本篇是本系列的第二篇:
证书编码格式与后缀名
通常所说的证书指的是X.509公钥证书。
编码格式
常规PEM和DER两种,其中PEM是一种Base64的文本格式,DER是一种二进制格式。
证书后缀名的通常含义
.pem —— 用PEM方式编码的证书文件
.der —— 用DER方式编码的证书文件
.crt —— The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
.cer —— alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
.key —— The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
生成X.509证书
证书生成步骤
一般经历如下步骤:
- 生成密钥对
- 对公钥生成证书请求文件
- 提交证书请求文件给CA,CA对请求文件进行签名生成证书
证书请求文件
生成证书请求文件
执行如下指令,根据已有的私钥生成证书请求文件(CSR):
openssl req -new -key private.key -out server.csr
根据提示设置各属性:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Haidian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example inc
Organizational Unit Name (eg, section) []:Engineering
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:admin@example.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
完成后生成证书请求文件 server.csr。
当然,也可以把参数直接写到命令行中,这样就不用交互式填写各参数
openssl req -new -key private.key -subj "/C=CN/ST=Beijing/L=Haidian/O=Example inc/OU=Engineering/CN=www.example.com/emailAddress=admin@example.com" -out server.csr生成信息更丰富的请求文件
可用-config参数来生成信息更丰富的证书请求文件,指令如下
openssl req -new -config server.cnf -key private.key -out server.csr其中server.cnf文件内容如下:
[ req ]
default_bits = 2048
default_keyfile = private.key
distinguished_name = req_distinguished_name# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstrreq_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2localityName = Locality Name (eg, city)
localityName_default = Beijing0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example inc.organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = EngineeringcommonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = www.example.comemailAddress = Email Address
emailAddress_max = 40
emailAddress_default = admin@example.com[ v3_req ]
nsCertType = server
basicConstraints = critical,CA:false
指定签名算法
在有些系统上,默认的签名算法是SHA-1,如果想换成SHA-256,则可增加-sha256参数,如下
openssl req -new -sha256 -key private.key -out server.csr如果需要用SHA-512,则将参数换成-sha512
查看证书请求文件信息
默认生成的证书请求文件是PEM格式的文本文件,执行如下指令查看其信息
openssl req -in server.csr -noout -text输出内容如下
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = www.example.com, emailAddress = admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:87:cb:35:67:c4:98:6f:e3:96:cb:33:fc:db:
bd:61:fd:f2:cb:1e:3e:9c:fd:db:66:12:aa:35:a6:
6a:03:05:01:22:08:9d:51:53:94:98:46:5e:00:2a:
b8:47:76:08:c7:76:ce:04:60:61:9e:97:56:71:a1:
46:87:62:ca:fa:1d:22:65:9d:02:13:ad:3f:82:49:
b6:f5:bf:ac:64:cd:b3:80:fa:b3:04:86:f7:2d:a4:
59:f9:ea:c3:ba:69:b4:4c:d8:b2:1b:d3:3e:42:90:
87:0f:c7:45:1a:9f:e1:fb:41:22:54:d5:f7:0f:c9:
9d:98:6f:1d:73:66:f1:d5:27:15:56:ce:9e:a6:57:
29:70:ba:f1:bc:c5:8d:83:98:26:2b:e2:c8:2b:79:
41:96:70:88:c0:1a:40:b4:b9:ef:c3:11:24:40:10:
f3:6a:80:18:92:dc:3c:4d:ca:ec:19:5a:7f:91:c4:
eb:38:b1:69:48:25:e3:a7:35:ab:c2:36:69:4e:6f:
41:49:db:ab:f7:d9:e2:8c:e7:b1:79:23:02:70:3a:
9a:8d:d5:09:6d:42:3c:1b:32:88:77:9a:e7:dc:0a:
1e:76:de:09:51:e0:33:f0:36:6d:67:f3:b2:be:7f:
2c:03:72:fb:fc:65:a1:42:59:31:c0:e4:5a:ea:66:
a4:97
Exponent: 65537 (0x10001)
Attributes:
(none)
Requested Extensions:
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
10:f7:1e:0f:7a:65:20:b7:f0:2d:42:dc:d1:b3:a5:94:a8:e8:
1a:68:a7:e3:79:4b:b6:a1:2d:76:6c:4a:38:0e:68:cb:77:d0:
de:e6:77:a8:ee:3f:9b:fd:02:14:af:53:1a:16:99:e1:73:62:
96:be:87:d3:17:b3:a6:ed:ab:94:e3:88:20:1d:64:20:f9:95:
35:53:61:6a:eb:11:c6:d2:92:10:67:00:3b:c3:35:ce:67:c3:
d4:c9:07:94:31:0d:dc:d3:61:3f:5b:66:3d:cc:8e:69:32:5f:
ae:23:e9:6b:36:b8:41:a6:67:b2:6e:4c:a7:50:1d:a0:15:12:
a8:10:ce:bf:34:76:29:8b:b8:76:73:6b:7b:f6:fb:9f:60:eb:
39:80:a8:53:45:47:a2:ec:e7:36:47:99:06:59:a9:03:9f:67:
b1:99:76:af:11:59:09:81:33:84:67:c3:c8:9f:f6:62:ef:52:
ef:1f:7c:cd:db:21:92:eb:48:b3:bf:c6:7d:a1:ef:0f:6c:14:
5e:0b:b9:cc:84:92:8d:d9:a4:45:c9:7b:02:5b:df:90:e9:5b:
ac:87:f2:f0:a8:e8:61:3c:55:51:9a:92:77:8e:8c:35:c8:f7:
10:67:75:f3:0b:8b:90:0c:fd:96:67:84:17:1d:a9:8b:4f:34:
e1:6f:16:98
验证请求文件
验证的原理就是核对一遍摘要信息,执行如下指令
openssl req -verify -in server.csr -noout如请求文件验证成功,其输出如下
Certificate request self-signature verify OK
生成证书
生成自签名证书
自签名证书一般用于生成测试用的CA证书.
用前述步骤的证书请求文件生成自签名证书,执行如下指令:
openssl x509 -req -days 3650 -in server.csr -signkey private.key -out server.pem命令输出信息如下:
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = www.example.com, emailAddress = admin@example.com
以上指令就签发了一个有效期为10年的自签名证书。
生成时可以额外指定一些参数,比如序列号,用set_serial指定:
openssl x509 -req -days 3650 -in server.csr -signkey private.key -set_serial 123456 -out server.pem用CA签发证书
进行本节的操作时,需提前做如下准备
- 生成自签名的CA证书,CA私钥和证书对应的文件为ca-private.key和ca.pem。生成CA证书的方法请参考前一节“生成自签名证书”。
- 准备好证书请求文件,对应的文件名为server.csr
用openssl x509指令签发证书
执行如下指令签发证书
openssl x509 -req -days 365 -in server.csr \
-CA ca.pem -CAkey ca-private.key -CAcreateserial -out server.pem命令输出如下:
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = www.example.com, emailAddress = admin@example.com
命令参数 -CAcreateserial会在当前目录下创建一个ca.slr文件来记录序列号,每签发一个证书该文件中记录的序列号会自增,如果该文件已经存在则可以不需要该指令。
用openssl ca指令签发证书
比x509指令要略复杂点,需要做如下准备工作
mkdir ca.db.certs
echo '00' >ca.db.serial
cp /dev/null ca.db.index创建ca.cnf文件,内容如下:
HOME = .
####################################################################
[ ca ]
default_ca = CA_default # The default ca section[ CA_default ]
default_days = 3650 # how long to certify for
#default_crl_days = 30 # how long before next CRL
default_md = sha256 # use public key default MD
#preserve = no # keep passed DN orderingdir = .
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/ca.pem
private_key = $dir/ca-private.key
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subjectx509_extensions = ca_extensions # The extensions to add to the cert
#email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to certpolicy = ca_policy
####################################################################
[ ca_extensions ]subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always, issuer
#basicConstraints = critical, CA:true
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement, keyCertSign, cRLSign
#extendedKeyUsage = 1.3.6.1.5.5.7.3.19####################################################################
[ ca_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
然后执行如下命令签发证书
openssl ca -in server.csr -days 365 -cert ca.pem -keyfile ca-private.key -config ca.cnf -out server-02.pem命令输出如下:
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :ASN.1 12:'Beijing'
localityName :ASN.1 12:'Haidian'
organizationName :ASN.1 12:'Example inc'
organizationalUnitName:ASN.1 12:'Engineering'
commonName :ASN.1 12:'www.example.com'
emailAddress :IA5STRING:'admin@example.com'
Certificate is to be certified until Nov 7 03:16:35 2024 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
用CA校验签发的证书
执行如下指令可校验证书
openssl verify -verbose -CAfile ca.pem server.pem其输出如下
server.pem: OK
证书格式转换
PEM转DER
执行如下指令,可从PEM格式的证书server.pem生成一个DER格式的证书文件server.der
openssl x509 -in server.pem -out server.der -outform DERDER转PEM
执行如下指令
openssl x509 -inform DER -in server.der -out server.pem查看证书内容
查看证书基础信息
执行如下指令
openssl x509 -in server.pem -noout -text输出如下
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
2f:87:04:87:65:c9:14:07:f5:d3:f4:cf:fd:29:a6:af:bc:e2:b6:8e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = ca, emailAddress = admin@example.com
Validity
Not Before: Nov 8 02:55:23 2023 GMT
Not After : Nov 7 02:55:23 2024 GMT
Subject: C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = www.example.com, emailAddress = admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:64:ff:c1:17:d8:79:de:44:ac:c8:38:6e:f9:
a8:58:fa:03:5e:96:28:e1:70:55:d5:4a:ad:b4:cb:
c3:b3:97:8d:e7:77:d1:28:b3:b1:c1:83:36:3f:c7:
b8:1c:74:d4:b6:ae:88:59:63:96:41:3e:e7:2f:1c:
1b:9d:85:cd:e5:bd:20:40:39:aa:97:84:aa:0d:2a:
33:91:f0:c8:cb:e5:cc:c0:17:ab:08:e7:ba:76:20:
82:e6:b9:61:ae:fb:5a:e7:84:eb:7f:eb:dc:65:a0:
c3:de:00:6c:1e:6a:18:a1:d1:33:2f:96:56:f5:b3:
c2:41:c3:34:10:42:b6:2f:87:51:fe:04:52:e5:9d:
c3:46:0f:02:66:15:1c:58:ae:a8:04:09:87:b8:51:
10:f6:73:5c:31:44:94:1f:86:45:75:49:7e:4a:e8:
8b:5c:c2:09:59:c2:d1:c6:16:c1:61:d2:db:af:7a:
e2:2e:e5:65:c9:a8:25:9d:b1:a6:d1:50:51:b9:54:
a9:b1:43:87:7e:1a:e4:02:95:d9:7e:e0:bd:e2:d5:
77:eb:f9:1f:eb:a3:3a:91:3f:4e:1a:e4:39:db:37:
75:8d:7d:3c:30:fd:10:68:3c:b4:ce:b7:71:f4:7e:
31:e4:9b:a3:38:b2:6f:f0:1e:39:84:01:de:92:c7:
5c:5f
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
aa:d6:ce:a3:ec:da:04:30:ad:78:a2:ad:bd:38:b6:05:ae:3a:
2e:e8:7a:2f:fb:73:48:d9:c3:00:f7:15:cf:72:c4:e7:a7:07:
d5:e5:9f:10:4b:ef:5e:73:30:05:d3:c5:e5:d1:e2:ea:df:39:
be:24:4a:59:72:72:bb:01:83:02:4a:4c:8e:c1:4f:d7:12:25:
88:03:db:a6:7d:f2:af:6d:1e:08:1c:f1:bb:5d:f4:7e:18:b7:
96:cd:ed:54:67:8b:e1:3e:e6:a8:77:00:bd:a3:b3:2b:fc:39:
72:70:05:b9:de:d0:e9:52:48:cd:a2:bb:79:fd:ee:86:dd:fe:
ca:1e:74:b7:99:d8:07:ad:f6:eb:1e:37:e8:9a:4b:bc:70:58:
5e:d5:15:39:cd:5b:e9:86:df:f3:59:88:4e:91:9f:38:47:2c:
4b:95:6d:ee:11:7f:35:a8:4e:ed:22:36:f8:f5:c5:a3:56:6e:
fb:e0:8c:98:fe:ff:5c:90:68:9c:c7:fd:28:d2:b7:06:26:df:
d7:52:8d:21:ef:b1:93:33:66:6e:30:2f:ce:14:ce:50:a7:b4:
94:1e:dd:93:68:ff:f6:53:fd:79:a3:1e:55:37:22:49:b9:7f:
7e:36:25:cb:d0:15:f0:01:57:8e:9b:b6:ec:f3:f2:85:fb:08:
95:b9:00:34
如果是DER格式的证书,则可以执行如下指令来查看
openssl x509 -inform DER -in server.der -noout -text查看证书有效期
执行指令
openssl x509 -dates -in server.pem -noout其输出如下
notBefore=Nov 8 02:55:23 2023 GMT
notAfter=Nov 7 02:55:23 2024 GMT
查看证书签发机构
运行指令
openssl x509 -issuer -issuer_hash -in server.der -inform DER -noout其输出如下
issuer=C = CN, ST = Beijing, L = Haidian, O = Example inc, OU = Engineering, CN = ca, emailAddress = admin@example.com
01f557e2
查看证书的Hash
openssl x509 -hash -in server.pem -noout其输出如下
117d7aed
查看证书的摘要
openssl x509 -fingerprint -in server.pem -noout其输出如下
SHA1 Fingerprint=6F:10:61:38:CD:4F:AC:98:15:B0:D5:1F:67:B2:3D:1F:94:F5:40:CC
7555
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
