1.X509证书链
x509证书一般会用到三类文件,key,csr,crt。
Key是私用密钥,openssl格式,通常是rsa算法。
csr是证书请求文件,用于申请证书。在制作csr文件的时候,必须使用自己的私钥来签署申请,还可以设定一个密钥。
crt是CA认证后的证书文件(windows下面的csr,其实是crt),签署人用自己的key给你签署的凭证。
2.openssl文件说明
.key格式:私有的密钥
.csr格式:证书签名请求(证书请求文件),含有公钥信息,certificate signing request的缩写
.crt格式:证书文件,certificate的缩写
.crl格式:证书吊销列表,Certificate Revocation List的缩写
.pem格式:用于导出,导入证书时候的证书的格式,有证书开头,结尾的格式
3.openssl命令含义
-aes256 使用AES算法(256为密钥)对产生的私钥加密。可选算法包括DES,DESede,IDEA和AES。 -key 密钥 -new 表示新的请求。 -out 输出路径 -subj 指定用户信息 ca 签发证书命令 genrsa 产生RSA密钥命令 pkcs12 PKCS#12编码格式证书命令。 rand 随机数命令 req 产生证书签发申请命令 x509 签发X.509格式证书命令。 -CAcreateserial表示创建CA证书序列号 -CAkey 表示CA证书密钥 -CAserial 表示CA证书序列号文件 -CA 表示CA证书 -cert 表示证书文件 -clcerts 表示仅导出客户证书。 -days 表示有效天数 -export 表示导出证书。 -extensions 表示按OpenSSL配置文件v3_ca项添加扩展。 -extensions 表示按OpenSSL配置文件v3_req项添加扩展。 -inkey 表示输入文件 -in 表示输入文件 -keyfile 表示根证书密钥文件 -req 表示证书输入请求。 -sha1 表示证书摘要算法,这里为SHA1算法。 -signkey 表示自签名密钥
4.CA根证书生成步骤
生成CA私钥(.key)-->生成CA证书请求(.csr)-->自签名得到CA根证书(.crt)(CA给自已颁发的证书)。
在实际的软件开发工作中,往往服务器就采用这种自签名的方式,因为毕竟找第三方签名机构是要给钱的,也是需要花时间的
生成CA私钥(.key)
genrsa -out caKey.pem 2048
caKey.pem
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA9Dyqksrn0pSeu9fb4YR1K7pe7Iwu0Y3FOGT4qtMI4VIwgP9L EuLtvZAPckn6dURRZ/3QOvuDauGBaMdhAfB3vez1KaHHILO5roanSJ0kOlHrWmtP uG/Kcu91eWfdJtEkh5lOOg3qLJhp6rMn29Kuffefp8/5qsniWF9OiJDRSP6Foawc WZOS44ZwZnUD9c62Vt9LO0JbJq18IclTZjN09rYx4xu6iCVR9WKpQYmNmMVrTiv6 lo4t3Sueg2PQ9pNBpOieOxMMD8OKduY7uCk0Pp5KbCvY1xvFu9H6lcNrgAW5q/jX LAtDK7M8oL6aTaogw/f7WjU48whiB7WCfsrXbwIDAQABAoIBADUJ16D5H07Dp5Tz U3St5yQP3P1Rk/k96E5O3xF5srv7tTzOM+duEGLSHgibuCAvLd5/Z/DnHargPdIb Oh3Jsrcz9imMUEnxvakA5OMH/Q4NLCb+ltlerYA4MDKlM4lycZRg3nQNAYWds6Kc NVOvdOU2GR3ANF+6Z8T5LXzKtig7cP6nRd350GngUx6H10adXqcxSEYY23dLJ2HZ EHWe4RlXremNOWEsRc2Q/vJWad2AkdSuLBvoF+rQF+kejjXxL2qpTbvDO7uix3Mp oPDbpbLzf+SF4Mr3oPr/3uLgKc8p/aKrja1HCFYr3fpuv6GHHxU2Iha6GQ4CyGjZ dmQjxgECgYEA+7rMo4nkI439mLf47Dz/DBxUCTkMZ38hfI6DwRkIoeNz/1ygpVjf 4eA/Di+PCEy/B6A83fDgq+ugyP2qkG5uzMTo828u6eQoBMGHcJm5AGTMr4gPtZnD dXsYVbGZiZ9usJnIVKLA+mh+8tnhumXYuWCs8oNdXoLELNIUflPBaOECgYEA+GFT 81IQvbGeMaPtPQUjm8GrEdAc4ocM0EknmTt6tm9XXT3l8tI1oItNsAUTMjIUN0Ny eriY3GevVgETDvLtiKoF2QqdV92j0CRxSGl43NDgFoBtM8XmRdg82RP0stVw9Y+B hRyPZlAB/fi2IMzJenLibliRDtEK9rDrI5Touk8CgYEA4XnqfrmuXaJ7emWfU4s3 MFPXegNddv7KsdS9cyLHNqqTZjJDupcmwh2onT5AMcD8gwomOu3dcGC4Pg/ozUH9 gPEHb7UxIlM4/TmT5Wnr6cxgAwIugA1gpEREAc34purlrM2yQQ0fKaybuU8r/1fm jfVoNDkyUstyiGsL7DN9VEECgYEAgm4htqG+ts6CAxFRMHz1YQKHgfgmYvKGUQ5J ZBcu7oRzfTxW93dZv+/HIQrZNL/Fi+u4PyeW5g7wrRotVulMwTp/jaUcURrLvi6U 6nCwjkyFkGtqbQicTssp0NjA4/RfuCPe4PbJevHCygqEIZ9IoiuYKlgJ/JzbxAXN xMaam9MCgYAi79ozPjROpNks5wpRI73G+2DChTM84JndNeER4jVIk0S94m+tQcfD jLkJ2LRvZpWeeMMrjGq3QQjFDT2Hqv2gF+BipR9rHWp3pv+Sjc5Bq77gNZ+jFTqE 4KXjO79x9OngM0m/+TMqXCf8ePvTUPk0/H+erIKLC2PK8UPLasvRdQ== -----END RSA PRIVATE KEY-----
生成CA证书请求(.csr)(内含公钥)
req -new -key caKey.pem -out ca.csr
自定义区域
Country Name (2 letter code) [XX]:CN----------------------------------- 证书持有者所在国家
State or Province Name (full name) []:BJ------------------------------- 证书持有者所在州或省份(可省略不填)
Locality Name (eg, city) []:BJ----------------------------------------- 证书持有者所在城市(可省略不填)
Organization Name (eg, company) []:NH---------------------------------- 证书持有者所属组织或公司Organizational Unit Name (eg, section) []:.---------------------------- 证书持有者所属部门(可省略不填)
Common Name (eg, your name or your server's hostname) []:ceshi.com----- 域名
Email Address []:------------------------------------------------------ 邮箱(可省略不填)
challenge password:............................................................自定义密码
An optional company name:.............................................可选公司名称
ca.csr
-----BEGIN CERTIFICATE REQUEST----- MIICijCCAXICAQAwRTELMAkGA1UEBhMCQ04xEzARBgNVBAgMClNvbWUtU3RhdGUx ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPQ8qpLK59KUnrvX2+GEdSu6XuyMLtGNxThk+KrT COFSMID/SxLi7b2QD3JJ+nVEUWf90Dr7g2rhgWjHYQHwd73s9SmhxyCzua6Gp0id JDpR61prT7hvynLvdXln3SbRJIeZTjoN6iyYaeqzJ9vSrn33n6fP+arJ4lhfToiQ 0Uj+haGsHFmTkuOGcGZ1A/XOtlbfSztCWyatfCHJU2YzdPa2MeMbuoglUfViqUGJ jZjFa04r+paOLd0rnoNj0PaTQaTonjsTDA/DinbmO7gpND6eSmwr2NcbxbvR+pXD a4AFuav41ywLQyuzPKC+mk2qIMP3+1o1OPMIYge1gn7K128CAwEAAaAAMA0GCSqG SIb3DQEBCwUAA4IBAQDn8pKtnWO+M+ONJVc5Z8B/L966mPoAtN3Ho5kk3PdunWkX fiy+t6+G/GnzJxLTgUGaXxto9WKSh9EK5JFIq/TMae39ujugu7LulJ+WZEdEtZko bem7l1fP7V4KkhY2UiQ3SXCkrqTQcPS1fMnEvOMVSXD+iwjfNxDwYLGj6DJoHgl/ jGubvwjo7zem5982QGCpehF5irSVmqFuei/aJvTpFjajzB5YR6DVJfrBzNLDogdw 6oURr4B9ZvUfzHG/bMxoHvjXH7ewHXKxdOsiZmtVr5AogkbbHnbUU13JEGFvRGPK 3wbB3qMcQhUi/zXWZfMMuKs+PTMWsfJP05Mav368 -----END CERTIFICATE REQUEST-----
自签名得到CA根证书(.crt)
x509 -req -in ca.csr -out ca-cert.pem -signkey caKey.pem -days 365
ca-cert.pem
-----BEGIN CERTIFICATE----- MIIDBjCCAe4CCQD53nWx6Q9IWDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJD TjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 cyBQdHkgTHRkMB4XDTE4MDkzMDAxMzEyNVoXDTE5MDkzMDAxMzEyNVowRTELMAkG A1UEBhMCQ04xEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB APQ8qpLK59KUnrvX2+GEdSu6XuyMLtGNxThk+KrTCOFSMID/SxLi7b2QD3JJ+nVE UWf90Dr7g2rhgWjHYQHwd73s9SmhxyCzua6Gp0idJDpR61prT7hvynLvdXln3SbR JIeZTjoN6iyYaeqzJ9vSrn33n6fP+arJ4lhfToiQ0Uj+haGsHFmTkuOGcGZ1A/XO tlbfSztCWyatfCHJU2YzdPa2MeMbuoglUfViqUGJjZjFa04r+paOLd0rnoNj0PaT QaTonjsTDA/DinbmO7gpND6eSmwr2NcbxbvR+pXDa4AFuav41ywLQyuzPKC+mk2q IMP3+1o1OPMIYge1gn7K128CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA3tEb1w6u n0J/999VhQv4rv/p1BWPnyB4HF2CRT97KmlsbIk4ZOzEPWRSjs1OZdy00FnxoNT/ P6n7J+pM4OzisraSfx9vwp3AJ3JuDPKy+w2JbZM4alDpb1VUVt6YWVx1efIy55XO UaLnRIYhCQSX13Dp7PpJK0IBBukkBwnySuvS4LXJnVciXALGK/Ox7VIZtoy5wJVK NP1wWq2N3Yoh9DqBM6pL2XJ3CWfYqB97GBh55miamuhRKxT2WuH5GUHR4OCNb742 nn+VPP1uVBS+mPnBp2yhTvD6/I/WOSeL5q59frzpbYf457Xle8PUvqaR7SEF2jkF uE87Cspbqu7vqg== -----END CERTIFICATE-----
ca-cert.srl
9520AAFC8A0CE22D
将证书导出成浏览器支持的.p12格式(.p12)
pkcs12 -export -clcerts -in ca-cert.pem -inkey caKey.pem -out ca.p12
ca.p12
5.用户证书生成步骤
一般说的生成用户证书分两种,客户端证书和服务端证书,除了名称不一样步骤命令完全一样一样的。
生成私钥(.key)-->生成证书请求(.csr)-->用CA根证书签名得到证书(.crt)
生成私钥
genrsa -out serverKey.pem 2048
serverKey.pem
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAwSmZyj5ZLsg4j5CG65LKS3Vfl+pATB28MkpQsDsRGAoTcX0E WzV+Yvvyn4pp1t6oppSu8GBN6cD5oNcmJ4GC2CGTyfjRxieoUI/Pijx3mqMyCwXA VyKm6GKpD7hNBaOmlNx4KkcmD+XJ2++fLWOBvpwKyr63hY6lwKMBWCFmvZ+iqe8K gnW574cFC2A43xlxNv1svis+euYJiJsYwAGfZFL2FfFrZCknbyrC8pNcG5hghlnF gmRzeieSy9qetM9baN+DFh3mWH98qqg37WiuE64EkXbj27UPEQOO+K1OBDHv03mK tb/vxDzShCk3VI+Iyp7nwgBlahhSjV30KCUztwIDAQABAoIBAA97iyUnzDQwvj/b oMTfFjHoLYpar16qf3w0crU9dshLfnV5RNEev4ulkDPzfzpGzJPVlRQVVAlpe1jG BfviqJ80SclFlWLhqN8UN9lnsVqGvCsgAeO6FlDIH67v4dSS4nZKGaOh4k4h6AUl 9sdHk424qjDICqO85FJFfoUW4EpQjqtUZDHX2ZageMxEQnlDmfx/XGYGqc8+vsEy 0/gsi+0D90IruQvHhVFx/TDd7JUVKtmQwc68bb5CzVZp8tSXZB1YKiTL8h8u0Mx+ K6PytJktTJvspYajq9j7Ly1jI8t8T39F4xP2+VFuaye6/BceoNrZkwdOOw8PKysQ /xBryfkCgYEA5BT4UXobsLWa9FzDP3T/+vpJZB3bRFJ/dlO/vFn23Bs1bJPChSid NI6mNEvL0Qe72NEbXvuF41FPFi33oSycRPlD+rYOP7ZDLXISC4jkBSIBBz4HvFoZ bVdOM4UdhkiDm4AKJifYDBW3qlb8clND75ZGYClKMgye9z3vk4S8wPMCgYEA2M5r Evv4mHsskX+6bBvgrKsRqCmkWAYpj1v2QQKM+bG0NaFsMju2x/4iFVwEDJBKrCAW hJJb7rf/7qTXeirc8K4SLSWf6F6k/bkAmiLOznmZmpRu1whMnC/KHDcqKSu3Jq6x /sGPtzdtTCKLRgw5ttw2ttNf+Os690vqDuQV0y0CgYEAorvzkO624xYwQToOdTBd lA0QYEaNM+pI13xZyWHHKLShIZ8royafQ+ij3ZxXCAWkmcZY6SQ9GzvgWcribDUQ KoZPYoqTEBJTTBGfnmtFhgQFB83SZylCCynHuiq4Lh9/B2wL0b2MANNeAEOgS1Ht nvxxqhrLvXoT0gR286I5qtECgYByYRwuLM6vKzSNIlSommCC19F95VI1ujKM1lhp Xb4gMTdAoAPj0IsSoak7mYrtUeaDPn6CvHBR1bLpJQAlDJ35P+yI8vOU9PGYhdSi fMCcP5zg53Q+b7tzHudC0XulstFyT/HJ1DZM06oO456Uevir1yvqckOMoBVAyEUY TA6TlQKBgQDKRFnPfdgvrx8nKj678OYvItodho98JFxqmSXOxqm+qpH3L2TGDbR6 gKg74QbC6yLeIhEDNoThTo8m1UeOzl6hBZjshgtx4N2oDayITVq1J4oOXRuZAOvx UDRp0X880S8Q2dix1beGUhP8OAv/dhu2Arr3as3LrKciUBisvMaEDA== -----END RSA PRIVATE KEY-----
生成证书请求文件
req -new -key serverKey.pem -out server.csr
server.csr
-----BEGIN CERTIFICATE REQUEST----- MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMEpmco+WS7IOI+QhuuSykt1X5fqQEwdvDJKULA7 ERgKE3F9BFs1fmL78p+KadbeqKaUrvBgTenA+aDXJieBgtghk8n40cYnqFCPz4o8 d5qjMgsFwFcipuhiqQ+4TQWjppTceCpHJg/lydvvny1jgb6cCsq+t4WOpcCjAVgh Zr2foqnvCoJ1ue+HBQtgON8ZcTb9bL4rPnrmCYibGMABn2RS9hXxa2QpJ28qwvKT XBuYYIZZxYJkc3onksvanrTPW2jfgxYd5lh/fKqoN+1orhOuBJF249u1DxEDjvit TgQx79N5irW/78Q80oQpN1SPiMqe58IAZWoYUo1d9CglM7cCAwEAAaAAMA0GCSqG SIb3DQEBCwUAA4IBAQC5v/WEYk14a4oVmzsvVAYgQ9XYoCI7WOCiaYwc98IyzvS3 fjVzZLbN76Z3QiEg73CIdDXqQHX/EbKxa1yIULYaqP4YrRKNapffwGyP0JRJtQRZ Q4qbUxK7sCnpKmBukiLWRhgP1UUdS7ReWTDrPE3w+xlADWaRkLkoxA1Q15A0/8+r mxR9MqYQrYcOwmLH2FXfV3CwY4GdrswlX0ynvSuAkXgK7CzugaurcOjrGgyDxWtf fvyL2dQi/+OulGgEmQPZ4kQDOKM0wdW1sYZLtQ+/axH6WFl55s5/qIgnymmF4rlD U0BCRPwk35iSdBQhxs2BjDtW2jDEYY5R3ZSDJG4a -----END CERTIFICATE REQUEST-----
使用 CA 证书及CA密钥 对请求签发证书进行签发,生成 x509证书
x509 -req -in server.csr -out server-cert.pem -signkey serverKey.pem -CA ca-cert.pem -CAkey caKey.pem -CAcreateserial -days 365
server-cert.pem
