openssl req (generating certificate requests and building your own CA)
The req pseudo-command has roughly three functions: generating a certificate signing request (CSR) file, verifying a CSR file, and creating a root CA. Because openssl req has a large number of options, this article first gives a few examples of each use and then collects the option descriptions in one place. If you are already familiar with openssl req and with certificate requests, skip straight to the option summary at the end; if not, read through from the beginning.
First, what does generating a certificate request require? The applicant puts their own information and their public key into the request. In practice, what you supply is the private key rather than the public key, because the public key is extracted from the private key automatically. The supplied data is also digitally signed (a one-way hash, signed with the private key) to guarantee the integrity and consistency of the request file and prevent it from being altered after it has been stolen. If, for example, an attacker could change the company name in the request filed for www.baidu.com to his own company's name, the certificate issued when that request is signed would carry the attacker's information instead.
So the first step is to create the private key pri_key.pem. Strictly speaking a private key file is not required, because openssl req creates one at a specific path whenever it needs one; it is created explicitly here for the sake of the example.
[root@docker-03 ~]# openssl genrsa -out pri_key.pem
Generating RSA private key, 2048 bit long modulus
...............+++
...................................................................+++
e is 65537 (0x10001)
(1). Generate a new certificate request from the private key pri_key.pem. Here "-new" means generate a new certificate request, "-key" names the private key file, and "-out" names the output file, which in this case is the certificate request file.
[root@docker-03 ~]# openssl req -new -key pri_key.pem -out req1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:TY
Organization Name (eg, company) [Default Company Ltd]:ZDC
Organizational Unit Name (eg, section) []:ZDC
Common Name (eg, your name or your server's hostname) []:www.ljj.com
Email Address []:

Please enter the following 'extra' attributes       # the two items below can almost always be left blank
to be sent with your certificate request
A challenge password []:
An optional company name []:
After you press Enter, openssl req drops into an interactive mode that asks for your personal information. Note that if you do not want to fill in an item you can either accept the default or leave it blank: pressing Enter directly accepts the default value, and entering a dot "." leaves the item blank. Some items are mandatory, however, and the certificate will fail to be signed later if they are missing. "Common Name" is one of them: it says which domain, subdomain or host the certificate is requested for, and once the request is signed the certificate will only be valid for the address given in "Common Name". Exactly which items are mandatory is defined by the configuration file in use (the default is /etc/pki/tls/openssl.cnf); configuration is not discussed here, so for now just supply the Common Name.
Besides "-new", the "-newkey" option can also create a certificate request file; its usage is not shown here, but there is an example later.
(2). View the contents of the certificate request file.
A new certificate request file req1.csr has now been generated. Take a look at its contents.
[root@docker-03 ~]# cat req1.csr
-----BEGIN CERTIFICATE REQUEST-----              # contents of the certificate request
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQH
DAJUWTEMMAoGA1UECgwDWkRDMQwwCgYDVQQLDANaREMxFDASBgNVBAMMC3d3dy5s
amouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+
LbbyldlrQsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp1
92JpOJQmf3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2
/W51jAMTcN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTt
V3m5GMLNOnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0L
rWqRSPI+ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GF
vJyeS5TcZwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADoURaL81mOYG4L02Cu4
q1Y5C2YOHXDZMVSDaLT3RbEHHHrPYvbWSrlF4MrySsV2XjIM3thYx0MaXfhfjB/e
n13a5AvCxceydvcGUjO3Qtn5xKvkWLPXl9E3oR1NEjsr6iRqLKooQvnJdntaURs0
9X27hmSpp8arCsShz00Ih4F5zat8LwuEKQaBQd+sVGRDNraBGxxZjLoNO1LLUYmd
esrU0Ub3DI2qzVDZRb5aOSRcdr4LE34qFcLFlucUY55qCSINIJXs1daeBsyiMXb1
icp1WDhavJ41z7IW0gfOLWhJVhkSskRNB4eNXUCGQ/TGv8L3+XXucvbtgYDzA5ds
fPs=
-----END CERTIFICATE REQUEST-----
More detail is available from openssl req itself. The command is as follows, where "-in" names the certificate request file.
[root@docker-03 ~]# openssl req -in req1.csr
-----BEGIN CERTIFICATE REQUEST-----              # contents of the certificate request
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQH
DAJUWTEMMAoGA1UECgwDWkRDMQwwCgYDVQQLDANaREMxFDASBgNVBAMMC3d3dy5s
amouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+
LbbyldlrQsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp1
92JpOJQmf3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2
/W51jAMTcN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTt
V3m5GMLNOnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0L
rWqRSPI+ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GF
vJyeS5TcZwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADoURaL81mOYG4L02Cu4
q1Y5C2YOHXDZMVSDaLT3RbEHHHrPYvbWSrlF4MrySsV2XjIM3thYx0MaXfhfjB/e
n13a5AvCxceydvcGUjO3Qtn5xKvkWLPXl9E3oR1NEjsr6iRqLKooQvnJdntaURs0
9X27hmSpp8arCsShz00Ih4F5zat8LwuEKQaBQd+sVGRDNraBGxxZjLoNO1LLUYmd
esrU0Ub3DI2qzVDZRb5aOSRcdr4LE34qFcLFlucUY55qCSINIJXs1daeBsyiMXb1
icp1WDhavJ41z7IW0gfOLWhJVhkSskRNB4eNXUCGQ/TGv8L3+XXucvbtgYDzA5ds
fPs=
-----END CERTIFICATE REQUEST-----
When viewing a request file, a few other options control exactly what is printed. "-text" prints the contents of the request in text form.
[root@docker-03 ~]# openssl req -in req1.csr -text
Certificate Request:                                            # this is the header part of the request file
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=SX, L=TY, O=ZDC, OU=ZDC, CN=www.ljj.com # the information you supplied; note the label "Subject" on the left, a very important item
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption                 # the public-key algorithm used
                Public-Key: (2048 bit)                          # length of the public key
                Modulus:
                    00:ac:64:4f:8c:7f:5b:9a:e3:be:2d:b6:f2:95:d9:
                    6b:42:ca:ec:4b:23:d1:bd:6e:f1:6f:e6:05:1c:74:
                    39:da:15:e1:3c:e6:5c:26:37:2c:e0:99:0a:e1:7c:
                    b0:9a:58:79:6a:98:a8:78:0e:6f:46:1a:75:f7:62:
                    69:38:94:26:7f:7a:d5:d2:44:dc:d5:d0:85:e4:75:
                    b2:62:88:ec:09:7a:d3:32:7a:46:31:b3:4b:96:7c:
                    9f:d2:55:b8:ea:0e:20:4c:f1:88:1b:22:a6:44:bb:
                    36:fd:6e:75:8c:03:13:70:de:56:b3:c6:c3:ea:5c:
                    c2:3b:60:54:dc:a4:ee:90:9e:df:af:eb:93:b4:a5:
                    71:99:bb:83:39:86:0d:ee:52:3e:de:3b:05:e2:48:
                    61:79:e4:ed:57:79:b9:18:c2:cd:3a:72:eb:c9:db:
                    2a:75:47:25:20:60:99:b3:cd:70:3c:63:7f:0e:b2:
                    d1:e9:cb:45:93:0a:0d:95:ef:59:39:d5:d2:e7:d2:
                    8d:63:9f:26:dd:ad:0b:ad:6a:91:48:f2:3e:bb:1d:
                    d6:15:04:a2:27:48:12:67:88:d0:cf:dd:cf:07:db:
                    0c:15:95:e4:6c:e9:28:f9:86:67:39:21:db:7a:23:
                    ce:69:84:fe:67:e5:84:2f:a1:85:bc:9c:9e:4b:94:
                    dc:67
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption                # the algorithm used to digitally sign the request file
         3a:14:45:a2:fc:d6:63:98:1b:82:f4:d8:2b:b8:ab:56:39:0b:
         66:0e:1d:70:d9:31:54:83:68:b4:f7:45:b1:07:1c:7a:cf:62:
         f6:d6:4a:b9:45:e0:ca:f2:4a:c5:76:5e:32:0c:de:d8:58:c7:
         43:1a:5d:f8:5f:8c:1f:de:9f:5d:da:e4:0b:c2:c5:c7:b2:76:
         f7:06:52:33:b7:42:d9:f9:c4:ab:e4:58:b3:d7:97:d1:37:a1:
         1d:4d:12:3b:2b:ea:24:6a:2c:aa:28:42:f9:c9:76:7b:5a:51:
         1b:34:f5:7d:bb:86:64:a9:a7:c6:ab:0a:c4:a1:cf:4d:08:87:
         81:79:cd:ab:7c:2f:0b:84:29:06:81:41:df:ac:54:64:43:36:
         b6:81:1b:1c:59:8c:ba:0d:3b:52:cb:51:89:9d:7a:ca:d4:d1:
         46:f7:0c:8d:aa:cd:50:d9:45:be:5a:39:24:5c:76:be:0b:13:
         7e:2a:15:c2:c5:96:e7:14:63:9e:6a:09:22:0d:20:95:ec:d5:
         d6:9e:06:cc:a2:31:76:f5:89:ca:75:58:38:5a:bc:9e:35:cf:
         b2:16:d2:07:ce:2d:68:49:56:19:12:b2:44:4d:07:87:8d:5d:
         40:86:43:f4:c6:bf:c2:f7:f9:75:ee:72:f6:ed:81:80:f3:03:
         97:6c:7c:fb
-----BEGIN CERTIFICATE REQUEST-----
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQH
DAJUWTEMMAoGA1UECgwDWkRDMQwwCgYDVQQLDANaREMxFDASBgNVBAMMC3d3dy5s
amouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+
LbbyldlrQsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp1
92JpOJQmf3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2
/W51jAMTcN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTt
V3m5GMLNOnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0L
rWqRSPI+ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GF
vJyeS5TcZwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADoURaL81mOYG4L02Cu4
q1Y5C2YOHXDZMVSDaLT3RbEHHHrPYvbWSrlF4MrySsV2XjIM3thYx0MaXfhfjB/e
n13a5AvCxceydvcGUjO3Qtn5xKvkWLPXl9E3oR1NEjsr6iRqLKooQvnJdntaURs0
9X27hmSpp8arCsShz00Ih4F5zat8LwuEKQaBQd+sVGRDNraBGxxZjLoNO1LLUYmd
esrU0Ub3DI2qzVDZRb5aOSRcdr4LE34qFcLFlucUY55qCSINIJXs1daeBsyiMXb1
icp1WDhavJ41z7IW0gfOLWhJVhkSskRNB4eNXUCGQ/TGv8L3+XXucvbtgYDzA5ds
fPs=
-----END CERTIFICATE REQUEST-----
Combining "-text" with "-noout" prints only the header part of the certificate request.
[root@docker-03 ~]# openssl req -in req1.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=SX, L=TY, O=ZDC, OU=ZDC, CN=www.ljj.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:64:4f:8c:7f:5b:9a:e3:be:2d:b6:f2:95:d9:
                    6b:42:ca:ec:4b:23:d1:bd:6e:f1:6f:e6:05:1c:74:
                    39:da:15:e1:3c:e6:5c:26:37:2c:e0:99:0a:e1:7c:
                    b0:9a:58:79:6a:98:a8:78:0e:6f:46:1a:75:f7:62:
                    69:38:94:26:7f:7a:d5:d2:44:dc:d5:d0:85:e4:75:
                    b2:62:88:ec:09:7a:d3:32:7a:46:31:b3:4b:96:7c:
                    9f:d2:55:b8:ea:0e:20:4c:f1:88:1b:22:a6:44:bb:
                    36:fd:6e:75:8c:03:13:70:de:56:b3:c6:c3:ea:5c:
                    c2:3b:60:54:dc:a4:ee:90:9e:df:af:eb:93:b4:a5:
                    71:99:bb:83:39:86:0d:ee:52:3e:de:3b:05:e2:48:
                    61:79:e4:ed:57:79:b9:18:c2:cd:3a:72:eb:c9:db:
                    2a:75:47:25:20:60:99:b3:cd:70:3c:63:7f:0e:b2:
                    d1:e9:cb:45:93:0a:0d:95:ef:59:39:d5:d2:e7:d2:
                    8d:63:9f:26:dd:ad:0b:ad:6a:91:48:f2:3e:bb:1d:
                    d6:15:04:a2:27:48:12:67:88:d0:cf:dd:cf:07:db:
                    0c:15:95:e4:6c:e9:28:f9:86:67:39:21:db:7a:23:
                    ce:69:84:fe:67:e5:84:2f:a1:85:bc:9c:9e:4b:94:
                    dc:67
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption                # the algorithm used to digitally sign the request file
         3a:14:45:a2:fc:d6:63:98:1b:82:f4:d8:2b:b8:ab:56:39:0b:
         66:0e:1d:70:d9:31:54:83:68:b4:f7:45:b1:07:1c:7a:cf:62:
         f6:d6:4a:b9:45:e0:ca:f2:4a:c5:76:5e:32:0c:de:d8:58:c7:
         43:1a:5d:f8:5f:8c:1f:de:9f:5d:da:e4:0b:c2:c5:c7:b2:76:
         f7:06:52:33:b7:42:d9:f9:c4:ab:e4:58:b3:d7:97:d1:37:a1:
         1d:4d:12:3b:2b:ea:24:6a:2c:aa:28:42:f9:c9:76:7b:5a:51:
         1b:34:f5:7d:bb:86:64:a9:a7:c6:ab:0a:c4:a1:cf:4d:08:87:
         81:79:cd:ab:7c:2f:0b:84:29:06:81:41:df:ac:54:64:43:36:
         b6:81:1b:1c:59:8c:ba:0d:3b:52:cb:51:89:9d:7a:ca:d4:d1:
         46:f7:0c:8d:aa:cd:50:d9:45:be:5a:39:24:5c:76:be:0b:13:
         7e:2a:15:c2:c5:96:e7:14:63:9e:6a:09:22:0d:20:95:ec:d5:
         d6:9e:06:cc:a2:31:76:f5:89:ca:75:58:38:5a:bc:9e:35:cf:
         b2:16:d2:07:ce:2d:68:49:56:19:12:b2:44:4d:07:87:8d:5d:
         40:86:43:f4:c6:bf:c2:f7:f9:75:ee:72:f6:ed:81:80:f3:03:
         97:6c:7c:fb
You can also print just the subject part.
[root@docker-03 ~]# openssl req -in req1.csr -subject -noout
subject=/C=CN/ST=SX/L=TY/O=ZDC/OU=ZDC/CN=www.ljj.com
The "-pubkey" option prints the public key contained in the certificate request. If you extract the public key from the private key that was used when the request was created, the two public keys are identical.
[root@docker-03 ~]# openssl req -in req1.csr -pubkey -noout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+Lbbyldlr
QsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp192JpOJQm
f3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2/W51jAMT
cN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTtV3m5GMLN
OnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0LrWqRSPI+
ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GFvJyeS5Tc
ZwIDAQAB
-----END PUBLIC KEY-----
[root@docker-03 ~]# openssl rsa -in pri_key.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+Lbbyldlr
QsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp192JpOJQm
f3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2/W51jAMT
cN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTtV3m5GMLN
OnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0LrWqRSPI+
ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GFvJyeS5Tc
ZwIDAQAB
-----END PUBLIC KEY-----
(3). Specify the signature algorithm used in the certificate request.
Notice that the header of the certificate request contains a "Signature Algorithm" item, which says which digital signature algorithm was used. The default is sha1; md5, sha512 and others are also supported, and the full list of supported algorithms is the one shown by "openssl dgst --help". As an example, md5 is specified here.
[root@docker-03 ~]# openssl req -new -key pri_key.pem -out req2.csr -md5
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:TY
Organization Name (eg, company) [Default Company Ltd]:ZDC
Organizational Unit Name (eg, section) []:ZDC
Common Name (eg, your name or your server's hostname) []:www.ljj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@docker-03 ~]# openssl req -in req2.csr -noout -text | grep Algo
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: md5WithRSAEncryption
(4). Verify the digital signature on the request file, which tells you whether the certificate request has been tampered with. In the command below, "-verify" verifies the digital signature of the certificate request file.
[root@docker-03 ~]# openssl req -verify -in req1.csr
verify OK
-----BEGIN CERTIFICATE REQUEST-----
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQH
DAJUWTEMMAoGA1UECgwDWkRDMQwwCgYDVQQLDANaREMxFDASBgNVBAMMC3d3dy5s
amouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+
LbbyldlrQsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp1
92JpOJQmf3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2
/W51jAMTcN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTt
V3m5GMLNOnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0L
rWqRSPI+ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GF
vJyeS5TcZwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADoURaL81mOYG4L02Cu4
q1Y5C2YOHXDZMVSDaLT3RbEHHHrPYvbWSrlF4MrySsV2XjIM3thYx0MaXfhfjB/e
n13a5AvCxceydvcGUjO3Qtn5xKvkWLPXl9E3oR1NEjsr6iRqLKooQvnJdntaURs0
9X27hmSpp8arCsShz00Ih4F5zat8LwuEKQaBQd+sVGRDNraBGxxZjLoNO1LLUYmd
esrU0Ub3DI2qzVDZRb5aOSRcdr4LE34qFcLFlucUY55qCSINIJXs1daeBsyiMXb1
icp1WDhavJ41z7IW0gfOLWhJVhkSskRNB4eNXUCGQ/TGv8L3+XXucvbtgYDzA5ds
fPs=
-----END CERTIFICATE REQUEST-----
The "verify OK" on the first line of the output means the certificate request is intact and has not been tampered with, but the contents of the request are printed as well. To suppress them, add the "-noout" option.
[root@docker-03 ~]# openssl req -verify -in req1.csr -noout
verify OK
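What "-text" printed above and what "-verify" actually checks, as an added example that is not part of the original article: a small standard-library-only Python parser that decodes the req1.csr shown above, recovers the Subject and the RSA public key, and redoes the PKCS#1 v1.5/SHA-256 signature check over the CertificationRequestInfo. The OID table and all function names are mine; the test run also edits the CN after signing to show that the check fails, which is the tampering scenario from the introduction.

```python
import base64, hashlib
# req1.csr exactly as printed on the page (PKCS#10 request, subject CN=www.ljj.com).
REQ1_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQH
DAJUWTEMMAoGA1UECgwDWkRDMQwwCgYDVQQLDANaREMxFDASBgNVBAMMC3d3dy5s
amouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGRPjH9bmuO+
LbbyldlrQsrsSyPRvW7xb+YFHHQ52hXhPOZcJjcs4JkK4Xywmlh5apioeA5vRhp1
92JpOJQmf3rV0kTc1dCF5HWyYojsCXrTMnpGMbNLlnyf0lW46g4gTPGIGyKmRLs2
/W51jAMTcN5Ws8bD6lzCO2BU3KTukJ7fr+uTtKVxmbuDOYYN7lI+3jsF4khheeTt
V3m5GMLNOnLrydsqdUclIGCZs81wPGN/DrLR6ctFkwoNle9ZOdXS59KNY58m3a0L
rWqRSPI+ux3WFQSiJ0gSZ4jQz93PB9sMFZXkbOko+YZnOSHbeiPOaYT+Z+WEL6GF
vJyeS5TcZwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBADoURaL81mOYG4L02Cu4
q1Y5C2YOHXDZMVSDaLT3RbEHHHrPYvbWSrlF4MrySsV2XjIM3thYx0MaXfhfjB/e
n13a5AvCxceydvcGUjO3Qtn5xKvkWLPXl9E3oR1NEjsr6iRqLKooQvnJdntaURs0
9X27hmSpp8arCsShz00Ih4F5zat8LwuEKQaBQd+sVGRDNraBGxxZjLoNO1LLUYmd
esrU0Ub3DI2qzVDZRb5aOSRcdr4LE34qFcLFlucUY55qCSINIJXs1daeBsyiMXb1
icp1WDhavJ41z7IW0gfOLWhJVhkSskRNB4eNXUCGQ/TGv8L3+XXucvbtgYDzA5ds
fPs=
-----END CERTIFICATE REQUEST-----"""

# DN attribute OIDs -> the short names "openssl req -subject" prints (table written for this example).
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo prefix, RFC 8017 9.2

def tlv(buf, off=0):                                # one DER tag-length-value -> (tag, content, end_offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long form: low 7 bits = number of length octets
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, buf[off:off + ln], off + ln

def children(content):                              # constructed content -> [(tag, content, raw_tlv), ...]
    out, off = [], 0
    while off < len(content):
        tag, val, end = tlv(content, off)
        out, off = out + [(tag, val, content[off:end])], end
    return out

def oid(content):                                   # OBJECT IDENTIFIER content octets -> "1.2.840..."
    arcs, acc = list(divmod(content[0], 40)), 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def parse_csr(der):
    """Pull subject DN, RSA public key, signature algorithm and signature out of a PKCS#10 CSR."""
    info, sig_alg, sig = children(tlv(der)[1])                 # CertificationRequest
    _version, subject, spki, _attrs = children(info[1])         # CertificationRequestInfo
    dn = {}
    for _, rdn, _ in children(subject[1]):                      # Name = SEQUENCE OF SET OF type/value
        for _, atv, _ in children(rdn):
            (_, t, _), (_, v, _) = children(atv)
            dn[OID_NAMES.get(oid(t), oid(t))] = v.decode()
    _alg, (_, bits, _) = children(spki[1])                      # BIT STRING wrapping RSAPublicKey {n, e}
    (_, n, _), (_, e, _) = children(tlv(bits, 1)[1])            # offset 1 skips the unused-bits octet
    return {"subject": dn, "sig_alg": oid(children(sig_alg[1])[0][1]), "info_der": info[2],
            "n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big"),
            "sig": int.from_bytes(sig[1][1:], "big")}

def verify(csr):
    """The check `openssl req -verify` makes: the embedded key validates the signature over the info."""
    em = pow(csr["sig"], csr["e"], csr["n"]).to_bytes((csr["n"].bit_length() + 7) // 8, "big")
    digest_info = SHA256_DIGESTINFO + hashlib.sha256(csr["info_der"]).digest()
    padding = b"\x00\x01" + b"\xff" * (len(em) - 3 - len(digest_info)) + b"\x00"   # PKCS#1 v1.5 EM
    return csr["sig_alg"] == "1.2.840.113549.1.1.11" and em == padding + digest_info  # sha256WithRSAEncryption
```

Because the signature covers the whole CertificationRequestInfo, any change to a Subject field after signing (even one that keeps the DER lengths intact) makes verify() return False, exactly as "-verify" would.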
(5). Self-sign a certificate, which is what you do when setting up your own root CA.
To self-sign a certificate with openssl req, use the "-x509" option. Since a certificate request is being signed, "-days" can also be given to set the validity period of the issued certificate.
[root@docker-03 ~]# openssl req -x509 -key pri_key.pem -in req1.csr -out CA1.crt -days 365
Because the main purpose of openssl req is creating and managing certificate requests, it provides no facilities for managing certificate files, so for now the only way to look at the certificate file CA1.crt is cat.
[root@docker-03 ~]# cat CA1.crt
-----BEGIN CERTIFICATE-----
MIIDhTCCAm2gAwIBAgIJAKq9jK9LpzQpMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJTWDELMAkGA1UEBwwCVFkxDDAKBgNVBAoMA1pEQzEM
MAoGA1UECwwDWkRDMRQwEgYDVQQDDAt3d3cubGpqLmNvbTAeFw0yMDAzMDQxMDM0
NDFaFw0yMTAzMDQxMDM0NDFaMFkxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJTWDEL
MAkGA1UEBwwCVFkxDDAKBgNVBAoMA1pEQzEMMAoGA1UECwwDWkRDMRQwEgYDVQQD
DAt3d3cubGpqLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxk
T4x/W5rjvi228pXZa0LK7Esj0b1u8W/mBRx0OdoV4TzmXCY3LOCZCuF8sJpYeWqY
qHgOb0YadfdiaTiUJn961dJE3NXQheR1smKI7Al60zJ6RjGzS5Z8n9JVuOoOIEzx
iBsipkS7Nv1udYwDE3DeVrPGw+pcwjtgVNyk7pCe36/rk7SlcZm7gzmGDe5SPt47
BeJIYXnk7Vd5uRjCzTpy68nbKnVHJSBgmbPNcDxjfw6y0enLRZMKDZXvWTnV0ufS
jWOfJt2tC61qkUjyPrsd1hUEoidIEmeI0M/dzwfbDBWV5GzpKPmGZzkh23ojzmmE
/mflhC+hhbycnkuU3GcCAwEAAaNQME4wHQYDVR0OBBYEFD87CCQ5p/Nviih8S4H8
kisLtEjZMB8GA1UdIwQYMBaAFD87CCQ5p/Nviih8S4H8kisLtEjZMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADX1ELAeclJK8lL2eSl3KdS/oz3ol3yp
3TDbmZoBR9tnBLcoBhqSx+X4daRgH+L4IJcppzbFznxHNNVqFz8nIJVCv8ccMFxY
GZrKUtVuR46Zgvbkp45y3QgyihhI/HqNCDLfCiE7H9lO+/TTRUG48hOq8iTa0oIJ
FkHWcLKy5Tl4+G/Kw3t+v+7UZRCqLN31U9/xv1MMDlJSF85+IxEfzoi/SzMkyVRH
AAO2KRUGlW53pIrDMx//9tzdI+xaOeJSXqHDsvcC0+aMLMCnZbinq/W0mjldsUtr
qGFZWBP0EpD8dFM8SQVFzORA3TnTd7etfJmWi9Om1nNs32ATJbq7f20=
-----END CERTIFICATE-----
In fact, when "-x509" is combined with "-new" or "-newkey", no certificate request file needs to be given: the request is created in memory during the self-signing process. Since a request is being created, the applicant's information still has to be entered by hand. For example:
[root@docker-03 ~]# openssl req -new -x509 -key pri_key.pem -out CA1.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:TY
Organization Name (eg, company) [Default Company Ltd]:ZDC
Organizational Unit Name (eg, section) []:ZDC
Common Name (eg, your name or your server's hostname) []:www.ljj.com
Email Address []:
In other words, once "-x509" is given, "-new" or "-newkey" means create a certificate file rather than a certificate request file.
(6). Let openssl req create the private key it needs automatically.
In all the examples so far the private key was supplied explicitly with "-key" wherever one was needed. If it is not supplied, openssl req automatically creates a private key wherever it needs one and saves it at a specific location; by default that is the current directory under the file name privkey.pem. The exact location and file name are decided by the configuration file (default /etc/pki/tls/openssl.cnf), which is not discussed here. The "-keyout" option of openssl req can of course name the location where the private key is saved.
For example:
[root@docker-03 ~]# openssl req -new -out req3.csr
Generating a 2048 bit RSA private key        # the private key is created automatically
.............+++
................................+++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:                       # asks for a password to encrypt the private key file; it must be 4-1024 characters long
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:TY
Organization Name (eg, company) [Default Company Ltd]:ZDC
Organizational Unit Name (eg, section) []:ZDC
Common Name (eg, your name or your server's hostname) []:www.ljj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
However, when openssl req creates a private key automatically it always encrypts the key file and prompts for the encryption password. The "-nodes" option disables encryption of the private key file.
[root@docker-03 ~]# openssl req -new -out req3.csr -nodes
Generating a 2048 bit RSA private key
..+++
...........................................+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
To choose where an automatically created private key is saved and what it is named, use the "-keyout" option.
[root@docker-03 ~]# openssl req -new -out req3.csr -nodes -keyout myprivkey.pem
Generating a 2048 bit RSA private key
...................................+++
............................................................................+++
writing new private key to 'myprivkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:^C
(7). Using the "-newkey" option.
"-newkey" is similar to "-new", except that "-newkey" lets you specify the algorithm and length of the private key directly, so it is mainly used when openssl req creates the private key automatically.
Its format is "-newkey arg", where arg has the form "rsa:numbits": rsa means create an RSA private key and numbits is the key length. If no length is given (i.e. "-newkey rsa"), the default length is read from the configuration file. Key types other than RSA are supported too, but since RSA keys are what is almost always used today, RSA is the default.
[root@docker-03 ~]# openssl req -newkey rsa:2048 -out req3.csr -nodes -keyout myprivkey.pem
Generating a 2048 bit RSA private key
.....................................................................+++
...............+++
writing new private key to 'myprivkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:^C
After this series of examples, the basic options of openssl req should all be clear. The examples also showed that openssl req frequently relies on values from the configuration file (default /etc/pki/tls/openssl.cnf). So, first a summary of the openssl req command usage, then a brief description of the req-related parts of the configuration file.
openssl req [-new] [-newkey rsa:bits] [-verify] [-x509] [-in filename] [-out filename] [-key filename] [-passin arg] [-passout arg] [-keyout filename] [-pubkey] [-nodes] [-[dgst]] [-config filename] [-subj arg] [-days n] [-set_serial n] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] [-subject] [-text] [-noout] [-batch] [-verbose]

Option descriptions:

-new             : Create a certificate request file. You are prompted interactively for a set of fields; the prompts, the length limits on the values and some further extension attributes have their defaults in the configuration file (openssl.cnf by default, plus a few auxiliary configuration files). If "-key" is not given, an RSA private key is generated automatically, at the location specified in openssl.cnf. If -x509 is also given, a self-signed certificate is created instead of a certificate request.
-newkey args     : Like "-new": create a new certificate request and also create the private key. args has the form "rsa:bits" (see the man page for other algorithms), where bits is the RSA key length; if bits is omitted (i.e. -newkey rsa) the length is taken from the default_bits directive of the configuration file, which defaults to 2048. If -x509 is also given, a self-signed certificate is created instead of a certificate request.
-nodes           : By default openssl req encrypts any private key it creates automatically and prompts for the encryption password; this option disables encryption of the private key file.
-key filename    : The private key input file; needed when creating a certificate request.
-keyout filename : Where to store an automatically created private key; if not given, the default_keyfile value of the configuration file is used, which defaults to privkey.pem.
-[dgst]          : The one-way hash algorithm used when digitally signing the applicant information in the request, e.g. -md5/-sha1/-sha512; if not given, the default_md value of the configuration file is used.
-verify          : Verify the digital signature on a certificate request file.
-x509            : Produce a self-signed certificate instead of a certificate request. Typically used for testing or to create the self-signed certificate of a root CA.
-days n          : Validity period of the self-signed certificate, default 30 days; must be used together with "-x509". Note that this is the validity of the self-signed certificate, not of a requested certificate: a certificate's validity is set by its issuer, so it is meaningless for the requester to specify one. default_days in the configuration file sets the validity of certificates issued for requests, default 365 days.
-set_serial n    : Serial number for the self-signed certificate. It is written to the file named by the serial directive of the configuration file, so that file need not be updated by hand. Decimal and hexadecimal (0x prefix) values are accepted; negative values are accepted as well but not recommended.
-in filename     : The certificate request file filename. Note that this option is not needed when creating a request.
-out filename    : Output file for the certificate request or self-signed certificate (or for other output); stdout if not given.
-subj args       : Replace or supply the fields that would otherwise be prompted for, and print the modified request information. args has the form "/type0=value0/type1=value1..."; an empty value means use the default from the configuration file, and a value of "." leaves the field blank. Recognised types (see man req) include C for Country, ST for State, L for Locality, O for Organization, OU for Organizational Unit and CN for Common Name.

[Output options:]
-text            : Print the certificate request in text form.
-noout           : Suppress part of the output (the encoded request or certificate, as in the examples above).
-subject         : Print the subject of the certificate request (or of the certificate, if -x509 is given).
-pubkey          : Print the public key contained in the certificate request.

[Configuration and miscellaneous options:]
-passin arg      : Password for decrypting the input.
-passout arg     : Password for encrypting the output file.
-config filename : The req configuration file; once given, all other configuration files are ignored. If not given, the req section of /etc/pki/tls/openssl.cnf is used.
-batch           : Non-interactive mode: the request fields are read directly from the configuration file (default /etc/pki/tls/openssl.cnf). If "-key" is not given, the key passphrase is still asked for.
-verbose         : Print details of the operations performed.
Below is the format of the req section of the configuration file (default /etc/pki/tls/openssl.cnf).

input_password     : Password input, corresponding to the "-passin" command-line option; see "openssl password formats" for the format and meaning.
output_password    : Password output, corresponding to the "-passout" command-line option; see "openssl password formats" for the format and meaning.
default_bits       : Length of the RSA private key that openssl req generates automatically; 512 if unset. Used by the "-new" and "-newkey" command-line options.
default_keyfile    : Default output file for the private key, corresponding to the "-keyout" command-line option.
encrypt_key        : When set to no, automatically created private keys are not encrypted; setting it to no is equivalent to "-nodes" on the command line. The compatibility spelling encrypt_rsa_key is equivalent.
default_md         : The one-way hash algorithm used to digitally sign the applicant information when creating a request, corresponding to "-[dgst]" on the command line.
prompt             : When set to no, the request fields are not prompted for but read directly from openssl.cnf. Set this with care; a failure to create a request file is very often caused by this option being set to no.
distinguished_name : (DN) an extension section that names the fields recognised in a certificate request.
Below are the default configuration file format and values. A detailed analysis of the configuration file is given in the "configuration file" section.
[ req ]
default_bits            = 2048
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert
string_mask             = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XX
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
localityName_default            = Default City
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Default Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64