小皮博客 | Xiaopi's Blog

112-【pki体系及安全策略】1-openssl及各类证书详解

发表于 | 4,009 字 需要阅读: 46 分钟 | 分类于

PKI(公钥基础设施)是一个包括硬件、软件、人员、策略和规程的集合,用来实现基于公钥密码体制的密钥和证书的产生、管理、存储、分发和撤销等功能。
本专题将系统的讲解整个体系。

基本术语

之后专门写一个章节来解释吧。

详解

生成及查看rsa密钥

  • openssl: 一个开源组织,配套做了一套开源的工具,囊括了主要的加密算法及周边的内容
  1. 下面的命令生成了一个“私钥密钥对”,这个key里面包含了公钥和私钥。

    openssl genpkey -algorithm rsa -out rsa_demo_001.key

  1. 直接查看文件内容

    vim rsa_demo_001.key 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
-----BEGIN PRIVATE KEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDc+fOnG1mzB7v8
qHONlgXjqPtdZ30Dso+xvwLwv+U4sAtqsuIZdqMYaoU71BNcSx/fIYo/ArtlkPfr
Qg4QlGNflyB9ylcxKmAhgdt/5QrIPc6Pswkxaw4EVQhSsmw6gecx7fZxaE2Y+F6M
TI8paTFy0c25OiztB1RLs39nBzQr7o1OA3opng3jO5XiTsgMQP1rVkjz3EZiduga
AA7Xy5XVmisrZTL8pPaX50PjgBdF2GQ7FubJr6DU7Tr9sP6lXqSoIWnQ9IouDbLU
4v4z7MXevIPMixsTkRfG4Qn0T86j4wtSvh/e255z42fkZCiMRjTMVmXFOb/0JCc7
poashZYTAgMBAAECggEBAIqXHVBuH+jf7e/9elOPhuwM3HHtaQO7ptG02dRCljHi
f5aQ0Ktls86paBxo2yekWj3oXDs+rGd773GWQRn25whZ0V/zWpIUYKxDNHZXIVcL
JJUNlbNv0B+5cPnku2pKdMTk2Q6xexF4nFvj3Fn9hqzbluoX6XtTgHPmBP6KDxeJ
YBdRlCke3Y3yMeo44LiiogMUIe1E7DVCzhn1GRFN8HHRMHFLmwJQLcr+wnOkjvz+
6MYKuAcHriqihykNfS7DXruqfrWTuipTX3OcaemFYbeuu+KdtCOuiHszTnLml7/W
7OO51qCXvJrHf6ibnPBoXWrgFt9It0+fWV3ICx0EzpkCgYEA/WMfCHO4YM2UJYPw
QnkK1fibCP1FfX5ZGnC0m5q4M6mBW5pBeoLyonkpTGsqOgbLZjDTsqaHAyo3GAyK
QZIHF51ruH5EfnLDTntUFZZ9CoTrWAea8ZYFke9x5zdBN5ssCQMYmLQVR3c4UvzY
tsaJXL2LhBjErbCjdcRqWfehPt8CgYEA30FGKzPLg2M46cX/CWfEandLvTeZuLPk
FXflrifGaPgDJbaSMHT+O0/WAUVVCC4xBjSkidVem39YlUhuGB/2lhwlvi17zHCS
tawaJofNy7MaP/JYPN02iyGIcxNTBaH5wLFAVD+X81To2cwzcr5vruZkk+lcGTsi
UQhpxCCo800CgYEAlDE5gB710Z/KKhq9FJNoM/Ye7iX6U0fm4uDRsEPPwV88aY+R
Bg65yy4jai8u1hsNMGoUFeLxCXfSGv2SioDWJwiJbLBkbLO/6BGW/r0xykosviJM
i0hbX5tzuW+Gc/gLzAWEiCKiY1almVuJf3Qj+BpfE1XNCWxKXWEPdiiupG8CgYEA
xf7TxjjXQpzauqj4OFUo4usN5q/Kyv3vSALfVYa89hcOY4H5QLRhTCTPvKzKbsjY
fZJuYjczAmD8JNjpmseuHw6zgmhAJN2pnykUwBssrn0WyKObEc92Mgn5Q2Vd+d7e
6r/IN292yT0CjTYGYrr1vX1isbMCFPZWxtrZQjFc5PkCgYEA81fd5J8ZAWp+FCSV
N2T5JNW7sbPAVMmtQYslxHsrzcbI1zWTM/gLVJU5KYmjJKFcu7GefqD0tPqVzJOI
/xaeYOtPaUtY+UnleOrLMex5XftiajZ+eny2EgdbOXN9mhSnOLtYsAOFHHsNOKmK
6xW4E2PEiRq/6CfhvcOXqfgF110=
-----END PRIVATE KEY-----
  1. 查看其中的公钥和私钥。

    openssl rsa -in rsa_demo_001.key -text

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
Private-Key: (2048 bit)
modulus:
    00:dc:f9:f3:a7:1b:59:b3:07:bb:fc:a8:73:8d:96:
    05:e3:a8:fb:5d:67:7d:03:b2:8f:b1:bf:02:f0:bf:
    e5:38:b0:0b:6a:b2:e2:19:76:a3:18:6a:85:3b:d4:
    13:5c:4b:1f:df:21:8a:3f:02:bb:65:90:f7:eb:42:
    0e:10:94:63:5f:97:20:7d:ca:57:31:2a:60:21:81:
    db:7f:e5:0a:c8:3d:ce:8f:b3:09:31:6b:0e:04:55:
    08:52:b2:6c:3a:81:e7:31:ed:f6:71:68:4d:98:f8:
    5e:8c:4c:8f:29:69:31:72:d1:cd:b9:3a:2c:ed:07:
    54:4b:b3:7f:67:07:34:2b:ee:8d:4e:03:7a:29:9e:
    0d:e3:3b:95:e2:4e:c8:0c:40:fd:6b:56:48:f3:dc:
    46:62:76:e8:1a:00:0e:d7:cb:95:d5:9a:2b:2b:65:
    32:fc:a4:f6:97:e7:43:e3:80:17:45:d8:64:3b:16:
    e6:c9:af:a0:d4:ed:3a:fd:b0:fe:a5:5e:a4:a8:21:
    69:d0:f4:8a:2e:0d:b2:d4:e2:fe:33:ec:c5:de:bc:
    83:cc:8b:1b:13:91:17:c6:e1:09:f4:4f:ce:a3:e3:
    0b:52:be:1f:de:db:9e:73:e3:67:e4:64:28:8c:46:
    34:cc:56:65:c5:39:bf:f4:24:27:3b:a6:86:ac:85:
    96:13
publicExponent: 65537 (0x10001)
privateExponent:
    00:8a:97:1d:50:6e:1f:e8:df:ed:ef:fd:7a:53:8f:
    86:ec:0c:dc:71:ed:69:03:bb:a6:d1:b4:d9:d4:42:
    96:31:e2:7f:96:90:d0:ab:65:b3:ce:a9:68:1c:68:
    db:27:a4:5a:3d:e8:5c:3b:3e:ac:67:7b:ef:71:96:
    41:19:f6:e7:08:59:d1:5f:f3:5a:92:14:60:ac:43:
    34:76:57:21:57:0b:24:95:0d:95:b3:6f:d0:1f:b9:
    70:f9:e4:bb:6a:4a:74:c4:e4:d9:0e:b1:7b:11:78:
    9c:5b:e3:dc:59:fd:86:ac:db:96:ea:17:e9:7b:53:
    80:73:e6:04:fe:8a:0f:17:89:60:17:51:94:29:1e:
    dd:8d:f2:31:ea:38:e0:b8:a2:a2:03:14:21:ed:44:
    ec:35:42:ce:19:f5:19:11:4d:f0:71:d1:30:71:4b:
    9b:02:50:2d:ca:fe:c2:73:a4:8e:fc:fe:e8:c6:0a:
    b8:07:07:ae:2a:a2:87:29:0d:7d:2e:c3:5e:bb:aa:
    7e:b5:93:ba:2a:53:5f:73:9c:69:e9:85:61:b7:ae:
    bb:e2:9d:b4:23:ae:88:7b:33:4e:72:e6:97:bf:d6:
    ec:e3:b9:d6:a0:97:bc:9a:c7:7f:a8:9b:9c:f0:68:
    5d:6a:e0:16:df:48:b7:4f:9f:59:5d:c8:0b:1d:04:
    ce:99
prime1:
    00:fd:63:1f:08:73:b8:60:cd:94:25:83:f0:42:79:
    0a:d5:f8:9b:08:fd:45:7d:7e:59:1a:70:b4:9b:9a:
    b8:33:a9:81:5b:9a:41:7a:82:f2:a2:79:29:4c:6b:
    2a:3a:06:cb:66:30:d3:b2:a6:87:03:2a:37:18:0c:
    8a:41:92:07:17:9d:6b:b8:7e:44:7e:72:c3:4e:7b:
    54:15:96:7d:0a:84:eb:58:07:9a:f1:96:05:91:ef:
    71:e7:37:41:37:9b:2c:09:03:18:98:b4:15:47:77:
    38:52:fc:d8:b6:c6:89:5c:bd:8b:84:18:c4:ad:b0:
    a3:75:c4:6a:59:f7:a1:3e:df
prime2:
    00:df:41:46:2b:33:cb:83:63:38:e9:c5:ff:09:67:
    c4:6a:77:4b:bd:37:99:b8:b3:e4:15:77:e5:ae:27:
    c6:68:f8:03:25:b6:92:30:74:fe:3b:4f:d6:01:45:
    55:08:2e:31:06:34:a4:89:d5:5e:9b:7f:58:95:48:
    6e:18:1f:f6:96:1c:25:be:2d:7b:cc:70:92:b5:ac:
    1a:26:87:cd:cb:b3:1a:3f:f2:58:3c:dd:36:8b:21:
    88:73:13:53:05:a1:f9:c0:b1:40:54:3f:97:f3:54:
    e8:d9:cc:33:72:be:6f:ae:e6:64:93:e9:5c:19:3b:
    22:51:08:69:c4:20:a8:f3:4d
exponent1:
    00:94:31:39:80:1e:f5:d1:9f:ca:2a:1a:bd:14:93:
    68:33:f6:1e:ee:25:fa:53:47:e6:e2:e0:d1:b0:43:
    cf:c1:5f:3c:69:8f:91:06:0e:b9:cb:2e:23:6a:2f:
    2e:d6:1b:0d:30:6a:14:15:e2:f1:09:77:d2:1a:fd:
    92:8a:80:d6:27:08:89:6c:b0:64:6c:b3:bf:e8:11:
    96:fe:bd:31:ca:4a:2c:be:22:4c:8b:48:5b:5f:9b:
    73:b9:6f:86:73:f8:0b:cc:05:84:88:22:a2:63:56:
    a5:99:5b:89:7f:74:23:f8:1a:5f:13:55:cd:09:6c:
    4a:5d:61:0f:76:28:ae:a4:6f
exponent2:
    00:c5:fe:d3:c6:38:d7:42:9c:da:ba:a8:f8:38:55:
    28:e2:eb:0d:e6:af:ca:ca:fd:ef:48:02:df:55:86:
    bc:f6:17:0e:63:81:f9:40:b4:61:4c:24:cf:bc:ac:
    ca:6e:c8:d8:7d:92:6e:62:37:33:02:60:fc:24:d8:
    e9:9a:c7:ae:1f:0e:b3:82:68:40:24:dd:a9:9f:29:
    14:c0:1b:2c:ae:7d:16:c8:a3:9b:11:cf:76:32:09:
    f9:43:65:5d:f9:de:de:ea:bf:c8:37:6f:76:c9:3d:
    02:8d:36:06:62:ba:f5:bd:7d:62:b1:b3:02:14:f6:
    56:c6:da:d9:42:31:5c:e4:f9
coefficient:
    00:f3:57:dd:e4:9f:19:01:6a:7e:14:24:95:37:64:
    f9:24:d5:bb:b1:b3:c0:54:c9:ad:41:8b:25:c4:7b:
    2b:cd:c6:c8:d7:35:93:33:f8:0b:54:95:39:29:89:
    a3:24:a1:5c:bb:b1:9e:7e:a0:f4:b4:fa:95:cc:93:
    88:ff:16:9e:60:eb:4f:69:4b:58:f9:49:e5:78:ea:
    cb:31:ec:79:5d:fb:62:6a:36:7e:7a:7c:b6:12:07:
    5b:39:73:7d:9a:14:a7:38:bb:58:b0:03:85:1c:7b:
    0d:38:a9:8a:eb:15:b8:13:63:c4:89:1a:bf:e8:27:
    e1:bd:c3:97:a9:f8:05:d7:5d
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA3PnzpxtZswe7/KhzjZYF46j7XWd9A7KPsb8C8L/lOLALarLi
GXajGGqFO9QTXEsf3yGKPwK7ZZD360IOEJRjX5cgfcpXMSpgIYHbf+UKyD3Oj7MJ
MWsOBFUIUrJsOoHnMe32cWhNmPhejEyPKWkxctHNuTos7QdUS7N/Zwc0K+6NTgN6
KZ4N4zuV4k7IDED9a1ZI89xGYnboGgAO18uV1ZorK2Uy/KT2l+dD44AXRdhkOxbm
ya+g1O06/bD+pV6kqCFp0PSKLg2y1OL+M+zF3ryDzIsbE5EXxuEJ9E/Oo+MLUr4f
3tuec+Nn5GQojEY0zFZlxTm/9CQnO6aGrIWWEwIDAQABAoIBAQCKlx1Qbh/o3+3v
/XpTj4bsDNxx7WkDu6bRtNnUQpYx4n+WkNCrZbPOqWgcaNsnpFo96Fw7Pqxne+9x
lkEZ9ucIWdFf81qSFGCsQzR2VyFXCySVDZWzb9AfuXD55LtqSnTE5NkOsXsReJxb
49xZ/Yas25bqF+l7U4Bz5gT+ig8XiWAXUZQpHt2N8jHqOOC4oqIDFCHtROw1Qs4Z
9RkRTfBx0TBxS5sCUC3K/sJzpI78/ujGCrgHB64qoocpDX0uw167qn61k7oqU19z
nGnphWG3rrvinbQjroh7M05y5pe/1uzjudagl7yax3+om5zwaF1q4BbfSLdPn1ld
yAsdBM6ZAoGBAP1jHwhzuGDNlCWD8EJ5CtX4mwj9RX1+WRpwtJuauDOpgVuaQXqC
8qJ5KUxrKjoGy2Yw07KmhwMqNxgMikGSBxeda7h+RH5yw057VBWWfQqE61gHmvGW
BZHvcec3QTebLAkDGJi0FUd3OFL82LbGiVy9i4QYxK2wo3XEaln3oT7fAoGBAN9B
Riszy4NjOOnF/wlnxGp3S703mbiz5BV35a4nxmj4AyW2kjB0/jtP1gFFVQguMQY0
pInVXpt/WJVIbhgf9pYcJb4te8xwkrWsGiaHzcuzGj/yWDzdNoshiHMTUwWh+cCx
QFQ/l/NU6NnMM3K+b67mZJPpXBk7IlEIacQgqPNNAoGBAJQxOYAe9dGfyioavRST
aDP2Hu4l+lNH5uLg0bBDz8FfPGmPkQYOucsuI2ovLtYbDTBqFBXi8Ql30hr9koqA
1icIiWywZGyzv+gRlv69McpKLL4iTItIW1+bc7lvhnP4C8wFhIgiomNWpZlbiX90
I/gaXxNVzQlsSl1hD3YorqRvAoGBAMX+08Y410Kc2rqo+DhVKOLrDeavysr970gC
31WGvPYXDmOB+UC0YUwkz7ysym7I2H2SbmI3MwJg/CTY6ZrHrh8Os4JoQCTdqZ8p
FMAbLK59FsijmxHPdjIJ+UNlXfne3uq/yDdvdsk9Ao02BmK69b19YrGzAhT2Vsba
2UIxXOT5AoGBAPNX3eSfGQFqfhQklTdk+STVu7GzwFTJrUGLJcR7K83GyNc1kzP4
C1SVOSmJoyShXLuxnn6g9LT6lcyTiP8WnmDrT2lLWPlJ5XjqyzHseV37Ymo2fnp8
thIHWzlzfZoUpzi7WLADhRx7DTipiusVuBNjxIkav+gn4b3Dl6n4Bddd
-----END RSA PRIVATE KEY-----
  1. 提取其中的公钥

    openssl rsa -pubout -in rsa_demo_001.key

1
2
3
4
5
6
7
8
9
10
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3PnzpxtZswe7/KhzjZYF
46j7XWd9A7KPsb8C8L/lOLALarLiGXajGGqFO9QTXEsf3yGKPwK7ZZD360IOEJRj
X5cgfcpXMSpgIYHbf+UKyD3Oj7MJMWsOBFUIUrJsOoHnMe32cWhNmPhejEyPKWkx
ctHNuTos7QdUS7N/Zwc0K+6NTgN6KZ4N4zuV4k7IDED9a1ZI89xGYnboGgAO18uV
1ZorK2Uy/KT2l+dD44AXRdhkOxbmya+g1O06/bD+pV6kqCFp0PSKLg2y1OL+M+zF
3ryDzIsbE5EXxuEJ9E/Oo+MLUr4f3tuec+Nn5GQojEY0zFZlxTm/9CQnO6aGrIWW
EwIDAQAB
-----END PUBLIC KEY-----
  1. 写入公钥到文件里面,指定了-out就不会再输出到控制台。

    openssl rsa -pubout -in rsa_demo_001.key -out rsa_demo_001.pub.key

使用密钥加密解密文件

  1. 生成一个数据文件

    echo “{“data”:[{“6544242”:[121.40541199401648,32.95890201633851]}]}” > data.json

  2. 使用公钥对文件进行加密操作。

    openssl rsautl -encrypt -in data.json -inkey rsa_demo_001.pub.key -pubin -out data-encrypt.json

此时获得的文件 data-encrypt.json是加密后的文件,不可被直接理解了。一般在传输过程中,会对这个二进制流转码成hex或者base64。

  1. 在2的基础上,使用私钥文件进行解密。

    openssl rsautl -decrypt -in data-encrypt.json -inkey rsa_demo_001.key

  2. 重要: 在实际操作过程中,我们一般会把私钥保存,把公钥发出去,这样通过公钥加密的内容,只有接收者可以看到。实际上、私钥加密的内容,公钥可以解密。但是因为私钥中已经包含了公钥,所以如果私钥文件发出去,就失去了非对称加密的意义了。私钥加密的场景,其实是验证,私钥签名的内容,可以用公钥验证是这个私钥签名的。

  3. 私钥“签名”(也是加密),公钥验证签名(也是解密)。

    openssl rsautl -sign -in data.json -inkey rsa_demo_001.key -out data-sign.json

openssl rsautl -verify -in data-sign.json -inkey rsa_demo_001.pub.key -pubin

可以看出,其实和上面的过程是类似的,只是定义不同。从数学上来说没有区别。加密的中间文件可能会不一样。

证书

密钥虽然已经有了,但是上面没有任何组织或者个人的标识,那么如何才能通过证书本身来标志组织或者持有者的身份呢。当你拿到这个公钥之后,怎么知道这个公钥是这个组织所有的,而不是被偷梁换柱之后的?

所以我们有证书: 公钥信息+额外的附加信息(所属实体,采取的加密算法等)=证书。扩展名一般为crt。(cert)

证书的获得

  1. 自行通过密钥对生成证书。

    openssl genpkey -algorithm rsa -out rsa_for_cert.key # 和前面的证书章节一样。

  2. 基于这个私钥生成一个CSR(证书签名请求)。

    采用私钥生成一个CSR,过程中需要输入一些信息,这些信息都是公开的
    openssl req -new -key rsa_for_cert.key -out server.csr

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:TIANJIN
Locality Name (eg, city) []:HEPING
Organization Name (eg, company) []:hugerfuture
Organizational Unit Name (eg, section) []:IT Corp
Common Name (eg, fully qualified host name) []:IT 
Email Address []:shengling@hugerfuture.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:!@#$1234QWER
  1. 文件生成了,我们查看一下。

    openssl req -in server.csr -text -noout

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=TIANJIN, L=HEPING, O=hugerfuture, OU=IT Corp, CN=IT /emailAddress=shengling@hugerfuture.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:fe:64:ce:c2:db:69:35:7c:59:e4:b7:84:ac:
                    8e:9b:af:a3:c3:f5:48:78:cd:b3:c9:1a:de:78:a2:
                    47:92:50:2e:8d:c1:3c:75:d6:22:a2:ce:07:98:f5:
                    ce:cc:48:76:fb:40:4b:3d:ef:65:f2:21:09:a6:65:
                    a4:45:86:c5:5c:1b:01:a9:55:75:1d:76:e8:8f:0c:
                    6b:02:7b:d6:3f:55:39:60:99:fd:48:d3:99:fd:25:
                    74:83:7e:33:41:02:2a:59:df:e3:63:29:5c:77:d4:
                    f8:5c:8a:03:53:3e:b5:d9:06:1a:2c:ea:d7:4c:9f:
                    0e:fa:b9:f2:e4:3a:7f:a3:81:7f:78:70:a1:84:e6:
                    b9:d4:a5:4c:23:e8:30:c0:fe:cb:db:46:87:bd:0d:
                    c6:8c:5a:b6:d7:88:05:ba:0d:27:1c:10:74:8c:cf:
                    83:ee:3c:0d:44:71:aa:b1:89:98:a0:21:57:d9:3e:
                    e8:ec:e8:d8:4d:65:77:a7:1e:4c:30:fd:4e:ae:3d:
                    14:a1:f0:eb:39:45:0f:1b:a7:50:99:b1:66:5f:a3:
                    45:88:a6:61:62:9b:89:fd:28:5e:d3:88:1f:18:38:
                    90:4c:6f:d7:45:40:90:ba:dd:d6:5b:ce:d5:8c:ad:
                    eb:32:26:89:46:0c:7b:10:50:4e:9d:b4:9a:96:28:
                    be:07
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha256WithRSAEncryption
         93:46:f3:0c:69:16:32:e6:d5:a4:be:2d:09:6c:23:12:e8:4a:
         a5:62:db:e8:bd:ab:14:1b:5a:4e:17:d3:18:d2:cc:f0:e8:d2:
         a5:61:62:aa:93:e6:4e:44:f9:45:d7:6a:7f:22:5a:6c:d9:0b:
         61:31:26:75:03:78:75:73:b1:8d:47:12:08:53:e9:93:a9:63:
         62:e0:2f:f1:7d:fa:67:b4:1b:d3:02:20:63:3f:87:14:1d:66:
         85:49:7e:29:d6:ac:e1:f5:d9:fb:35:d0:6e:91:87:9b:f0:37:
         10:65:b4:ea:eb:b3:79:27:9f:43:1c:42:f3:04:64:c7:7b:b0:
         f7:25:c7:92:47:86:ee:b2:cf:3b:a1:2c:99:6d:3c:e4:3f:cf:
         52:15:01:08:f8:0e:89:54:c2:ee:78:96:f9:f3:00:45:40:bc:
         df:c5:3d:01:eb:0a:29:d5:80:8d:89:0a:11:07:7e:ce:93:09:
         bc:eb:1e:56:70:20:b0:fa:29:b8:f5:62:db:76:32:51:33:ea:
         3c:e5:7e:ea:6f:4b:da:67:0b:c8:cc:9b:53:d9:8e:4d:0b:8e:
         2e:f8:e4:ef:db:d6:6f:28:58:e9:66:76:84:63:7e:0f:35:24:
         87:58:df:15:95:a2:ba:5f:78:ac:61:ff:21:6f:51:66:a5:d7:
         f9:f4:a4:b4

  1. 我们可以把这个证书发给CA机构,让他们认证。CA认证过的(签名)的证书,是可以被主流浏览器直接识别的。唯一的问题是要收钱。

  2. 自己充当CA来注册一下。并且这里是把自己当做root证书来自签名。(而浏览器里面是预埋了各个CA机构的公钥,可以来验证是不是由这个CA机构签发的证书,因为公钥可以verify私钥sign的内容)。

    openssl x509 -req -days 365 -in server.csr -signkey rsa_for_cert.key -out my-cert.crt 

1
2
3
Signature ok
subject=/C=CN/ST=TIANJIN/L=HEPING/O=hugerfuture/OU=IT Corp/CN=IT /emailAddress=shengling@hugerfuture.com
Getting Private key
  1. 查看证书相关信息

    openssl x509 -in my-cert.crt -text

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 16079925940232298387 (0xdf275f7292229f93)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=TIANJIN, L=HEPING, O=hugerfuture, OU=IT Corp, CN=IT /emailAddress=shengling@hugerfuture.com
        Validity
            Not Before: Nov  3 08:48:50 2020 GMT
            Not After : Nov  3 08:48:50 2021 GMT
        Subject: C=CN, ST=TIANJIN, L=HEPING, O=hugerfuture, OU=IT Corp, CN=IT /emailAddress=shengling@hugerfuture.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:fe:64:ce:c2:db:69:35:7c:59:e4:b7:84:ac:
                    8e:9b:af:a3:c3:f5:48:78:cd:b3:c9:1a:de:78:a2:
                    47:92:50:2e:8d:c1:3c:75:d6:22:a2:ce:07:98:f5:
                    ce:cc:48:76:fb:40:4b:3d:ef:65:f2:21:09:a6:65:
                    a4:45:86:c5:5c:1b:01:a9:55:75:1d:76:e8:8f:0c:
                    6b:02:7b:d6:3f:55:39:60:99:fd:48:d3:99:fd:25:
                    74:83:7e:33:41:02:2a:59:df:e3:63:29:5c:77:d4:
                    f8:5c:8a:03:53:3e:b5:d9:06:1a:2c:ea:d7:4c:9f:
                    0e:fa:b9:f2:e4:3a:7f:a3:81:7f:78:70:a1:84:e6:
                    b9:d4:a5:4c:23:e8:30:c0:fe:cb:db:46:87:bd:0d:
                    c6:8c:5a:b6:d7:88:05:ba:0d:27:1c:10:74:8c:cf:
                    83:ee:3c:0d:44:71:aa:b1:89:98:a0:21:57:d9:3e:
                    e8:ec:e8:d8:4d:65:77:a7:1e:4c:30:fd:4e:ae:3d:
                    14:a1:f0:eb:39:45:0f:1b:a7:50:99:b1:66:5f:a3:
                    45:88:a6:61:62:9b:89:fd:28:5e:d3:88:1f:18:38:
                    90:4c:6f:d7:45:40:90:ba:dd:d6:5b:ce:d5:8c:ad:
                    eb:32:26:89:46:0c:7b:10:50:4e:9d:b4:9a:96:28:
                    be:07
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         26:08:e9:54:20:6d:11:6c:b7:fe:4b:67:9a:d5:27:6b:f1:89:
         70:2e:fd:58:7d:9f:83:a5:c6:f6:13:6f:76:94:02:cd:e7:a2:
         cf:2a:73:6c:75:52:87:69:2c:f7:2f:1f:57:05:dc:b2:72:ca:
         8a:16:07:65:1b:ba:7b:85:a1:0b:44:99:20:bc:e6:28:2e:bf:
         8e:a1:f8:82:82:66:2e:56:5e:28:65:ff:81:fe:3c:51:99:74:
         d0:c8:87:f5:31:cc:59:a6:dd:d3:8b:ad:dd:0c:27:99:53:85:
         13:db:ef:3b:18:67:e1:61:e2:8c:e6:de:2b:32:a8:b9:64:73:
         5b:c3:c5:c1:4c:7e:08:30:1c:6d:bf:09:f5:ca:86:15:44:8f:
         38:01:57:92:bf:2a:6b:07:a3:b6:d9:08:65:a1:2b:a4:d3:7d:
         71:76:0e:8b:e3:09:f2:c9:2b:36:3b:ed:44:ac:d2:4b:39:f8:
         7d:a5:e6:8e:82:be:ba:cc:fb:7c:53:96:8e:a5:18:95:02:43:
         9d:39:e4:52:a4:a5:49:21:1c:38:88:99:ab:45:1d:cb:1d:2f:
         85:32:e0:e8:64:97:f3:7c:f9:04:c8:fc:8d:2b:1b:61:aa:36:
         e7:11:f0:dd:4f:c8:3a:ec:4f:29:46:16:65:00:27:2f:61:58:
         7b:46:3c:1d
-----BEGIN CERTIFICATE-----
MIIDnjCCAoYCCQDfJ19ykiKfkzANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB1RJQU5KSU4xDzANBgNVBAcMBkhFUElORzEUMBIGA1UECgwL
aHVnZXJmdXR1cmUxEDAOBgNVBAsMB0lUIENvcnAxDDAKBgNVBAMMA0lUIDEoMCYG
CSqGSIb3DQEJARYZc2hlbmdsaW5nQGh1Z2VyZnV0dXJlLmNvbTAeFw0yMDExMDMw
ODQ4NTBaFw0yMTExMDMwODQ4NTBaMIGQMQswCQYDVQQGEwJDTjEQMA4GA1UECAwH
VElBTkpJTjEPMA0GA1UEBwwGSEVQSU5HMRQwEgYDVQQKDAtodWdlcmZ1dHVyZTEQ
MA4GA1UECwwHSVQgQ29ycDEMMAoGA1UEAwwDSVQgMSgwJgYJKoZIhvcNAQkBFhlz
aGVuZ2xpbmdAaHVnZXJmdXR1cmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAnf5kzsLbaTV8WeS3hKyOm6+jw/VIeM2zyRreeKJHklAujcE8ddYi
os4HmPXOzEh2+0BLPe9l8iEJpmWkRYbFXBsBqVV1HXbojwxrAnvWP1U5YJn9SNOZ
/SV0g34zQQIqWd/jYylcd9T4XIoDUz612QYaLOrXTJ8O+rny5Dp/o4F/eHChhOa5
1KVMI+gwwP7L20aHvQ3GjFq214gFug0nHBB0jM+D7jwNRHGqsYmYoCFX2T7o7OjY
TWV3px5MMP1Orj0UofDrOUUPG6dQmbFmX6NFiKZhYpuJ/She04gfGDiQTG/XRUCQ
ut3WW87VjK3rMiaJRgx7EFBOnbSalii+BwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
AQAmCOlUIG0RbLf+S2ea1Sdr8YlwLv1YfZ+Dpcb2E292lALN56LPKnNsdVKHaSz3
Lx9XBdyycsqKFgdlG7p7haELRJkgvOYoLr+OofiCgmYuVl4oZf+B/jxRmXTQyIf1
McxZpt3Ti63dDCeZU4UT2+87GGfhYeKM5t4rMqi5ZHNbw8XBTH4IMBxtvwn1yoYV
RI84AVeSvyprB6O22QhloSuk031xdg6L4wnyySs2O+1ErNJLOfh9peaOgr66zPt8
U5aOpRiVAkOdOeRSpKVJIRw4iJmrRR3LHS+FMuDoZJfzfPkEyPyNKxthqjbnEfDd
T8g67E8pRhZlACcvYVh7Rjwd
-----END CERTIFICATE-----

版权声明

本文标题:112-【pki体系及安全策略】1-openssl及各类证书详解

文章作者:盛领

发布时间:2020年11月03日 - 22:54:50

原始链接:http://blog.xiaoyuyu.net/post/45c4089e.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

如您有任何商业合作或者授权方面的协商,请给我留言:sunsetxiao@126.com

盛领 wechat
欢迎您扫一扫上面的微信公众号,订阅我的博客!
坚持原创技术分享,您的支持将鼓励我继续创作!