Generating key pairs and certificates
This article uses a Linux system as an example to simulate a CA issuing a server certificate for an HTTP server.
HTTP server operations
1. Generate the private key
Use the OpenSSL tool to generate the server's private key (.key) file
[nginx@nginx-node01 ~]$ openssl genrsa 1024 >> $HOSTNAME.key
Generating RSA private key, 1024 bit long modulus
.................++++++
...........................++++++
e is 65537 (0x10001)
[nginx@nginx-node01 ~]$ ls
nginx-node01.key
2. Generate the certificate signing request (CSR) file
[nginx@nginx-node01 ~]$ openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:www.kov.com
Email Address []:sys@kov.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@nginx-node01 ~]$ ls
nginx-node01.csr nginx-node01.key
CA server operations
1. Create the required files
touch /etc/pki/CA/index.txt    creates the certificate index database file
echo 01 > /etc/pki/CA/serial    sets the serial number of the first certificate to be issued
2. Generate the CA private key
[root@ca ~]# hostname
ca
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
3. CA generates its self-signed certificate
[root@ca private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:xx.kov.com
Email Address []:xx@kov.com
4. CA signs the certificate
Send the HTTP server's CSR file to the CA; the CA signs the CSR and produces the final certificate (.crt) file. (With the default policy in openssl.cnf, the Country, State/Province and Organization Name fields of the request must match those of the CA certificate.)
[root@ca private]# openssl ca -in /root/nginx-node01.csr -out /etc/pki/CA/certs/nginx-node01.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 13 15:31:40 2020 GMT
Not After : Jul 13 15:31:40 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = kov
organizationalUnitName = Dev
commonName = www.kov.com
emailAddress = sys@kov.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
81:DB:3C:4E:6D:0E:BD:5A:78:2D:F2:86:62:CD:B3:03:45:F1:AB:F3
X509v3 Authority Key Identifier:
keyid:DF:B4:69:95:C5:71:44:EE:0B:9C:2E:CB:1C:CD:37:E3:0E:FD:AC:E8
Certificate is to be certified until Jul 13 15:31:40 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Verify that the private key and certificate match
Verify that the server certificate nginx-node01.crt signed by the CA matches the HTTP server private key nginx-node01.key: both commands print the MD5 digest of the RSA modulus, and the two digests must be identical.
openssl rsa -noout -modulus -in nginx-node01.key |openssl md5
openssl x509 -noout -modulus -in nginx-node01.crt |openssl md5
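The CA-side procedure above (steps 1 to 4) depends on the /etc/pki/CA layout and root access. The following script is an added example, not code from the original post: it rebuilds the same steps (index.txt, serial, CA key, self-signed CA certificate, signing with openssl ca) in a throwaway directory with a minimal config file, so it can be run as an ordinary user, and includes the step 5 modulus check. The policy_match section of the generated config is what enforces the rule mentioned in step 4, and the demo shows one request it accepts and one it rejects. The openssl CLI is assumed to be on PATH; all paths and subject values are constructed for the example, and 2048-bit keys are used because 1024-bit RSA is no longer accepted by current browsers.

```shell
#!/bin/sh
# Added example, not taken from the original post: the post's "CA server" steps
# (index.txt, serial, CA key, self-signed CA cert, openssl ca signing, key/cert
# modulus check) rebuilt in a throwaway directory with a minimal config file, so
# it runs without root and without touching /etc/pki/CA.
# Assumes the openssl CLI is on PATH; all paths and subject values are constructed.
set -eu

# Create the CA layout, the two database files the post creates by hand, and a
# minimal openssl.cnf. Its policy_match section is what enforces the rule the
# post mentions: C, ST and O in a request must equal the CA certificate's own.
init_ca() {
    ca=$1
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts"
    : > "$ca/index.txt"        # certificate index database, empty at start
    echo 01 > "$ca/serial"     # serial number of the first certificate issued
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
    # CA key and 20-year self-signed CA certificate; -subj replaces the DN prompts
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -days 7300 -subj "/C=CN/ST=henan/O=kov/CN=kov-demo-ca" 2>/dev/null
}

# HTTP-server side: private key plus CSR for subject $2, written to $1.key / $1.csr.
# 2048-bit keys are used; the post's 1024-bit size is rejected by current browsers.
make_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# CA side: sign CSR $2 into certificate $3 with openssl ca. -batch answers the
# two y/n prompts; the command fails (non-zero) when policy_match is violated.
sign_with_ca() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" -out "$3"
}

# Step 5 of the post: key and certificate belong together when the MD5 of
# their RSA modulus is identical.
key_cert_match() {
    [ "$(openssl rsa -noout -modulus -in "$1" | openssl md5)" = \
      "$(openssl x509 -noout -modulus -in "$2" | openssl md5)" ]
}

# Number of certificates recorded in the CA's index.txt (one line per cert).
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

# Whole flow: one request the policy accepts, one it rejects (wrong country).
demo() {
    init_ca "$1/CA"
    make_csr "$1/nginx-node01" "/C=CN/ST=henan/O=kov/OU=Dev/CN=www.kov.com"
    sign_with_ca "$1/CA" "$1/nginx-node01.csr" "$1/nginx-node01.crt"
    key_cert_match "$1/nginx-node01.key" "$1/nginx-node01.crt" && echo "key and cert match"
    make_csr "$1/bad" "/C=US/ST=henan/O=kov/CN=bad.kov.com"
    sign_with_ca "$1/CA" "$1/bad.csr" "$1/bad.crt" || echo "rejected by policy_match"
    echo "certificates issued: $(issued_count "$1/CA")"
}
```

Source the file and call demo with an empty directory, e.g. `. ./demo-ca.sh; demo /tmp/demo-pki`. The second request carries C=US while the CA certificate carries C=CN, so openssl ca refuses it and index.txt still records only one certificate; a real CA config would additionally point x509_extensions at a section that sets CA:FALSE, which the default /etc/pki/tls/openssl.cnf used in the post does.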
Configure Nginx to test HTTPS
Supplement
CA signing a certificate for specific domain names
Generate the certificate signing extension file
[root@ca CA]# cat kov.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1=kov.com
DNS.2=www.kov.com
Re-sign the certificate
[root@ca ~]# openssl x509 -req -in /root/nginx-node01.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out nginx-node01.crt -days 3650 -sha256 -extfile kov.ext
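The re-signing command above produces a certificate whose subjectAltName lists the domains from kov.ext, which is what a TLS client actually checks (modern browsers ignore the Common Name). The following script is an added example, not code from the original post: it signs the same CSR twice with openssl x509 -req, once without and once with -extfile, and then verifies the result against the CA the way a client does, with openssl verify -verify_hostname. basicConstraints = CA:FALSE is added to the post's extension file because -extfile replaces the whole extension set. The openssl CLI (1.0.2 or newer) is assumed to be on PATH; all paths and names are constructed for the example.

```shell
#!/bin/sh
# Added example, not taken from the original post: issues the server certificate
# with the post's extension file using openssl x509 -req, once without and once
# with -extfile, then checks the result the way a TLS client does, with
# openssl verify -verify_hostname. Assumes the openssl CLI (1.0.2 or newer) is
# on PATH; all paths and names are constructed.
set -eu

# Minimal CA plus server key and CSR in directory $1, same shape as the post's steps.
setup_keys() {
    mkdir -p "$1"
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/cakey.pem" -out "$1/cacert.pem" -days 7300 \
        -subj "/C=CN/ST=henan/O=kov/CN=kov-demo-ca" 2>/dev/null
    openssl genrsa -out "$1/nginx-node01.key" 2048 2>/dev/null
    openssl req -new -key "$1/nginx-node01.key" -out "$1/nginx-node01.csr" \
        -subj "/C=CN/ST=henan/O=kov/OU=Dev/CN=www.kov.com" 2>/dev/null
}

# The post's extension file with one addition: -extfile replaces the whole
# extension set, so basicConstraints = CA:FALSE is written explicitly to keep
# the server certificate from being usable as an issuing CA.
write_ext() {
    cat > "$1" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1 = kov.com
DNS.2 = www.kov.com
EOF
}

# Sign $1/nginx-node01.csr into $2; an optional third argument is the -extfile.
sign_csr() {
    dir=$1; out=$2; ext=${3:-}
    set -- -req -in "$dir/nginx-node01.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$out" -days 3650 -sha256
    [ -n "$ext" ] && set -- "$@" -extfile "$ext"
    openssl x509 "$@" 2>/dev/null
}

# Return 0 when $2 chains to CA cert $1 and is valid for hostname $3: the same
# checks a TLS client performs, including the subjectAltName comparison.
valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# List the DNS names in a certificate's subjectAltName (empty when there is none).
san_names() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' || true
}

# Whole flow: certificate with SAN, one hostname that is listed and one that is not.
demo() {
    setup_keys "$1"
    write_ext "$1/kov.ext"
    sign_csr "$1" "$1/nginx-node01.crt" "$1/kov.ext"
    san_names "$1/nginx-node01.crt"
    valid_for_host "$1/cacert.pem" "$1/nginx-node01.crt" www.kov.com && echo "www.kov.com: OK"
    valid_for_host "$1/cacert.pem" "$1/nginx-node01.crt" mail.kov.com || echo "mail.kov.com: not in SAN"
}
```

Source the file and call `demo /tmp/demo-san`. The certificate signed without -extfile carries no subjectAltName at all, so a client that requires SAN names (every current browser) rejects it for www.kov.com even though the Common Name matches; the one signed with kov.ext validates for kov.com and www.kov.com and fails for any other name.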