https04_交互流程

https://www.cnblogs.com/blogtech/p/16589237.html

https://blog.csdn.net/yx1166/article/details/124299040

1.      通过自签方式验证

自签方式意思就是我们自己模拟CA机构来颁发证书。

基本流程

1. 创建一个虚拟的CA机构，生成证书（DME叫做信任证书）
2. 提供加密私钥，填写申请csr，去虚拟机CA机构签名
3. 自建CA机构颁发身份证书

1.1    虚拟CA机构，生成信任证书

?

1 2 3 4 5 6

# 生成CA机构证书密钥key openssl genrsa –des3 –out ca.key 2048 openssl rsa –in ca.key –out ca.key # 用私钥ca.key 生成ca机构的证书ca.crt(dme叫做trust.cer) # 把公钥保证成证书 openssl req –new –x509 –key ca.key –out trust.cer –days 365

1.2    生成csr

req.conf配置

 

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

[req] distinguished_name = req_distinguished_name req_extensions = v3_req prompt = no [req_distinguished_name] C = CN ST = Guangdong L = ShenZhen O = TenCent Technologies OU = xxx Department CN = Wechat [v3_req] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] IP.1 = xxx.xx.xx.x

 

?

1 2 3

openssl genrsa -out server_key.pem -aes128 4096 #根据私钥server_key.pem和请求体req.conf生成一个新的证书请求文件server.csr openssl req -new -key server_key.pem -out server.csr -config req.conf

1.3    颁发身份证书

v3.ext

[v3_ca]
basicConstraints = critical, CA:FALSE
subjectAltName = @alt_names

[ alt_names ]
IP.1 = xxx.xxx.xx.x

?

1	openssl x509 -req -in server.csr -CA trust.cer -CAkey ca.key -CAcreateserial -out server.cer -days 3650 -extensions v3_ca -extfile v3.ext