这就是TLS系列之二（证书)

埋头过坎 2020-12-03

1020

前面TLS系列简单介绍了TLS的概念及HTTPS协议交互的过程，如下：

其中第2步是服务器生成带公钥的证书返回给客户端用于证明自己的身份。今天就来聊聊证书是如何生成的，以及证书是长什么样子的。

在LInux环境，通常会借助openssl软件来生成证书， openssl实现了SSL协议库，提供了对称加密算法（包括AES、DES等）及非对称加密算法（包括RSA、 DH等），其中RSA既可以用于密钥交换，也可以用于数字签名。

证书一般采用X.509格式，一般通过不同的文件形式进行保存，包括crt， pem等常见格式。

本文采用的openssl版本如下：

(base) bash-4.1$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

生成证书主要包括3个过程：

a. 创建私钥，如下：

(base) bash-4.1$ openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
............+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:  # 输入密钥
Verifying - Enter pass phrase for ca.key:
(base) bash-4.1$

b. 生成证书签名请求文件，如下：

(base) bash-4.1$ openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:  # 需要输入前面设置的密钥
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN  # 国家
State or Province Name (full name) [Some-State]:GD # 省份
Locality Name (eg, city) []:SZ # 城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SelfOrg  # 组织名
Organizational Unit Name (eg, section) []:Tech  # 部门名
Common Name (e.g. server FQDN or YOUR name) []:localhost  # 域名
Email Address []:tech@self.org    # 邮箱     


Please enter the following 'extra' attributes # 其它属性
to be sent with your certificate request
A challenge password []:
An optional company name []:
(base) bash-4.1$

c. 生成X.509格式证书，如下：

(base) bash-4.1$ openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = CN, ST = GD, L = SZ, O = SelfOrg, OU = Tech, CN = localhost, emailAddress = tech@self.org
Getting Private key
Enter pass phrase for ca.key:  # 输入密钥

最后生成的结果文件包括私钥、证书签名请求及证书，如下：

(base) bash-4.1$ ls -l
total 12
-rw-r--r--. 1 xxx xxx 1269 Dec  3 23:27 ca.crt
-rw-r--r--. 1 xxx xxx 1029 Dec  3 23:26 ca.csr
-rw-------. 1 xxx xxx 1751 Dec  3 23:23 ca.key
# 私钥格式
(base) bash-4.1$ cat ca.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,785DB378F5135BD8


Y2zb4YnmYKevIdvIaW9w07C3jT/9vCvdYbngEgMQllhBxxcFypoQ+rkZrvlzb/MF
G9dMeFO+XcMidPTg9PyrOqeh1vxH/ndMQpk+CCChBwodp+kg925ncM8c+KCYwTYw
TMvviIpcUb4VO4UTSWoC/8cw44mxXQEGwhP6i6myjuDZYTQAgcj8LrjrMAYN/D+H
iNUDvus1IfxiWiES6k/HQ5sCK7+/P3LM81noy5zixaMvPZ5uUYnV3+ecmSGItFr4
SV8WeyLQFrX/zXtcWJgjvxnnll+dmp8K0NB1O4uzJYRn2roMC/ivDHX/Hr9dFw82
HD+CBLJ4JvATMHy/+HlCz9efpn/oiP4ZsH9AKTNrsoJqAi1bVYv43JP/JHjhdx11
mLgR6fCTgDHXTKlCRHWtZxm9wj9n4k8pUHs6qPr8NunP50o5cn8sT4nRUBP2ThIR
cJ64eKYHU59PK/tka2dn10JgpFfbxuLIO4SrT+lLdrwAKHRl2+9GOUFL2a/Bov4k
2e2sbubzHfQwSpLyP7I2o/fz2VfoTj5cspP1JsVwaAYM/sYyWmiyZ3ZJH0LEtlyO
nUxZBytSdKIRBxpJ8f413cXe5Rz/8zdganf7yl/8XJqBpW8byHaZQhVctm5Gx8zE
edBeDh1xZxswPJ4fwGVK6rTF9YgJ091ybrQRmG/zbO7kjebdsrAF46CtJ7I6vEyL
tLeoPpXqO5LJ/GbLs3/skj+V1tN1H5wiQJ+YBuF5CqTRY7ykWQv/Cn/CFnmfK6xb
7cnJaHsvV8gRzh0nFzkwNv91d3lGp1UfkLVlkmtaFUa6qx2wBPu04UnjijTJeKhz
9W96/+QklcDY4IKFWkbxLGJ9147VwO3+UMpNQRHkUCe+GrPwMDcEwkwOcYXxPI3s
L44HgUYC9CYngpu2RhlnsQI6BjV2w8IHF7UoRIEbi0DpB45gkQNIV+RphTY9Gg9s
AXl8TVfa8dKSnPnzwKNsC9zapp6rIJc8HO64B/Y/GX+ZzG76WyccqDmHw446DJKK
nxGz987eAWVdo0TkB7GxokNn/FkmcDEzEiqN2lG1JSe220efgl6EUZMH7xwOqIJi
+IyCTeNAMTl3KYdwU0Sv3yPgGJTQLo0CqJDfhdFH5CsmPXTxEOKzyCz7b1CUzYId
seMKh0ibTar6pzRGvntbn+vUBn83SJ0FtiiEyHD682sr15IKAqpA6GhGPErQ/Kb0
rosWaIfBINo5gzHhbvZackh9iozJxMJyVaNkbFqU5t+Hn4fB4Ea9NFpd7m6lVj2K
frpZeBrLB1TCHMdVeGSV2xSTJ+i2ebPX3cLhxGFs323ILPKSIH1uuo5FhoIYl/sY
ETf/K3EBy1Tp/1l2kDvzz9QNE0U60+4TsZwZkiEIDTz5Nm8Su7UvE2RddHHoihBY
g/8Q3pSJynOqzzWwp4YjAseLhFRnz/3zoFLonSGL5ZZ+K456OqS7KfIu/02wtupn
phx/UH/ug4wMDy241drgH4d+RLj0imBysIoBFollIx41lBOLXg6tvzPUgApFsm5g
7QqzqPPGHHi/NuZzZLoBWnekNWaxKN+Qa6qUVRNYTCxxQv2ReIObo8otC56e5MEg
-----END RSA PRIVATE KEY-----
(base) bash-4.1$ 


# 证书请求文件内容， 跟前面输入的是一致的
(base) bash-4.1$ openssl req -text -in ca.csr -noout
Certificate Request:
    Data:
        Version: 1 (0x0) # 证书版本
        Subject: C = CN, ST = GD, L = SZ, O = SelfOrg, OU = Tech, CN = localhost, emailAddress = tech@self.org # 主体信息 
        Subject Public Key Info: # 公钥
            Public Key Algorithm: rsaEncryption # 公钥算法
                RSA Public-Key: (2048 bit) # 长度
                Modulus:
                    00:e6:ef:66:a3:4b:98:31:db:7b:fe:5e:ba:1e:80:
                    1b:d8:93:da:c9:ab:76:9e:23:86:02:88:8b:b5:39:
                    e7:fd:06:10:ff:a7:53:33:ce:ca:81:fe:46:9e:a5:
                    d0:c2:02:83:80:94:3d:0d:e8:60:5f:f5:8c:3e:07:
                    79:16:21:66:08:82:89:02:d0:75:48:01:2b:41:66:
                    45:75:29:83:e9:57:0c:d3:77:79:5d:7d:b1:1a:9e:
                    f7:da:29:b7:3c:e5:e3:f2:d7:97:68:97:bb:07:99:
                    33:c9:84:a4:96:25:2a:ad:69:79:f7:b5:d9:2f:c9:
                    72:8d:c9:34:94:c4:27:f8:b4:23:28:c2:1c:c0:01:
                    06:b0:ef:c3:78:28:63:eb:9a:25:37:00:de:6c:49:
                    f0:3a:09:98:03:dd:59:7b:48:06:f5:8c:57:06:e2:
                    63:93:95:72:d5:92:67:e8:6e:b4:f1:f1:fe:a2:db:
                    98:ea:21:1e:56:88:5c:e9:b0:a9:bf:ec:ac:73:66:
                    37:bd:47:21:35:41:ca:a8:e7:ff:60:d4:b8:5d:ba:
                    d6:c2:33:a1:b6:2f:42:f3:92:0b:6c:2a:88:bf:4b:
                    3d:5e:b8:f5:7f:e4:15:60:a0:e2:12:e8:02:85:48:
                    29:89:da:8f:bf:6f:5c:1a:0b:7f:f2:f5:bd:5a:fa:
                    a2:81
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption # 签名
         28:0f:c0:97:0b:ab:6d:9e:e9:12:12:82:10:ea:13:7a:5e:1a:
         a7:83:e9:f5:53:2c:79:4f:c0:6f:b0:5b:a1:80:c6:84:3a:3c:
         5a:22:6c:d6:68:a9:9b:f0:ac:8c:06:57:db:6b:38:fe:a1:17:
         1e:50:34:c2:45:f9:c7:64:65:ba:63:fc:7c:df:82:8a:7a:bb:
         43:17:56:a8:35:a6:aa:3e:e4:9a:a3:33:45:4a:e0:4e:bb:58:
         9e:8a:6b:3c:ad:33:98:ea:02:10:33:c8:c9:b9:dc:e9:91:b0:
         f9:bd:e4:fa:61:76:18:6a:bc:62:8c:b5:44:fb:a0:f5:ab:42:
         72:9a:1c:3d:aa:a1:6b:ae:c9:e6:f4:24:20:9a:3e:9a:50:1c:
         ab:02:f2:c4:0e:55:12:79:e2:0f:a4:e9:60:6b:15:59:6d:f0:
         6a:1e:83:15:00:be:f9:cd:82:0d:d7:d7:ab:95:75:8d:50:d3:
         d4:49:ff:56:38:4a:f6:3d:9d:9b:88:c9:e1:9f:c5:5f:95:45:
         d6:58:4d:32:88:40:74:39:72:6d:36:ff:cc:c8:9a:08:08:6d:
         9a:99:7e:ae:ff:cb:31:d0:ec:14:77:e3:13:6e:f7:5b:76:0f:
         19:26:50:ce:ff:18:49:0c:9e:f1:be:1a:41:43:cb:df:1c:eb:
         17:5d:0f:d4
(base) bash-4.1$ 


# 证书格式
(base) bash-4.1$ openssl x509 -text  -in ca.crt -noout 
Certificate:
    Data:
        Version: 1 (0x0) # 版本
        Serial Number: # 证书序列号
            2e:4c:e5:94:86:c5:57:92:5d:15:f0:cb:04:46:6d:2b:34:fd:d8:14
        Signature Algorithm: sha256WithRSAEncryption # 签名算法
        Issuer: C = CN, ST = GD, L = SZ, O = SelfOrg, OU = Tech, CN = localhost, emailAddress = tech@self.org # 颁发者
        Validity  # 有效期起始和截止时间
            Not Before: Dec  3 15:27:09 2020 GMT
            Not After : Dec  1 15:27:09 2030 GMT
        Subject: C = CN, ST = GD, L = SZ, O = SelfOrg, OU = Tech, CN = localhost, emailAddress = tech@self.org # 主体信息
        Subject Public Key Info: # 公钥信息
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e6:ef:66:a3:4b:98:31:db:7b:fe:5e:ba:1e:80:
                    1b:d8:93:da:c9:ab:76:9e:23:86:02:88:8b:b5:39:
                    e7:fd:06:10:ff:a7:53:33:ce:ca:81:fe:46:9e:a5:
                    d0:c2:02:83:80:94:3d:0d:e8:60:5f:f5:8c:3e:07:
                    79:16:21:66:08:82:89:02:d0:75:48:01:2b:41:66:
                    45:75:29:83:e9:57:0c:d3:77:79:5d:7d:b1:1a:9e:
                    f7:da:29:b7:3c:e5:e3:f2:d7:97:68:97:bb:07:99:
                    33:c9:84:a4:96:25:2a:ad:69:79:f7:b5:d9:2f:c9:
                    72:8d:c9:34:94:c4:27:f8:b4:23:28:c2:1c:c0:01:
                    06:b0:ef:c3:78:28:63:eb:9a:25:37:00:de:6c:49:
                    f0:3a:09:98:03:dd:59:7b:48:06:f5:8c:57:06:e2:
                    63:93:95:72:d5:92:67:e8:6e:b4:f1:f1:fe:a2:db:
                    98:ea:21:1e:56:88:5c:e9:b0:a9:bf:ec:ac:73:66:
                    37:bd:47:21:35:41:ca:a8:e7:ff:60:d4:b8:5d:ba:
                    d6:c2:33:a1:b6:2f:42:f3:92:0b:6c:2a:88:bf:4b:
                    3d:5e:b8:f5:7f:e4:15:60:a0:e2:12:e8:02:85:48:
                    29:89:da:8f:bf:6f:5c:1a:0b:7f:f2:f5:bd:5a:fa:
                    a2:81
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption # 签名相关
         6c:37:a7:c9:e4:87:f8:fa:0b:98:53:85:bc:57:9c:98:3d:20:
         c7:71:d9:46:c9:36:60:44:f1:29:ef:01:39:d6:c7:5a:a8:fe:
         75:c0:29:83:60:b5:6d:dd:37:58:1b:cf:bd:24:1d:a8:e2:6b:
         75:5c:af:ae:5a:bb:f0:87:11:7b:85:5f:ea:ff:fb:83:4c:36:
         a0:33:8d:c5:a2:bd:bd:07:1c:a7:aa:ab:2e:90:ec:fe:70:ab:
         7e:89:47:c4:92:f9:cd:ee:4e:9d:02:83:d7:dd:d1:2b:ef:7f:
         21:23:a5:94:88:1a:ab:9b:b0:a7:23:53:f0:df:9a:37:92:f9:
         76:28:be:5d:c9:25:02:0c:86:9e:c1:92:bf:2c:58:89:f1:3b:
         8c:cc:e2:a3:02:01:d2:bb:20:c2:a4:9e:8f:22:af:96:83:b7:
         47:42:b9:02:6c:bf:54:37:84:ac:45:60:aa:48:6b:34:d6:84:
         85:41:72:c4:62:70:9a:69:76:d0:ee:77:b4:82:0f:c1:61:02:
         5e:42:00:56:2b:98:5f:b1:56:51:21:1a:b6:1e:a8:40:e8:d6:
         c5:21:35:03:84:03:e4:e7:25:d8:99:3b:83:e7:3f:ff:49:79:
         95:05:13:51:7b:53:f0:1d:ea:47:50:39:59:85:95:26:64:f9:
         39:e8:c2:81
(base) bash-4.1$

各文件的具体信息在上面的注释里面进行了解读，下面是X.509的格式，可以结合上面的实际例子查看：

在现在的互联网环境，基本HTTPS是成为了必要，包括k8s里面也大量了使用到，后续将结合K8S中的https服务代理继续介绍TLS及证书相关内容。

数据库

文章转载自埋头过坎，如果涉嫌侵权，请发送邮件至：contact@modb.pro进行举报，并提供相关证据，一经查实，墨天轮将立刻删除相关内容。

这就是TLS系列之二（证书)

评论