[svc] Meaning of each field in a certificate
Reads: 5941
Published: 2019-06-19


Certificate generation tools

  • 1. openssl
  • 2. keytool (bundled with the JDK)
  • 3. cfssl

Meaning of each field in a certificate


- View the contents of a certificate:

```sh
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text | egrep -i "issuer|subject|serial|dates"
openssl x509 -noout -text -in kubernetes.pem
cfssl-certinfo -cert kubernetes.pem
```

Meaning of the fields in a digital certificate's Subject

  • A typical digital certificate's Subject usually contains the following fields:

| Field name | Field value |
|---|---|
| Common Name | Abbreviated CN. For an SSL certificate this is generally the website's domain name; for a code-signing certificate it is the applicant organization's name; for a client certificate it is the applicant's personal name. |
| Organization Name | Abbreviated O. For an SSL certificate this is generally the website's domain name; for a code-signing certificate it is the applicant organization's name; for a client organization certificate it is the name of the organization the applicant belongs to. |

  • Location of the applicant organization

| Field name | Field value |
|---|---|
| Locality (city) | Abbreviated L |
| State/Province | Abbreviated S |
| Country | Abbreviated C. Must be the two-letter country code, e.g. China: CN |

  • Other fields

| Field name | Field value |
|---|---|
| Email | Abbreviated E |
| Given name (multiple name fields) | Abbreviated G |
| Description | Description field |
| Phone number | Phone field. Format: + country code, city code, number, e.g. +86 732 88888888 |
| Street address | STREET field |
| Postal code | PostalCode field |
| Other displayed content | Abbreviated OU (Organizational Unit) |


When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name shown in the address bar.

==Browsers have three ways to find a match:==

  • 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  • 2. The host name matches a wildcard Common Name. For example, www.example.com matches the common name *.example.com.
  • 3. The host name is listed in the Subject Alternative Name (SAN) field.

The client uses the information returned by the server to verify that the server is legitimate, including:

  • whether the certificate has expired;
  • whether the CA that issued the server certificate is trusted;
  • whether the returned public key correctly verifies the digital signature on the returned certificate;
  • whether the domain name in the server certificate matches the server's actual domain name (check the CN or the SAN, see above).

If verification passes, communication continues; otherwise it is terminated.
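The three matching rules above, written out as an added POSIX sh example (not code from the original post; the function names and sample host names are ours). It generalizes slightly: the wildcard stands for exactly one DNS label, and when a certificate carries SAN entries those are what get checked, with the CN used only as a fallback.

```sh
#!/bin/sh
# Added example: host-name matching against a certificate's CN and SAN list.

# lower NAME -> prints NAME in lower case (DNS names compare case-insensitively)
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# matches_name HOST NAME -> exit 0 if HOST matches NAME (rules 1 and 2)
matches_name() {
  host=$(lower "$1"); name=$(lower "$2")
  case $name in
    "*."*)
      # Wildcard: the '*' stands for exactly one label, so *.example.com
      # matches www.example.com but not example.com or a.b.example.com.
      suffix=${name#\*.}
      [ "$host" != "$suffix" ] && [ "${host#*.}" = "$suffix" ] ;;
    *)
      # Rule 1: exact match
      [ "$host" = "$name" ] ;;
  esac
}

# host_matches_cert HOST CN [SAN...] -> exit 0 if the certificate covers HOST.
# Rule 3: if the certificate has SAN entries, only those are consulted
# (this is what RFC 6125 and current browsers do); the CN is the fallback
# for certificates that carry no SAN at all.
host_matches_cert() {
  host=$1; cn=$2; shift 2
  if [ $# -gt 0 ]; then
    for san in "$@"; do
      matches_name "$host" "$san" && return 0
    done
    return 1
  fi
  matches_name "$host" "$cn"
}

# Usage, with the SAN list from the kubernetes.pem shown later in this post:
# host_matches_cert kubernetes.default.svc kubernetes \
#   kubernetes kubernetes.default kubernetes.default.svc && echo match
```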

How HTTPS certificates are generated, and deployment details

One-shot generation with RSA:

```sh
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt
```

You will be prompted for: country, province, city, company, department, name.

```
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to 'docker-registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com
```

Inspecting the certificate format

Pay attention mainly to:

- In Subject: CN (common name)
- In X509v3 extensions: Subject Alternative Name (SAN)

The X509v3 extensions section looks like this:

```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
    X509v3 Authority Key Identifier:
        keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
    X509v3 Subject Alternative Name:
        DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster,
```

When generating a certificate signing request (CSR) with xca (a CA certificate generator for Windows) you will see similar fields, so it is worth understanding what the X509v3 extensions mean.


```
[root@n3 keys]# openssl x509 -noout -text -in kubernetes.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Validity
            Not Before: Dec 23 10:27:00 2017 GMT
            Not After : Dec 23 10:27:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:d3:96:63:5e:17:11:7e:d6:b5:73:15:2a:aa:
                    ea:69:67:48:c3:f1:10:83:03:4d:99:09:88:ec:b7:
                    27:12:68:20:2b:95:d3:bf:ce:3f:9a:1c:c4:88:31:
                    ad:cf:d2:d9:d1:7c:39:20:f5:4f:d9:e9:8f:28:e2:
                    44:d0:df:69:29:10:15:da:c3:12:d5:4e:c5:24:a3:
                    88:b9:ab:0a:93:6b:1a:e5:0b:2d:5a:13:4f:8c:37:
                    52:fa:33:52:bd:a1:6f:4f:73:00:5a:0e:74:2d:f0:
                    fa:ff:05:80:9d:28:95:e2:bf:64:03:d7:df:f9:df:
                    10:86:06:af:66:f4:97:d7:d2:82:91:ea:cf:d1:88:
                    e3:9f:6b:a3:0f:a9:0d:b4:73:9a:9c:57:00:f2:2e:
                    f8:50:5f:28:33:7a:87:3a:8d:53:16:09:47:c7:e6:
                    43:d0:3e:81:57:96:82:41:d4:f2:5a:8f:50:c0:11:
                    31:3c:2e:80:19:b5:32:74:02:1e:c3:1c:02:79:f3:
                    f3:d0:86:a5:3d:7b:d9:a3:d0:12:d3:97:6d:11:7e:
                    9c:4e:f3:fe:84:2d:d1:43:10:5f:a7:41:15:1c:3f:
                    d4:3d:5f:e7:f9:80:ec:a7:1d:3f:a1:87:b1:32:b1:
                    67:d8:c1:55:91:35:cb:a7:ae:10:51:cd:19:ec:c4:
                    1e:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
            X509v3 Authority Key Identifier:
                keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
            X509v3 Subject Alternative Name:
                DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         2c:bd:2c:24:3a:b6:74:61:8d:f2:57:87:71:47:36:f9:28:32:
         f4:c2:10:3f:35:d2:36:1b:a0:3c:96:9a:98:8a:59:07:00:2f:
         3f:ac:83:fd:f1:00:09:aa:4d:72:26:38:88:c9:5e:a3:2f:df:
         f0:bf:7c:07:39:55:1d:30:dc:87:15:7c:4f:01:9f:5f:74:e0:
         78:09:6a:f0:2e:bf:a9:a8:26:86:01:43:8b:49:a3:bf:77:27:
         a0:ba:77:9a:3d:e6:14:4e:3b:52:e4:35:2f:8b:88:64:4c:ed:
         6d:97:cf:8c:21:9d:a5:1c:80:ff:80:f0:d5:18:d0:0c:1e:35:
         84:60:55:4d:0e:2c:6c:56:d3:36:d4:0c:63:3e:65:c4:3d:b7:
         23:b5:2e:5f:20:5e:43:65:85:2d:87:4c:b6:e9:5d:d3:58:90:
         d6:fb:b4:1e:1d:23:62:f8:9e:63:22:ad:95:ba:e9:9e:f3:88:
         16:f4:f1:da:a2:c1:ef:c4:2f:d3:8d:bb:42:3c:63:8f:20:b9:
         6c:9a:90:65:2e:36:4f:b5:f8:ca:75:e2:69:0f:0e:07:99:8c:
         01:53:ff:cc:a0:a7:95:33:25:b7:e7:78:33:bc:2f:f8:25:3a:
         fe:49:4f:55:06:ac:17:c0:f9:d9:89:2f:bb:c9:8f:10:7b:21:
         7a:59:3f:08
```
```
[root@n3 keys]# cfssl-certinfo -cert kubernetes.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "serial_number": "243750511260095960201836502027625859126538784827",
  "sans": [
    "",
    "",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1"
  ],
  "not_before": "2017-12-23T10:27:00Z",
  "not_after": "2018-12-23T10:27:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "6E:45:FB:5F:1F:73:87:3E:C3:C:54:AB:74:95:2A:FB:44:E0:9B:D8",
  "subject_key_id": "62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEcTCCA1mgAwIBAgIUKrImpH2fsSHYOsDcp3FzPmYT0DswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTIyMzEwMjcwMFoXDTE4MTIyMzEwMjcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9OWY14XEX7WtXMVKqrq\naWdIw/EQgwNNmQmI7LcnEmggK5XTv84/mhzEiDGtz9LZ0Xw5IPVP2emPKOJE0N9p\nKRAV2sMS1U7FJKOIuasKk2sa5QstWhNPjDdS+jNSvaFvT3MAWg50LfD6/wWAnSiV\n4r9kA9ff+d8QhgavZvSX19KCkerP0Yjjn2ujD6kNtHOanFcA8i74UF8oM3qHOo1T\nFglHx+ZD0D6BV5aCQdTyWo9QwBExPC6AGbUydAIewxwCefPz0IalPXvZo9AS05dt\nEX6cTvP+hC3RQxBfp0EVHD/UPV/n+YDspx0/oYexMrFn2MFVkTXLp64QUc0Z7MQe\nGwIDAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRi6lrcE8Rf1ezb\nE3fa4ZAfyUsQFDAfBgNVHSMEGDAWgBRuRftfH3OHPsMMVKt0lSr7ROCb2DCBkwYD\nVR0RBIGLMIGIggCCAIIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZr\ndWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNs\ndXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAA\nATANBgkqhkiG9w0BAQsFAAOCAQEALL0sJDq2dGGN8leHcUc2+Sgy9MIQPzXSNhug\nPJaamIpZBwAvP6yD/fEACapNciY4iMleoy/f8L98BzlVHTDchxV8TwGfX3TgeAlq\n8C6/qagmhgFDi0mjv3cnoLp3mj3mFE47UuQ1L4uIZEztbZfPjCGdpRyA/4Dw1RjQ\nDB41hGBVTQ4sbFbTNtQMYz5lxD23I7UuXyBeQ2WFLYdMtuld01iQ1vu0Hh0jYvie\nYyKtlbrpnvOIFvTx2qLB78Qv0427QjxjjyC5bJqQZS42T7X4ynXiaQ8OB5mMAVP/\nzKCnlTMlt+d4M7wv+CU6/klPVQasF8D52Ykvu8mPEHshelk/CA==\n-----END CERTIFICATE-----\n"
}
```

Steps to generate certificates, with the openssl commands

Step 1: prepare the public and private keys for the server and the client:

```sh
# Generate the server private key
openssl genrsa -out server.key 1024
# Generate the server public key
openssl rsa -in server.key -pubout -out server.pem
# Generate the client private key
openssl genrsa -out client.key 1024
# Generate the client public key
openssl rsa -in client.key -pubout -out client.pem
```

Step 2: generate the CA certificate:

```sh
# Generate the CA private key
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
```

Step 3: generate the server certificate and the client certificate:

```sh
# The server applies to the CA for a signed certificate; before applying it still creates its own CSR file
openssl req -new -key server.key -out server.csr
# Apply to our own CA for the certificate. Signing needs the CA certificate and private key, and produces a certificate carrying the CA's signature
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# Client side
openssl req -new -key client.key -out client.csr
# Client CSR signed by the CA
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
```
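The three steps above run end to end, as an added example that is not from the original post. It assumes openssl 1.1.1 or later on PATH; the file names, DN values and SAN entries are ours. Unlike the interactive commands above it fills the DN with -subj, uses 2048-bit keys, and supplies the SAN extension that step 3 leaves out, then checks that the server certificate chains to the CA and actually carries the SAN.

```sh
#!/bin/sh
# Added example: CA, server CSR, CA-signed server cert with SAN, then verify.
set -eu

# make_and_verify_certs DIR -> prints "ok" when the chain verifies and the SAN
# is present; prints "skipped" when openssl is not installed.
make_and_verify_certs() {
  dir=$1
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  cd "$dir"

  # Step 1: private keys (2048-bit; 1024-bit RSA as in the post is too weak today)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl genrsa -out server.key 2048 2>/dev/null

  # Step 2: self-signed CA. -subj fills the DN fields described above (C/ST/L/O/OU/CN)
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=kubernetes-ca"

  # Step 3: server CSR, then the CA signs it. Browsers match the host name
  # against the SAN, so the SAN goes in through an extension file.
  openssl req -new -key server.key -out server.csr \
      -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=kubernetes"
  cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:kubernetes, DNS:kubernetes.default.svc.cluster.local, IP:127.0.0.1
EOF
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null

  # Checks: the chain verifies against our CA, and the SAN landed in the cert
  openssl verify -CAfile ca.crt server.crt >/dev/null
  openssl x509 -in server.crt -noout -text | grep -q 'DNS:kubernetes'
  echo ok
}

# Run it in a scratch directory: sh this_script.sh run
if [ "${1:-}" = run ]; then
  make_and_verify_certs "$(mktemp -d)"
fi
```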

Reposted from: http://zqmtx.baihongyu.com/
