生成CA证书
- 生成ca秘钥,得到ca.key
$ openssl genrsa -out ca.key 4096
- 生成ca证书签发请求,得到ca.csr
$ cat << 'EOF' > ca.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = LingQiao
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = RootCA
EOF
$ openssl req -new -sha256 -key ca.key -config ca.conf -out ca.csr -batch
- 生成ca根证书,得到ca.crt
openssl x509 -req -days 3650 -signkey ca.key -in ca.csr -out ca.crt
生成server证书
- 生成server秘钥,得到server.key
$ openssl genrsa -out server.key 2048
- 生成server证书签发请求,得到server.csr
$ cat << 'EOF' > server.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName = Locality Name (eg, city)
localityName_default = Shenzhen
organizationName = Organization Name (eg, company)
organizationName_default = LingQiao
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Server-localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = minikube.com
DNS.2 = *.minikube.com
DNS.3 = localhost
IP = 127.0.0.1
EOF
$ openssl req -new -sha256 -key server.key -config server.conf -out server.csr -batch
- 用CA证书生成终端server证书,得到server.crt
$ openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extfile server.conf -extensions req_ext -in server.csr -out server.crt
$ openssl x509 -noout -text -in server.crt
验证证书链:
$ openssl verify -CAfile <(cat ca.crt root.crt) ./server.crt
生成client证书
- 生成client秘钥,得到client.key
$ openssl genrsa -out client.key 2048
- 生成client证书签发请求,得到client.csr
$ cat << 'EOF' > client.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName = Locality Name (eg, city)
localityName_default = Shenzhen
organizationName = Organization Name (eg, company)
organizationName_default = LingQiao
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Client-localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP = 127.0.0.1
EOF
$ openssl req -new -sha256 -key client.key -config client.conf -out client.csr -batch
- 用CA证书生成终端client证书,得到client.crt
$ openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extfile client.conf -extensions req_ext -in client.csr -out client.crt
$ openssl x509 -noout -text -in client.crt
测试证书
- 单向认证测试
$ openssl s_server -accept 30000 -key server.key -cert server.crt
$ echo | openssl s_client -connect localhost:30000 -showcerts
$ echo | openssl s_client -connect localhost:30000 -verify 1 -CAfile ca.crt -showcerts
- 双向认证测试(mTLS)
$ openssl s_server -accept 30000 -key server.key -cert server.crt -Verify 1 -CAfile ca.crt
$ echo | openssl s_client -connect localhost:30000 -showcerts
$ echo | openssl s_client -connect localhost:30000 -cert client.crt -key client.key -verify 1 -CAfile ca.crt -showcerts
- 其它测试:
openssl s_server:
-www - Respond to a 'GET /' with a status page
-WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
-HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>
$ openssl s_server -accept 30000 -key server.key -cert server.crt -Verify 1 -CAfile ca.crt -HTTP
$ echo 'GET /ca.crt HTTP/1.0' | openssl s_client -connect localhost:30000 -cert client.crt -key client.key -verify 1 -CAfile ca.crt -quiet
$ cat /etc/passwd | openssl s_server -accept 30000 -key server.key -cert server.crt -Verify 1 -CAfile ca.crt
$ echo | openssl s_client -connect localhost:30000 -cert client.crt -key client.key -verify 1 -CAfile ca.crt -quiet
获取服务的证书:
echo|openssl s_client -connect <host:port> 2>&1 |sed -ne '/-BEGIN CERTIFICATION-/,/-END CERTIFICATION-/ > server-cert.pem
验证证书:
openssl -verify server-cert.pem
openssl s_client -connect <host:port> -ssl3
openssl 其它操作
- 提取公钥
$ openssl rsa -in server.key -check
$ openssl rsa -in server.key
$ openssl rsa -in server.key -test
$ openssl rsa -in server.key -pubout -out server.pub #私钥提取公钥
$ openssl req -in server.csr -pubkey -noout > server.pub #证书请求提取公钥
$ openssl x509 -in server.crt -pubkey -noout > server.pub #证书提取公钥
$ diff <(openssl x509 -pubkey -noout -in server.crt) <(openssl rsa -pubout -in server.key)
$ openssl rsa -pubin -in server.pub
$ openssl rsa -pubin -in server.pub -text
keytool
keytool -list -rfc -keystore <file> -storepass changeit
keytool -list -rfc -keystore <file> -storepass changeit -alias server-cert
keytool -list -rfc -keystore <file> -storepass changeit -alias server-cert > server-cert.pem
keytool -list -rfc -keystore <file> -storepass changeit -alias server-cert |openssl x509 -noout -text
提取私钥:jks 不能直接提取私钥:需要转换成pkcs12再提取:
keytool -v importkeystore \
-srckeystore <keystore.jks> -srcstoretype jks -srcstorepass changeit -alias server-cert \
-destkeystore <keystore.p12> -deststoretype PKCS12 -deststorepass 12345678 -destalias server-cert -destkeypass 12345678 -nopromt
导出证书
openssl pkcs12 -in keystore.p12 -passin pass:12345678 -nokeys -out server-cert.cert
导出私钥
openssl pkcs12 -in keystore.p12 -passin pass:12345678 -nocertc -out server.key