1.什么是openssl? 它的作用是?应用场景是什么?什么是openssl? 它的作用是?应用场景是什么?
openssl是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,它可以避免信息被窃听到。
SSL是Secure Sockets Layer(安全套接层协议)的缩写,可以在Internet上提供秘密性传输。Netscape(网景)公司在推出第一个Web浏览器的同时,提出了SSL协议标准。其目标是保证两个应用间通信的保密性和可靠性,可在服务器端和用户端同时实现支持。
因为在网络传输的过程中,网络的数据肯定要经过wifi路由器对吧,那么我们通过路由器做些手脚我们就可以拿到数据,因此openssl的作用就是避免信息被窃听到。
那么openssl是如何保证信息不被窃听到呢?因此我们需要了解 非对称加密、数字签名、数字证书等一些基本概念的。
1.1 什么是非对称加密?
非对称加密是用密钥对数据进行加密,然后我们可以使用另一个不同的密钥对数据进行解密。这两个密钥就是公钥和私钥。
我们根据私钥可以计算出公钥,但是我们根据公钥计算不出来私钥的。私钥一般是有服务器掌握的,公钥则是在客户端使用的。
注意:非对称加密的具体算法我们后续有文章研究
1.2 什么是数字签名?
根据百度百科说:数字签名(又可以叫公钥数字签名)是一种类似写在纸上的普通的物理签名,但是使用了公钥加密领域的技术实现,它是用于鉴别数字信息的方法。数字签名有两种互补的运算,一个是用于签名,另一个是用于验证。
作用是:它会将报文使用一定的HASH算法算出一个固定位数的摘要信息,然后使用私钥将摘要加密,然后会将刚才的报文一起发送给接收者,接收者会通过公钥将摘要解出来。也通过hash算法算出报文摘要,如果两个摘要一致,说明数据未被篡改,说明数据是完整的。
1.3 什么是数字证书?
根据百度百科说:数字证书是互联网通讯中标志通讯各方身份信息一串数字。提供了一种在Internet上验证通信实体身份的方式。它是由CA颁发给网站的一种身份的方式。它里面包含了该网站的公钥、有效时间、网站的地址、及 CA的数字签名等。
作用是:它是使用CA的私钥将网站的公钥等信息进行了签名,当客户端请求服务器端的时候,网站会把证书发给客户端,客户端先通过CA的数字签名校验CA的身份,来证明证书的真实完整性。
了解到上面的非对称加密、数字签名、数字证书的概念之后,我们来看看它是如何来保证数据没有被伪造的:
SSL 实现认证用户和服务器
现在我们来想一个问题,如果我们现在访问我们的博客园网站,我们怎么知道访问的是真博客园还是假博客园呢?为了确定我们的博客园网站的服务器有没有被伪造,在SSL中有这么一个规则:假如我们向服务器发出请求后,服务器必须返回它的数字证书给接收者,当我们拿到数字证书之后,我们可以根据里面的ca数字签名,来检验数字证书的合法性。假如我们现在能够证明数字证书是博客园的,但是不代表发送给我们证书的服务器就是博客园的呢?为了解决这个问题,其实在我们拿到的证书里面会带有博客园的公钥,在之后的通信中,客户端会使用该公钥加密数据给博客园服务器,博客园服务器必须使用私钥才能够解出里面的数据。只要他能够解出数据出来,说明他是合法的,否则的话,是伪造的。如果是伪造的,那么就不能通讯。因此SSL就解决了服务器认证的问题了。
加密数据在通讯过程中如何防止数据不被窃取呢?
客户端第一次给服务器发送请求的时候(拿到证书之前的那个请求),会在请求里面放一个随机数(比如叫A),服务器的返回证书的响应里也会带一个随机数(比如叫B), 客户端拿到证书后,会使用公钥加密一个随机数(比如叫C)发送给服务器,因此客户端,服务器就有三个随机数:A、B、C。双方使用这些随机数和一个相同的算法会生成一个密钥,以后所有的通信都使用这个对称密钥来进行的。
一般情况下,这三个密钥不可能同时被泄露的,因为它是由三个随机数随机生成的。并且其中一个随机数使用了公钥加密的。因此是通过这种方式来保证数据不被窃取的。
上面都是在网上看到的一些概念性问题,简单的理解下就好了,知道是这么个概念就行了,而我们的openssl是SSL的实现版。因此openssl的作用避免信息被窃取到,它是通过上面的知识点来做到的。
openssl的应用场景:
在使用http网站中,我们经常看到网站会有一些广告什么的,这些广告其实不是网站自己放上去的,而是中间的运营商在中间篡改了内容导致的。现在我们可以使用https技术(基于openssl)来对数据进行加密的。它能保证数据不被篡改。
2.使用openssl生成免费证书
1 使用openssl工具生成一个RSA私钥
openssl genrsa -des3 -out server.key 2048
如上:des3 是算法,2048位强度(为了保密性)。 server.key 是密钥文件名 -out的含义是:指生成文件的路径和名称。server.key 默认输入“123456”.
[root@htas-master ~]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................+++
...........................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@htas-master ~]#
我们查看刚刚生成的私钥,需要输入创建是的server.key 使用命令如下:
openssl rsa -text -in server.key
[root@htas-master ~]# openssl rsa -text -in server.key
Enter pass phrase for server.key:
Private-Key: (2048 bit)
modulus:
00:d7:8d:71:12:66:6e:02:aa:da:a1:fc:20:a0:c7:
57:2f:ba:4b:30:5f:51:f8:7f:84:57:86:75:30:07:
d2:9e:fa:78:40:a5:7e:4f:e8:2b:13:9e:1f:c0:4c:
22:21:86:82:87:41:5f:94:e4:ba:72:53:13:e0:b6:
c2:2d:e4:9a:35:bf:80:eb:03:94:24:b3:03:77:7f:
93:95:2a:60:99:10:62:85:6c:64:c1:25:c2:1a:3a:
a9:01:20:9b:68:c9:6c:36:84:04:c1:49:70:d3:c6:
2b:c9:7f:bb:eb:d8:bc:e6:70:83:2a:ad:a9:90:27:
5b:34:c0:9b:90:e7:68:71:35:66:e0:d4:d4:04:b0:
80:96:87:b1:42:01:ed:4e:66:84:0c:a1:78:67:b6:
e8:f9:7f:cc:ff:55:c2:17:99:a0:b9:79:a2:b8:55:
73:67:c0:44:eb:cd:76:01:a6:9f:7b:e5:02:16:17:
93:34:44:ac:da:ce:e3:74:30:b9:38:f2:94:fe:05:
8d:49:0f:c7:eb:92:68:b9:e6:33:42:a5:70:1d:9f:
dc:13:4c:08:24:5f:1b:6d:a1:97:00:e3:89:7f:a6:
65:6a:09:76:e7:c3:5f:5d:00:dc:5e:03:cf:8e:6b:
03:9c:b2:d3:e3:35:94:29:20:95:87:b9:e8:40:64:
1c:d9
publicExponent: 65537 (0x10001)
privateExponent:
7c:58:3d:b8:2d:9a:9c:b3:4e:f8:4e:e7:cb:97:f2:
f5:b7:74:14:6d:88:6d:df:b1:ca:83:e8:2a:52:f8:
ef:78:f1:d1:e9:26:1a:96:85:f3:05:2e:af:d1:bb:
86:b7:7f:a8:e2:cf:6e:a7:1b:df:43:89:9e:02:0f:
b6:45:bf:a7:ed:d7:42:bb:87:c4:3b:f8:6e:01:0c:
73:ea:44:5b:48:16:6d:7d:80:09:e3:ec:3b:11:47:
d9:3c:a4:2a:28:b7:e2:22:fa:53:3e:38:76:12:45:
c4:31:89:88:9e:39:2a:7e:11:4c:97:6d:cf:98:c4:
86:83:ed:ba:03:a4:3e:59:4e:ff:91:15:35:d5:02:
5d:7c:03:43:0b:1c:b1:f8:85:f2:fa:de:4a:c9:4e:
bf:ec:2d:8f:b6:3a:b8:bf:45:31:50:23:ee:57:1d:
f6:0e:d8:d0:77:30:11:b1:ca:05:a8:9a:56:e3:fd:
b6:c2:09:5e:3d:85:86:c3:42:15:1e:44:42:28:fd:
ef:c8:1b:d6:20:ad:99:19:8b:e7:0f:48:74:14:41:
a2:14:ad:c4:c6:70:92:d6:b5:33:f7:ec:a8:68:33:
5a:1d:7d:8a:b7:06:e5:27:ac:ee:b9:01:6e:1d:31:
bb:03:45:5d:cb:50:8d:c7:df:aa:1f:47:0b:9a:92:
59
prime1:
00:eb:42:37:ff:9f:03:74:ec:76:0f:3c:d8:d9:9d:
15:90:33:f4:c5:59:35:d8:51:4a:2f:48:5e:ea:6c:
18:35:d0:f3:6e:59:75:c7:f1:db:34:bc:b8:df:c9:
5b:4f:65:0d:f2:66:b3:e8:e7:29:7c:a7:b8:63:cf:
7d:31:41:c5:44:97:1b:dd:63:dd:0b:8f:6a:d0:f8:
68:1c:7d:5d:79:c9:e2:15:9b:01:28:94:d1:7b:ff:
19:4b:f6:7f:8e:a5:d9:8a:d9:9a:25:b9:15:17:ed:
5a:ee:64:9b:15:64:e1:db:44:5b:1b:f7:56:b0:4b:
09:37:e1:e7:ca:46:b2:2c:47
prime2:
00:ea:8e:74:9a:2b:9d:cb:85:ad:3f:98:e8:fe:7a:
2c:d5:98:57:35:61:af:d8:59:e9:7e:cf:8b:be:2c:
fd:10:62:55:39:ad:17:07:e1:e1:39:85:71:67:db:
59:ca:c3:8c:27:ea:a9:fd:31:16:79:7a:58:1d:7b:
a9:46:02:6a:49:bf:e4:ee:d2:d5:74:94:d7:68:58:
0a:54:e6:a7:f8:78:a0:8d:43:41:b4:b0:18:5f:98:
85:1f:b2:ef:d8:8e:e0:20:78:59:98:c4:b0:d7:5e:
36:f5:87:48:bc:ee:52:83:6b:4f:32:8b:5f:99:47:
a0:aa:ad:e9:ba:55:b8:9d:df
exponent1:
00:dd:9d:3b:73:29:2f:f0:6c:ef:a9:da:ff:cb:bf:
16:19:09:58:82:af:4e:f1:bf:61:ca:b8:b9:f0:ca:
72:e3:ff:39:d1:b1:a4:29:fd:c3:29:22:be:64:d1:
21:9a:e0:ef:0a:71:84:f8:d9:09:53:cc:0a:fe:ba:
ee:8c:00:10:fc:53:fc:83:c9:16:e9:54:e8:a2:81:
de:51:38:27:5e:1a:b7:46:f3:05:5c:5d:14:19:62:
6d:4a:09:a2:8f:95:dc:1f:d8:6c:45:2c:dc:99:f5:
95:bb:0c:3a:ab:24:a5:3e:10:5e:63:31:d4:0f:ae:
1f:b8:ec:ad:94:f6:93:d0:f1
exponent2:
32:05:1f:28:a1:94:8d:0a:7c:df:cb:24:24:e0:b9:
1e:f3:d5:e5:34:67:e3:a3:88:ff:da:12:db:03:8d:
14:29:64:33:60:8e:40:c8:12:d7:c9:75:5d:c8:91:
65:84:3e:27:65:0b:cb:4a:e4:98:13:57:27:32:6f:
ee:d6:25:04:85:3f:b5:0e:91:26:c3:77:0c:71:7a:
02:91:0d:d1:17:28:65:f7:a9:d3:76:9a:3c:08:b2:
9b:07:f5:ce:20:e9:fb:02:af:58:bc:d9:59:94:65:
f4:06:5d:a4:ac:ce:3b:e8:6e:83:40:e5:aa:32:74:
38:f1:cd:9e:47:19:8f:d1
coefficient:
58:0f:63:1b:78:7f:19:9e:87:c9:03:d2:77:83:fb:
77:ec:9b:8a:67:91:83:ac:2e:45:b7:9c:8a:05:d6:
31:ae:e4:a7:61:17:48:81:55:9c:c8:bd:a8:79:74:
84:d2:cd:f4:c5:9f:d8:c7:91:d1:a8:85:48:9b:96:
93:6f:72:f1:16:58:12:51:80:8f:ac:33:56:6a:fc:
e8:47:9c:94:91:86:f4:0f:c9:6e:f4:c6:b4:d9:4f:
94:fe:72:55:e7:05:91:91:61:bf:9f:83:41:44:fb:
3b:9a:81:40:9e:78:5e:48:6d:29:11:bb:e9:0b:59:
43:0d:31:51:31:65:c5:91
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA141xEmZuAqraofwgoMdXL7pLMF9R+H+EV4Z1MAfSnvp4QKV+
T+grE54fwEwiIYaCh0FflOS6clMT4LbCLeSaNb+A6wOUJLMDd3+TlSpgmRBihWxk
wSXCGjqpASCbaMlsNoQEwUlw08YryX+769i85nCDKq2pkCdbNMCbkOdocTVm4NTU
BLCAloexQgHtTmaEDKF4Z7bo+X/M/1XCF5mguXmiuFVzZ8BE6812Aaafe+UCFheT
NESs2s7jdDC5OPKU/gWNSQ/H65JoueYzQqVwHZ/cE0wIJF8bbaGXAOOJf6Zlagl2
58NfXQDcXgPPjmsDnLLT4zWUKSCVh7noQGQc2QIDAQABAoIBAHxYPbgtmpyzTvhO
58uX8vW3dBRtiG3fscqD6CpS+O948dHpJhqWhfMFLq/Ru4a3f6jiz26nG99DiZ4C
D7ZFv6ft10K7h8Q7+G4BDHPqRFtIFm19gAnj7DsRR9k8pCoot+Ii+lM+OHYSRcQx
iYieOSp+EUyXbc+YxIaD7boDpD5ZTv+RFTXVAl18A0MLHLH4hfL63krJTr/sLY+2
Ori/RTFQI+5XHfYO2NB3MBGxygWomlbj/bbCCV49hYbDQhUeREIo/e/IG9YgrZkZ
i+cPSHQUQaIUrcTGcJLWtTP37KhoM1odfYq3BuUnrO65AW4dMbsDRV3LUI3H36of
RwuaklkCgYEA60I3/58DdOx2DzzY2Z0VkDP0xVk12FFKL0he6mwYNdDzbll1x/Hb
NLy438lbT2UN8maz6OcpfKe4Y899MUHFRJcb3WPdC49q0PhoHH1decniFZsBKJTR
e/8ZS/Z/jqXZitmaJbkVF+1a7mSbFWTh20RbG/dWsEsJN+HnykayLEcCgYEA6o50
miudy4WtP5jo/nos1ZhXNWGv2Fnpfs+Lviz9EGJVOa0XB+HhOYVxZ9tZysOMJ+qp
/TEWeXpYHXupRgJqSb/k7tLVdJTXaFgKVOan+HigjUNBtLAYX5iFH7Lv2I7gIHhZ
mMSw11429YdIvO5Sg2tPMotfmUegqq3pulW4nd8CgYEA3Z07cykv8Gzvqdr/y78W
GQlYgq9O8b9hyri58Mpy4/850bGkKf3DKSK+ZNEhmuDvCnGE+NkJU8wK/rrujAAQ
/FP8g8kW6VToooHeUTgnXhq3RvMFXF0UGWJtSgmij5XcH9hsRSzcmfWVuww6qySl
PhBeYzHUD64fuOytlPaT0PECgYAyBR8ooZSNCnzfyyQk4Lke89XlNGfjo4j/2hLb
A40UKWQzYI5AyBLXyXVdyJFlhD4nZQvLSuSYE1cnMm/u1iUEhT+1DpEmw3cMcXoC
kQ3RFyhl96nTdpo8CLKbB/XOIOn7Aq9YvNlZlGX0Bl2krM476G6DQOWqMnQ48c2e
RxmP0QKBgFgPYxt4fxmeh8kD0neD+3fsm4pnkYOsLkW3nIoF1jGu5KdhF0iBVZzI
vah5dITSzfTFn9jHkdGohUiblpNvcvEWWBJRgI+sM1Zq/OhHnJSRhvQPyW70xrTZ
T5T+clXnBZGRYb+fg0FE+zuagUCeeF5IbSkRu+kLWUMNMVExZcWR
-----END RSA PRIVATE KEY-----
[root@htas-master ~]#
使用cat命令查看server.key
[root@htas-master ~]# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A51F20F5E74DB0CD
+tg15q/13nXLvFdrViO+fCpeGqag7lH4hu4fRNPD7QGPzSLPIbIGFryGqyHJPi11
dO3mcxaB6wiFKE2aKfqXRPhUOrWocm1C+vM5TDiWn4fI4qMd2XYslmlswsqovprh
zEp9P3zTOrNtdkVmyROPIHG4o/Da17776YZZGN2i0nkgcuwj6kiVYMrggDk7eAF9
O+AYyFeZlN1DDmUUhKLTko9RBl7R/3R8zZPTvmI121kLNpTcus3wCdYj1xezqauK
wa0o8/XAinRRH4BtDZjOBxxf1Pz4ajFZHPAEaaho9kDalqhskXTzXGxdMmAFVM79
wtUR/uakoDJz9+0bwKZc0RlDS2VVtOdvS5FkjHFVZ7ALl1ogXsa7l2OWUUJzC+x1
uLiDKj0/6q1jm3TzphJcXv6zaIIVajaL1U9tmdfFIhAw4C04Uth67jTabMtRSyXk
7Ijdx4nYgo4b6y2FMUPQPdpy73Mmd+dYfwQyk6erck0Z+705v5dDaj5Vz9bw80VM
Nl29KGccgmzTDRpNkql5WsfggHbCi8PY6ClW3VWjJXQVQUWGIe3s7TNF1b6XEp5Z
/kY6IoQDO1Bn1pC6B/EI8cHP4simYveEadBU41pV40I9mS9eDeVZ8EtFUuk+KfmF
dr2l/SsPNHPfX6his7bLV+fkEW/xfeC92cdZBLuNbJcVZRL5OXpqkSAumpTVGz9e
fY28LmpFy+g4rRSOoNw3OW/V2rWzLuHDGisNEd4niiy3FF3zoI8kNlMSyWmNMm79
5UZPZHq+BQ3mD88iCp3OoomEg2C3807NbvgcQziiiXDDAHCQ1Ia7sxoX9v8HR2lD
+KvIABbZgVs+kFgWr9UyvWZcsQ0IamtbiVvXR3OwarOEDIJYumMMkckMhMDEsTSV
bazsoRsB+CgaY3LPmUdA6NLtx5ya+FPwUlVyJigZvN/XZuy4Bm+HO4NpVe7dV7K/
ITzj2eAglw/xaQe/7U7k0tNuD1WWUAcQzYzx+BISHsUHDUw1ua7oP6xpCsuph79e
H/7Q+dbyiNZhKJQuUTQOA7mgImODpyEJVnLyojT8pr1w9UzC3Y5NqcHpYfxVogFg
nhRtjk5ZjDEin8x7EycWF4R6YpHVsr0qezxmHuxEvyTP1b+I3voDGbRxwwIxJUUK
z9qdTXKgBvYA75T0FqatXgl2NA/lLCvSnnrn1ntO2MZE5G8mzQ5Vp+k/V7u1Irk/
t/ck5A0ejKHLHpT4f3wPKMI6/YxGhHXthkJGZKgnE6TEY8ZuFfxuB15l/VOInbR8
hqRbt0YOlwUQi5f6lI+nYKLXudNvfq42zLu0PWjDJvtlMTEHUy+6mcZPyQuGlF3Y
JWo0ThyO0msAxD8tCz627zKzWq7pnZanF654yNGQU4Jvx/xeAs+I7zfko+qmQq4B
re3wM54Huj/Gjc2PyjqU3fQ1rxi52Q/PE1vtuYKNnY3IV5JI1xVtaRCmHjc2ts73
vsihrn5foQB7/bAyX/PG3KvsE38A+++EB70j8c1DTQ2Ptm8za6zfSqxSH+CHCAtT
9XgILaB+47n30twCDeoeMQLizY25l9CNbJiUuVLJ7jL2j/HusLT1zA==
-----END RSA PRIVATE KEY-----
[root@htas-master ~]#
2. 创建证书签名请求CSR文件
-key的含义是:指定ca私钥-out的含义是: server.csr 生成证书文件
openssl req -new -key server.key -out server.csr
使用命令操作:
[root@htas-master ~]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ht
Organizational Unit Name (eg, section) []:ht
Common Name (eg, your name or your server's hostname) []:*.com.cn
Email Address []:435695323@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:ht
运行如上命令后,生成CSR时会要求填入以下信息:
Country Name (2 letter code) []:CN // 输入国家代码,中国填写 CN
State or Province Name (full name) []:beijing // 输入省份,这里填写 beijing
Locality Name (eg, city) []:beijing // 输入城市,我们这里也填写 beijing
Organization Name (eg, company) []:ht // 输入组织机构(或公司名,我这里随便写个ht)
Organizational Unit Name (eg, section) []:ht // 输入机构部门
Common Name (eg, fully qualified host name) []:*.com.cn // 输入域名,我这边是 (*.com.cn)
Email Address []:435695323@qq.com // 你的邮箱地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 // 你的证书密*码,如果不想设置密*码,可以直接回车
An optional company name []:ht // 可选公司名称随便输入
如上操作后,会在当前目录下生成以下两个文件:
-rw-r--r-- 1 root root 1094 Dec 22 02:12 server.csr
-rw-r--r-- 1 root root 1743 Dec 22 02:05 server.key
查看csr文件如下命令:
openssl req -text -in server.csr -noout
root@htas-master ~]# openssl req -text -in server.csr -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=cn, ST=beijing, L=beijing, O=ht, OU=ht, CN=*.com.cn/emailAddress=435695323@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d7:8d:71:12:66:6e:02:aa:da:a1:fc:20:a0:c7:
57:2f:ba:4b:30:5f:51:f8:7f:84:57:86:75:30:07:
d2:9e:fa:78:40:a5:7e:4f:e8:2b:13:9e:1f:c0:4c:
22:21:86:82:87:41:5f:94:e4:ba:72:53:13:e0:b6:
c2:2d:e4:9a:35:bf:80:eb:03:94:24:b3:03:77:7f:
93:95:2a:60:99:10:62:85:6c:64:c1:25:c2:1a:3a:
a9:01:20:9b:68:c9:6c:36:84:04:c1:49:70:d3:c6:
2b:c9:7f:bb:eb:d8:bc:e6:70:83:2a:ad:a9:90:27:
5b:34:c0:9b:90:e7:68:71:35:66:e0:d4:d4:04:b0:
80:96:87:b1:42:01:ed:4e:66:84:0c:a1:78:67:b6:
e8:f9:7f:cc:ff:55:c2:17:99:a0:b9:79:a2:b8:55:
73:67:c0:44:eb:cd:76:01:a6:9f:7b:e5:02:16:17:
93:34:44:ac:da:ce:e3:74:30:b9:38:f2:94:fe:05:
8d:49:0f:c7:eb:92:68:b9:e6:33:42:a5:70:1d:9f:
dc:13:4c:08:24:5f:1b:6d:a1:97:00:e3:89:7f:a6:
65:6a:09:76:e7:c3:5f:5d:00:dc:5e:03:cf:8e:6b:
03:9c:b2:d3:e3:35:94:29:20:95:87:b9:e8:40:64:
1c:d9
Exponent: 65537 (0x10001)
Attributes:
unstructuredName :ht
challengePassword :123456
Signature Algorithm: sha256WithRSAEncryption
d1:6c:64:56:10:43:9c:1d:a2:d4:4a:67:b0:47:ed:39:5c:cc:
4e:b1:c1:ce:da:b5:5d:a1:fd:b9:68:53:4f:15:f9:c6:ea:f7:
7d:08:ce:39:4b:ea:65:67:cc:ac:c8:0e:ea:be:af:6d:93:25:
79:3e:51:f3:5d:ed:35:3c:96:93:e3:d5:1a:8e:ea:1b:6c:56:
bc:86:28:af:3b:e4:8b:dd:f4:c0:85:9b:14:7a:66:5a:bd:a9:
35:77:db:d3:66:6e:b9:5e:c6:63:98:61:92:9f:f7:f3:77:7a:
ff:5b:5e:39:4e:13:7e:61:6e:75:7c:c9:37:c9:d5:a7:ae:a5:
6e:91:ae:5c:40:c9:5c:51:da:c6:30:3e:39:83:84:4d:7c:bf:
16:3d:ec:59:7d:86:84:ee:63:af:ea:a3:2a:5d:dd:46:f3:72:
2e:64:c6:02:23:75:07:d1:b6:50:5a:4b:46:8e:7c:fd:c3:3c:
fb:99:ca:e6:32:f4:a5:e8:f2:15:9d:3a:5a:bb:08:f5:29:74:
6d:a1:ce:a1:f6:2e:81:31:4d:13:53:83:9c:75:d4:7a:55:24:
31:ed:c7:5b:8a:e7:bd:e3:c8:18:ac:42:dd:9d:20:1b:b5:ce:
8a:b6:91:53:59:2c:6e:31:e5:17:18:2d:4c:96:40:98:96:75:
2e:4f:46:33
[root@htas-master ~]#
3. 生成CA证书
x509的含义: 指定格式-in的含义: 指定请求文件-signkey的含义: 自签名
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[root@htas-master ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=ht/OU=ht/CN=*.com.cn/emailAddress=435695323@qq.com
Getting Private key
Enter pass phrase for server.key:
[root@htas-master ~]#
执行命令后查看生成文件,多出一个server.crt文件
-rw-r--r-- 1 root root 1265 Dec 22 02:18 server.crt
-rw-r--r-- 1 root root 1094 Dec 22 02:12 server.csr
-rw-r--r-- 1 root root 1743 Dec 22 02:05 server.key
注意:如上server.crt 是证书持有人的信息,持有人的公钥,以及签署者的签名等信息。
4. 生成客户端证书
生成客户端证书与生成CA证书相似。
4.1. 先要生成私钥
使用命令:
openssl genrsa -out client.key 2048
[root@htas-master ~]# openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................................................................+++
......................................................+++
e is 65537 (0x10001)
[root@htas-master ~]#
4.2 生成请求文件
openssl req -new -key client.key -out client.csr
执行命令:
[root@htas-master ~]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:ht
Organizational Unit Name (eg, section) []:ht
Common Name (eg, your name or your server's hostname) []:*.com.cn
Email Address []:435695323@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:ht
[root@htas-master ~]#
4.3 发给ca签名
openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt
使用命令:
[root@htas-master ~]# openssl x509 -req -days 365 -in client.csr -signkey client.key -out client.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=ht/OU=ht/CN=*.com.cn/emailAddress=435695323@qq.com
Getting Private key
[root@htas-master ~]#