文章目录
加密技术
单向加密
- 介绍:
通过对数据进行摘要计算生成密文,密文不可逆推还原。 - 特点:
定长输出,雪崩效应。 - 场景:
签名。
算法:md5(128bits)
sha1(160bits)
sha224
sha256
sha384
sha512
对称加密
- 介绍:
同一个密钥可以同时用作信息的加密和解密 - 特点:
加密计算量小、速度块。 - 场景:
适用加密大量数据。
算法:des
3des
aes
非对称加密
- 介绍:
密钥对包含公钥和私钥,公钥由私钥生成。公钥加密,私钥解密;私钥加密,公钥解密。 - 特点:
安全性高,但加密计算量大,速度慢。 - 场景:
适用加密少了数据。
算法:rsa
dsa
证书
简单来说证书就是“公钥”+“签名”。
X509
X.509的 v3版本规范 (RFC5280), 其中定义了如下证书信息域:
版本号(Version Number)
序列号(Serial Number)
签名算法ID(ID Signature Algorithm)
颁发者名称(Issuer Name)
有效期限(Validity period)
主体名称(Subject Name)
主体公钥 (SubJect Public Key Info)
公钥算法 (Public Key Algorithm)
主体唯一标识符(Subject Unique Identifier)
颁发者唯一标识符(Issuer Unique Identifier)
扩展:
……省略……
签名(Certificate Signature)
签名算法(Certificate Sigature Algorithm)
编码格式
- der
二进制存储格式 - pem
二进制存储格式的 Base64 编码格式 - CRT
CRT应该是certificate的三个字母,其实还是证书的意思,常见于*NIX系统,有可能是PEM编码,也有可能是DER编码,大多数应该是PEM编码,相信你已经知道怎么辨别。 - CER
还是certificate,还是证书,常见于Windows系统,同样的,可能是PEM编码,也可能是DER编码,大多数应该是DER编码。 - KEY
通常用来存放一个公钥或者私钥,并非X.509证书,编码同样的,可能是PEM,也可能是DER。
查看KEY的办法:openssl rsa -in mykey.key -text -noout
如果是DER格式的话,同理应该这样了:openssl rsa -in mykey.key -text -noout -inform der
- CSR
Certificate Signing Request,即证书签名请求,这个并不是证书,而是向权威证书颁发机构获得签名证书的申请,其核心内容是一个公钥(当然还附带了一些别的信息),在生成这个申请的时候,同时也会生成一个私钥,私钥要自己保管好。
证书格式转换
# 从 PEM 转换到 DER:
$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
# 从 DER 转换到 PEM:
$ openssl x509 -in cert.der -inform DER -out cert.pem -outform PE
PKI
CA(Certification Authority):负责证书的颁发和吊销(Revoke),接收来自 RA 的请求,是最核心的部分;
RA(Registration Authority):对用户身份进行验证,校验数据合法性,负责登记,审核过了就发给 CA;
证书数据库:存放证书,多采用 X.500 系列标准格式。可以配合LDAP 目录服务管理用户信息。
OpenSSL
单向加密
[root@server ~]# openssl dgst --help
Usage: dgst [options] [file...]
-out /path/file: 输出加密文件
-hex: 16进制格式输出
-binary: 二进制格式输出
-sign /path/private.key: 签名操作
-sginature /path/file.sign: 签名文件
-verify /path/public.key : 公钥验证
-prverify /path/private.key: 私钥验证
-md5: 摘要算法md5
-sha: 摘要算法sha
-sha1: 摘要算法sha1
-sha224: 摘要算法sha223
-sha256: 摘要算法sha256
-sha384: 摘要算法sha384
-sha512: 摘要算法sha512
- 摘要计算
[root@server ~]# echo 12345 > sFile
[root@server ~]# openssl dgst -sha1 sFile #支持更多摘要算法:md5、sha256、sha512……
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba
[root@server ~]# openssl dgst -sha1 -out sFile.dgst sFile #结果保存到指定文件
[root@server ~]# cat sFile.dgst
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba
[root@server ~]# openssl dgst -sha1 -hex sFile #16进制格式
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba
[root@server ~]# openssl dgst -sha1 -binary sFile #二进制格式
&r'_ზ²봳º
- 签名操作
#生成私钥
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................+++++
........+++++
e is 65537 (0x010001)
#签名
[root@server ~]# openssl dgst -sign private.key -sha256 -out sFile.sign sFile
[root@server ~]# ll
-rw-r--r-- 1 root root 54 Feb 7 04:45 sFile.dgst
#验证签名
#私钥验证
[root@server ~]# openssl dgst -prverify private.key -sha256 -signature sFile.sign sFile
Verified OK
#公钥验证
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
writing RSA key
[root@server ~]# openssl dgst -verify public.key -sha256 -signature sFile.sign sFile
Verified OK
对称加密
[root@server ~]# openssl enc --help
Usage: enc -cipher [options]
--help 帮助
-in /path/file.plain 明文
-out /path/file.cipher 密文
-pass val 密码
-val:pass、stdin、file
-e 加密
-d 解密
-salt 盐值
-nosalt 无盐值
-base64 base64编码
#下面两个参数使用了更新的函数更安全
-iter int
-pbkdf2
-base64 是一种能将任意Binary资料用64种字元组合成字串的方法,而这个Binary资料和字串资料彼此之间是可以互相转换的,十分方便。在实际应用上,Base64除了能将Binary资料可视化之外,也常用来表示字串加密过后的内容。
-hex 也就是base16
- 加解密
#加密
1.
[root@server ~]# openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass pass:"1234"
2.
[root@server ~]# echo "1234" | openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass stdin
3.
[root@server ~]# echo "1234" > passwd.txt
[root@server ~]# openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass file:passwd.txt
#解密
[root@server ~]# openssl enc -d -salt -des3 -base64 -in sFile.cipher -out sFile1 -pass pass:"1234"
非对称加密
密钥生成
[root@server ~]# openssl genrsa --help
Usage: genrsa [options] bits
-out /path/private.key 私钥
bits 密钥长度
[root@server ~]#(umask 077; openssl genrsa -out private.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
..+++++
e is 65537 (0x010001)
[root@server ~]# cat private.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyns8awGpDKSi9M/DAyqs7k8sAEqmvRhGAKdEb1+CR64GXF8F
DFyrqRQ0Ils2pG7vto7LtSUowkJOnYVExxXS7ssCqoC6T0V1FN4CKEOWUWtjaxKR
F0A9Sr/pabGH8r7DB9MO7MAeymyNLWXTgm4W0jC6jO2RXwGNxrjZhEgHXNFmsWAC
LbjeDCMJonneOLqilZXzYqnjzaA9hrD4knLgbAgFBrr9SY1++WxBcpCkgpQpbrYE
qqd5Q/6T0mlbe1GRC3X8yzHtOTLtj0i+alsumYJT5j+4h/Ae/Rj8IAKik6fvjI6N
lWMVnr6TNp+EGzRptNJV13XD65qkitIhuQjQFwIDAQABAoIBAEwq0Y57QGlWIUqw
QO6XBhhbRfUSH+jwEZ07Tr4Kkop+RzxGLjL5RUXEKNxnrYVridcFnlGVGeEBamtM
75NofUGAso8K/4rEWQexf+Q/kHMuT2a+xD+X1bahvJ8avkYtRlZSKcIbfzmsXese
69KbsQ/+bp6G23F+tyNy87gUFFjwbI7ye7BwT1hxu5umGoEGllZyVUvFb8pncJqt
Cqktoa/PdFXgbbiLx/HM0hA5ypbIZckUWOV3A9PKL815K+GSVz3bJtA04/2jDQvc
pQ8tAPqm3m/eOVCBHXy97wHJYrYDywGCPOL2vIeiUXXX0pyJZpAJyU1W7QvE+3BX
XWYE8EECgYEA+U41b3vdX4Up1r3Ip6+I2l2lx5Hx8eBxbo7yqf/n45l0g0CHSxRq
b0j2tiBF3c5OPjdK5N1mKVxXN883ohYN4Wgi7lhaaoqEljt272QYDOki+Kv7dL0Q
WeTVyCrz9prrqmvYZJq+F4v3yVOEgaayNNs4q5vF2T4I10Vc6x78h+ECgYEAz+sl
ZSaYh3sdKzx7kSgqCCHqtjbEI/rLRsdWE/D7yrRDcZpKNo24AZTkSDKshiEz6s55
nD9GGJ8uyHpvfD7/HyFfkp/e2Zo5Tgt/Tr2ijL4XbK+hswe11BdIM0kCSej84+iN
OMLIIzv7egq30M4KXLXKyeyZaQkIXZ4mmQTAdvcCgYAxUMs5NmNgFdNk6z3aDdsg
dw3oIHKfyiomGJjgEAMq/pwRqp4Yt/0l7mT/OfsYGUtY+08RXspqvB10qMT0hzBP
um3OgCPCl4wKu9CXIlGvnB6S2lJvkUa+wYmYgwanbZXYrGSt4f5gYguuA5temj7+
Pa9EIxhMFP1iuBHdYM/LgQKBgQCu02g0L0nd0XVrX4X/PihpgitbX515K241a3ND
fUQa44w6P6PbTzrDibCRzJoohk6jR04WRVXpah/qTpjjfg0C3gsAvRCjI/y/VQeM
7AN8GHKV3vA2G2uWlKUPCnq0LwZFlMr6ST4D8nG34r9BAZ7Q6cNEGn+8Q+4W2d5W
mBpFbQKBgQCQLjG2ptTqfLz8CjGAqtBt2a8qtbGyLrNBiPTOnds70w2Ct/lAwjcX
etVfgG5/fBGvZGsNyrC4bE7Ov07yFfrm5at4sP+sYiDScdGbqAS+5l8O76SfeCuv
XYiF3Y4OYzByIbgdjuHJW83RkYHaZPS8BmRuTgBiyjwIij6ZjuEC+g==
-----END RSA PRIVATE KEY-----
公钥提取
[root@server ~]# openssl rsa --help
Usage: rsa [options]
-in /path/private.key 私钥
-pubout 输出为公钥
-out /path/public.key 公钥
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
[root@server ~]# cat public.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyns8awGpDKSi9M/DAyqs
7k8sAEqmvRhGAKdEb1+CR64GXF8FDFyrqRQ0Ils2pG7vto7LtSUowkJOnYVExxXS
7ssCqoC6T0V1FN4CKEOWUWtjaxKRF0A9Sr/pabGH8r7DB9MO7MAeymyNLWXTgm4W
0jC6jO2RXwGNxrjZhEgHXNFmsWACLbjeDCMJonneOLqilZXzYqnjzaA9hrD4knLg
bAgFBrr9SY1++WxBcpCkgpQpbrYEqqd5Q/6T0mlbe1GRC3X8yzHtOTLtj0i+alsu
mYJT5j+4h/Ae/Rj8IAKik6fvjI6NlWMVnr6TNp+EGzRptNJV13XD65qkitIhuQjQ
FwIDAQAB
-----END PUBLIC KEY-----
密钥查看
[root@server ~]# openssl rsa --help
Usage: rsa [options]
-in /path/private.key 私钥
-text 输出私钥信息
-noout 不显示密钥
[root@server ~]# openssl rsa -in private.key -text -noout
格式转换
[root@server ~]# openssl rsa --help
Usage: rsa [options]
-in /path/rsa 要转换格式的密钥
-inform pem|der 要转换格式密钥的密钥格式
-outform pem|der 按给定格式输出密钥
-out /path/rsa 转换格式后的密钥
- pem→der
[root@server ~]# openssl genrsa -out rsa.pem 1024
[root@server ~]# openssl rsa -in rsa.pem -inform pem -outform der -out rsa.der
- der→pem
[root@server ~]# openssl rsa -in rsa.der -inform der -outform pem -out rsa.pem
rsautl
[root@server ~]# openssl rsautl --help
Usage: rsautl [options]
-help 帮助
-in infile 输入文件
-out outfile 输出文件
-inkey keyfile 密钥文件
-pubin pubic.key 指明密钥文件为公钥
-certin 输入一个证书,使用证书的公钥
-sgin 签名,使用私钥加密
-verfy 验证,使用公钥解密
-hexdump 16进制格式
-encrypt 加密
-decrypt 解密
加解密
公钥加密
#生成公私钥
[root@server ~]# openssl genrsa -out private.key 2048
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
1.传入公钥加密
#加密
[root@server ~]# echo hello > plain.txt
[root@server ~]# openssl rsautl -encrypt -in plain.txt -pubin -inkey public.key -out cipher.txt
#解密
[root@server ~]# openssl rsautl -decrypt -in cipher.txt -inkey private.key -out plain.txt
2.传入私钥加密(实际提取私钥的公钥进行加密)
#加密
[root@server ~]# openssl rsautl -encrypt -in plain.txt -inkey private.key -out cipher.txt
#解密
[root@server ~]# openssl rsautl -decrypt -in cipher.txt -inkey private.key -out plain.txt
私钥加密(签名)
#生成公私钥
[root@server ~]# openssl genrsa -out private.key 2048
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
1.传入公钥解密
#加密
[root@server ~]# echo hello > plain.txt
[root@server ~]# openssl rsautl -sign -in plain.txt -inkey private.key -out sign.txt
#解密
[root@server ~]# openssl rsautl -verify -in sign.txt -pubin -inkey public.key -out plain.txt
2.传入私钥解密(实际提取私钥的公钥进行加密)
#加密
[root@server ~]# openssl rsautl -sign -in plain.txt -inkey private.key -out sign.txt
#解密
[root@server ~]# openssl rsautl -verify -in sign.txt -inkey private.key -out plain.txt
rand
[root@server ~]# openssl rand --help
Usage: rand [flags] num
-out outfile 输出到文件
-base64 64种字元组合成格式,6位
-hex 16种字元组合成格式,4位
num: 字节数,一个字节8位
[root@server ~]# openssl rand -base64 3
wNgL #3*8/6=4
passwd
[root@server ~]# openssl passwd -help
Usage: passwd [options]
-in file 从文件中读取密码
-stdin 从标准输入读取密码
-salt val 盐值
-6 sha512
-5 sha256
-1 md5
[root@server ~]# echo '1234' | openssl passwd -1 -salt `openssl rand -hex 4` -stdin
对称加密脚本
#对称加密文件
#!/bin/bash
Usage() {
cat << 'EOF'
Usage:
enc.sh [-e|-d] -t=enc_type [-n=</path/>] [-k=</path/>] --in=/path/file --out=/path/file
-e 加密
-d 解密
-t 密钥类型
-n 新生成密码
-k 加解密时指定密码
-in 待加解密文件
-out 加解密输出文件
-t 默认类型des3
-n 给出选项时刷新密码,不指定参数默认位置:./
-k 默认位置:./
-n 不可和 -d 同时使用
-in 必要
-out 加密时必要,解密看需要
EOF
}
paras=$(getopt -o e,d,t:,n::,k:: -l in:,out::,usage -n "$0" -- "$@")
[ $? != 0 ] && exit 1
eval set -- "$paras"
while [ -n "$1" ]
do
case $1 in
-e) e=1; shift;;
-d) d=1; shift;;
-t) t=1; enc_type=${2##*=}; shift 2;;
-n) n=1; pass_dir=${2##*=}; shift 2;;
-k) k=1; key_dir=${2##*=}; shift 2;;
--in) i=1; in_file=${2##*=}; shift 2;;
--out) o=1; out_file=${2##*=}; shift 2;;
--usage) Usage; shift ;;
--) break ;;
*) break ;;
esac
done
e=${e:-0}
d=${d:-0}
t=${t:-0}
n=${n:-0}
k=${k:-0}
i=${i:-0}
o=${o:-0}
gen_passwd() {
$(openssl rand -hex 4 > $pass_dir/$pass_file)
}
enc_file() {
if [ -f $pass_dir/$pass_file -a -f $in_file ] ; then
$(openssl enc -e -salt -pbkdf2 -$enc_type -in $in_file -out $out_file -pass file:$key_dir/$key_file)
fi
}
dec_cipher() {
if [ -f $pass_dir/$pass_file -a -f $in_file ] ; then
[ $o == 1 ] && $(openssl enc -d -salt -pbkdf2 -$enc_type -in $in_file -out $out_file -pass file:$key_dir/$key_file)
[ $o == 0 ] && echo "$(openssl enc -d -salt -pbkdf2 -$enc_type -in $in_file -pass file:$key_dir/$key_file)"
fi
}
pass_file="enc.key"
pass_dir=${pass_dir:-"./"}
if [ $n == 1 ] ; then
gen_passwd
fi
enc_type=${enc_type:-"des3"}
[ x$in_file == x ] && exit 1
[ -f $in_file ] || exit 1
key_file="enc.key"
key_dir=${key_dir:-"./"}
if [ $e == 1 -a $o == 1 ] ; then
enc_file
fi
if [ $d == 1 -a $n == 0 ] ; then
dec_cipher
fi
私有CA
配置文件openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # 默认的CA配置;CA_default指向下面配置块
####################################################################
[ CA_default ]
dir = /etc/pki/CA # 定义路径变量
certs = $dir/certs # 已颁发证书的保存目录
crl_dir = $dir/crl # 证书吊销列表的路径
database = $dir/index.txt # 数据库的索引文件
new_certs_dir = $dir/newcerts # 新颁发证书的默认路径
certificate = $dir/cacert.pem # 此服务认证证书,如果此服务器为根CA那么这里为自颁发证书
serial = $dir/serial # 下一个证书的证书编号
crlnumber = $dir/crlnumber # 下一个吊销的证书编号
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# CA的私钥
RANDFILE = $dir/private/.rand # 随机数文件
default_days = 365 # 证书默认有效期
default_crl_days= 30 # CRl的有效期
default_md = sha256 # 加密算法
preserve = no
policy = policy_match #policy_match策略生效
# For the CA policy
#match 表示证书认证机构和证书申请者该项必须匹配
#optional 表示该项可选
#supplied 表示该项必填
[ policy_match ]
countryName = match #国家或地区
stateOrProvinceName = match #省份/州
organizationName = match #公司组织名称
organizationalUnitName = optional #部门名称
commonName = supplied #主机名/域名
emailAddress = optional #邮件地址
根CA搭建
- 为CA提供所需目录和文件
[root@server ~]# mkdir -p /etc/pki/CA/{private,certs,crl,newcerts}
[root@server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@server ~]# echo 01 > /etc/pki/CA/serial
- 生成CA的私钥
[root@server ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
- 生成自签证书
[root@server ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CR
Common Name (eg, your name or your server's hostname) []:master
Email Address []:
子CA搭建
- 为子CA提供所需目录和文件
[root@sub_server ~]# mkdir -p /etc/pki/CA/{private,certs,crl,newcerts}
[root@sub_server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@sub_server ~]# echo 01 > /etc/pki/CA/serial
- 生成子CA的私钥
[root@sub_server ~]# (umask 077; openssl genrsa -out /etc/pki/tls/private/sub_server.key 2048)
- 生成子CA证书申请文件
[root@sub_server ~]# openssl req -new -key /etc/pki/tls/private/sub_server.key -out /etc/pki/tls/sub_master.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:sub_server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 复制子CA证书申请文件到根CA服务器
[root@sub_server ~]# scp /etc/pki/tls/sub_master.csr root@10.10.10.10:/etc/pki/CA/certs/
root@10.10.10.10's password:
sub_master.csr 100% 980 282.5KB/s 00:00
- 在根CA上签署子CA请求文件
[root@server ~]# openssl ca -in /etc/pki/CA/certs/sub_master.csr -out /etc/pki/CA/certs/sub_master.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 14 05:49:06 2020 GMT
Not After : Feb 13 05:49:06 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = CQ
organizationName = CA
organizationalUnitName = CA
commonName = sub_server
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F9:B8:43:87:C6:57:5F:56:48:32:A8:DE:86:E2:7B:E0:9F:70:D4:B3
X509v3 Authority Key Identifier:
keyid:F0:86:B1:A1:1D:77:9C:58:B0:32:A0:8B:AF:02:C1:89:CE:12:AF:6D
Certificate is to be certified until Feb 13 05:49:06 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- 查看根CA目录
[root@server ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── sub_master.crt
│ └── sub_master.csr
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
- 回传子CA证书
[root@server ~]# scp /etc/pki/CA/certs/sub_master.crt root@10.10.10.11:/etc/pki/CA/cacert.pem
root@10.10.10.11's password:
sub_master.crt 100% 5635 1.6MB/s 00:00
- 复制/tls/private生成的私钥到/CA下
[root@client ~]# cp /etc/pki/tls/private/sub_server.key /etc/pki/CA/private/cakey.pem
nginx向子CA申请证书
- 生成/etc/pki/nginx目录
[root@nginx ~]# mkdir -p /etc/pki/nginx/private
- 生成密钥
[root@nginx ~]# (umask 077; openssl genrsa -out /etc/pki/nginx/private/nginx.key 2048) &> /dev/null
- 生成申请文件
[root@nginx ~]# openssl req -new -key /etc/pki/nginx/private/nginx.key -out /etc/pki/nginx/private/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:nginx
Organizational Unit Name (eg, section) []:nginx
Common Name (eg, your name or your server's hostname) []:10.10.10.12
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 复制nginx申请文件到根CA服务器
[root@nginx ~]# scp /etc/pki/nginx/private/nginx.csr root@10.10.10.11:/etc/pki/CA/certs
root@10.10.10.11's password:
nginx.csr 100% 989 284.1KB/s 00:00
- CA服务器签署nginx证书
[root@sub_server ~]# openssl ca -in /etc/pki/CA/certs/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 14 06:36:17 2020 GMT
Not After : Feb 13 06:36:17 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = CQ
organizationName = nginx
organizationalUnitName = nginx
commonName = 10.10.10.12
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B7:F4:BB:2A:7C:6A:07:54:44:84:E5:76:BA:73:8F:4A:17:F6:B3:A8
X509v3 Authority Key Identifier:
keyid:F9:B8:43:87:C6:57:5F:56:48:32:A8:DE:86:E2:7B:E0:9F:70:D4:B3
Certificate is to be certified until Feb 13 06:36:17 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- 查看根CA目录
[root@sub_server ~]# tree /etc/pki/CA/
/etc/pki/CA
├── cacert.pem
├── cakey.pem
├── certs
│ ├── nginx.crt
│ └── nginx.csr
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
- 回传nginx证书
[root@sub_server ~]# scp /etc/pki/CA/certs/nginx.crt root@10.10.10.12:/etc/pki/nginx/
root@10.10.10.12's password:
nginx.crt 100% 5654 1.2MB/s 00:00
nginx服务https配置
浏览器测试
测试浏览器火狐,导入根证书,访问https://10.10.10.12
证书吊销
- 查看要吊销证书的信息
[root@nginx ~]# openssl x509 -in /etc/pki/nginx/nginx.crt -noout -serial -subject -dates
serial=01
subject=C = CN, ST = CQ, O = nginx, OU = nginx, CN = 10.10.10.12
notBefore=Feb 14 06:36:17 2020 GMT
notAfter=Feb 13 06:36:17 2021 GMT
- 在授权CA上对比要吊销证书信息
[root@sub_server ~]# cat /etc/pki/CA/index.txt
V 210213063617Z 01 unknown /C=CN/ST=CQ/O=nginx/OU=nginx/CN=10.10.10.12
- 在授权CA上吊销证书
[root@client ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
- 首次吊销时,创建吊销列表
[root@client ~]# echo 01 > /etc/pki/CA/crlnumber
- CA更新证书吊销列表
[root@client ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
- 查看吊销证书
[root@client ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = CQ, O = CA, OU = CA, CN = sub_server
Last Update: Feb 14 07:15:51 2020 GMT
Next Update: Mar 15 07:15:51 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Feb 14 07:12:26 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
79:04:61:b6:a7:7d:3a:99:de:44:63:2d:a5:5a:43:c7:57:27:
23:ae:6e:fc:32:4e:98:53:b6:68:84:a4:29:e0:e2:da:b0:ed:
75:52:2a:29:10:9f:c4:ca:1f:cc:de:39:27:75:01:c4:76:b2:
8e:87:1b:3b:81:78:ae:0d:18:e8:83:09:d9:05:e1:8a:72:f9:
4c:b4:7c:e0:26:9a:4c:e4:d5:bd:23:ff:77:9b:17:44:76:59:
13:b9:62:91:bc:3f:22:47:a2:4e:53:db:b7:30:cc:30:f1:48:
82:d6:58:e6:f5:7f:8e:0d:ec:23:a7:2f:f1:31:e7:5b:31:84:
43:30:81:dc:0c:8a:54:f1:30:05:08:17:8b:99:03:68:ab:e2:
e7:b9:e2:ac:02:d5:51:40:50:8e:57:81:06:d5:3e:0e:59:7b:
dd:7b:29:b5:d3:d3:99:1e:8c:22:aa:ce:e8:fe:2b:e6:00:fc:
6e:dd:3e:1c:7c:9e:ac:c8:e7:2d:6b:46:49:89:ab:86:00:8d:
fe:c2:be:26:77:9c:26:5a:38:ec:26:82:d1:db:20:df:1f:68:
c0:54:74:a9:ed:5d:26:82:a4:7f:e3:c1:e6:a2:7b:86:c2:82:
2d:ce:67:ed:a1:89:fc:30:b4:97:d1:e1:ca:66:b4:56:d9:a4:
09:c9:c4:0a
8万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
