公私钥、证书生成
本文以Linux系统为例模拟CA生成http服务器的认证证书
http服务器操作
1.生成私钥
使用OpenSSL工具生成服务器私钥key文件
[nginx@nginx-node01 ~]$ openssl genrsa 1024 >> $HOSTNAME.key
Generating RSA private key, 1024 bit long modulus
.................++++++
...........................++++++
e is 65537 (0x10001)
[nginx@nginx-node01 ~]$ ls
nginx-node01.key
2.生成证书预签csr文件
[nginx@nginx-node01 ~]$ openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:www.kov.com
Email Address []:sys@kov.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@nginx-node01 ~]$ ls
nginx-node01.csr nginx-node01.key
CA服务器操作
1.创建所需要的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号
2.生成CA私钥
[root@ca ~]# hostname
ca
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
3. CA生成自签证书
[root@ca private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:xx.kov.com
Email Address []:xx@kov.com
4.CA签署证书
将http服务器证书预签csr文件发给CA,由CA对服务器的预签文件csr进行签署,最后得到最终证书文件crt。(默认国家,省,公司名称三项必须和CA一致)
[root@ca private]# openssl ca -in /root/nginx-node01.csr -out /etc/pki/CA/certs/nginx-node01.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 13 15:31:40 2020 GMT
Not After : Jul 13 15:31:40 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = kov
organizationalUnitName = Dev
commonName = www.kov.com
emailAddress = sys@kov.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
81:DB:3C:4E:6D:0E:BD:5A:78:2D:F2:86:62:CD:B3:03:45:F1:AB:F3
X509v3 Authority Key Identifier:
keyid:DF:B4:69:95:C5:71:44:EE:0B:9C:2E:CB:1C:CD:37:E3:0E:FD:AC:E8
Certificate is to be certified until Jul 13 15:31:40 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5.验证私钥、证书是否匹配
验证ca签署的http服务器证书文件nginx-node01.crt和http服务器私钥nginx-node01.key是否匹配
openssl rsa -noout -modulus -in nginx-node01.key |openssl md5
openssl x509 -noout -modulus -in nginx-node01.crt |openssl md5
配置Nginx验证https
补充
CA签署指定域名证书
生成证书签署扩展文件
[root@ca CA]# cat kov.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=kov.com
DNS.2=www.kov.com
重新签署证书
[root@ca ~]# openssl x509 -req -in /root/nginx-node01.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out nginx-node01.crt -days 3650 -sha256 -extfile kov.ext