OPENSSL与私有CA搭建

最新推荐文章于 2022-12-26 21:39:08 发布
最新推荐文章于 2022-12-26 21:39:08 发布
阅读量953 收藏
点赞数
分类专栏: WEB安全 文章标签: openssl ssl https
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43853965/article/details/103877215
版权

本文是实操,旨在理解:

对称加密、非对称加密、散列的具体实现;
CA的整个工作过程;
数字证书到底包含哪些内容。

本文也是我的上一篇《对称加密、非对称加密、散列算法与PKI》的具体实现,如果对本文涉及的对称加密、非对称加密、散列算法不太理解,可以先看看我的那篇通俗讲解。

一、Openssl常用命令:

帮助:
	# openssl ?	# 查看openssl的命令及子命令
	# man enc	# 可以直接查看子命令帮助

加密:
	# openssl enc -des3 -e -salt -in /lee/sh/test.sh -out /lee/sh/test.sh.des3
		-des3:指定加密算法,可以在openssl ?中查看支持的加密算法
		-e:加密,缺省参数
		-salt:加盐
		-in:输入文件,也就是要加密的文件
		-out:输出文件,也就是加密后的密文
	enter des-ede3-cbc encryption password:	# 输入加密密码
	Verifying - enter des-ede3-cbc encryption password:	#确认输入加密密码

解密:
	# openssl enc -des3 -d -salt -in /lee/sh/test.sh.des3 -out /lee/sh/test1.sh
		-d:解密
	enter des-ede3-cbc decryption password:

散列:
	# md5sum /lee/sh/test.sh	# 用MD5散列
	590c2fdc61a76337dd2e1df91a217a27  /lee/sh/test.sh
	# sha1sum /lee/sh/test.sh	# SHA1散列
	40554fd040b5a54821280603a67e5c07818aff65  /lee/sh/test.sh
	# openssl dgst -sha1 /lee/sh/test.sh	# 用openssl命令进行SHA1散列
	SHA1(/lee/sh/test.sh)= 40554fd040b5a54821280603a67e5c07818aff65
	# openssl dgst -md5 /lee/sh/test.sh	# 用openssl命令进行MD5散列
	MD5(/lee/sh/test.sh)= 590c2fdc61a76337dd2e1df91a217a27
	# openssl dgst -?	# 这样可以输出支持的命令
	unknown option '-?'
	options are
	-c              to output the digest with separating colons
	-r              to output the digest in coreutils format
	-d              to output debug info
	-hex            output as hex dump
	-binary         output in binary form
	-hmac arg       set the HMAC key to arg
	-non-fips-allow allow use of non FIPS digest
	-sign   file    sign digest using private key in file
	-verify file    verify a signature using public key in file
	-prverify file  verify a signature using private key in file
	-keyform arg    key file format (PEM or ENGINE)
	-out filename   output to filename rather than stdout
	-signature file signature to verify
	-sigopt nm:v    signature parameter
	-hmac key       create hashed MAC with key
	-mac algorithm  create MAC (not neccessarily HMAC)
	-macopt nm:v    MAC algorithm parameters or key
	-engine e       use engine e, possibly a hardware device.
	-md4            to use the md4 message digest algorithm
	-md5            to use the md5 message digest algorithm
	-ripemd160      to use the ripemd160 message digest algorithm
	-sha            to use the sha message digest algorithm
	-sha1           to use the sha1 message digest algorithm
	-sha224         to use the sha224 message digest algorithm
	-sha256         to use the sha256 message digest algorithm
	-sha384         to use the sha384 message digest algorithm
	-sha512         to use the sha512 message digest algorithm
	-whirlpool      to use the whirlpool message digest algorithm

生成密码串(散列值):
	# openssl passwd -?	# 详细帮助还是查看man
	Usage: passwd [options] [passwords]
	where options are
	-crypt             standard Unix password algorithm (default)
	-1                 MD5-based password algorithm	# MD5算法
	-apr1              MD5-based password algorithm, Apache variant
	-salt string       use provided salt
	-in file           read passwords from file
	-stdin             read passwords from stdin
	-noverify          never verify when reading password from terminal
	-quiet             no warnings
	-table             format output as table
	-reverse           switch table columns
	但是,passwd本身是一个操作系统命令,用man查看的是操作系统那个passwd的帮助,于是whatis一下:
	# whatis passwd
	sslpasswd (1ssl)     - compute password hashes	# 可以看出是sslpasswd
	passwd (1)           - update user's authentication tokens
	passwd (5)           - password file
	# man sslpasswd	# 这样就可以查看了
	# openssl passwd -1	# 使用MD5算法计算密码的(字符串)的散列值
	Password: 
	Verifying - Password: 
	$1$VAehBGE.$vSHYjZqz4O3xLXgqaWTL70
	注意:这个命令时默认加盐的,所以多次执行同一个密码串所得到的结果都会不同
	# openssl passwd -1 -salt VAehBGE.	# 指定salt值
	Password: 
	$1$VAehBGE.$vSHYjZqz4O3xLXgqaWTL70	# 相同的salt结果输出一样了

生成非对称密钥:
	# openssl genrsa	# 生成RSA私钥
	Generating RSA private key, 2048 bit long modulus
	...........+++
	........................+++
	e is 65537 (0x10001)
	-----BEGIN RSA PRIVATE KEY-----
	MIIEpQIBAAKCAQEA9armbPLhXtJc70Ktvw0JJEZtWaA6MtWGjL6sr51WGhrC2wcu
	XVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbqlt0Jmh0RG9XxB51cKR1s8c71k/u2A
	Jm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJul49Vp/uIuGX+3HEgmgoOWObw6xiC
	tMSR9c5ksobz3oI6R9ccwpOfcXBWUzVo2fc+KnuKyM1saR8HXrHBPpoyP6DT2GOv
	CyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+X2vCVPzferYRixH8b96HGisxqD2f
	UxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXANwIDAQABAoIBABg0S1mmoG/QOBnW
	rvmo1iK90Z5H/BPwF76cNrViwg32XwZncbj+mPHDpsizlzKohFV4Dd0mz4oF9bkR
	EpGCLzucDi/7mSYspO2fFMMtCQq6OU4opjyjHLUSLBEopevAVmrtBz6arLphzciy
	sT/OlcjW9XCEhtbsLa0YdEbZAMrfXKdpR88CX8zIKn5ZTG2BO6vP6tfLrSVPM/Rl
	5dJVLFkB4cgoZKLYDzllYPn9YerUFJnl1H+2ky/skEWf+jDoIw+zVQPhUn/kdBpU
	gFEbp60FvJK5iRx81fK0liOhZHFefNGsiSSqPVVvP7qRmqgCamZYqfQdRujzZ4Io
	sW4Q5FECgYEA/iTMjxSnE3x5d8jzR/s5rotEq08XlfVlkAYSxFOje0lOtdlX/OJv
	02+4lf0btEOHPcdCbHIuhx6zMlx2TPaXcfgMvowKe+/bfcX76VldhQxj/xJvXzVx
	acCYY2fRZc69GPsXR+PHANMjI4AZWoDeGYaqxEtMafSQnFiagatyx1kCgYEA93ZA
	kHUDBHlpkg+bQLrlimMGqXGj4m7TasW/PTxEWe1WbgKuN9o7grGdnAlhKDhdAi9S
	4eCNzKA4CTK8Zx9WH6izgq9oushDSofTgzozuPXiJ2PFxDl0nGQLvg2UrgzzBmSK
	0GO0Il7tkkDKfZdApFgqyWbA7CrShs1rF9fsYg8CgYEA00kau5Vq9btVbO2mvGAz
	a1YjZ9ygei6DGkLCVXBHiNbAVlT0XqyOVZUbO68q2ioOBKFlKq2e2vz988+FFqUn
	8TtMtRnOGY2myCDSNwTxyAwuEkBsURYoTMguqO4F24MOGPefOkg3CQt/uiLkcSaT
	/1rDG+CSDcCifSj4gvdbvDkCgYEAorch6xrVuhpvfXg/mMeL6XwFxGMR5PEEmT+f
	6Q74zrzNyRaAIf+gg+ZwgUp1lTHCjo45jIbQFo3/aqTu10v2oGiYaMUYM0E9ZgN7
	49zgZ61eYJItV0KEV9U9F2HssqmXH0v7Lt1wc+1Bf5qUyxIqkiXbNIUZM/FQbw0h
	bxMuvqcCgYEA8JMQHjmx9NCUAH9ShHrrqO4qw9NCvAteShx0D/AbQALP5L56QfWQ
	L0h31nNpL1E2AHAME/ZcWQzeHhrPY0+gOklBRG+mQS2MNOD31bZNUgh6LF20s4M/
	1Qb1srzf9qKbhD2PG3PSSuj1UuFGT/al/L3QOnv4+ewXgL/Iyl7HAgs=
	-----END RSA PRIVATE KEY-----
	# openssl genrsa -out /lee/my.key	# 生成RSA私钥同时输出
	# openssl rsa -in /lee/my.key -pubout	# 查看私钥的公钥
	writing RSA key
	-----BEGIN PUBLIC KEY-----
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9armbPLhXtJc70Ktvw0J
	JEZtWaA6MtWGjL6sr51WGhrC2wcuXVdrQlpWXWxFjO7zlwfIs2Oo9+6LmQdmRbql
	t0Jmh0RG9XxB51cKR1s8c71k/u2AJm6Ccg8wsxLgBVKrpFB9bZ7WsLAJ7n61mkJu
	l49Vp/uIuGX+3HEgmgoOWObw6xiCtMSR9c5ksobz3oI6R9ccwpOfcXBWUzVo2fc+
	KnuKyM1saR8HXrHBPpoyP6DT2GOvCyLjw1l1c4jPKO6PC2CJMyM4q6EuTow/j8y+
	X2vCVPzferYRixH8b96HGisxqD2fUxK1H3RPOCk8L/NiWyE2L5950FgDxUB1gRXA
	NwIDAQAB
	-----END PUBLIC KEY-----
	# openssl rsa -in /lee/my.key -pubout -out /lee/mypub.key	# 输出私钥的公钥
	
证书格式转换:
	将cer和pfx文件转换成pem格式的文件
		# openssl pkcs12 -in xxx.pfx -nodes -out xxx.pem
		# openssl x509 -inform der -in xxx.cer -out xxx.pem -outform pem
	从pfx中提取密钥对
		# openssl pkcs12 -in longsys.com123456.pfx -nocerts -nodes -out longsys.key
	从密钥对中提取私钥(头部格式:-----BEGIN RSA PRIVATE KEY-----)
		# openssl rsa -in longsys.key -out longsys_private.pem
	从密钥对提取公钥(头部格式:-----BEGIN RSA PUBLIC KEY-----)
		# openssl rsa -in longsys.key -RSAPublicKey_out -out longsys_public.pem	#也可以从私钥中提取,结果一样
	从密钥对提取公钥(头部格式:-----BEGIN PUBLIC KEY-----)
		# openssl rsa -in longsys.key -pubout -out mypub.key	#同样也可以从私钥中提取

二、配置CA:

1):查看并修改CA配置文件:
	# cat /etc/pki/tls/openssl.cnf	# 主要的是下面的内容
	####################################################################
	[ ca ]
	default_ca	= CA_default		# The default ca section

	####################################################################
	[ CA_default ]

	dir		= /etc/pki/CA		# Where everything is kept	# 默认主工作目录
	certs		= $dir/certs		# Where the issued certs are kept	# 客户端证书保存目录
	crl_dir		= $dir/crl		# Where the issued crl are kept	# 证书撤销列表位置
	database	= $dir/index.txt	# database index file.	# 发放的证书列表,默认是没有这个文件的,需要自己创建
	#unique_subject	= no			# Set to 'no' to allow creation of
						# several ctificates with same subject.
	new_certs_dir	= $dir/newcerts		# default place for new certs.	# 新生成的证书

	certificate	= $dir/cacert.pem 	# The CA certificate	# CA自己的证书(自签署证书)
	serial		= $dir/serial 		# The current serial number	# 序号,默认是没有这个文件的,需要自己创建
	crlnumber	= $dir/crlnumber	# the current crl number
						# must be commented out to leave a V1 CRL
	crl		= $dir/crl.pem 		# The current CRL
	private_key	= $dir/private/cakey.pem# The private key	# CA的私钥存放位置
	RANDFILE	= $dir/private/.rand	# private random number file

	x509_extensions	= usr_cert		# The extentions to add to the cert

	# Comment out the following two lines for the "traditional"
	# (and highly broken) format.
	name_opt 	= ca_default		# Subject Name options
	cert_opt 	= ca_default		# Certificate field options

	# Extension copying option: use with caution.
	# copy_extensions = copy

	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
	# so this is commented out by default to leave a V1 CRL.
	# crlnumber must also be commented out to leave a V1 CRL.
	# crl_extensions	= crl_ext

	default_days	= 365			# how long to certify for	# 证书默认有效期
	default_crl_days= 30			# how long before next CRL
	default_md	= sha256		# use SHA-256 by default
	preserve	= no			# keep passed DN ordering

2):生成一个CA自己的非对称私钥:
	# openssl genrsa -out /etc/pki/CA/private/cakey.pem

3):生成自签署证书:
	# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
		-new:新建
		-x509:指定自签署证书
		-key:指定非对称秘钥(私钥)
		-out:输出文件
		-days:证书有效期
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [XX]:CN
	State or Province Name (full name) []:GuangDong      
	Locality Name (eg, city) [Default City]:ShenZhen
	Organization Name (eg, company) [Default Company Ltd]:test
	Organizational Unit Name (eg, section) []:test
	Common Name (eg, your name or your server's hostname) []:ca.test.com
	Email Address []:admin@test.com
	# openssl x509 -text -in cacert.pem	# 查看证书信息
	Certificate:
		Data:
			Version: 3 (0x2)
			Serial Number:
				ae:af:f9:0e:f3:0e:96:bd
		Signature Algorithm: sha256WithRSAEncryption
			Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test, CN=ca.test.com/emailAddress=admin@test.com
			Validity
				Not Before: Feb  3 07:38:39 2018 GMT
				Not After : Mar  5 07:38:39 2018 GMT
			Subject: C=CN, ST=GuangDong, L=ShenZhen, O=test, OU=test, CN=ca.test.com/emailAddress=admin@test.com
			Subject Public Key Info:
				Public Key Algorithm: rsaEncryption
					Public-Key: (2048 bit)
					Modulus:
						00:c3:91:60:ee:17:d2:14:36:75:1c:d3:95:ac:43:
						69:5c:f0:7f:a6:00:cb:7f:b2:45:5c:1e:0a:da:a9:
						ba:82:37:7f:36:9c:49:c3:2a:23:2e:b1:fa:78:87:
						aa:a5:cc:91:2f:55:0f:e5:dd:de:e8:07:46:61:9e:
						c3:dd:33:12:a1:98:f2:cb:62:00:45:1d:54:89:cb:
						28:cb:4f:b4:eb:46:df:df:ca:5b:94:81:64:c0:4f:
						fe:91:23:a0:33:cf:b8:05:27:63:cc:d2:87:c0:42:
						30:d7:1f:d6:e0:3d:61:61:6d:46:2a:99:63:b3:7f:
						70:6a:f8:96:5f:9e:f6:b6:9f:8e:44:09:cc:eb:3e:
						ac:e0:d0:97:5e:43:9a:8d:b2:f9:18:08:73:7f:39:
						d9:9b:a5:b2:4e:c7:25:93:ce:a6:ee:36:bc:22:e9:
						08:8b:17:c0:5e:af:ff:c6:ce:ea:0b:f5:a6:d3:bc:
						f7:77:76:48:f1:57:25:56:88:6b:73:bf:65:44:59:
						aa:a4:94:cd:d5:7c:4a:ca:fd:77:19:8e:42:62:3a:
						d3:4c:7c:b3:2d:73:ac:1c:70:4b:a5:26:cf:62:c0:
						2f:e0:c3:06:eb:37:6e:1d:7b:df:53:08:09:bf:e0:
						6d:d8:ee:95:6d:1f:d9:df:3e:11:8b:e0:3d:0e:7b:
						94:0f
					Exponent: 65537 (0x10001)
			X509v3 extensions:
				X509v3 Subject Key Identifier: 
					30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B
				X509v3 Authority Key Identifier: 
					keyid:30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B

				X509v3 Basic Constraints: 
					CA:TRUE
		Signature Algorithm: sha256WithRSAEncryption
			 c0:d5:cc:e8:65:34:82:b5:99:f5:5d:e9:6d:43:42:c1:8c:01:
			 0c:09:34:df:d0:46:ca:01:7c:9b:f8:a1:08:e4:99:b1:5c:ef:
			 eb:6d:2d:d5:82:fa:3f:10:c9:96:ac:35:3a:1a:de:a7:37:69:
			 9d:20:d3:4f:19:3b:29:e8:e1:4a:7e:29:cd:5f:a1:81:f5:3e:
			 5d:c4:55:e6:e5:5d:c5:87:bd:4f:45:d0:3c:2c:5a:60:9b:2e:
			 79:23:0d:fa:80:bf:80:83:f2:09:ce:6f:94:5c:c6:21:53:f7:
			 58:8e:cf:8d:88:7e:c1:57:38:a3:1c:e5:02:16:af:56:51:04:
			 9e:ad:54:e4:70:1f:76:d9:bf:1d:38:95:e4:94:91:6d:36:87:
			 c4:fa:75:3d:87:53:c9:10:8d:46:81:34:44:e3:53:12:cf:31:
			 ca:10:48:14:c0:6f:d3:7a:3a:62:3f:04:90:f7:00:d6:c0:ce:
			 ea:2f:44:ad:70:36:58:20:04:f9:2a:98:b4:af:fe:b4:67:35:
			 1d:3b:3e:ea:ba:e4:70:8b:56:f4:d5:bd:61:05:d4:30:23:64:
			 c9:54:cd:96:bf:86:dd:38:41:6a:b1:4e:8d:72:ce:79:b7:fa:
			 51:53:c5:08:e2:d6:2f:43:b0:39:d4:c3:3c:84:b6:83:23:60:
			 4b:c0:9e:9d
	-----BEGIN CERTIFICATE-----
	MIID4zCCAsugAwIBAgIJAK6v+Q7zDpa9MA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
	VQQGEwJDTjESMBAGA1UECAwJR3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjEN
	MAsGA1UECgwEdGVzdDENMAsGA1UECwwEdGVzdDEUMBIGA1UEAwwLY2EudGVzdC5j
	b20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMB4XDTE4MDIwMzA3Mzgz
	OVoXDTE4MDMwNTA3MzgzOVowgYcxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFu
	Z0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMQ0wCwYDVQQKDAR0ZXN0MQ0wCwYDVQQL
	DAR0ZXN0MRQwEgYDVQQDDAtjYS50ZXN0LmNvbTEdMBsGCSqGSIb3DQEJARYOYWRt
	aW5AdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkWDu
	F9IUNnUc05WsQ2lc8H+mAMt/skVcHgraqbqCN382nEnDKiMusfp4h6qlzJEvVQ/l
	3d7oB0ZhnsPdMxKhmPLLYgBFHVSJyyjLT7TrRt/fyluUgWTAT/6RI6Azz7gFJ2PM
	0ofAQjDXH9bgPWFhbUYqmWOzf3Bq+JZfnva2n45ECczrPqzg0JdeQ5qNsvkYCHN/
	OdmbpbJOxyWTzqbuNrwi6QiLF8Ber//GzuoL9abTvPd3dkjxVyVWiGtzv2VEWaqk
	lM3VfErK/XcZjkJiOtNMfLMtc6wccEulJs9iwC/gwwbrN24de99TCAm/4G3Y7pVt
	H9nfPhGL4D0Oe5QPAgMBAAGjUDBOMB0GA1UdDgQWBBQwL79G0+KJMvN22Fly5QZ5
	ZeP/KzAfBgNVHSMEGDAWgBQwL79G0+KJMvN22Fly5QZ5ZeP/KzAMBgNVHRMEBTAD
	AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDA1czoZTSCtZn1XeltQ0LBjAEMCTTf0EbK
	AXyb+KEI5JmxXO/rbS3Vgvo/EMmWrDU6Gt6nN2mdINNPGTsp6OFKfinNX6GB9T5d
	xFXm5V3Fh71PRdA8LFpgmy55Iw36gL+Ag/IJzm+UXMYhU/dYjs+NiH7BVzijHOUC
	Fq9WUQSerVTkcB922b8dOJXklJFtNofE+nU9h1PJEI1GgTRE41MSzzHKEEgUwG/T
	ejpiPwSQ9wDWwM7qL0StcDZYIAT5Kpi0r/60ZzUdOz7quuRwi1b01b1hBdQwI2TJ
	VM2Wv4bdOEFqsU6Ncs55t/pRU8UI4tYvQ7A51MM8hLaDI2BLwJ6d
	-----END CERTIFICATE-----

4):创建CA工作目录下的必要文件
	# touch /etc/pki/CA/index.txt	# 创建证书发放列表文件
	# touch /etc/pki/CA/serial	# 创建序号文件
	# echo "01" > /etc/pki/CA/serial	# 写入起始序号

三、向CA申请证书:

1):生成一个自己的非对称密钥
	# openssl genrsa -out /lee/my.key

2):申请证书(在这里私有CA申请流程就是一个证书生成的步骤了)
	# openssl req -new -key /lee/my.key -out /lee/my.crt	# 注意这里没有-x509的选项了,-x509代表的是自签署
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [XX]:CN
	State or Province Name (full name) []:GuangDong
	Locality Name (eg, city) [Default City]:ShenZhen
	Organization Name (eg, company) [Default Company Ltd]:test
	Organizational Unit Name (eg, section) []:test
	Common Name (eg, your name or your server's hostname) []:www.test.com
	Email Address []:www@test.com

	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:
	An optional company name []:

四:CA签署证书:

1)签署
	# openssl ca -in /lee/my.crt -out www.test.com.crt
	Using configuration from /etc/pki/tls/openssl.cnf
	Check that the request matches the signature
	Signature ok
	Certificate Details:
			Serial Number: 1 (0x1)
			Validity
				Not Before: Feb  3 08:29:30 2018 GMT
				Not After : Feb  3 08:29:30 2019 GMT
			Subject:
				countryName               = CN
				stateOrProvinceName       = GuangDong
				organizationName          = test
				organizationalUnitName    = test
				commonName                = www.test.com
				emailAddress              = www@test.com
			X509v3 extensions:
				X509v3 Basic Constraints: 
					CA:FALSE
				Netscape Comment: 
					OpenSSL Generated Certificate
				X509v3 Subject Key Identifier: 
					36:1E:30:68:9A:42:75:DE:EA:BE:F3:FF:EB:3C:26:5F:5B:30:4B:30
				X509v3 Authority Key Identifier: 
					keyid:30:2F:BF:46:D3:E2:89:32:F3:76:D8:59:72:E5:06:79:65:E3:FF:2B

	Certificate is to be certified until Feb  3 08:29:30 2019 GMT (365 days)
	Sign the certificate? [y/n]:y


	1 out of 1 certificate requests certified, commit? [y/n]y   
	Write out database with 1 new entries
	Data Base Updated
2)查看颁发列表:
	[root@localhost CA]# cat index.txt	# 查看下证书颁发列表,发现已经有了一条信息,”01“就是从刚才的serial中继承来的
	V	190203082930Z		01	unknown	/C=CN/ST=GuangDong/O=test/OU=test/CN=www.test.com/emailAddress=www@test.com
沙漠网管
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
俄语网站大全
若是凉夜已成梦
03-20 24万+
俄文网站大全发表日期:2008年1月21日 已经有447位读者读过此文转帖一些俄文网站,当然不排除一些网址可能已经打不开了,朋友们可以有选择的浏览! 俄文网址 搜索引擎 语言、文学 http://www.weblist.ru 汉俄通 http://www.het.cn http://www.rambler.ru/ 俄语库 http://rucool.top
OpenSSL 使用openssl工具搭建私有CA
海阔天空
05-19 8979
SSL(安全套接层)是为网络通讯提供安全及数据完整性的一种安全协议,TLS(SSL的继承版本)与SSL在传输层对网络连接进行加密。SSL用以保障在数据传输的安全利用数据加密技术,可确保数据在网络上之传输过程中不会被窃取和监听。功能:机密性,认证,完整性,重放保护两阶段协议,分为握手阶段和应用阶段握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字证书进行身份认证),并协商...
Linux 常用的压缩和解压操作
Disany的博客
05-25 397
# 压缩 tar -czvf test.tar.gz test # 解压 tar -xzvf test.tar.gz test 常用参数 -c :压缩文件(create) -x :解开压缩文件 -t :查看 tar 里的文件 -z :是否需要用 gzip 压缩 -j :是否需要用 bzip2 压缩 -v :压缩的过程中显示文件 -f :使用档名(位置放在最后一个) 扩展 #加密压缩 tar -czvf - file | openssl des3 -pbkdf2 -k password -out fil
PBKDF2实现
Tanyboye的博客
03-18 8927
PBKDF2简介常见的加密算法,如MD5,此类算法为单向的,无法通过逆向破解,但由于技术的不断进步,可以通过字典和暴力破解。后来人们通过加盐来增加密码的安全性,但彩虹表的出现让这种方式也变得不安全。以至于出现了现在的PBKDF2算法。PBKDF2算法通过多次hash来对密码进行加密。原理是通过password和salt进行hash,然后将结果作为salt在与password进行hash,多次重复此...
使用OpenSSL实现CA证书的搭建过程
Eumenides_s的博客
09-20 7757
个人博客地址:http://www.pojun.tech/ 欢迎访问什么是CA   CA,Catificate Authority,通俗的理解就是一种认证机制。它的作用就是提供证书(也就是服务端证书,由域名,公司信息,序列号,签名信息等等组成)来加强客户端与服务器端访问信息的安全性,同时提供证书的发放等相关工作。国内的大部分互联网公司都在国际CA机构申请了CA证书,并且在用户进行访问的时候,对用
linux故障处理命令,linux故障处理
weixin_29763641的博客
05-01 202
导读作为linux运维,多多少少会碰见这样那样的问题或故障,从中总结经验,查找问题,汇总并分析故障的原因,这是一个Linux运维工程师良好的习惯。1.修改移动等待时间修改/etc/default/grub文件,再timeout中修改时间重新编译grub.cfg文件:grub2-mkconfig2.加密grub生成加密密码:grub2-mkpasswd-pbkdf2/etc/grub.d/00_he...
openssl实现私有CA
wangshuai0703的博客
12-26 183
openssl实现私有CA
私有CA搭建并应用于Tomcat、Springboot.docx
12-17
此时,通过搭建私有CA,可以更高效地管理和分发证书,使得每个服务只需信任CA即可,简化了配置流程。 以下是如何搭建私有CA并应用于Tomcat和Springboot的步骤: 1. **创建CA中心**: 在一个专门的服务器(如...
数字证书实战经验-Openssl自建CA中心及签发证书
10-24
本实战经验主要关注如何使用OpenSSL这一开源库来建立自己的证书颁发机构(CA)中心,并签发不同级别的证书。 首先,让我们详细解释一下这个过程。`root-ca.cnf`、`intermediate-ca.cnf`和`index.cnf`是配置文件,...
使用 OpenSSL 创建生成CA 证书服务器客户端证书及密钥
01-16
客户端证书的创建步骤与服务器相同,只是需要额外创建客户端私钥和证书请求,并由CA签署: ```shell # 生成客户端私钥 openssl genrsa -out client.key 2048 # 创建客户端证书请求 openssl req -new -key client....
openssl原理与操作.pdf
最新发布
01-24
`openssl x509` 命令用于处理 X.509 证书,`openssl ca` 用于操作证书颁发机构 (CA)。 4. **SSL/TLS 协议**: OpenSSL 实现了 SSLv2、SSLv3、TLSv1.x 协议,用于在客户端和服务器之间建立安全连接。这些协议通过...
ca.zip_CA_ca openssl
09-24
小型CA系统前些天在网上看到了一些关于OPENSSL的介绍,觉得很有意思,于是做了一个程序,基本实现了数字证书的制作、SSL安全通讯、加解密操作等功能,秉承OPENSSL开放的原则,拿出来共享,主要实现写在了两个DLL中。...
mysql数据库备份和还原
Jepson的博客
10-17 955
mysql备份命令 在控制台中执行以下命令: mysqldump -u 用户名 -p -d 数据库名 -t 表名 > 盘符:\路径\文件名.sql 注意:这里的 -d 和 -t 能够省略。 示例: 备份数据库mydb_test,里面有很多数据库表,如下图: 这里将 mydb_test 库备份到 /tmp/mydb.sql 中,在控制台执行以下命令: mysqldump -u root ...
###openssl 详解#####
zzhongcy的专栏
03-24 2万+
SSL记录协议中的MAC(摘要算法) MAC算法(MD5或SHA-1) `ssl的消息已经是加密的了,为何还要MAC,难道还有人会修改消息吗?如果怕有人修改消息,加一个摘要不就可以了吗?为何还要mac呢?这是怕有人离线攻击,我们可以信任协议本身,但是却不能信任加密算法,特别是ecb加密算法。 MAC = HASH [shared-key,
openssl ca签发证书
来说意义非凡3
03-05 811
参数选项如下:[root@localhost 2]# openssl ca -help unknown option -help usage: ca args -verbose - Talk alot while doing things -config file - A config file -name arg - The particular CA d...
at91 uart driver for vxworks
weixin_34209406的博客
09-17 180
/* at91UART.c - AT91RM9200 serial driver */      /* Copyright 2003-2004 Coordinate Co., Ltd. */   /* Copyright 1984-2002 Wind River Systems, Inc. */      /*  modification history  -------...
MAC OS下使用OpenSSL生成私钥和公钥的方法
郁闷的郁的博客
07-30 679
genrsa -out rsa_private_key.pem 1024 //私钥 pkcs8 -topk8 -nocrypt -inform PEM -in rsa_private_key.pem -outform PEM outform //私钥pkcs8格式(java用) rsa -in rsa_private_key.pem -pubout -out rs...
OpenSSL之十:对称加密算法指令
wzfgd的博客
11-23 2983
对称加密算法指令
Python安全之使用Python进行MD5解密
热门推荐
weixin_43853965的博客
12-29 3万+
使用Python进行MD5解密使用Python进行MD5解密1. 代码:2. 使用: 使用Python进行MD5解密 我们在实际工作中经常会遇到拿到了MD5值,希望得到明文的情况。比如我们在使用BURP进行密码破解后,却苦于不知道对应密码表的明文是什么。当然你可以根据密码表或者用户名表的数量去推算,但这显然太LOW了。下面这段小程序可以快速帮你从密码表中找到对应的明文。也可以作为日常的MD5解密之...
使用OpenSSL创建私有CA及证书安全实践
创建私有证书颁发机构(CA)是 OpenSSL 的一个重要应用,这对于个人、开发团队或小型组织来说,能够提供一种自定义的安全解决方案。 在创建私有CA的过程中,OpenSSL 提供了一套完整的命令行工具,尽管操作相对复杂...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值