公私钥、CA证书生成

公私钥、证书生成

本文以Linux系统为例模拟CA生成http服务器的认证证书

http服务器操作

1.生成私钥

使用OpenSSL工具生成服务器私钥key文件

[nginx@nginx-node01 ~]$ openssl genrsa 1024 >> $HOSTNAME.key  
Generating RSA private key, 1024 bit long modulus
.................++++++
...........................++++++
e is 65537 (0x10001)
[nginx@nginx-node01 ~]$ ls
nginx-node01.key

2.生成证书预签csr文件

[nginx@nginx-node01 ~]$ openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:www.kov.com
Email Address []:sys@kov.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@nginx-node01 ~]$ ls
nginx-node01.csr  nginx-node01.key

CA服务器操作

1.创建所需要的文件

touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号  

2.生成CA私钥

[root@ca ~]# hostname
ca
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

3. CA生成自签证书

[root@ca private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:xx.kov.com
Email Address []:xx@kov.com

4.CA签署证书

将http服务器证书预签csr文件发给CA,由CA对服务器的预签文件csr进行签署,最后得到最终证书文件crt。(默认国家,省,公司名称三项必须和CA一致)

[root@ca private]# openssl ca -in /root/nginx-node01.csr -out /etc/pki/CA/certs/nginx-node01.crt -days 365    
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 13 15:31:40 2020 GMT
            Not After : Jul 13 15:31:40 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = kov
            organizationalUnitName    = Dev
            commonName                = www.kov.com
            emailAddress              = sys@kov.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DB:3C:4E:6D:0E:BD:5A:78:2D:F2:86:62:CD:B3:03:45:F1:AB:F3
            X509v3 Authority Key Identifier: 
                keyid:DF:B4:69:95:C5:71:44:EE:0B:9C:2E:CB:1C:CD:37:E3:0E:FD:AC:E8

Certificate is to be certified until Jul 13 15:31:40 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5.验证私钥、证书是否匹配

验证ca签署的http服务器证书文件nginx-node01.crt和http服务器私钥nginx-node01.key是否匹配

openssl rsa  -noout -modulus -in nginx-node01.key |openssl md5
openssl x509 -noout -modulus -in nginx-node01.crt |openssl md5

配置Nginx验证https

参考《Nginx配置4 Https配置》

补充

CA签署指定域名证书

生成证书签署扩展文件

[root@ca CA]# cat kov.ext 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName

[ SubjectAlternativeName ]
DNS.1=kov.com
DNS.2=www.kov.com

重新签署证书

[root@ca ~]# openssl x509 -req -in /root/nginx-node01.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out nginx-node01.crt -days 3650 -sha256 -extfile  kov.ext
posted @ 2020-07-14 23:18  ElfCafe  阅读(896)  评论(0编辑  收藏  举报