证书签名与验证
本文主要介绍用openssl 工具来进行证书的管理
CA私钥与根证书
生成CA的私钥
$ openssl genrsa -out ca.key 1024然后私钥自签名生成CA的证书
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=PENGSHIZHU" -days 3650 -out ca.crt其中-x509表示进行自签名,-nodes表示不对证书进行加密,-subj中CN表示证书的域名,-days表示证书的有效期天数。
证书签名请求
生成服务器的私钥
$ openssl genrsa -out server.key 1024生成证书签名请求文件
$ openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com"查看证书签名请求文件的内容,看subj的信息是否都正确
$ openssl req -in server.csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
10:af:be:a4:45:e5:c2:2e:df
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
1a:03:a3:83:cf:cb:eb:71:0d:30:78:76:6b:a1:6c:17:f0:80:
37:59:79:1e:75:28:37:67:bf:9f:cb:1f:9e:3d:37:38:c5:80:
ea:26:16:f7:ba:4c:dc:c0:f3:fb:4a:fa:ec:77:6b:df:ae:51:
40:11:44:a0:d6:a5:a1:40:cc:d5:2a:72:7d:2f:d7:54:1e:4a:
2f:df:4e:61:c8:c5:29:49:8d:62:09:aa:eb:54:50:77:3b:1c:
05:c0:64:af:cb:a9:98:be:3f:b3:ba:1a:16:91:b5:df:07:a3:
79:4e:b5:a8:ae:28:f2:56:de:db:1f:90:51:aa:fb:9f:6d:fa:
66:5b
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----验证一下该文件内容是否正确(主要是验证文件内容是否被修改过)
$ openssl req -verify -in server.csr
verify OK
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----签名与验证
CA进行签名:
$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/CN=server.com
Getting CA Private Key注意,CA签名时要同时用以ca.key与ca.crt,因为ca.crt中包含了CA的相关信息比如域名CN等;上面的-CAcreateserial表示为该证书创建序列号,用来作为该证书的唯一标识。
使用根证书验证该证书:
$ openssl verify -verbose -CAfile ca.crt server.crt
server.crt: OK查看证书的内容:
$ openssl x509 -in server.crt -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13682036317016922791 (0xbde05b8a2fc99aa7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=PENGSHIZHU
Validity
Not Before: Jan 24 15:55:24 2018 GMT
Not After : Jan 22 15:55:24 2028 GMT
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
10:af:be:a4:45:e5:c2:2e:df
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
88:29:a0:50:c4:ec:d9:bd:6f:85:57:3e:bb:94:97:4e:ed:43:
57:10:de:6c:f2:23:5c:82:af:a0:1d:2a:2f:4f:42:af:92:eb:
e2:d0:b2:32:99:7b:c7:06:88:3b:35:dd:6f:b1:a8:14:00:53:
20:ed:22:4f:df:ad:b3:e7:8f:5e:55:c9:60:7c:dc:3b:75:95:
e5:fc:90:b6:9c:d2:fd:61:02:b3:59:55:d1:57:88:a0:2e:49:
0e:c8:dc:68:fd:46:61:92:93:c1:84:8b:e1:42:99:01:8f:1f:
39:f8:d7:4f:4b:41:a0:e1:dc:98:13:09:02:76:e5:f1:69:0c:
26:22
-----BEGIN CERTIFICATE-----
MIIBoTCCAQoCCQC94FuKL8mapzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApQ
RU5HU0hJWkhVMB4XDTE4MDEyNDE1NTUyNFoXDTI4MDEyMjE1NTUyNFowFTETMBEG
A1UEAwwKc2VydmVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy+AJ
I5MjDq4IECNu1dSIixmuaAwGLJAspAOeXx/VDMmSOrOu4qLcnCPte1qdtoz5SmRp
t8KBv9E5Fu4lQ3Uzrxcv+5b0tUH+KuqyFqr2v4B5IE+fwelch1AZyOej2JM8YGF3
EJ48ZNVyE1k2yER5FLAQ33WjlxcQr76kReXCLt8CAwEAATANBgkqhkiG9w0BAQUF
AAOBgQCIKaBQxOzZvW+FVz67lJdO7UNXEN5s8iNcgq+gHSovT0Kvkuvi0LIymXvH
Bog7Nd1vsagUAFMg7SJP362z549eVclgfNw7dZXl/JC2nNL9YQKzWVXRV4igLkkO
yNxo/UZhkpPBhIvhQpkBjx85+NdPS0Gg4dyYEwkCduXxaQwmIg==
-----END CERTIFICATE-----命令汇总
# openssl req
openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com" # 生成证书签名请求文件,-nodes表示不加密
openssl req -in server.csr -text # 查看证书签名请求文件内容
openssl req -verify -in server.csr # 验证请求文件
# openssl x509
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt # 签名
openssl x509 -in server.crt -text # 查看证书内容
openssl verify -verbose -CAfile ca.crt server.crt # 验证证书参考
Last updated
Was this helpful?