Certificate Signing and Verification
This article covers certificate management with the openssl command-line tool: creating a CA, issuing a server certificate from a certificate signing request (CSR), and verifying the result. Note that the walkthrough uses 1024-bit RSA keys and, with the OpenSSL default of the time, SHA-1 signatures (sha1WithRSAEncryption in the output below). Both are rejected by current browsers and TLS libraries, so use at least 2048-bit keys and pass -sha256 for anything beyond a lab exercise.
Generate the CA's private key
$ openssl genrsa -out ca.key 1024
Then self-sign with that private key to produce the CA certificate:
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=PENGSHIZHU" -days 3650 -out ca.crt
Here -x509 tells req to output a self-signed certificate instead of a CSR; -nodes means a private key generated by req is left unencrypted (it has no effect here, because the key is supplied with -key, and it does not affect the certificate, which is never encrypted); CN in -subj is the Common Name of the subject (for a server certificate, the hostname); and -days is the validity period in days.
Generate the server's private key
$ openssl genrsa -out server.key 1024
Generate the certificate signing request
$ openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com"
Inspect the CSR and check that the subject information is what you expect:
$ openssl req -in server.csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
Check that the request is intact. A CSR is signed with the requester's own private key, so this verifies that its contents were not modified after signing and that the requester holds the key matching the public key in the request; it says nothing about who the requester is:
$ openssl req -verify -in server.csr
verify OK
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----
Have the CA sign it:
$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/CN=server.com
Getting CA Private Key
Note that signing needs both ca.key and ca.crt: the signature is produced with ca.key, and the issuer name of the new certificate (Issuer: CN=PENGSHIZHU below) is copied from the subject of ca.crt. -CAcreateserial creates the serial-number file ca.srl next to ca.crt if it does not already exist and uses its contents as the certificate's serial number, which identifies the certificate uniquely within this issuer.
Also note that because no -extfile/-extensions was given, x509 -req adds no extensions and the result is an X.509 version 1 certificate (Version: 1 in the output below): no basicConstraints, no keyUsage and no subjectAltName. Browsers and most TLS libraries match the hostname against subjectAltName rather than CN, so for a real server the extensions must be supplied at signing time.
Verify the certificate against the root certificate:
$ openssl verify -verbose -CAfile ca.crt server.crt
server.crt: OK
Inspect the contents of the certificate:
$ openssl x509 -in server.crt -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13682036317016922791 (0xbde05b8a2fc99aa7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=PENGSHIZHU
Validity
Not Before: Jan 24 15:55:24 2018 GMT
Not After : Jan 22 15:55:24 2028 GMT
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
10:af:be:a4:45:e5:c2:2e:df
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
88:29:a0:50:c4:ec:d9:bd:6f:85:57:3e:bb:94:97:4e:ed:43:
57:10:de:6c:f2:23:5c:82:af:a0:1d:2a:2f:4f:42:af:92:eb:
e2:d0:b2:32:99:7b:c7:06:88:3b:35:dd:6f:b1:a8:14:00:53:
20:ed:22:4f:df:ad:b3:e7:8f:5e:55:c9:60:7c:dc:3b:75:95:
e5:fc:90:b6:9c:d2:fd:61:02:b3:59:55:d1:57:88:a0:2e:49:
0e:c8:dc:68:fd:46:61:92:93:c1:84:8b:e1:42:99:01:8f:1f:
39:f8:d7:4f:4b:41:a0:e1:dc:98:13:09:02:76:e5:f1:69:0c:
26:22
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
# openssl req
openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com" # generate the CSR (-nodes: leave a generated key unencrypted; no effect when -key is given)
openssl req -in server.csr -text # show the contents of the CSR
openssl req -verify -in server.csr # verify the CSR's self-signature
# openssl x509
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt # sign the CSR with the CA
openssl x509 -in server.crt -text # show the contents of the certificate
openssl verify -verbose -CAfile ca.crt server.crt # verify the certificate against the CA
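The whole procedure above as one script, written here as an added example rather than code from the original page: it builds a CA, issues a server certificate from a CSR and verifies it, but with the parameters a current deployment needs (RSA 2048, SHA-256, X.509 v3 with subjectAltName supplied at signing time) and with the hostname check a TLS client performs, which a plain `openssl verify -CAfile` does not. It also verifies the certificate against an unrelated CA to show that the chain check really depends on the issuer. It assumes the `openssl` CLI (1.1.1 or newer) is on PATH; the CA names, the hostnames server.com and evil.example, the req config and the scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> CSR -> signed server
# certificate -> verification, with modern parameters. Assumes `openssl`
# (1.1.1+) is on PATH. Names, hostnames and paths are constructed.

WORK="${WORK:-$(mktemp -d)}"

# Constructed minimal req config: empty DN section (we pass -subj) and
# explicit CA extensions, so nothing depends on the system openssl.cnf.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create a CA (ca.key, ca.crt) in directory $1 with Common Name $2.
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 3650 \
        -subj "/CN=$2" -config "$WORK/req.cnf" -out "$1/ca.crt" || return 1
}

# Server key, CSR and CA-signed certificate for hostname $1.
build_server_cert() {
    host="$1"
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null || return 1
    # The CSR carries only the subject and public key. -nodes is not needed:
    # the key already exists, so req is not generating (or encrypting) one.
    openssl req -new -key "$WORK/server.key" -sha256 -subj "/CN=$host" \
        -config "$WORK/req.cnf" -out "$WORK/server.csr" || return 1
    # Leaf extensions are chosen by the CA at signing time, never copied
    # from the request, so a requester cannot smuggle in CA:TRUE.
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 825 \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null || return 1
}

# Chain check only (what the page's `openssl verify -CAfile` does) against
# the CA certificate $1. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Chain check plus the hostname match a browser or TLS client adds.
verify_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
            "$WORK/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Signature algorithm recorded in server.crt (first "Signature Algorithm:").
cert_sigalg() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Does server.crt carry a DNS SAN for $1? Prints yes or no.
cert_has_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1" &&
        echo yes || echo no
}

write_req_config
make_ca "$WORK" "Example Test CA"
build_server_cert server.com
mkdir -p "$WORK/other" && make_ca "$WORK/other" "Unrelated CA"

echo "signature algorithm:        $(cert_sigalg)"
echo "SAN for server.com:         $(cert_has_san server.com)"
echo "chain, issuing CA:          $(verify_chain "$WORK/ca.crt")"
echo "chain, unrelated CA:        $(verify_chain "$WORK/other/ca.crt")"
echo "hostname server.com:        $(verify_host server.com)"
echo "hostname evil.example:      $(verify_host evil.example)"
```

The two verify functions are the point of the script: the certificate passes the chain check and the check for server.com, and fails both for an unrelated CA and for a hostname it was not issued for. The page's own X.509 v1 certificate would pass only the first of these, because it has no subjectAltName for -verify_hostname to match.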