ec:e3:3c:4b:
                    ef:ca:fd:99:8e:67:e0:99:a5:32:2a:33:49:73:81:
                    05:e2:99:04:20:ad:a5:10:3f:f4:f4:35:d4:8e:f4:
                    6c:f5:e2:32:99:56:0c:34:c7:80:d3:4f:a2:af:fa:
                    b0:ef:1b:70:44:7a:7a:29:f6:d8:d8:05:3a:3f:b1:
                    4b:91:07:7e:36:6f:5f:83:f7:5e:6f:c4:b9:bc:c4:
                    0d:cb:57:58:99:a3:91:7e:fb:a0:93:91:4f:84:be:
                    b4:00:81:e8:94:d9:f5:c7:a4:57:b1:f3:a0:e4:71:
                    08:ad:90:0f:ea:ae:63:64:92:88:7e:44:e1:3a:f5:
                    87:9f:eb:bb:a5:b0:49:f3:99:68:38:17:ca:32:60:
                    ea:ec:ef:9d:80:05:a3:6d:bb:e5:ed:a2:c2:ae:38:
                    96:d1:e0:fa:b8:a8:ed:be:54:13:97:5d:ce:35:f1:
                    06:cb:1c:35:2d:5c:ea:2b:91:4c:99:cd:9b:da:21:
                    ec:2b:a3:ff:1d:3c:0e:9e:dc:25:c0:06:37:81:e5:
                    14:80:c5:6f:22:58:bf:25:04:00:0f:a4:6d:0c:d9:
                    e6:68:bc:f7:61:5d:04:e9:d9:c7:e7:8c:15:82:f1:
                    df:26:cc:46:1e:fb:ef:d8:96:36:c7:3e:6c:06:cb:
                    56:72:9a:d1:78:79:65:cc:b8:40:13:31:a0:6e:29:
                    e2:80:93:7d:a4:ac:73:fc:24:70:de:8c:74:9c:36:
                    91:7d:f1:5b:6c:69:37:63:3c:10:04:49:8c:17:84:
                    75:d9:0b:86:3f:1c:00:43:5b:b2:76:85:e8:bd:ed:
                    95:8d:db
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         13:c4:26:76:2e:d9:22:13:9a:41:d0:6d:45:a2:f0:06:b2:83:
         85:7b:fc:e6:34:9e:e4:14:64:23:59:08:bf:0d:b1:55:e8:56:
         ce:91:05:0f:5b:80:28:89:8a:4a:bd:1f:39:61:1f:b9:f7:45:
         55:38:8b:8f:c2:ad:a9:cc:58:6a:d5:f7:a7:0f:f4:6f:af:b3:
         6a:0d:d7:35:10:8e:65:ba:17:5a:da:9e:cf:b5:e3:9f:db:43:
         76:81:89:ee:77:23:5c:4b:d6:bc:df:81:44:ce:7a:7f:b3:bb:
         97:9d:cf:61:c5:b2:07:d9:12:5e:26:8b:e2:f8:7a:02:18:b7:
         42:db:2f:74:7e:bf:71:65:4d:c9:d2:21:92:75:56:7b:e5:32:
         86:50:22:72:65:e1:1c:c4:0a:a4:ac:d9:47:98:6e:1a:c6:08:
         d9:11:2b:1d:f8:14:f3:d4:0f:99:79:35:a5:c5:95:20:09:f0:
         1c:1b:34:ff:f5:09:1a:74:14:dc:4e:a3:c1:0c:a2:33:0a:59:
         51:95:2f:ef:30:7f:9f:7c:54:35:88:5e:a0:f1:31:99:19:d0:
         e7:c2:fb:a8:50:9e:9f:48:95:2b:af:a1:1c:9e:13:9f:e7:eb:
         92:19:55:9c:db:1c:fe:bd:80:a9:bb:62:68:1c:10:c4:5c:7f:
         6f:93:7e:40:54:77:26:78:d8:a6:f7:f6:f0:a3:a2:92:08:5f:
         67:0b:d3:19:34:85:59:61:2d:87:f7:ea:d4:f4:59:ae:0f:2b:
         e3:10:b5:96:1b:e9:fb:d0:8f:83:6a:28:6f:42:40:1a:83:43:
         5b:49:ea:c5:4e:80:af:51:b8:cc:82:e8:8c:d7:0f:59:29:59:
         53:c7:0a:2e:c8:8e:99:17:a7:a0:f9:d6:33:5e:63:12:bd:26:
         13:2b:d0:a3:5e:a4:a0:24:2c:3b:d9:6b:43:44:84:82:bd:53:
         2e:ed:c4:b9:8d:29:e5:a0:7a:f3:fa:97:6c:df:9b:95:94:1d:
         40:29:cf:67:ac:27:ec:04:44:9d:08:56:1d:95:00:7f:ed:e2:
         63:44:b5:03:f9:09:9f:df:db:ed:38:da:e4:ce:e3:df:78:ac:
         0b:bf:69:8f:ab:e1:f5:21:47:96:f4:ac:73:79:d8:cd:a1:71:
         89:b4:4d:0d:96:82:64:7b:b1:66:c3:d0:28:ad:a2:10:80:27:
         80:8e:df:f3:ae:b9:27:e2:04:68:68:53:60:c4:d3:2e:9e:e0:
         38:88:38:b1:da:92:b6:23:ee:42:1f:b2:89:57:c9:7f:40:56:
         11:b7:98:01:a2:28:65:b0:e3:c2:a1:fc:4d:08:03:ba:9f:87:
         84:4d:e6:88:f2:e3:e1:bd

修改 web server certificate validate days

可以看到 web server certificate validate 30 days

        Validity
            Not Before: Mar 12 07:58:37 2023 GMT
            Not After : Apr 11 07:58:37 2023 GMT

可以通过 -days 选项指定 certificate 的 validate days。

openssl x509 -req -in server-req.pem -days 60 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
Signature ok
subject=/C=CN/ST=SH/L=YY/O=OV/OU=SEC/CN=*.shtest.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

这里可以看到 Validity60 天。

 openssl x509 -in server-cert.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 11480488640831871059 (0x9f52e397b4b0d853)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=CY, O=GOV, OU=SEC, CN=*.test.com
        Validity
            Not Before: Mar 12 08:12:00 2023 GMT
            Not After : May 11 08:12:00 2023 GMT
        Subject: C=CN, ST=SH, L=YY, O=OV, OU=SEC, CN=*.shtest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:8f:5b:b8:a0:8e:53:ab:4

给 web server certificate 指定多个 domain name 和 IP address

可以通过给 certificate 的 Extension Subject Alternative Name 来制定 certificate 的不同 domain name,甚至到是 IP 地址。

subject
指定 Extension Subject Alternative Name 需要再创建一个文件 server-ext.cnf,内容如下

# cat server-ext.cnf
subjectAltName=DNS:*.hello.com,DNS:*.world.org,IP:0.0.0.0
  • DNS:指定其他的 domain name
  • IP: 指定 IP 地址

重新生成带 web server certificate。 通过 -extfile 选项指定 Extension Subject Alternative Name 文件 server-ext.cnf

openssl x509 -req -in server-req.pem -days 60 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf
Signature ok
subject=/C=CN/ST=SH/L=YY/O=OV/OU=SEC/CN=*.shtest.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:

查看 web server certificate。

 openssl x509 -in server-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11480488640831871060 (0x9f52e397b4b0d854)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=CY, O=GOV, OU=SEC, CN=*.test.com
        Validity
            Not Before: Mar 12 08:23:43 2023 GMT
            Not After : May 11 08:23:43 2023 GMT
        Subject: C=CN, ST=SH, L=YY, O=OV, OU=SEC, CN=*.shtest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:8f:5b:b8:a0:8e:53:ab:4e:8b:23:ee:49:7a:
                    e8:07:ec:d2:0d:11:83:65:93:dc:1b:ed:ac:81:3f:
                    5b:70:d5:6e:2d:14:f1:b1:62:92:3e:70:9e:6e:78:
                    06:43:b5:3b:c2:ed:e6:7e:f4:2f:59:c1:b9:aa:cc:
                    0b:09:a2:a0:15:90:e9:8d:da:1d:b4:73:ea:83:6a:
                    13:48:57:dc:1c:f3:45:86:e7:d8:48:98:df:ae:4d:
                    e5:7f:dc:23:54:64:58:34:28:88:39:b0:89:bc:af:
                    75:1d:6a:a3:c6:87:56:3a:4f:c9:a6:6f:d7:74:ba:
                    79:5d:9b:79:ab:dc:c7:06:c5:d9:05:9e:fa:52:d8:
                    d2:4d:95:e9:61:ec:ca:5a:1b:0e:0a:c9:09:c1:10:
                    1e:61:3f:84:99:f9:ab:c8:f1:16:65:53:ad:f2:b0:
                    4d:33:35:e9:06:30:bf:08:6e:ec:df:ac:cd:19:cc:
                    8e:62:73:8f:63:65:a3:32:35:a0:83:b8:a8:a3:f2:
                    8a:80:0f:62:82:49:7f:5c:c0:b4:c4:ec:e3:3c:4b:
                    ef:ca:fd:99:8e:67:e0:99:a5:32:2a:33:49:73:81:
                    05:e2:99:04:20:ad:a5:10:3f:f4:f4:35:d4:8e:f4:
                    6c:f5:e2:32:99:56:0c:34:c7:80:d3:4f:a2:af:fa:
                    b0:ef:1b:70:44:7a:7a:29:f6:d8:d8:05:3a:3f:b1:
                    4b:91:07:7e:36:6f:5f:83:f7:5e:6f:c4:b9:bc:c4:
                    0d:cb:57:58:99:a3:91:7e:fb:a0:93:91:4f:84:be:
                    b4:00:81:e8:94:d9:f5:c7:a4:57:b1:f3:a0:e4:71:
                    08:ad:90:0f:ea:ae:63:64:92:88:7e:44:e1:3a:f5:
                    87:9f:eb:bb:a5:b0:49:f3:99:68:38:17:ca:32:60:
                    ea:ec:ef:9d:80:05:a3:6d:bb:e5:ed:a2:c2:ae:38:
                    96:d1:e0:fa:b8:a8:ed:be:54:13:97:5d:ce:35:f1:
                    06:cb:1c:35:2d:5c:ea:2b:91:4c:99:cd:9b:da:21:
                    ec:2b:a3:ff:1d:3c:0e:9e:dc:25:c0:06:37:81:e5:
                    14:80:c5:6f:22:58:bf:25:04:00:0f:a4:6d:0c:d9:
                    e6:68:bc:f7:61:5d:04:e9:d9:c7:e7:8c:15:82:f1:
                    df:26:cc:46:1e:fb:ef:d8:96:36:c7:3e:6c:06:cb:
                    56:72:9a:d1:78:79:65:cc:b8:40:13:31:a0:6e:29:
                    e2:80:93:7d:a4:ac:73:fc:24:70:de:8c:74:9c:36:
                    91:7d:f1:5b:6c:69:37:63:3c:10:04:49:8c:17:84:
                    75:d9:0b:86:3f:1c:00:43:5b:b2:76:85:e8:bd:ed:
                    95:8d:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.hello.com, DNS:*.world.org, IP Address:0.0.0.0
    Signature Algorithm: sha1WithRSAEncryption
         90:3d:97:f8:03:bb:8c:f4:35:2d:3a:7a:46:6e:92:0b:93:bb:
         dd:a5:b0:2a:cb:0f:0f:aa:76:50:f0:71:a8:0c:8e:08:36:36:
         b8:44:cc:e1:d8:06:7e:ab:5f:29:e7:f4:2d:e2:20:2a:b4:8a:
         eb:61:9f:b5:fa:3a:8d:3c:fc:df:b3:2a:c2:be:de:e1:e5:31:
         6f:82:cc:54:83:8a:4c:c2:cc:fe:e8:04:64:8d:8e:bb:f5:54:
         f8:e5:c1:1e:3f:30:26:87:45:e6:72:5a:ae:1d:ef:a1:8e:7a:
         59:54:05:0e:b4:e9:bb:ff:4b:c3:16:b8:f7:77:50:d0:7f:ce:
         4b:81:0b:ba:8d:07:93:c2:6f:dc:31:8d:6d:4d:76:fc:84:47:
         7b:8e:bc:12:dd:2c:df:3c:32:18:e7:6b:77:1e:6c:6d:99:72:
         ca:1e:fe:7c:cf:85:40:90:7b:64:c2:22:e5:eb:f1:78:ab:4f:
         d5:9d:77:28:84:e4:1a:14:01:54:32:6b:4d:40:ba:8c:ea:c3:
         c8:5e:9b:cd:a9:7e:e6:89:21:75:1c:3c:75:4f:29:04:ff:77:
         46:34:b6:14:32:3c:98:8f:11:5e:5f:7f:54:b7:30:42:63:b6:
         cf:a5:52:85:42:29:23:a2:15:55:13:3d:20:91:b0:d3:4a:f9:
         40:21:a2:86:7d:1d:b0:46:03:e7:3f:89:e4:0f:fc:ce:bb:a6:
         dd:f6:63:80:74:f0:bb:22:77:ba:f3:c0:24:e4:ce:74:37:32:
         c5:a7:52:db:e9:19:51:91:da:7b:a8:51:df:b7:1f:42:ad:25:
         a5:ec:2d:01:b5:f5:45:11:34:2c:b9:57:99:c9:f7:25:f7:04:
         81:74:f5:e3:c3:62:b3:e5:b7:89:57:c4:4a:20:23:9e:50:24:
         b2:cd:8d:33:d6:80:8c:28:13:89:92:1b:c3:66:11:9f:6d:96:
         c8:14:41:18:90:bc:09:9b:69:64:7c:57:5e:85:47:14:e9:39:
         48:5f:57:69:bb:40:11:5e:de:99:26:66:f0:98:32:ce:f6:5f:
         be:a7:a3:d7:9c:a5:45:cb:71:cb:45:df:f7:11:9c:95:3e:f9:
         10:80:77:57:c1:ce:40:fa:46:53:da:3d:ef:67:f6:79:d3:2c:
         5a:dc:de:6d:ad:ff:04:c1:86:94:b0:ab:32:e0:83:db:09:cd:
         79:4b:c0:3e:29:b8:60:e1:25:fe:45:26:3b:3c:31:79:1d:8c:
         bc:af:56:9b:65:97:ce:5d:ae:9e:30:28:12:7c:fb:8e:e1:f6:
         a8:65:4f:fb:ef:28:d5:20:70:3a:bf:a6:e9:b0:5b:0a:a1:d3:
         33:b0:55:52:43:ca:0f:dc

可以看到 Subject Alternative Name 改变。

        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.hello.com, DNS:*.world.org, IP Address:0.0.0.0

用 self-sgined CA 验证 web server certificate

可以使用命令 openssl verify -CAfile ca-cert.pem server-cert.pem

  • -CAfile: 指定 self-signed CA 证书
openssl verify -CAfile ca-cert.pem server-cert.pem
server-cert.pem: OK

reference

https://www.youtube.com/watch?v=7YgaZIFn7mY

几十年黄钻会员
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Https知识专题
demon7552003的小本本
07-06 843
https一些专题知识
OpenSSL下载安装教程
热门推荐
灵魂学者的博客
01-31 1万+
(加急)下载地址:Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions首先,进入官网 Shining Light Productions - Home ,可以看到如下界面: 这里演示用的版本是V1.1的版本,这里版本比较多,可以看一下自己需要哪些版本自行下载!地址已经在最上面提供了;下载完成之后,双击会弹出如下界面: 自定义安装的位置要记住大致的位置,在后续需要进行一个环境的配置;通过以上的步骤就已经安装完
java pem 私钥_Java-如何解锁受密码保护的PEM私钥
weixin_29903713的博客
02-24 1061
openssl rsa -in testfile.pem -out testfile_pub.pub does not export the public key, it actually exports the private key out in clear text (if you provided the correct password). To export the public ke...
参数理解 openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj “/CN=admission_ca“
liuchenbei的博客
09-18 614
在这个例子中,证书的 CN 设置为 “admission_ca”,表示这是一个用于 Admission Webhook 的证书。总之,这个命令用于生成一个自签名的 X.509 证书,该证书不加密私钥,有效期很长(10000 天),并将证书保存为 ca.crt 文件。这个证书可以用于安全通信或身份验证,但由于是自签名证书,不被公认的证书颁发机构(CA)签发,因此在生产环境中,需要小心使用。5.-key ca.key:这个选项指定了用于生成证书的私钥文件的路径,这是证书的关键部分。
OPENSSL错误码处理
在线笔记
10-08 4637
SSL_GET_ERROR () 在ssl.h里面看SSL_ERROR_XXX的错误类型 ERR_get_error() 管理员在2009年8月13日编辑了该文章文章。 --> --> window._
使用 OpenSSL 创建生成CA 证书服务器客户端证书及密钥
最新发布
01-16
本文将详细介绍如何使用 OpenSSL 创建和管理CA证书、服务器证书和客户端证书,以实现SSL单向认证和双向认证。 首先,我们来看一下如何生成 CA(证书颁发机构)证书。CA证书是信任的根,用于签署其他证书,确保网络...
openssl详细使用教程
01-08
OpenSSL 详细使用教程 OpenSSL 是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连接者的身份。这个包广泛被应用在互联网的网页服务器上。 1. 获取百度服务器的证书 ...
OpenSSL使用指南.pdf
07-11
OpenSSL 使用指南 OpenSSL 是一个开源的 SSL/TLS 实现,提供了各种加密算法和工具,广泛应用于网络安全领域。本文将详细介绍 OpenSSL使用指南,包括密码学基础、对称加密、非对称加密、数字签名、HASH 算法、...
使用openssl生成单向ssl证书
04-04
本文将详细介绍如何使用openssl工具生成单向SSL证书,以及如何将其应用于基于Boost.Asio库的SSL通讯测试。 首先,让我们了解什么是单向SSL认证。在单向SSL认证中,服务器验证其身份给客户端,但客户端无需向服务器...
C#版 openssl使用文档
05-18
本节介绍一些必须事先了解的密码学知识和密码算法。密码算法都是公开的,保密应该依赖于密钥的保密,而不是算法的保密。 以C#版使用为主。
java rsa openssl_java读取openssl生成的RSA密钥
weixin_31785421的博客
02-12 471
在这里不贴代码,只为了说明遇到的问题,及怎么解决。问题:最近项目需要,要根据对方给定的rsa密钥来给程序通信身份认证。发现在正常编码过程中,无法解析rsa密钥文件。一番搜索,知道关键点:1.openssl生成的RSA密钥默认是PEM格式;2.java包默认只支持DER格式;那么PEM和DER是什么东东呢?这个要扯到ASN1了。哪这个又是啥?ASN1:Abstract Syntax Notation...
delphi php 加密解密_PHP基于openssl实现的非对称加密操作
weixin_39972741的博客
11-14 213
文章来自:脚本之家链接:https://www.jb51.net/article/154483.htm作者:erdan商务合作:请加微信(QQ):2230304070资源教程分享码农网-技术教程资源分享平台:http://www.mano100.cn。这是一个资源教程分享网,网站收集了php视频教程,前端各种视频教程,接口API,微信公众号,支付宝视频教程,还有go语言,python等视...
openssl
姜海强
07-30 1299
openssl是一个加解密相关的库,这个库在计算机领域得到了广泛的应用。 1.操作系统中安装openssl 安装openssl扩展之前,你的操作系统需要先安装openssl,centos操作系统安装方式 yum install openssl openssl-devel 执行一下命令,如果可以输出版本信息表示安装成功 openssl version -a 作者环境输出 OpenSSL 1.0.2k-fips 26 Jan 2017 built on: reproducible buil.
深度学习之加载VGG19模型分类识别
weixin_30539835的博客
07-03 3362
主要参考博客: https://blog.csdn.net/u011046017/article/details/80672597#%E8%AE%AD%E7%BB%83%E4%BB%A3%E7%A0%81http://www.cs.toronto.edu/~frossard/post/vgg16/ 1、物体分类imagenet_classes.py class_names ...
SSL证书怎么删除私钥密码保护?
AllisWell_Wotrus的博客
07-02 3274
SSL/TLS协议是一种网络通信安全协议,采用公钥加密技术和对称加密技术,对客户端和服务器端之间的数据传输进行加密,确保数据传输的机密性、完整性以及通信方身份真实性。公钥和私钥本身不直接用来加解密数据内容的,而是用来协商算法、安全交换会话密钥,SSL证书私钥泄露会导致加密会话的密钥泄露,进而造成网站数据泄露。 SSL证书怎么删除私钥密码保护 私钥文件用文本编辑器打开,如果私钥文件是如下样式,则...
SpringMVC+Mybatis框架集成开发基础——项目开发流程——01
Coder_Boy_的博客
10-20 1万+
项目开发一般流程: 1.描述项目的主要功能及各个模块的功能 2.系统采用的技术方案 3.创建E-R模型图(实体关系模型图,数据库)​​​​​​ 4.搭建数据库环境、创建数据库表及表间约束 5.搭建项目工程,定制项目结构规则及约定 6.resources配置文件的设置 7.导入项目所需的 jar包 8.导入前端开发所需的资源 (html/css/js/images/styles公用...
iOS开发--使用OpenSSL生成私钥和公钥的方法
u013712343的博客
09-24 736
最近要在新项目中使用支付宝钱包进行支付,所以要调研对接支付宝的接口,支付宝开放平台采用了RSA安全签名机制,开发者可以通过支付宝 公钥验证消息来源,同时可使用自己的私钥对信息进行加密,所以需要在本机上生成私钥和公钥 ... 由此需要开发者在本地上使用openssl来生成私钥和公钥 由于mac 自带openssl工具,所以不用像windows那样要下载安装openssl工具 生成私钥公钥很简单:只要三句命令就可以搞定 打开openssl :$openssl =====>&gt...
使用openssl工具生成CSR文件
小小关的博客
12-07 2718
申请数字证书之前,您必须先生成证书的密钥文件和CSR文件。CSR文件是您的公钥证书原始文件,包含了您的服务器信息和您的单位信息,需要提交给CA认证中心进行审核。建议您使用系统创建的CSR文件,避免出现输入信息错误而导致审核失败,若审核失败请参见上传CSR文件时出现“审核失败-主域名不能为空”报错。若您选择手动生成CSR文件,请务必妥善保管并备份您的密钥文件。手动生成CSR文件时需要注意以下信息:输入的中文信息需要使用UTF-8编码格式,同时需要在编辑OpenSSL工具时,指定支持UTF-8编码格式。证书服务
OpenSSL 创建可以用于 https 的证书
NULL BLOG
06-12 1万+
个人制作的证书也就玩玩而已,浏览器是不认的,会一直有红色的安全警告,不过仅实现加密连接倒是没问题。 而阿里云和腾讯云都有1年期免费的单域名证书,可正常使用,浏览器不会出现红色“不安全”警告,而是显示绿色的“安全”提示。 以下是自助生成证书的过程。 OpenSSL 下载 http://www.slproweb.com/products/Win32OpenSSL.html 这里下载 opens...
js 使用openssl
09-09
Js可以使用OpenSSL来进行加密和解密操作。通过引用中提供的资料,可以学习如何使用AES算法加密数据,并通过PHP和OpenSSL进行解密。具体的实现示例代码可以在资料中找到。 此外,Js还可以使用OpenSSL进行任意精度的整数运算。通过引用中提供的相关库,可以使用OpenSSL提供的内置BIGNUM功能进行高精度的计算。这个库的优点是不需要额外的外部依赖项,并且能够充分利用Node.js中已经内置的OpenSSL功能。 除了加密和解密以及整数运算,Js还可以使用OpenSSL进行一些其他的操作,如检查openssl Heartbleed错误。引用提供了一个针对Node.js的openssl Heartbleed错误检查的示例代码,并可以根据检查结果来确定系统是否易受攻击。 综上所述,Js可以使用OpenSSL来进行加密解密、任意精度整数运算以及其他操作。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值