文章目录
openssl用到的子命令
- req - PKCS#10 certificate request and certificate generating utility
- x509 - Certificate display and signing utility
- genrsa - generate an RSA private key
- ecparam - EC parameter manipulation and generation
- rsa - RSA key processing tool
- ca - sample minimal CA application
- verify - Utility to verify certificates
openssl用户手册
https://www.openssl.org/docs/man1.1.1/man1/
简单易用的SSL证书制作手册
https://www.digicert.com/kb/ssl-support/openssl-quick-reference-guide.htm
ECDSA加密方式
openssl ecparam -list_curves
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
RSA加密方式
使用哪种方式对秘钥进行加密
openssl genrsa help
usage: genrsa [args] [numbits]
-des encrypt the generated key with DES in cbc mode
-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
-idea encrypt the generated key with IDEA in cbc mode
-seed
encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
1 生成秘钥
为什么要生产秘钥?
所谓的RSA和ECDSA对应秘钥套件那个部分?
# ECDSA
https://www.openssl.org/docs/man1.1.1/man1/ecparam.html
openssl ecparam -name secp521r1 -genkey -noout -out father.ecdsa.key
openssl ecparam -name prime256v1 -genkey -noout -out father.ecdsa.prime256v1.key
# RSA
https://www.openssl.org/docs/man1.1.1/man1/genrsa.html
# 不加密内容
openssl genrsa -out father.rsa.1024.key 1024
# 使用des3加密内容
openssl genrsa -des3 -out father.rsa.1024.key 1024
openssl genrsa -des3 -out father.rsa.4096.key 4096
# DH
https://www.openssl.org/docs/man1.1.1/man1/dhparam.html
秘钥内容包含了公钥的部分
openssl rsa -in father.rsa.4096.key -text -noout
Enter pass phrase for father.rsa.4096.key:
Private-Key: (4096 bit)
modulus:
...
publicExponent: 65537 (0x10001)
privateExponent:
...
prime1:
...
prime2:
...
exponent1:
...
exponent2:
...
coefficient:
...
2 生成根证书crt
https://www.openssl.org/docs/man1.1.1/man1/req.html
# ECDSA
openssl req -new -x509 -days 3650 -key father.ecdsa.key -out father.ecdsa.complicate.crt
# RSA
openssl req -new -x509 -days 3650 -key father.rsa.4096.key -out father.rsa.complicate.crt
更快捷的方法,不需要填写哪些烦人的字段
openssl req -new -x509 -days 3650 -key father.ecdsa.key -out father.ecdsa.command.crt -subj "/C=CN/ST=GD/L=GZ/O=Justin Company, Inc./OU=IT/CN=justin.com"
3 检查根证书信息crt
https://www.openssl.org/docs/man1.1.1/man1/x509.html
openssl x509 -in father.ecdsa.complicate.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13123089639795006486 (0xb61e947f8f971c16)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=GD, L=GZ, O=justin, OU=justin, CN=justin.com
Validity
Not Before: Apr 19 12:14:58 2021 GMT
Not After : Apr 17 12:14:58 2031 GMT
Subject: C=CN, ST=GD, L=GZ, O=justin, OU=justin, CN=justin.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
...
ASN1 OID: secp521r1
X509v3 extensions:
X509v3 Subject Key Identifier:
D6:58:BD:FA:76:3B:03:F8:4F:C0:79:83:F0:58:4A:7A:B8:06:93:E3
X509v3 Authority Key Identifier:
keyid:D6:58:BD:FA:76:3B:03:F8:4F:C0:79:83:F0:58:4A:7A:B8:06:93:E3
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
...
4 生成子证书秘钥Key
这里要区分RSA和ECDSA,因为RSA的秘钥默认都需要密码加密,但可以通过重新输出免除密码,但这种方式也会带来安全风险。
# ECDSA
openssl ecparam -name secp521r1 -genkey -noout -out son.ecdsa.key
# RSA,需要输入密码
openssl genrsa -des3 -out son.rsa.4096.key 4096
Generating RSA private key, 4096 bit long modulus
......++
......................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for son.rsa.4096.key:
Verifying - Enter pass phrase for son.rsa.4096.key:
# RSA秘钥转为不需要密码的秘钥
openssl rsa -in son.rsa.4096.key -out son.rsa.4096.unsecure.key
Enter pass phrase for son.rsa.4096.key:
writing RSA key
5 生成子证书请求CSR
生成子证书请求,RSA和ECDSA没有什么区别。但需要注意请求是需要带上域名的选型
# ECDSA
openssl req -config openssl.cnf -extensions v3_req -new -sha256 -utf8 -key son.ecdsa.key -out son.ecdsa.csr
# RSA
openssl req -config openssl.cnf -extensions v3_req -new -sha256 -utf8 -key son.rsa.4096.unsecure.key -out son.rsa.4096.csr
-config openssl.cnf -extensions v3_req 使用这个配置文件的这个部分,以此内容覆盖原配置文件
openssl.cnf添加访问域名
复制配置
cp /etc/pki/tls/openssl.cnf ./
修改配置
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names # 新增
[ alt_names ] # 域名写在这个小节中
DNS.1 = a.justin.com
DNS.2 = b.justin.com
DNS.3 = newdomain.justin.com
DNS.4 = infomation.justin.com
DNS.5 = hello.justin.com
DNS.6 = special.person.justin.com
这种增加域名subjectAltName在叫做SAN
SAN(Subject Alternative Name) 是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。
Creating and signing an SSL cert with alternative names
6 生成子证书
index/serial文件新增
对于自签名的证书,这两个文件是必需的
touch /etc/pki/CA/index.txt
# 序列号,只能递增
echo "1000" > /etc/pki/CA/serial
CSR/父证书/父key生成子证书
openssl ca -config openssl.cnf -extfile openssl.cnf -extensions v3_req -in son.ecdsa.csr -out son.ecdsa.crt -cert father.ecdsa.complicate.crt -keyfile father.ecdsa.key -days 365
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Apr 19 12:57:08 2021 GMT
Not After : Apr 19 12:57:08 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = GD
organizationName = justin
organizationalUnitName = justin
commonName = *justin.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:a.justin.com, DNS:b.justin.com, DNS:newdomain.justin.com, DNS:infomation.justin.com, DNS:hello.justin.com, DNS:special.person.justin.com
Certificate is to be certified until Apr 19 12:57:08 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7 验证
根证书与子证书关系
# ECDSA
openssl verify -CAfile father.ecdsa.complicate.crt son.ecdsa.crt
son.ecdsa.crt: OK
# RSA
openssl verify -CAfile father.rsa.complicate.crt son.rsa.crt
son.rsa.crt: OK
ECDSA内容检查
openssl x509 -in son.ecdsa.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000) # 留意这里serial,是文件设定的
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=CN, ST=GD, L=GZ, O=justin, OU=justin, CN=justin.com
Validity
Not Before: Apr 19 12:57:08 2021 GMT
Not After : Apr 19 12:57:08 2022 GMT
Subject: C=CN, ST=GD, O=justin, OU=justin, CN=*justin.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
...
ASN1 OID: secp521r1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:a.justin.com, DNS:b.justin.com, DNS:newdomain.justin.com, DNS:infomation.justin.com, DNS:hello.justin.com, DNS:special.person.justin.com
Signature Algorithm: ecdsa-with-SHA256
...
RSA内容检查
openssl x509 -in son.rsa.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001) # 留意这里serial,递增了1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=GD, L=GZ, O=justin, OU=justin, CN=justin
Validity
Not Before: Apr 19 13:28:38 2021 GMT
Not After : Apr 19 13:28:38 2022 GMT
Subject: C=CN, ST=GD, O=justin, OU=justin, CN=justin
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:a.justin.com, DNS:b.justin.com, DNS:newdomain.justin.com, DNS:infomation.justin.com, DNS:hello.justin.com, DNS:special.person.justin.com
Signature Algorithm: sha256WithRSAEncryption
...
其他
证书链结构
-----BEGIN CERTIFICATE-----
网站证书
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 中间证书机构
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA 根证书机构
-----END CERTIFICATE-----
查看JDK支持的证书
cd $JAVA_HOME/lib/security
keytool -list -keystore cacerts
# 文件内容是证书的fingerprint
The default password of the keystore is: changeit. For Java-8 or lower version use the command, cd $JAVA_HOME/jre/lib/security
# 获取服务器证书的fingerprint
openssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
20万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
