【PKI技术之自签名证书】

最新推荐文章于 2024-07-25 11:31:48 发布

死猪屁得

最新推荐文章于 2024-07-25 11:31:48 发布

阅读量206

点赞数 1

文章标签： ssl https 网络协议

本文链接：https://blog.csdn.net/weixin_55953614/article/details/127427083

版权

PKI (Public Key Infrastructure)

作用

通过加密技术和数字签名保证信息的安全

组成

公钥加密技术-数字证书，CA、RA

信息安全的三要素/四要素

机密性
完整性
身份验证/操作的不可否认性

哪些IT领域用到了PKI

SSL/HTTPS
IPsecVPN
部分远程访问VPN

公钥加密技术

作用
- 实现对信息的加密，数字签名的安全保障
加密算法
- 对称加密算法
  - 加解密的密钥一致
  - DES、3DES、AES
  - 缺点
    - 对称密钥容易在协商过程中丢失、被窃听
- 非对称加密算法
  - 通信双方各自产生一对公钥
  - 双方各自交换公钥
  - 公钥和私钥互为加解密关系
  - 公私角不可互相逆推
  - RSA、DH
  - 总结
    - 使用对方的公钥加密完成机密性
    - 使用hash算法完成对数据的完整性(摘要)
    - 使用自己的私钥对摘要加密完成身份验证(数字签名)

证书

证书是用来保证公钥的合法性的
证书格式遵循X.509标准
数字证书包含的信息
- 使用者的公钥
- 使用者的标识信息
- 有效日期
- 颁发者标识信息
- 颁发者的数字签名
数字证书由权威公正的第三方机构即CA签发
- CA是证书颁发机构

生成自签名证书(openssl)

[root@orcale ca]# openssl genrsa -des3 -out ca.key 2048 #生成私钥
Generating RSA private key, 2048 bit long modulus
...................+++
...........................................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:       #输入密码
Verifying - Enter pass phrase for ca.key:    #确认密码
[root@orcale ca]# openssl req -x509 -key ca.key -out ca.crt -days 365 #生成自签名证书(CA根证书)，包含公钥等信息
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:chn
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:yn
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@orcale ca]# ll
总用量 8
-rw-r--r-- 1 root root 1253 10月 20 14:04 ca.crt
-rw-r--r-- 1 root root 1751 10月 20 13:58 ca.key
[root@orcale ca]# openssl x509 -in ca.crt -text -noout #查看证书的信息
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:60:e5:98:f4:d3:ef:4e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=yn, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Oct 20 06:04:53 2022 GMT
            Not After : Oct 20 06:04:53 2023 GMT
        Subject: C=cn, ST=yn, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
......
[root@orcale mykey]# openssl genrsa -out my.com.key 2048 #生成私钥
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................................................................................+++
............................................................................+++
e is 65537 (0x10001)
[root@orcale mykey]# openssl genrsa -out my.com.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................................................................................+++
............................................................................+++
e is 65537 (0x10001)
[root@orcale mykey]# openssl req -new -key my.com.key -out my.com.csr  #生成证书请求文件(包含公钥)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:yn
Locality Name (eg, city) [Default City]:km
Organization Name (eg, company) [Default Company Ltd]:brbg
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:my.com
Email Address []:xx@xx

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@orcale mykey]# openssl req -text -noout -verify -in my.com.csr #查看证书请求文件内容
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=cn, ST=yn, L=km, O=brbg, OU=it, CN=my.com/emailAddress=xx@xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
[root@orcale mykey]# openssl x509 -req -in my.com.csr  -CA ../ca/ca.crt  -CAkey ../ca/ca.key  -set_serial 01 -out my.com.crt -days 365 #根据证书请求文件向CA根证书申请证书
Signature ok
subject=/C=cn/ST=yn/L=km/O=brbg/OU=it/CN=my.com/emailAddress=xx@xx
Getting CA Private Key
Enter pass phrase for ../ca/ca.key:
[root@orcale mykey]# ll
总用量 12
-rw-r--r-- 1 root root 1164 10月 20 14:34 my.com.crt
-rw-r--r-- 1 root root 1009 10月 20 14:25 my.com.csr
-rw-r--r-- 1 root root 1675 10月 20 14:23 my.com.key
[root@orcale mykey]#
[root@orcale mykey]# openssl x509 -in my.com.crt  -text -noout #查看证书相关信息
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=yn, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Oct 20 06:34:24 2022 GMT
            Not After : Oct 20 06:34:24 2023 GMT
        Subject: C=cn, ST=yn, L=km, O=brbg, OU=it,  CN=my.com/emailAddress=xx@xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: