[svc] The meaning of each certificate field

Certificate generation tools

  • 1. openssl
  • 2. keytool, bundled with the JDK
  • 3. cfssl

Meaning of each field in a certificate

- View the contents of a certificate
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
openssl x509  -noout -text -in  kubernetes.pem
cfssl-certinfo -cert kubernetes.pem

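Meaning of the fields in a digital certificate's Subject

  • The subject of a typical digital certificate product usually contains the following fields:
Field name | Field value
Common Name | Abbreviation: CN field. For an SSL certificate this is usually the website's domain name; for a code-signing certificate it is the name of the applying organization; for a client certificate it is the certificate applicant's name.
Organization Name | Abbreviation: O field. For an SSL certificate this is usually the website's domain name; for a code-signing certificate it is the name of the applying organization; for a client organization certificate it is the name of the organization the applicant belongs to.
  • Location of the organization applying for the certificate
Field name | Field value
City (Locality) | Abbreviation: L field
Province (State/Province) | Abbreviation: S field
Country | Abbreviation: C field; must be the letter abbreviation of the country, e.g. CN for China
  • Some other fields
Field name | Field value
Email | Abbreviation: E field
Multiple name fields | Abbreviation: G field
Description | Description field
Phone number | Phone field; required format: + country code, city area code, phone number, e.g. +86 732 88888888
Address | STREET field
Postal code | PostalCode field
Other displayed content | Abbreviation: OU field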

How browsers validate a certificate

When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name in the address bar.

There are three ways a browser can find a match:

  • 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.

  • 2. The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.

  • 3. The host name is listed in the Subject Alternative Name (SAN) field.

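Reference

The client uses the information returned by the server to verify that the server is legitimate, including:

    Whether the certificate has expired
    Whether the CA that issued the server certificate is trusted
    Whether the returned public key can correctly verify (decrypt) the digital signature in the returned certificate
    Whether the domain name on the server certificate matches the server's actual domain name  -- check the CN or the SAN, see above
    If verification passes, communication continues; otherwise it is terminated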
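The host-name and expiry checks described in the two passages above, as an added example that is not part of the original post: it applies the matching rules to the `sans`, `common_name` and validity values of the kubernetes.pem certificate dumped further down this page. The function names and the refusal of bare `*.tld` patterns are assumptions of this sketch; CA trust and signature verification are left out.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed input: subject, sans and validity copied from the cfssl-certinfo
# output for kubernetes.pem shown on this page (note the two empty SAN entries).
CERT = {
    "subject": {"common_name": "kubernetes"},
    "sans": ["", "", "kubernetes", "kubernetes.default", "kubernetes.default.svc",
             "kubernetes.default.svc.cluster",
             "kubernetes.default.svc.cluster.local", "127.0.0.1"],
    "not_before": "2017-12-23T10:27:00Z",
    "not_after": "2018-12-23T10:27:00Z",
}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """Exact match, or '*' as the entire leftmost label standing for one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if not pattern or not h[0] or len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:   # assumption: refuse bare '*.tld' patterns
        return p[1:] == h[1:]
    return p == h

def host_matches(cert, host):
    """DNS SANs win; CN is only a fallback when the cert lists no DNS SAN
    (RFC 2818 behaviour; Chrome 58+ and Go 1.15+ skip the CN fallback entirely)."""
    sans = [s for s in cert.get("sans", []) if s]        # ignore empty entries
    if is_ip(host):                                      # IPs: exact match only
        want = ipaddress.ip_address(host)
        return any(is_ip(s) and ipaddress.ip_address(s) == want for s in sans)
    names = [s for s in sans if not is_ip(s)] or [cert["subject"]["common_name"]]
    return any(name_matches(n, host) for n in names)

def validate(cert, host, now):
    """Return the failed checks; an empty list means expiry and name both passed."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(cert["not_before"], fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(cert["not_after"], fmt).replace(tzinfo=timezone.utc)
    failures = [] if start <= now <= end else ["expired or not yet valid"]
    if not host_matches(cert, host):
        failures.append("host name mismatch")
    return failures
```

A wildcard covers exactly one label, so `*.example.com` matches `www.example.com` but neither `example.com` nor `a.b.example.com`.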

HTTPS certificate generation principles and deployment details

One-step generation with RSA:
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt

Country, province, city, company, department, name
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to 'docker-registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN


State or Province Name (full name) []:Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com

Viewing the certificate format

Pay attention mainly to:

- In Subject: CN (common name)
- In X509v3 extensions: Subject Alternative Name (SAN)

- X509v3 extensions
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier: 
        62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
    X509v3 Authority Key Identifier: 
        keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8

    X509v3 Subject Alternative Name: 
        DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, 

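When you generate a certificate signing request (CSR) with xca (a CA certificate generator for Windows), similar fields appear, so it is worth understanding what the X509v3 extensions mean.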
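One way to read that extension block programmatically, as an added example that is not from the original post: it parses the `X509v3 extensions` section of `openssl x509 -text` output and lists findings for a TLS server leaf certificate. The sample is the block above with the SAN line abridged; the function names and the set of checks are assumptions of this sketch.

```python
import re

# Constructed input: the extension block of this page's kubernetes.pem dump,
# with the SAN line abridged.
DUMP = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, IP Address:127.0.0.1
"""

def parse_extensions(text):
    """Map extension name -> (critical flag, list of values)."""
    exts, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if header:
            if header.group(1) != "extensions":      # skip the block title
                current = header.group(1)
                exts[current] = (header.group(2) is not None, [])
        elif current and line.strip():
            exts[current][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts

def audit_server_leaf(exts):
    """Findings for a TLS server (leaf) certificate; an empty list means none."""
    def values(name):
        return exts.get(name, (False, []))[1]
    findings = []
    if "CA:FALSE" not in values("Basic Constraints"):
        findings.append("not constrained to CA:FALSE")   # a leaf should say so explicitly
    eku = values("Extended Key Usage")
    if eku and "TLS Web Server Authentication" not in eku:
        findings.append("EKU excludes server authentication")
    sans = values("Subject Alternative Name")
    if not sans:
        findings.append("no Subject Alternative Name")
    empty = [s for s in sans if s.endswith(":")]         # e.g. 'DNS:' with no name
    if empty:
        findings.append(f"{len(empty)} empty SAN entries")
    return findings
```

Run against the sample, the only finding is the pair of empty `DNS:` entries that also show up as `""` in the cfssl-certinfo `sans` list.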

[root@n3 keys]# openssl x509  -noout -text -in  kubernetes.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Validity
            Not Before: Dec 23 10:27:00 2017 GMT
            Not After : Dec 23 10:27:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:d3:96:63:5e:17:11:7e:d6:b5:73:15:2a:aa:
                    ea:69:67:48:c3:f1:10:83:03:4d:99:09:88:ec:b7:
                    27:12:68:20:2b:95:d3:bf:ce:3f:9a:1c:c4:88:31:
                    ad:cf:d2:d9:d1:7c:39:20:f5:4f:d9:e9:8f:28:e2:
                    44:d0:df:69:29:10:15:da:c3:12:d5:4e:c5:24:a3:
                    88:b9:ab:0a:93:6b:1a:e5:0b:2d:5a:13:4f:8c:37:
                    52:fa:33:52:bd:a1:6f:4f:73:00:5a:0e:74:2d:f0:
                    fa:ff:05:80:9d:28:95:e2:bf:64:03:d7:df:f9:df:
                    10:86:06:af:66:f4:97:d7:d2:82:91:ea:cf:d1:88:
                    e3:9f:6b:a3:0f:a9:0d:b4:73:9a:9c:57:00:f2:2e:
                    f8:50:5f:28:33:7a:87:3a:8d:53:16:09:47:c7:e6:
                    43:d0:3e:81:57:96:82:41:d4:f2:5a:8f:50:c0:11:
                    31:3c:2e:80:19:b5:32:74:02:1e:c3:1c:02:79:f3:
                    f3:d0:86:a5:3d:7b:d9:a3:d0:12:d3:97:6d:11:7e:
                    9c:4e:f3:fe:84:2d:d1:43:10:5f:a7:41:15:1c:3f:
                    d4:3d:5f:e7:f9:80:ec:a7:1d:3f:a1:87:b1:32:b1:
                    67:d8:c1:55:91:35:cb:a7:ae:10:51:cd:19:ec:c4:
                    1e:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
            X509v3 Authority Key Identifier: 
                keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8

            X509v3 Subject Alternative Name: 
                DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         2c:bd:2c:24:3a:b6:74:61:8d:f2:57:87:71:47:36:f9:28:32:
         f4:c2:10:3f:35:d2:36:1b:a0:3c:96:9a:98:8a:59:07:00:2f:
         3f:ac:83:fd:f1:00:09:aa:4d:72:26:38:88:c9:5e:a3:2f:df:
         f0:bf:7c:07:39:55:1d:30:dc:87:15:7c:4f:01:9f:5f:74:e0:
         78:09:6a:f0:2e:bf:a9:a8:26:86:01:43:8b:49:a3:bf:77:27:
         a0:ba:77:9a:3d:e6:14:4e:3b:52:e4:35:2f:8b:88:64:4c:ed:
         6d:97:cf:8c:21:9d:a5:1c:80:ff:80:f0:d5:18:d0:0c:1e:35:
         84:60:55:4d:0e:2c:6c:56:d3:36:d4:0c:63:3e:65:c4:3d:b7:
         23:b5:2e:5f:20:5e:43:65:85:2d:87:4c:b6:e9:5d:d3:58:90:
         d6:fb:b4:1e:1d:23:62:f8:9e:63:22:ad:95:ba:e9:9e:f3:88:
         16:f4:f1:da:a2:c1:ef:c4:2f:d3:8d:bb:42:3c:63:8f:20:b9:
         6c:9a:90:65:2e:36:4f:b5:f8:ca:75:e2:69:0f:0e:07:99:8c:
         01:53:ff:cc:a0:a7:95:33:25:b7:e7:78:33:bc:2f:f8:25:3a:
         fe:49:4f:55:06:ac:17:c0:f9:d9:89:2f:bb:c9:8f:10:7b:21:
         7a:59:3f:08

[root@n3 keys]# cfssl-certinfo -cert kubernetes.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "serial_number": "243750511260095960201836502027625859126538784827",
  "sans": [
    "",
    "",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1"
  ],
  "not_before": "2017-12-23T10:27:00Z",
  "not_after": "2018-12-23T10:27:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "6E:45:FB:5F:1F:73:87:3E:C3:C:54:AB:74:95:2A:FB:44:E0:9B:D8",
  "subject_key_id": "62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEcTCCA1mgAwIBAgIUKrImpH2fsSHYOsDcp3FzPmYT0DswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTIyMzEwMjcwMFoXDTE4MTIyMzEwMjcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9OWY14XEX7WtXMVKqrq\naWdIw/EQgwNNmQmI7LcnEmggK5XTv84/mhzEiDGtz9LZ0Xw5IPVP2emPKOJE0N9p\nKRAV2sMS1U7FJKOIuasKk2sa5QstWhNPjDdS+jNSvaFvT3MAWg50LfD6/wWAnSiV\n4r9kA9ff+d8QhgavZvSX19KCkerP0Yjjn2ujD6kNtHOanFcA8i74UF8oM3qHOo1T\nFglHx+ZD0D6BV5aCQdTyWo9QwBExPC6AGbUydAIewxwCefPz0IalPXvZo9AS05dt\nEX6cTvP+hC3RQxBfp0EVHD/UPV/n+YDspx0/oYexMrFn2MFVkTXLp64QUc0Z7MQe\nGwIDAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRi6lrcE8Rf1ezb\nE3fa4ZAfyUsQFDAfBgNVHSMEGDAWgBRuRftfH3OHPsMMVKt0lSr7ROCb2DCBkwYD\nVR0RBIGLMIGIggCCAIIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZr\ndWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNs\ndXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAA\nATANBgkqhkiG9w0BAQsFAAOCAQEALL0sJDq2dGGN8leHcUc2+Sgy9MIQPzXSNhug\nPJaamIpZBwAvP6yD/fEACapNciY4iMleoy/f8L98BzlVHTDchxV8TwGfX3TgeAlq\n8C6/qagmhgFDi0mjv3cnoLp3mj3mFE47UuQ1L4uIZEztbZfPjCGdpRyA/4Dw1RjQ\nDB41hGBVTQ4sbFbTNtQMYz5lxD23I7UuXyBeQ2WFLYdMtuld01iQ1vu0Hh0jYvie\nYyKtlbrpnvOIFvTx2qLB78Qv0427QjxjjyC5bJqQZS42T7X4ynXiaQ8OB5mMAVP/\nzKCnlTMlt+d4M7wv+CU6/klPVQasF8D52Ykvu8mPEHshelk/CA==\n-----END CERTIFICATE-----\n"
}

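Steps for generating certificates and the openssl commands

Step 1: prepare public and private keys for the server and the client:

# Use 2048 bits or more: 1024-bit RSA is no longer considered secure
# Generate the server's private key
openssl genrsa -out server.key 2048
# Derive the server's public key
openssl rsa -in server.key -pubout -out server.pem
# Generate the client's private key
openssl genrsa -out client.key 2048
# Derive the client's public key
openssl rsa -in client.key -pubout -out client.pem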

Step 2: generate the CA certificate:

# Generate the CA's private key
openssl genrsa -out ca.key 2048
# Create the CA's certificate signing request (CSR)
openssl req -new -key ca.key -out ca.csr
# Self-sign the CSR with the CA's own key to produce the CA certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

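Step 3: generate the server certificate and the client certificate:

# The server has to request a signed certificate from the CA; before doing so it still creates its own CSR file
openssl req -new -key server.key -out server.csr
# Request the certificate from your own CA: signing requires the CA's certificate and private key, and the result is a certificate carrying the CA's signature
# (without -days, openssl x509 issues a certificate valid for 30 days)
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

# Client side
openssl req -new -key client.key -out client.csr
# Have the CA sign the client's CSR
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt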
posted @ 2017-12-22 14:00  _毛台