NolanHo 
证书签发与自签名证书
1257 字
6 分钟
证书签发与自签名证书
证书签发与自签名证书
密钥生成
一般是ssh/github/WireGuard使用,生成一对公私钥ssh-keygen -t [rsa/ecdsa/ed25519] -f [path] -C "comment"目前RSA不建议使用,又长还不安全,建议使用ed25519,
证书生成
几个概念和文件解释
-
文件
- .key: 证书对应的私钥文件
- .crt: CA认证后的文件,即证书
- .csr: 证书签名请求, 用私钥签名得到的文件
- .crl: 证书吊销列表
- .pem; 导出导入证书用的格式, .crt+.key, 使用base64存储
-
根证书和用户证书: 根证书是信任链顶级, 用户证书是根证书签发的
对于自签证书, 只要根证书是有效的(安装在电脑上), 则由它签发的用户证书就是可信的
-
.x509: 证书格式标准
生成证书有两种, 自签名和CA签发, 只有CA签发的才有https锁标志, 但是加密功能来说两者等效
自签名证书
下面讲解如何生成自己的证书根证书生成
首先需要一个根证书,我们自己就是CA- 创建工作目录
mkdir -p ./myca/{certs,crl,newcerts,private}cd mycatouch index.txtecho 1000 > serialchmod 700 private目录应该是这样的.├── certs # 证书位置├── crl # 吊销列表├── index.txt # 证书目录├── newcerts # 新证书├── private # 私钥└── serial # 自增的index- 准备OpenSSL文件
(openssl.cnf)
[ ca ]default_ca = CA_default
[ CA_default ]dir = /home/nolan/code/myca # CA 根目录certs = $dir/certsnew_certs_dir = $dir/newcertsdatabase = $dir/index.txtserial = $dir/serialprivate_key = $dir/private/ca.key.pemcertificate = $dir/certs/ca.cert.pemdefault_md = sha256policy = policy_loosedefault_days = 3650x509_extensions = v3_ca
[ policy_loose ]# policy设置# optional指后面的CSR可以不写,supplied需要写# match是必须写且值必须和CA的相同countryName = optionalstateOrProvinceName = optionalorganizationName = optionalcommonName = supplied
[ req ]prompt = no # 设置为No直接使用下面的默认值,否则交互式询问default_bits = 4096 # RSA有效,ED25519是没用的distinguished_name = req_distinguished_namestring_mask = utf8only
[ req_distinguished_name ]# 证书主题默认值C = CN # Country NameST = Hubei # State or Province NameL = WuHan # Locality NameO = Apeiria # Organization NameCN = Apeiria # Common Name
[ v3_ca ]# CA:TRUE=CA标识,critical=客户端验证时,不认识就直接拒绝basicConstraints = critical, CA:TRUE# 用途,keyCertSign/cRLSign=签发下级证书/吊销列表,critical=拒绝其他用途keyUsage = critical, keyCertSign, cRLSign# Subject Key Identifier 扩展,快速找到上级证书subjectKeyIdentifier = hash- 生成根CA私钥
# 签发证书openssl genrsa -out private/ca.key.pem 4096# 用ED25519,上面默认RSAopenssl genpkey -algorithm Ed25519 -out private/ca.key.pemchmod 400 private/ca.key.pem- 签发根 CA 证书
openssl req -config openssl.cnf \ -key private/ca.key.pem \ -new -x509 -days 3650 -sha256 \ -extensions v3_ca \ -out certs/ca.cert.pemchmod 444 certs/ca.cert.pem- 验证
openssl x509 -in certs/ca.cert.pem -noout -text结果Certificate: Data: Version: 3 (0x2) Serial Number: 18:09:35:aa:82:e4:6a:e4:8d:d2:35:5d:f2:51:49:83:55:84:5e:e1 Signature Algorithm: ED25519 Issuer: C=CN, ST=Hubei, L=WuHan, O=Apeiria, CN=Apeiria Validity Not Before: Apr 19 08:41:35 2025 GMT Not After : Apr 17 08:41:35 2035 GMT Subject: C=CN, ST=Hubei, L=WuHan, O=Apeiria, CN=Apeiria Subject Public Key Info: Public Key Algorithm: ED25519 ED25519 Public-Key: pub: e5:ac:18:8f:81:7c:d9:e4:59:8d:a3:b0:79:8d:70: fb:04:c2:4f:27:7b:34:3c:6b:a6:15:c0:a5:29:46: ab:97 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: DE:05:5A:55:8B:F6:63:FD:C7:0F:EC:BE:70:7C:55:9E:8A:84:92:1E Signature Algorithm: ED25519 Signature Value: 57:ba:4b:ba:3d:ea:fa:0d:e1:cf:cc:74:e0:03:9b:f4:94:56: 24:dc:f7:e5:d4:3e:47:21:b5:df:e4:8c:e1:c1:2f:84:46:fc: 4a:90:60:e2:df:77:97:0f:e4:2c:c0:60:92:32:d6:69:0d:40: fb:14:cb:39:f9:81:7d:cd:aa:08最终我们得到了.├── certs│ └── ca.cert.pem # CA证书├── crl├── index.txt├── newcerts├── openssl.cnf├── private│ └── ca.key.pem # CA私钥└── serial
用户证书签发
上面已经有了 CA 和私钥,下面讲解如何签发自己的证书
生成用户的私钥,其实和CA生成私钥是一样的,私钥并不分是否是CA
总之需要一个私钥openssl genpkey -algorithm Ed25519 -out nolan.key.pemchmod 400 nolan.key.pem生成CSR,也就是提交给CA的证书签名请求,通过私钥获取到证书openssl req -new -key nolan.key.pem -out nolan.csr.pem这一步需要调整`openssl.cnf`,末尾添加 user_crt 相关配置[ usr_cert ]# 普通用户证书,非 CAbasicConstraints = critical, CA:FALSE# 标识这个证书用作客户端认证keyUsage = critical, digitalSignature, keyEnciphermentextendedKeyUsage = clientAuthsubjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuer- 签发证书
# -extensions usr_cert 就指定了刚刚的配置openssl ca -config openssl.cnf \ -extensions usr_cert \ -days 3650 \ -notext \ -md sha256 \ -in nolan.csr.pem \ -out certs/nolan.cert.pem- 验证
openssl x509 -in certs/nolan.cert.pem -noout -text结果Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: ED25519 Issuer: C=CN, ST=Hubei, L=WuHan, O=Apeiria, CN=Apeiria Validity Not Before: Apr 19 09:01:42 2025 GMT Not After : Apr 17 09:01:42 2035 GMT Subject: C=CN, ST=Hubei, O=Apeiria, CN=Apeiria Subject Public Key Info: Public Key Algorithm: ED25519 ED25519 Public-Key: pub: 03:cb:ee:2b:b6:62:0d:4f:86:6b:37:45:f1:c0:ad: c8:af:1a:0c:01:5e:6b:ab:c7:a1:ee:5a:46:87:38: 6b:dc X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Key Identifier: DD:0B:04:82:65:DA:6E:76:7A:50:39:AC:C5:E9:9B:9B:35:3F:CC:84 X509v3 Authority Key Identifier: DE:05:5A:55:8B:F6:63:FD:C7:0F:EC:BE:70:7C:55:9E:8A:84:92:1E Signature Algorithm: ED25519 Signature Value: af:6b:79:2b:a4:fb:c3:84:33:9d:9a:3a:02:1a:df:c4:70:ac: 8d:7b:42:bf:e3:b3:63:98:f7:12:db:83:89:b2:0c:3b:c8:7e: ad:e3:e5:25:00:e3:c7:fb:af:1b:67:70:0c:af:47:3e:39:13: 6e:66:5e:11:c3:6b:3a:c8:95:05
Let’s Encrypt 申请
certbot方法
# 安装certbot ACMEsudo apt-get install certbot
# 验证域名所有权, 并获取证书, 不过需要确保80和443没有占用sudo certbot certonly --standalone Let’s Encrypt证书有效期一般只有90天, 需要续订
certbot一般会自动设置定时任务自动续订证书, 也可以用下面的命令测试
sudo certbot renew --dry-run # 查看续订(dry-run)
OpenSSL常用命令
- 解析 pem 证书
openssl x509 -in cert.pem -noout -text- 验证证书链
openssl verify -CAfile ca-chain.pem cert.pem- 检查服务器证书
openssl s_client -connect axi.moe:443 \ -servername axi.moe -showcerts </dev/null \ 2>/dev/null | openssl x509 -noout -text- DEBUG 用,Serve AS TLS
openssl s_server -key key.pem -cert cert.pem -accept 8443