OPENSSL证书制作与浏览器认证

网络安全 专栏收录该内容
14 篇文章 0 订阅

 

准备环境

$ mkdir -p CA/{certs,crl,newcerts,private}
$ 
$ touch CA/index.txt
$ 
$ echo 00 > CA/serial

生成CA秘钥

$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................+++
...............+++
e is 65537 (0x10001)
$ 

签署CA

$ openssl req -sha256 -new -x509 -days 3650 -key ca.key -out ca.crt -newkey rsa:2048
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk.com
Email Address []:home@hm.com
$

查看证书内容

$ openssl x509 -noout -text -in ca.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12914197379374815003 (0xb33872181cea971b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
        Validity
            Not Before: May 17 09:12:47 2019 GMT
            Not After : May 14 09:12:47 2029 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=home, OU=desk, CN=www.home.desk.com/emailAddress=home@hm.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

$ ls
CA  ca.crt  ca.key
$ 

生成服务器秘钥

$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
............................................................................................+++
e is 65537 (0x10001)
$ 

生成服务器证书请求,注意Country Name、State、Locality Name和Organization Name最好与CA证书填写的内容一致。

$ openssl req -new -sha256 -key server.key -reqexts v3_req -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:home
Organizational Unit Name (eg, section) []:desk
Common Name (e.g. server FQDN or YOUR name) []:www.home.desk
Email Address []:home@desk.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:.
$ 

使用上一节的CA证书和秘钥签发服务器证书

$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
$ 

如果遇到以上问题,执行以下操作:

$ mkdir -p demoCA/newcerts
$ 
$ touch demoCA/index.txt
$
$ echo 00 > demoCA/serial

在次运行签发命令:

$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (home) and the request (server)
$

以上提示CA证书和服务端的证书请求中的组织名称不相同,最好设置为相同的。

$ openssl ca -in server.csr -md sha256 -keyfile ca.key -cert ca.crt -extensions v3_req -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: May 17 09:49:08 2019 GMT
            Not After : May 16 09:49:08 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = home
            organizationalUnitName    = desk
            commonName                = www.home.desk
            emailAddress              = home@desk.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until May 16 09:49:08 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ 

完成之后的目录结构:

$ ls
CA  ca.crt  ca.key  demoCA  server.crt  server.csr  server.key
$

将CA根证书嵌入window证书管理器,Chrome或者IE浏览器会从window的系统中读取证书,当用户访问我们的完整www.home.desk时,将不在阻拦,其认为是合法的证书。进入CMD命令行,执行certmgr命令,打开windows的证书管理器,导入ca.crt证书文件到“受信任的根证书颁发机构”中。也可到浏览器自带的证书管理界面进行导入。

 

END

 

  • 0
    点赞
  • 0
    评论
  • 3
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 编程工作室 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值