zoukankan      html  css  js  c++  java

  • 自签证书生成

    之前我们了解了https大致流程,如果不懂请参考我的另一篇文章:白话理解https

    下面介绍自签证书的制作。

    cfssl工具

    工具下载地址:http://pkg.cfssl.org/

    所需工具下载cfssl、cfssl-json、cfssl-certinfo(可选,用来校验证书而已)

    这里我在window上演示一遍:

    CA证书

    准备ca-config.json(根证书配置文件)

    {
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

    ca-csr.json(根证书请求配置文件)

    注意

    因为自签证书,ca-csr配置里的CN不要以"www"开头,测试过www开头会导致通信失败。

    {
    "CN": "MYCA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        { 
            "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
       }    
    ]
}

    生成CA证书

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    服务端证书

    server-csr.json

    hosts为服务端的IP,请根据需要自行补充。

    {
    "CN": "my-server",
    "hosts": [
      "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
           "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
        }
    ]
}

    生成服务端证书

    cfssl gencert -ca=ca.pem
-ca-key=ca-key.pem
-config=ca-config.json
-profile=server server-csr.json | cfssljson -bare server

    客户端证书

    客户端证书和服务端证书生成步骤一样,只不过不需要配置host字段。

    client-csr.json

    {
    "CN": "my-client",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
           "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
        }
    ]
}

    生成客户端证书

    cfssl gencert -ca=ca.pem
-ca-key=ca-key.pem
-config=ca-config.json
-profile=client client-csr.json | cfssljson -bare client

    最后会生成以下证书

    .
├── ca.csr
├── ca.pem
├── ca-key.pem
├── client.csr
├── client.pem
├── client-key.pem
├── server.csr
├── server.pem
├── server-key.pem

     openssl工具

    生成CA证书

    # 生成 CA 私钥
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

    在执行第二部时候会出现类似让你填写信息:

    ➜  keys  openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

    PS: 当然,你可以事先准备好ca.config, 设置好默认值,然后就可以一步到位(按回车)了。

    比如:

    vi ca.config

    [ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName                = Locality Name (eg, city)
localityName_default        = Guangzhou
organizationName            = Organization Name (eg, company)
organizationName_default    = XXXX
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = xxx

    然后再第二部命令多加个-config  ca.config就行

    openssl req 
  -new 
  -sha256 
  -out ca.csr 
  -key ca.key 
  -config ca.conf

    生成公钥和私钥

    # 生成服务器端私钥
openssl genrsa -out server.key 1024
# 生成服务器端公钥
openssl rsa -in server.key -pubout -out server.pem
 
# 生成客户端私钥
openssl genrsa -out client.key 1024
# 生成客户端公钥
openssl rsa -in client.key -pubout -out client.pem

    生成端证书

    # 服务器端需要向 CA 机构申请签名证书,在申请签名证书之前依然是创建自己的 CSR 文件
openssl req -new -key server.key -out server.csr
# 向自己的 CA 机构申请证书,签名过程需要 CA 的证书和私钥参与,最终颁发一个带有 CA 签名的证书
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
 
# client 端
openssl req -new -key client.key -out client.csr
# client 端到 CA 签名
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

    PS:.crt转.pem命令

    openssl x509 -in mycert.crt -out mycert.pem -outform PEM

    此时就生成下面的证书了

    .
├── https-client.js
├── https-server.js
└── keys
    ├── ca.crt
    ├── ca.csr
    ├── ca.key
    ├── ca.pem
    ├── ca.srl
    ├── client.crt
    ├── client.csr
    ├── client.key
    ├── client.pem
    ├── server.crt
    ├── server.csr
    ├── server.key
    └── server.pem

    (完)
  • 相关阅读:
    java映射
    java线程的一些方法和特性
    java线程通信
    java多线程同步
    java类对象概述
    JavaScript的对象——灵活与危险
    node.js项目中使用coffeescript的方式汇总
    12.2
    12.1
    11.30
  • 原文地址:https://www.cnblogs.com/wzs5800/p/12778904.html
Copyright © 2011-2022 走看看