openssl及数字证书制作

各种数字证书区别

证书文件有两种编码:二进制编码或者BASE64编码,具体有一下几种:

.cer/.crt/.der(DER-encoded
certificate):用于存放证书,它是2进制形式存放的,不含私钥。
.pem(PEM-encoded message):跟crt/cer的区别是它以BASE64编码来表示。
.pfx/p12(PKCS#12 Personal Information
Exchange):用于存放个人证书/私钥,他通常包含保护密码,2进制方式.
.p1(PKCS#10 Certification Request):证书请求.
.p7r(PKCS#7 cert request response):CA对证书请求的回复,只用于导入.
.p7b(PKCS#7 cert request response):以树状展示证书链(certificate
chain),支持单个或多个证书,不含私钥。

TBS and thumbprint

On a digital certificate, fields such as common name, country code,
organization, and e-mail make up what is called the TBS (To Be Signed)
Certificate Sequence. This is
the information used on a certificate to calculate the hash value when signed by
GlobalSign or any other certificate authority. Two other certificate fields,
signatureAlgorithm and signatureValue, assist in the validation of your digital
certificate. Signature Algorithm specifies the hash algorithm used to calculate
the hash, and signature Value is the calculated hash of the TBS Certificate
sequence. With this information available, operating systems, browsers, and
other software can verify the integrity of the vetted information on your
certificate.

Why is the thumbprint of my SHA-256 certificate SHA-1?

Where signature Value is the hash of the TBS Certificate sequence, the
thumbprint is the hash of the entire certificate in binary DER format; it
is not actually part of the certificate. The thumbprint is calculated by the
operating system
; Windows uses SHA-1 by default regardless of the signature
algorithm on the certificate.

openssl 制作证书

1.制作根(CA)证书

a.) $ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out ca.key
#生成ca rsa key

($ openssl genrsa -des3 -out ca.key 2048 #生成ca rsa key; $ openssl rsa -in
ca.key -out ca.key #去除key密码保护)

b.) $ openssl req -new -key ca.key -out ca.csr
#根据私钥生成证书申请,这里的cn(issuer)不要跟server/client的相同。

c.) $ openssl x509 -req -in ca.csr -out ca.pem -signkey ca.key -days 36500
-sha256 #用私钥对证书申请进行签名生成自签名证书

2.制作x509客户证书

a.)$ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out
server.key #生成server rsa key

($ openssl genrsa -des3 -out server.key 2048;$ openssl rsa -in server.key -out
server.key #去除key密码保护)

b.) $ openssl req -new -key server.key -out server.csr
#根据私钥生成证书申请,这里的cn(issue to) 一般为server
name,不能跟CA的cn相同,否则client不能验证server 的cert。

c.) $ openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -out server.pem
-CAcreateserial -days 36500
#用CA的证书生成用户证书,可以为任何证书申请生成证书。

3.转换x509证书为包含private key的PKCS#12证书;

$ openssl pkcs12 -export -out sqlserver.pfx -inkey server.key -in server.pem
-certfile ca.pem

4.查看证书/证书申请

$ openssl x509 -noout -text -in server.pem

$ openssl req -noout -text -in server.csr

$ openssl rsa -noout -text -in server.key

5.合并key和cert

# cat server.pem server.key > server_key.pem

6.模拟client/server ssl连接

$ openssl s_server -accept 636 -cert server.pem -key server.key -www

$ openssl s_client -connect localhost:636 -showcerts

7.生成base64 key

$ openssl rand -base64 12 #生成12字节长的随机base64编码(12x8/6=16个base64字符)

你可能感兴趣的:(Linux,security)