Certificate generation tools
- 1. openssl
- 2. keytool, bundled with the JDK
- 3. cfssl
Meaning of the fields in a certificate
- View the contents of a certificate:

```sh
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text | egrep -i "issuer|subject|serial|dates"
openssl x509 -noout -text -in kubernetes.pem
cfssl-certinfo -cert kubernetes.pem
```
Meaning of the fields in the Subject of a digital certificate
- The Subject of a typical digital certificate product usually contains the following fields:

Field | Meaning |
---|---|
Common Name | Abbreviation: CN. For an SSL certificate this is usually the website's domain name; for a code-signing certificate it is the applicant organisation's name; for a client certificate it is the applicant's name. |
Organization Name | Abbreviation: O. For an SSL certificate this is usually the website's domain name; for a code-signing certificate it is the applicant organisation's name; for a client organisation certificate it is the name of the organisation the applicant belongs to. |

- Location of the applicant organisation:

Field | Meaning |
---|---|
City (Locality) | Abbreviation: L |
State/Province | Abbreviation: S |
Country | Abbreviation: C. Must be the two-letter country code, e.g. China: CN |

- Other fields:

Field | Meaning |
---|---|
E-mail | Abbreviation: E |
Additional name field(s) | Abbreviation: G |
Description | Description field |
Phone number | Phone field; format: + country code, area code, number, e.g. +86 732 88888888 |
Street address | STREET field |
Postal code | PostalCode field |
Other content to display | Abbreviation: OU (Organizational Unit) |
When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name in the address bar.
==The browser has three ways to find a match:==
- 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
- 2. The host name matches a wildcard Common Name. For example, www.example.com matches the common name *.example.com.
- 3. The host name is listed in the Subject Alternative Name (SAN) field.
The client uses the information returned by the server to verify that the server is legitimate, including:
- whether the certificate has expired;
- whether the CA that issued the server certificate is trusted;
- whether the returned public key correctly verifies the digital signature on the returned certificate;
- whether the domain name in the server certificate matches the server's actual domain name (check the CN or SAN, see above).

If verification passes, communication continues; otherwise it is terminated.
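The three matching rules listed above, and the CN/SAN step of the client-side check, as a small POSIX sh implementation. This is an added example, not code from the original notes: the function names (`name_matches`, `cert_matches`) are hypothetical and the SAN list at the bottom is constructed, modelled on the kubernetes.pem output shown later on this page.

```shell
#!/bin/sh
# Added example, not from the original notes: the three browser matching rules
# as POSIX sh functions. Function names are hypothetical; the sample
# certificate values at the bottom are constructed.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }   # DNS names compare case-insensitively

# name_matches HOST NAME -> 0 if HOST matches NAME (rule 1 or rule 2).
# A wildcard stands for exactly one leftmost label: www.example.com matches
# *.example.com, but example.com, a.b.example.com and www.example.com.evil do not.
# A "partial" wildcard such as *example.com is treated as a literal name.
name_matches() {
    h=$(lower "$1")
    n=$(lower "$2")
    case "$n" in
        '*.'*)
            suffix=${n#'*'}                 # "*.example.com" -> ".example.com"
            prefix=${h%"$suffix"}           # strip the suffix; unchanged if absent
            [ "$prefix" = "$h" ] && return 1        # host does not end in the suffix
            [ -z "$prefix" ] && return 1            # bare "example.com" is not covered
            case "$prefix" in *.*) return 1 ;; esac # more than one label left
            return 0
            ;;
        *)
            [ "$h" = "$n" ]
            ;;
    esac
}

# cert_matches HOST CN "SAN SAN ..." -> 0 if any of the three rules matches.
# SAN entries are written as openssl prints them (DNS:name); other SAN types
# (IP:, email:) are not hostnames and are skipped here.
cert_matches() {
    host=$1
    cn=$2
    sans=$3
    if name_matches "$host" "$cn"; then
        echo "$host: matched Common Name $cn"
        return 0
    fi
    for san in $sans; do
        case "$san" in
            DNS:*) ;;
            *) continue ;;
        esac
        if name_matches "$host" "${san#DNS:}"; then
            echo "$host: matched SAN $san"
            return 0
        fi
    done
    echo "$host: no match (CN=$cn)"
    return 1
}

# Constructed sample, modelled on the kubernetes.pem SAN list shown in the notes.
SANS="DNS:kubernetes DNS:kubernetes.default DNS:kubernetes.default.svc DNS:kubernetes.default.svc.cluster DNS:kubernetes.default.svc.cluster.local IP:127.0.0.1"

cert_matches kubernetes.default.svc kubernetes "$SANS"
cert_matches www.example.com '*.example.com' ""
if ! cert_matches a.b.example.com '*.example.com' ""; then
    echo "  (a wildcard covers a single label only)"
fi
```

Rule 1 and rule 2 are what the notes describe for the Common Name; in practice current browsers (Chrome since version 58, for example) ignore the CN entirely and only consult the SAN list, so a server certificate without a SAN fails even when its CN is correct.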
How HTTPS certificates are generated, and deployment details
One-shot generation of an RSA key and self-signed certificate:

```sh
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt
```

You are prompted for the country, province, city, company, department and name:

```
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to 'docker-registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com
```
Inspecting the certificate format
Pay attention mainly to:
- In Subject: CN (common name)
- In X509v3 extensions: Subject Alternative Name (SAN)
- The X509v3 extensions themselves:

```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
    X509v3 Authority Key Identifier:
        keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
    X509v3 Subject Alternative Name:
        DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster,
```

When you generate a certificate signing request (CSR) with xca (a CA certificate generator for Windows) you will see similar fields, so it is worth understanding what the X509v3 extensions mean.
```
[root@n3 keys]# openssl x509 -noout -text -in kubernetes.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Validity
            Not Before: Dec 23 10:27:00 2017 GMT
            Not After : Dec 23 10:27:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:d3:96:63:5e:17:11:7e:d6:b5:73:15:2a:aa:
                    ea:69:67:48:c3:f1:10:83:03:4d:99:09:88:ec:b7:
                    27:12:68:20:2b:95:d3:bf:ce:3f:9a:1c:c4:88:31:
                    ad:cf:d2:d9:d1:7c:39:20:f5:4f:d9:e9:8f:28:e2:
                    44:d0:df:69:29:10:15:da:c3:12:d5:4e:c5:24:a3:
                    88:b9:ab:0a:93:6b:1a:e5:0b:2d:5a:13:4f:8c:37:
                    52:fa:33:52:bd:a1:6f:4f:73:00:5a:0e:74:2d:f0:
                    fa:ff:05:80:9d:28:95:e2:bf:64:03:d7:df:f9:df:
                    10:86:06:af:66:f4:97:d7:d2:82:91:ea:cf:d1:88:
                    e3:9f:6b:a3:0f:a9:0d:b4:73:9a:9c:57:00:f2:2e:
                    f8:50:5f:28:33:7a:87:3a:8d:53:16:09:47:c7:e6:
                    43:d0:3e:81:57:96:82:41:d4:f2:5a:8f:50:c0:11:
                    31:3c:2e:80:19:b5:32:74:02:1e:c3:1c:02:79:f3:
                    f3:d0:86:a5:3d:7b:d9:a3:d0:12:d3:97:6d:11:7e:
                    9c:4e:f3:fe:84:2d:d1:43:10:5f:a7:41:15:1c:3f:
                    d4:3d:5f:e7:f9:80:ec:a7:1d:3f:a1:87:b1:32:b1:
                    67:d8:c1:55:91:35:cb:a7:ae:10:51:cd:19:ec:c4:
                    1e:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
            X509v3 Authority Key Identifier:
                keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
            X509v3 Subject Alternative Name:
                DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         2c:bd:2c:24:3a:b6:74:61:8d:f2:57:87:71:47:36:f9:28:32:
         f4:c2:10:3f:35:d2:36:1b:a0:3c:96:9a:98:8a:59:07:00:2f:
         3f:ac:83:fd:f1:00:09:aa:4d:72:26:38:88:c9:5e:a3:2f:df:
         f0:bf:7c:07:39:55:1d:30:dc:87:15:7c:4f:01:9f:5f:74:e0:
         78:09:6a:f0:2e:bf:a9:a8:26:86:01:43:8b:49:a3:bf:77:27:
         a0:ba:77:9a:3d:e6:14:4e:3b:52:e4:35:2f:8b:88:64:4c:ed:
         6d:97:cf:8c:21:9d:a5:1c:80:ff:80:f0:d5:18:d0:0c:1e:35:
         84:60:55:4d:0e:2c:6c:56:d3:36:d4:0c:63:3e:65:c4:3d:b7:
         23:b5:2e:5f:20:5e:43:65:85:2d:87:4c:b6:e9:5d:d3:58:90:
         d6:fb:b4:1e:1d:23:62:f8:9e:63:22:ad:95:ba:e9:9e:f3:88:
         16:f4:f1:da:a2:c1:ef:c4:2f:d3:8d:bb:42:3c:63:8f:20:b9:
         6c:9a:90:65:2e:36:4f:b5:f8:ca:75:e2:69:0f:0e:07:99:8c:
         01:53:ff:cc:a0:a7:95:33:25:b7:e7:78:33:bc:2f:f8:25:3a:
         fe:49:4f:55:06:ac:17:c0:f9:d9:89:2f:bb:c9:8f:10:7b:21:
         7a:59:3f:08
```

```
[root@n3 keys]# cfssl-certinfo -cert kubernetes.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "serial_number": "243750511260095960201836502027625859126538784827",
  "sans": [
    "",
    "",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1"
  ],
  "not_before": "2017-12-23T10:27:00Z",
  "not_after": "2018-12-23T10:27:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "6E:45:FB:5F:1F:73:87:3E:C3:C:54:AB:74:95:2A:FB:44:E0:9B:D8",
  "subject_key_id": "62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEcTCCA1mgAwIBAgIUKrImpH2fsSHYOsDcp3FzPmYT0DswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTIyMzEwMjcwMFoXDTE4MTIyMzEwMjcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9OWY14XEX7WtXMVKqrq\naWdIw/EQgwNNmQmI7LcnEmggK5XTv84/mhzEiDGtz9LZ0Xw5IPVP2emPKOJE0N9p\nKRAV2sMS1U7FJKOIuasKk2sa5QstWhNPjDdS+jNSvaFvT3MAWg50LfD6/wWAnSiV\n4r9kA9ff+d8QhgavZvSX19KCkerP0Yjjn2ujD6kNtHOanFcA8i74UF8oM3qHOo1T\nFglHx+ZD0D6BV5aCQdTyWo9QwBExPC6AGbUydAIewxwCefPz0IalPXvZo9AS05dt\nEX6cTvP+hC3RQxBfp0EVHD/UPV/n+YDspx0/oYexMrFn2MFVkTXLp64QUc0Z7MQe\nGwIDAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRi6lrcE8Rf1ezb\nE3fa4ZAfyUsQFDAfBgNVHSMEGDAWgBRuRftfH3OHPsMMVKt0lSr7ROCb2DCBkwYD\nVR0RBIGLMIGIggCCAIIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZr\ndWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNs\ndXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAA\nATANBgkqhkiG9w0BAQsFAAOCAQEALL0sJDq2dGGN8leHcUc2+Sgy9MIQPzXSNhug\nPJaamIpZBwAvP6yD/fEACapNciY4iMleoy/f8L98BzlVHTDchxV8TwGfX3TgeAlq\n8C6/qagmhgFDi0mjv3cnoLp3mj3mFE47UuQ1L4uIZEztbZfPjCGdpRyA/4Dw1RjQ\nDB41hGBVTQ4sbFbTNtQMYz5lxD23I7UuXyBeQ2WFLYdMtuld01iQ1vu0Hh0jYvie\nYyKtlbrpnvOIFvTx2qLB78Qv0427QjxjjyC5bJqQZS42T7X4ynXiaQ8OB5mMAVP/\nzKCnlTMlt+d4M7wv+CU6/klPVQasF8D52Ykvu8mPEHshelk/CA==\n-----END CERTIFICATE-----\n"
}
```
Steps to generate certificates, and the openssl commands
Step 1: prepare public and private keys for the server and the client:

```sh
# Generate the server private key (1024-bit RSA as in these notes; 2048 bits is the usual minimum today)
openssl genrsa -out server.key 1024
# Generate the server public key
openssl rsa -in server.key -pubout -out server.pem
# Generate the client private key
openssl genrsa -out client.key 1024
# Generate the client public key
openssl rsa -in client.key -pubout -out client.pem
```

Step 2: generate the CA certificate:

```sh
# Generate the CA private key
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
# Without -days the certificate is valid for 30 days (the openssl x509 default), and without
# -extfile it carries no X509v3 extensions (no CA:TRUE basic constraint).
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
```

Step 3: generate the server certificate and the client certificate:

```sh
# The server needs to apply to the CA for a signed certificate; before applying it still creates its own CSR
openssl req -new -key server.key -out server.csr
# Apply to our own CA for the certificate; signing needs the CA certificate and private key, and yields a certificate carrying the CA's signature
# (again: no -days means 30 days, and no -extfile means no SAN on the server certificate)
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# Client side
openssl req -new -key client.key -out client.csr
# Client side: have the CA sign it
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
```
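The three steps above run end to end as one script, with the two things the bare commands leave out: an extension file that marks the CA certificate as `CA:TRUE` and one that gives the server certificate a Subject Alternative Name, followed by the client-side checks from earlier on this page (chain, expiry, key/certificate match, SAN list) done with openssl. This is an added example and not code from the original notes: the file names, the `-subj` values (they reuse the C/ST/L/O/OU fields from the table above), the hostnames `www.example.com` / `example.com` and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a small CA and a CA-signed
# server certificate with openssl, then runs the checks a client performs.
# Subject values, hostnames and file names are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}     # scratch directory (hypothetical location)
cd "$WORK"

# Step 1: private keys. 2048-bit RSA rather than the 1024 used in the notes.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl genrsa -out server.key 2048 2>/dev/null

# Step 2: self-signed CA. -subj fills the DN fields from the table in one go;
# ca.ext adds the basic constraint that makes this certificate usable as a CA.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -new -key ca.key \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=example-ca" -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null

# Step 3: server CSR, signed by the CA. server.ext carries the extensions seen in
# the kubernetes.pem dump above, including a SAN for every name clients will use.
cat > server.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:www.example.com, DNS:example.com, IP:127.0.0.1
EOF
openssl req -new -key server.key \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=k8s/OU=System/CN=www.example.com" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.crt 2>/dev/null

# The client-side checks from the notes, as shell functions.

# chain_ok CERT CA -> 0 if CERT's signature verifies against the CA (issuer trusted).
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# not_expiring CERT SECONDS -> 0 if CERT is still valid SECONDS from now.
not_expiring() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# key_matches CERT KEY -> 0 if CERT carries the public half of KEY.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# san_list CERT -> the SAN entries, one per line, ready for the hostname check.
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n '2,$p' | tr ',' '\n' | sed 's/^ *//'
}

chain_ok server.crt ca.crt && echo "chain OK (signed by ca.crt)"
not_expiring server.crt 86400 && echo "not expiring within 24h"
key_matches server.crt server.key && echo "certificate matches server.key"
echo "SAN entries:"
san_list server.crt
```

`openssl x509 -req` reads the whole `-extfile` as the extension section when no `-extensions` name is given, which is why the two `.ext` files have no section header. The `san_list` output is in the `DNS:name` form that the hostname-matching functions earlier on this page accept.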