2020 年 3 月 21 日
 

生成客户端私钥

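# Client (device) private key: RSA-2048, encrypted at rest with AES-256.
# genrsa prompts twice for the pass phrase; the same phrase is required for
# every later `openssl req -key` use of this file.
openssl genrsa -aes256 \
  -out intermediate/private/device.key.pem 2048
# Owner-read-only, the step the session log performs right after generation
# (intermediate/private/ itself is already mode 700).
chmod 400 intermediate/private/device.key.pem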

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/device.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/device.key.pem:
Verifying - Enter pass phrase for intermediate/private/device.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/device.key.pem 
[root@ip-172-31-2-174 ca]#

生成客户端CSR文件

# Certificate signing request for the device key (pass phrase is prompted).
# The DN fields (C/ST/L/O/OU/CN) are entered interactively; the CN typed
# here (a device id in the log) becomes the subject of the issued
# certificate. -sha256 selects the digest used to sign the CSR.
openssl req -new -sha256 \
  -config intermediate/openssl.cnf \
  -key intermediate/private/device.key.pem \
  -out intermediate/csr/device.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/device.key.pem \
> -new -sha256 -out intermediate/csr/device.csr.pem
Enter pass phrase for intermediate/private/device.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:MENGNIU
Organizational Unit Name []:IT
Common Name []:IOTHS0000238
Email Address []:
[root@ip-172-31-2-174 ca]#

生成客户端证书

# Have the intermediate CA sign the device CSR (prompts for the
# intermediate key's pass phrase).
#  -extensions usr_cert : client profile from intermediate/openssl.cnf; in the
#                         log it yields CA:FALSE, critical keyUsage and
#                         EKU = TLS Web Client Authentication, E-mail Protection
#  -days 180            : validity, echoed as "certified until ... (180 days)"
#  -notext              : PEM only, no human-readable dump in the output file
#  -md sha256           : signature digest
# The subject DN is copied from the CSR (subject to the policy rules in
# intermediate/openssl.cnf, not shown here); compare the printed
# "Certificate Details" with the device you intend to enrol before
# answering y, because the entry is then committed to intermediate/index.txt.
openssl ca -md sha256 -notext \
  -config intermediate/openssl.cnf \
  -extensions usr_cert \
  -days 180 \
  -in intermediate/csr/device.csr.pem \
  -out intermediate/certs/device.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions usr_cert -days 180 -notext -md sha256 \
> -in intermediate/csr/device.csr.pem \
> -out intermediate/certs/device.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Mar 21 06:04:03 2020 GMT
            Not After : Sep 17 06:04:03 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = MENGNIU
            organizationalUnitName    = IT
            commonName                = IOTHS0000238
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
Certificate is to be certified until Sep 17 06:04:03 2020 GMT (180 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
V       200917060403Z           1001    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=MENGNIU/OU=IT/CN=IOTHS0000238
[root@ip-172-31-2-174 ca]#

验证客户端证书信息(180天)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/device.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 06:04:03 2020 GMT
            Not After : Sep 17 06:04:03 2020 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=MENGNIU, OU=IT, CN=IOTHS0000238
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:23:0a:d9:b9:37:8b:6f:41:50:2b:2b:a0:c4:
                    21:2a:a8:70:65:a3:ea:39:46:4b:76:09:2c:31:5b:
                    a5:a1:b1:08:fc:db:f4:28:5b:b6:fe:08:b6:04:bf:
                    31:4c:57:0a:06:31:bb:b6:01:1d:94:91:4c:bf:da:
                    5e:9a:fb:1e:30:d8:52:0e:96:71:9e:68:e2:2e:f7:
                    20:02:2d:09:7e:54:14:1d:a0:0b:e4:7d:85:ef:51:
                    14:4d:1d:a6:c4:1c:9c:0e:aa:82:ba:a9:b4:aa:9d:
                    de:f5:c2:3f:80:d6:e3:24:99:18:a2:59:11:a3:64:
                    f9:7f:63:f9:18:42:6d:22:46:f1:a2:8b:86:8a:28:
                    05:5e:32:3e:da:5f:62:25:38:ea:02:5e:9e:7e:8e:
                    c9:5d:f1:ec:4e:cc:e1:32:5f:ad:59:e2:df:d5:58:
                    a5:29:8a:01:b1:c4:b5:ee:43:78:bb:4b:78:34:41:
                    5a:cb:56:8d:b2:56:a8:f8:f2:05:be:5f:63:f5:0b:
                    98:30:22:20:fb:e9:b5:16:85:b9:fe:99:33:3c:d9:
                    da:3c:26:01:a8:a8:d4:9d:31:fd:27:72:87:f6:4a:
                    c0:27:64:e6:89:b8:90:fa:8e:8f:be:e3:f5:80:13:
                    fd:46:bc:0a:e5:43:cc:61:4e:da:15:dd:2f:8d:f6:
                    15:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier: 
                27:65:F1:14:2F:E9:F8:41:9F:45:B6:79:32:E7:6C:D5:5C:DE:D3:71
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
    Signature Algorithm: sha256WithRSAEncryption
         39:bb:70:3a:c0:00:19:dd:7d:1c:47:76:cf:d6:31:c0:e6:25:
         37:9e:ba:d9:45:59:fd:fc:fb:22:6d:d1:f8:5b:1b:47:0c:79:
         06:5a:6f:59:0c:e8:66:d1:b2:c6:17:8d:39:22:d5:a2:69:28:
         85:a5:8b:b7:bf:57:8b:45:b8:92:2b:4c:07:2c:7e:c9:c6:e7:
         cf:9e:4f:b7:42:44:04:8b:e1:11:ea:d5:75:5f:7d:c8:e9:70:
         c8:12:bf:44:e2:0c:e9:53:72:e8:2f:6f:c7:25:7f:a3:38:5b:
         7d:12:90:ec:a5:f3:77:2c:b1:75:f8:3c:87:96:60:3e:ba:84:
         7e:aa:79:e6:dc:45:89:70:15:6c:44:d7:e1:24:e0:f7:d5:33:
         05:2c:3b:8a:b5:07:b0:6a:41:3f:57:d7:ef:74:05:5d:b7:7a:
         dc:0a:e1:ae:d4:22:cc:5d:5a:85:da:f9:51:db:a6:56:46:e2:
         a4:dc:e3:5d:ac:a4:ce:39:8c:cf:db:c1:d1:83:0e:97:30:2e:
         29:79:d9:49:75:b5:eb:64:72:8f:cb:35:80:61:46:5e:3a:f4:
         4a:50:4f:bf:92:64:a0:91:63:d4:58:db:20:16:f8:67:75:e5:
         71:f4:de:fd:99:d8:a7:e5:5b:a3:11:be:d1:76:78:22:89:bf:
         49:55:cf:b1:8f:ca:67:91:e4:71:64:8c:fc:1c:bc:eb:15:2b:
         92:4b:01:13:30:1d:43:8f:ae:4b:e5:7f:ab:60:be:36:fb:c8:
         19:93:dc:8a:de:5e:dd:73:32:00:20:45:b3:16:b8:79:95:07:
         aa:6c:59:4d:d3:8a:48:ac:cd:fb:91:c0:1b:59:93:3d:68:51:
         97:ab:b1:09:53:7d:02:08:3a:42:05:62:a4:a8:b3:a0:fc:cc:
         98:96:73:0b:82:08:2b:6c:4b:c7:53:70:86:7f:27:ed:ed:57:
         59:15:4a:aa:f3:0e:51:c8:03:ec:dc:8d:04:00:a5:4b:77:f8:
         7b:ba:0b:1c:71:4f:3a:d7:a9:b2:1b:01:d8:8a:9f:c3:25:89:
         58:6c:24:28:8c:37:bb:81:2f:09:eb:67:d6:1f:1f:35:cf:9b:
         f6:06:20:00:d6:d0:cc:38:91:d8:cc:89:fe:06:94:81:49:22:
         4b:85:3a:cd:0f:9a:be:7e:52:fa:94:33:18:84:d9:d2:aa:88:
         20:3d:70:54:33:a7:e3:ea:24:c5:c2:79:01:fa:ef:f5:b1:bd:
         34:02:f2:79:b5:ba:d7:0f:d3:0c:6b:b0:66:c2:de:c4:f3:50:
         06:4c:05:ca:0d:b5:7b:4c:5f:1e:ff:4f:31:7b:2e:a1:43:67:
         b2:9a:b2:0a:19:35:75:df
[root@ip-172-31-2-174 ca]#

使用CA证书链验证客户端证书有效性

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/device.cert.pem
intermediate/certs/device.cert.pem: OK
[root@ip-172-31-2-174 ca]#
2020 年 3 月 21 日
 

生成服务端私钥

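# Server private key for api.iot.com: RSA-2048, AES-256 encrypted at rest.
# genrsa prompts twice for the pass phrase; the same phrase is required for
# every later `openssl req -key` use of this file.
openssl genrsa -aes256 \
  -out intermediate/private/api.iot.com.key.pem 2048
# Owner-read-only, the step the session log performs right after generation
# (intermediate/private/ itself is already mode 700).
chmod 400 intermediate/private/api.iot.com.key.pem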

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/api.iot.com.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/api.iot.com.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/api.iot.com.key.pem 
[root@ip-172-31-2-174 ca]#

生成服务端CSR文件

# Certificate signing request for the server key (pass phrase is prompted).
# The DN is entered interactively; the CN typed here is api.iot.com. Only
# the DN is requested here — any subjectAltName has to come from the
# extension section the CA applies at signing time.
openssl req -new -sha256 \
  -config intermediate/openssl.cnf \
  -key intermediate/private/api.iot.com.key.pem \
  -out intermediate/csr/api.iot.com.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/api.iot.com.key.pem \
> -new -sha256 -out intermediate/csr/api.iot.com.csr.pem
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWL
Organizational Unit Name []:IT
Common Name []:api.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#

生成服务端证书

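# Have the intermediate CA sign the server CSR (prompts for the
# intermediate key's pass phrase).
#  -extensions server_cert : server profile from intermediate/openssl.cnf; in
#                            the log it yields CA:FALSE, critical keyUsage and
#                            EKU = TLS Web Server Authentication
#  -days 365               : validity, echoed as "certified until ... (365 days)"
#  -notext                 : PEM only, no human-readable dump in the output file
#  -md sha256              : signature digest
# NOTE(review): the issued certificate carries no subjectAltName (see the
# x509 dump: CN=api.iot.com only). Clients that match the hostname against
# SAN rather than CN will reject it; if that matters, add
# `subjectAltName = DNS:api.iot.com` to the server_cert section of
# intermediate/openssl.cnf before signing.
# Compare the printed "Certificate Details" with the intended server before
# answering y — the entry is then committed to intermediate/index.txt.
openssl ca -config intermediate/openssl.cnf \
  -extensions server_cert -days 365 -notext -md sha256 \
  -in intermediate/csr/api.iot.com.csr.pem \
  -out intermediate/certs/api.iot.com.cert.pem
# Public certificate, read-only for everyone — the step the session log
# performs right after signing.
chmod 444 intermediate/certs/api.iot.com.cert.pem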

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions server_cert -days 365 -notext -md sha256 \
> -in intermediate/csr/api.iot.com.csr.pem \
> -out intermediate/certs/api.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWL
            organizationalUnitName    = IT
            commonName                = api.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Mar 21 05:58:37 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/api.iot.com.cert.pem 
[root@ip-172-31-2-174 ca]#

验证服务端证书信息(1年)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/api.iot.com.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWL, OU=IT, CN=api.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:ae:bd:fd:ea:de:ab:16:9b:39:a3:53:f0:de:
                    d7:12:cd:b7:7e:55:06:f8:36:74:57:d7:e3:44:b6:
                    03:be:6c:d8:2a:1c:41:20:76:1c:8f:f1:ba:a5:1e:
                    00:a6:4b:2f:43:af:08:20:97:40:7f:a4:74:e6:ac:
                    a9:57:20:c3:e8:f2:5e:8d:be:e6:f2:a4:d5:eb:b9:
                    9a:a1:2e:3a:01:3f:a1:a1:e9:aa:d3:0a:8f:91:46:
                    9d:dd:32:ad:4d:63:1d:e6:fc:08:75:93:0c:b2:d9:
                    fe:86:38:88:48:9f:07:60:ac:c3:ed:f8:27:bb:c8:
                    4a:76:55:64:44:47:eb:6d:d1:ab:aa:47:f3:ad:93:
                    80:42:4b:a2:d6:8b:86:60:4d:6b:5a:08:2e:e9:01:
                    28:5d:05:82:c2:c6:67:d2:79:ea:b6:ab:0b:8f:6b:
                    ed:f1:43:10:7e:26:4b:b5:8a:bc:d0:94:01:6e:18:
                    fd:a3:ce:9a:04:78:12:39:91:aa:7a:c0:d9:d0:0d:
                    74:5e:db:40:a6:d4:24:83:84:71:53:16:12:92:25:
                    49:af:0b:48:2a:b2:fa:a7:bd:dc:f4:83:28:ac:a2:
                    fa:6e:ee:df:64:7e:57:0f:bc:ea:dc:ca:40:e2:f0:
                    17:79:30:38:ff:c7:aa:37:b1:ae:83:9f:26:89:79:
                    74:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         23:63:ee:d6:bb:3e:59:c0:d7:4f:82:03:32:11:20:70:48:1c:
         d4:42:41:29:0c:38:f6:c9:de:c1:c6:a8:e1:f8:a9:25:40:10:
         06:ee:f3:a6:be:47:8a:24:14:07:e5:71:3a:89:3c:21:09:b8:
         80:18:d8:d5:05:db:c2:9c:8a:65:1d:e5:17:32:42:52:40:20:
         12:7a:7a:75:3e:f8:87:39:01:77:d5:11:30:94:92:75:04:55:
         f9:1f:40:6d:97:8f:3e:b8:41:46:bc:53:04:7f:1c:53:05:c5:
         d8:a6:88:c7:5b:dd:65:c7:b6:dd:f5:90:6d:71:70:9b:39:fd:
         2a:5b:fa:c2:6d:bd:bf:15:97:5e:33:3d:13:24:2c:cf:91:f1:
         3a:32:2f:8d:f7:05:84:1a:81:80:c7:fc:77:24:d8:38:1a:23:
         a3:a8:77:32:16:30:0b:04:b8:ae:30:c9:95:98:57:90:a3:02:
         b5:0b:7d:76:ac:9f:a5:ac:c3:42:74:10:e0:eb:2b:8d:8a:92:
         31:fc:7e:d1:96:d8:25:84:01:b5:06:55:c8:a4:8d:8f:26:af:
         55:bb:3f:b0:12:b8:3d:07:76:87:77:58:fc:2c:45:86:4f:11:
         15:a1:ef:03:24:1d:78:bf:84:fd:02:b5:eb:33:62:28:e9:70:
         b2:c7:21:2c:b5:4f:d9:e6:17:b1:7b:84:04:78:fd:46:bd:a0:
         38:88:45:ad:6a:0b:58:38:1d:2e:4f:ad:ab:69:ae:cb:54:6e:
         6e:34:fc:e4:76:95:09:56:ff:c1:a3:67:4a:6f:2a:5d:61:92:
         a6:57:97:8f:2a:ee:80:9f:a8:1e:d2:db:49:b3:af:46:18:7b:
         a7:08:18:8e:bc:10:75:02:b1:15:7c:fe:42:a0:ce:c0:f5:5a:
         3a:fb:89:bc:80:f8:15:32:1f:83:bf:f2:91:4f:1c:6a:58:f3:
         0c:4a:af:ac:91:7a:80:08:35:1d:8e:ce:2a:c8:5c:92:14:22:
         28:dc:b2:cf:bd:60:1d:ca:17:ee:90:27:28:99:d3:c4:58:5c:
         a0:1b:09:e8:6e:c7:e0:6a:9a:f3:84:ce:ea:02:9f:5a:d1:22:
         6f:cc:e1:4f:e6:f2:0b:a4:ab:b6:84:ae:f3:91:c6:0f:4b:58:
         94:b5:80:c0:11:74:08:c9:68:44:c6:a9:21:de:98:34:54:8d:
         f2:e2:1f:dc:17:f8:09:22:c9:06:a4:70:66:9f:3b:60:fa:e8:
         c8:67:8a:eb:6c:77:3a:c4:b8:db:95:36:2b:7f:b4:ae:94:34:
         fe:24:fa:a3:e6:9e:61:ee:05:b9:d8:a5:df:93:bf:77:4c:81:
         56:26:25:bc:1f:e7:fd:a3
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
[root@ip-172-31-2-174 ca]#

使用CA证书链验证服务端证书有效性
注意:必须先构建证书链文件(中级证书在前,根证书在最后),再通过 -CAfile 传给 openssl verify。原因是服务端证书由中级CA签发,而中级CA证书又由根CA签发,-CAfile 中必须同时包含这两级证书才能把服务端证书一路链接到受信任的根证书,所以任何单级(根/中级)CA证书都无法单独完成对服务端证书的验证。

构建证书链文件

# Build the CA chain file: intermediate certificate first, root last.
# Both inputs are public certificates (mode 444); no key material belongs
# in this file.
cat \
  intermediate/certs/intermediate.cert.pem \
  certs/ca.cert.pem \
  > intermediate/certs/ca-chain.cert.pem
# Read-only for everyone, like the other public certificates.
chmod 444 intermediate/certs/ca-chain.cert.pem

[root@ip-172-31-2-174 ca]# cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem 
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/ca-chain.cert.pem

验证

# Validate the server certificate against the chain file; prints
# "<file>: OK" on success. Every certificate in -CAfile is treated as
# trusted, which is why the intermediate can be supplied there together
# with the root. This checks signatures, the chain and the validity dates;
# it does not check that the certificate's name matches api.iot.com — that
# is the TLS client's job at connection time.
openssl verify \
  -CAfile intermediate/certs/ca-chain.cert.pem \
  intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
> intermediate/certs/api.iot.com.cert.pem
intermediate/certs/api.iot.com.cert.pem: OK
[root@ip-172-31-2-174 ca]#
2020 年 3 月 21 日
 

创建中级CA证书签发目录结构

[root@ip-172-31-2-174 ca]# mkdir -p intermediate/{certs,crl,csr,newcerts,private}
[root@ip-172-31-2-174 ca]# chmod 700 intermediate/private/
[root@ip-172-31-2-174 ca]# touch intermediate/index.txt
[root@ip-172-31-2-174 ca]# echo 1000 > intermediate/serial

准备中级CA配置文件

[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf

生成中级CA私钥

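# Intermediate CA private key: RSA-4096 (CA keys use a larger modulus than
# the 2048-bit leaf keys), AES-256 encrypted at rest. genrsa prompts twice
# for the pass phrase; it is required again for every `openssl ca` run.
openssl genrsa -aes256 \
  -out intermediate/private/intermediate.key.pem 4096
# Owner-read-only, the step the session log performs right after generation
# (intermediate/private/ itself is already mode 700).
chmod 400 intermediate/private/intermediate.key.pem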

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................................++
....................++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/intermediate.key.pem 
[root@ip-172-31-2-174 ca]#

生成中级CA CSR文件

# Certificate signing request for the intermediate CA key (pass phrase is
# prompted). The DN is entered interactively; in the log the CN is
# "YSWM Intermediate CA". -sha256 selects the CSR's signature digest.
openssl req \
  -config intermediate/openssl.cnf \
  -key intermediate/private/intermediate.key.pem \
  -new -sha256 \
  -out intermediate/csr/intermediate.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/intermediate.key.pem \
> -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM Intermediate CA
Email Address []:
[root@ip-172-31-2-174 ca]#

生成中级CA证书

# Sign the intermediate CSR with the ROOT CA: note -config openssl.cnf (the
# root's config, not intermediate/openssl.cnf), so the pass phrase prompted
# is the root key's (/root/ca/private/ca.key.pem in the log).
#  -extensions v3_intermediate_ca : CA profile; in the log it yields
#                                   CA:TRUE, pathlen:0 (this CA may issue
#                                   end-entity certs but no further sub-CAs)
#                                   and keyUsage Certificate Sign, CRL Sign
#  -days 3650                     : ten-year validity
#  -notext / -md sha256           : PEM-only output, SHA-256 signature
# Check the printed "Certificate Details" before answering y; the entry is
# then committed to the root CA's index.txt.
openssl ca -notext -md sha256 \
  -config openssl.cnf \
  -extensions v3_intermediate_ca \
  -days 3650 \
  -in intermediate/csr/intermediate.csr.pem \
  -out intermediate/certs/intermediate.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
> -days 3650 -notext -md sha256 \
> -in intermediate/csr/intermediate.csr.pem \
> -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:54:42 2020 GMT
            Not After : Mar 19 05:54:42 2030 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = YSWM
            organizationalUnitName    = YSWM Certificate Authority
            commonName                = YSWM Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Mar 19 05:54:42 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#

验证中级CA证书信息(10年)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/intermediate.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Validity
            Not Before: Mar 21 05:54:42 2020 GMT
            Not After : Mar 19 05:54:42 2030 GMT
        Subject: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a6:94:a7:fd:6b:0d:d5:28:48:82:26:ce:cf:55:
                    eb:d6:b5:d8:f2:f3:57:13:53:e7:d6:95:c7:b4:51:
                    2e:ef:f5:20:df:e1:a6:23:63:72:2e:5d:5d:82:5b:
                    4d:6b:cb:4a:ee:25:57:0e:1a:7f:f6:fd:51:62:20:
                    88:c8:6d:b4:a9:34:60:ea:a2:6f:52:f0:ef:56:0e:
                    27:65:d3:e5:ad:a1:74:60:eb:11:50:c9:d6:37:11:
                    fc:4e:89:f4:35:ca:b9:34:f1:22:ff:2a:ca:fc:f5:
                    e4:9d:c9:49:0f:d9:54:aa:1e:0f:b6:50:d7:84:b0:
                    ee:b3:a8:be:ce:16:10:24:00:7a:dc:e7:2d:b5:58:
                    79:9d:07:11:66:d0:77:4a:78:f4:37:b0:cd:3d:8c:
                    8d:91:fc:16:9d:70:3d:4e:b2:9b:7f:8a:37:5a:8b:
                    6d:e7:64:bb:fd:76:be:01:7e:e8:cf:81:f8:94:52:
                    a1:c8:f8:aa:dc:f8:06:86:38:ba:23:ec:b9:08:1b:
                    a6:fa:66:b1:12:66:84:af:41:dc:b1:bb:9c:06:6a:
                    82:2d:3b:06:19:6d:bf:e9:cd:ac:fa:a2:b9:2a:70:
                    61:f2:94:2c:2b:3e:5f:eb:c8:bb:e1:e8:0c:d1:52:
                    93:e9:71:a5:71:81:fc:04:58:34:59:c4:2f:1e:a5:
                    0b:43:13:a3:53:4c:c1:0c:b6:0b:1e:aa:a7:30:bf:
                    76:26:42:79:aa:02:cd:d1:42:40:21:e0:a0:a2:61:
                    e8:6d:24:14:c7:53:67:99:6c:c4:ae:0c:a3:c2:76:
                    8c:0d:2a:18:42:85:c6:f6:29:fe:e9:56:4d:55:48:
                    19:9b:57:14:c8:19:5c:eb:b9:90:60:06:ed:37:ca:
                    0d:a6:9a:7d:4c:68:b3:0c:12:df:3a:d8:e4:d6:fa:
                    b3:dc:72:dc:5c:68:c7:3a:0d:1b:8a:47:58:b0:23:
                    e3:8f:78:a7:63:8e:e0:f8:96:dc:82:77:ab:11:60:
                    d5:af:77:4d:5e:fb:7a:e4:de:1e:ca:a9:f4:5c:c4:
                    f1:2c:95:f6:24:df:00:25:8b:a9:10:0c:6a:de:e2:
                    75:64:62:70:34:fd:9b:2e:04:fc:fc:b4:74:cd:97:
                    65:e7:53:b9:63:e5:13:5e:0b:1f:4e:5e:fa:48:be:
                    d2:16:c8:31:a4:46:a0:9f:7f:ca:6b:0b:f0:c6:b0:
                    ac:18:14:66:d2:fb:c6:07:94:8a:ae:61:2c:b8:4d:
                    b8:9c:2b:aa:72:51:5f:3e:8e:64:b6:d9:42:fe:84:
                    92:38:ba:dc:c5:02:82:1f:65:95:d0:0f:c1:05:62:
                    82:30:6a:5d:63:65:82:b6:4d:4b:f2:aa:4f:7a:87:
                    fd:c3:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         9c:c0:fb:0f:f0:0e:4f:8b:b9:12:f5:9d:1a:9c:29:93:19:9e:
         cc:7d:23:f9:cd:f7:94:10:41:27:38:05:f1:f8:be:f8:cf:b8:
         4d:4f:84:19:4e:ac:47:98:09:ee:d6:1d:a9:ba:2f:a5:29:c2:
         1c:80:9d:c4:e5:9d:77:ba:60:dc:47:ca:fe:0f:5c:98:81:85:
         48:22:cc:7b:11:be:80:fa:d8:1e:ad:b0:4d:3c:5d:d5:eb:3e:
         88:52:67:0a:64:72:24:32:b5:ed:72:75:26:6d:61:7f:f1:48:
         7a:72:36:40:23:ca:f6:82:9f:1c:6e:59:38:d1:bb:57:08:a1:
         a4:a5:88:bd:a4:a6:24:0d:68:96:36:5b:ba:2c:dd:0e:59:09:
         10:c4:43:f7:e7:c9:ac:11:b6:8b:23:4b:be:9f:e8:13:18:c5:
         75:22:2f:59:27:41:60:e2:54:5b:f0:1e:9d:0f:73:61:04:37:
         c9:a3:62:1b:6c:27:15:36:67:e0:0c:cf:f2:8c:fe:a9:cf:36:
         5f:a4:ba:c5:d0:e4:a9:d1:45:0e:56:70:2e:a6:4b:e0:92:72:
         dd:ca:45:6f:ae:5b:f1:63:3c:a0:7a:85:77:48:b9:02:c9:bb:
         68:79:35:80:d5:d5:7c:4f:b0:bc:3b:19:6a:ef:d0:b4:d5:c8:
         6b:ec:3b:54:d5:28:6a:d0:71:b8:a0:1f:3a:87:ff:71:41:a4:
         18:cf:10:03:96:93:fc:55:80:85:3d:f2:2a:ac:62:7c:0d:e4:
         81:52:10:51:3d:fb:8a:81:2b:1b:6f:9f:1d:86:fa:a2:45:88:
         c2:8f:db:fe:77:7f:c0:13:1b:d4:97:bd:07:19:47:ce:5f:68:
         0c:ac:2f:6c:51:86:21:c1:81:f7:fd:a6:32:e3:5d:78:79:eb:
         25:90:e1:e4:9b:0a:5e:9f:e5:97:b4:8e:44:03:23:0d:af:99:
         53:f0:54:82:26:8f:fe:8f:ce:5a:20:67:4e:23:c5:73:a6:42:
         1c:76:23:96:d9:be:0a:9d:fc:4e:74:75:04:61:53:b2:6f:68:
         2f:6c:34:e3:52:b9:19:52:64:94:7c:53:99:6c:f1:4f:92:1a:
         b4:a6:58:1c:c6:b0:9b:64:ca:68:94:98:99:47:bf:12:9c:6d:
         06:c2:35:58:16:d5:97:84:a3:f5:5b:2e:43:61:b4:8f:ae:1a:
         70:e6:5a:bf:26:68:58:f4:92:06:6e:84:75:44:99:ba:6f:e2:
         01:3e:4d:e2:f9:9b:96:91:f7:e8:77:2d:3f:aa:76:9d:3f:46:
         17:8c:bb:92:aa:d2:cb:46:72:6b:ae:df:a5:bd:0f:67:11:c0:
         b0:28:79:44:91:fa:93:13
[root@ip-172-31-2-174 ca]#
2020 年 3 月 21 日
 

创建根CA证书签发目录结构

[root@ip-172-31-2-174 ~]# mkdir -p ca/{certs,crl,newcerts,private}
[root@ip-172-31-2-174 ~]# chmod 700 ca/private
[root@ip-172-31-2-174 ~]# touch ca/index.txt
[root@ip-172-31-2-174 ~]# echo 1000 > ca/serial

准备根CA配置文件

[root@ip-172-31-2-174 ~]# cd ca/
[root@ip-172-31-2-174 ca]# vi openssl.cnf

生成根CA证书私钥

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
..............................................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 private/ca.key.pem 
[root@ip-172-31-2-174 ca]#

生成根CA证书

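# Self-signed root CA certificate. `-x509` makes req emit a certificate
# directly instead of a CSR, so Issuer == Subject (as the x509 dump shows)
# and the serial is generated by req itself (b4:3b:... in the dump) rather
# than taken from the serial file the way `openssl ca` does.
#  -extensions v3_ca : root profile from openssl.cnf; in the log it yields
#                      CA:TRUE (no pathlen) and keyUsage Certificate Sign,
#                      CRL Sign
#  -days 7300        : twenty-year validity
#  -sha256           : signature digest
# The DN is entered interactively; the root key's pass phrase is prompted.
openssl req -config openssl.cnf \
  -key private/ca.key.pem \
  -new -x509 -days 7300 -sha256 -extensions v3_ca \
  -out certs/ca.cert.pem
# Public certificate, read-only for everyone — the step the session log
# performs right after generation.
chmod 444 certs/ca.cert.pem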

[root@ip-172-31-2-174 ca]# openssl req -config openssl.cnf \
> -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -extensions v3_ca \
> -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM ROOT CA
Email Address []:
[root@ip-172-31-2-174 ca]# chmod 444 certs/ca.cert.pem 
[root@ip-172-31-2-174 ca]#

验证根CA证书信息(20年)

[root@ip-172-31-2-174 ca]# openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b4:3b:48:9b:76:69:bf:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Validity
            Not Before: Mar 21 05:47:53 2020 GMT
            Not After : Mar 16 05:47:53 2040 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a1:41:53:36:5b:8c:73:e7:da:90:c2:85:2b:48:
                    47:c1:8b:fb:b9:c0:a9:c1:d5:a8:a7:37:de:41:b3:
                    6b:cb:41:72:ad:e9:99:76:85:37:79:76:6c:54:8b:
                    d3:24:2f:18:6e:37:d2:b4:fb:f8:07:d9:45:7b:71:
                    5c:a2:1a:c1:ea:99:e0:28:53:ab:14:e2:73:5d:54:
                    01:16:fc:1e:27:3d:98:e9:3c:d6:b4:69:df:45:9e:
                    18:ac:8b:4c:ca:10:ff:3b:7d:c5:63:c0:8d:be:e3:
                    31:d7:64:4d:3c:94:32:d1:43:bd:37:87:66:11:b8:
                    24:a5:ab:61:ca:bc:8c:1e:05:78:da:9d:5b:3b:66:
                    ea:b3:a7:6d:b0:f5:1a:8a:72:4e:aa:f3:66:f8:f5:
                    4d:c0:58:b7:11:8f:64:21:ce:8d:5e:d9:e5:79:a9:
                    6a:d3:8f:50:34:f1:e6:2b:73:ce:df:57:9c:2d:fe:
                    a1:17:df:74:d9:0c:f4:4a:a5:a3:9c:6a:64:fd:93:
                    f9:92:18:9b:98:ba:0e:78:06:dc:88:37:0f:17:73:
                    ea:3c:b7:20:fb:10:63:b9:b8:08:55:82:15:84:38:
                    41:9d:e4:e3:31:a9:e5:f5:47:e2:5b:71:15:ac:b6:
                    ec:47:4f:5e:ef:f5:78:44:0c:b1:1d:6a:81:d0:0e:
                    66:b8:bc:a5:10:f0:e0:cc:56:f6:52:86:83:9c:ce:
                    0c:1a:92:42:a3:10:02:92:af:65:0e:1e:1e:d1:bf:
                    3e:9c:c6:59:d1:ae:87:1c:7c:5d:03:0c:b1:1d:0d:
                    73:2f:d1:a7:b3:1c:6e:bf:50:fc:a1:cd:61:e0:e5:
                    20:81:b6:05:2e:89:7a:98:8e:d8:05:a3:14:80:b6:
                    63:cc:c5:0e:26:64:45:93:b0:9c:ac:cd:71:4d:71:
                    19:9a:b7:60:f3:ce:be:e5:0b:78:43:48:d5:70:ad:
                    7a:2c:33:d5:48:85:2e:b8:4a:b3:31:52:70:74:14:
                    ca:26:ce:a1:01:9c:ab:f8:cc:8f:87:f1:8c:20:48:
                    c6:38:aa:e5:57:71:e8:c4:28:41:32:3e:10:4e:16:
                    2d:85:57:d2:a2:46:4c:d4:b7:31:c2:43:41:14:98:
                    b5:5b:f2:19:87:62:fd:72:1b:b4:1c:9f:fc:b7:c3:
                    db:90:f1:15:c4:d0:19:0d:9f:eb:16:b0:d0:47:b8:
                    94:11:29:28:33:f8:ed:7c:0a:09:73:91:bf:5b:ca:
                    48:a8:4f:03:72:82:c2:ab:1b:18:0d:1f:40:e5:6a:
                    a9:64:ef:25:13:2a:9e:6e:c6:46:b5:9b:01:7c:b2:
                    80:40:1a:84:01:71:55:7c:fe:bb:19:bf:4c:53:1a:
                    f2:92:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F
            X509v3 Authority Key Identifier: 
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         01:6d:de:25:86:9e:73:82:21:bd:fe:e2:13:39:2d:da:06:aa:
         34:82:9c:62:06:93:a9:bc:f1:23:85:a5:3e:bc:b9:b8:d0:1f:
         78:09:db:8e:82:ab:0e:44:1e:58:44:6b:da:b3:f6:94:a7:62:
         35:85:07:6a:45:90:91:a3:e7:a4:50:25:b3:bc:dd:58:55:f5:
         bd:13:82:1f:2c:3f:13:f9:3d:de:95:9e:7b:34:ad:9d:29:67:
         71:12:cb:bf:87:47:e2:a0:cf:ff:b4:9d:7f:12:40:ed:d1:3a:
         65:ca:ae:d2:3e:f7:94:85:9c:7f:16:b0:78:72:5d:ff:2e:3b:
         13:47:9c:b2:bc:72:2b:90:9c:2b:0e:79:4d:e4:8c:d3:e5:d7:
         98:1b:09:0a:88:f8:63:74:a1:af:56:04:71:4b:b0:1a:d0:75:
         7e:53:5f:5a:5f:fd:73:53:72:12:69:79:5e:d6:88:ad:40:50:
         c4:6d:1a:c7:e8:ac:dc:7c:6a:f5:f0:b7:5f:5a:95:da:a1:6e:
         b3:98:ea:49:40:49:19:39:6d:f2:7d:bb:0b:4a:d4:31:6a:e0:
         2c:20:02:bc:00:f6:74:e6:b0:b0:d3:05:df:dd:6a:1f:db:50:
         ff:43:bf:dd:3b:10:a6:1a:b9:bf:39:5a:c4:09:b0:10:b7:8e:
         76:fc:64:cf:76:2f:a9:08:24:b2:92:3c:37:04:ba:2b:63:98:
         1c:6e:f8:9d:3d:fa:b1:56:49:7c:46:35:7e:2d:ff:43:fe:6c:
         cb:e3:91:66:2a:3e:31:f3:45:b9:c2:96:34:ac:f4:16:e4:6a:
         cd:f0:86:f9:bd:19:19:1e:19:eb:1e:f8:74:71:8a:fb:3b:37:
         4b:45:59:b9:90:30:bc:67:85:de:e0:d9:36:b5:5d:e5:06:d8:
         e1:0a:d3:86:b3:02:d2:a8:c5:43:ca:b9:70:d6:32:a8:c0:4d:
         39:5a:be:bf:7d:3b:66:60:d1:c8:1f:66:a8:57:de:9f:7f:e1:
         2a:4f:89:1c:78:5d:25:9f:69:dc:b5:2e:59:97:99:65:a1:a1:
         ef:78:78:f1:26:5f:fc:ae:1e:72:00:70:ed:25:d2:91:55:8a:
         1c:34:e6:d3:bf:02:1f:9c:4d:dd:a2:b9:12:fa:5a:f3:22:a4:
         05:24:35:e1:56:76:ab:fe:33:65:46:86:56:f6:d6:ca:f7:4c:
         96:15:0b:16:16:b1:f6:49:64:f9:fe:38:42:dd:2c:b3:db:97:
         41:62:ce:b7:62:66:a9:7a:e3:8d:54:8c:89:23:7a:ac:a5:89:
         df:85:b4:dc:b1:dd:82:67:12:49:05:9e:fb:c0:c8:c9:16:66:
         d1:af:ad:a5:9e:75:14:9b
[root@ip-172-31-2-174 ca]#
3 月 172020
 
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The intermediate CA's own key and certificate (not the root's; the root pair lives under /root/ca).
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
3 月 172020
 
# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
3 月 082020
 
[centos@k8s-01 ~]$ kubectl proxy --help
Creates a proxy server or application-level gateway between localhost and the Kubernetes API Server. It also allows
serving static content over specified HTTP path. All incoming data enters through one port and gets forwarded to the
remote kubernetes API Server port, except for the path matching the static content path.

Examples:
  # To proxy all of the kubernetes api and nothing else, use:
  
  $ kubectl proxy --api-prefix=/
  
  # To proxy only part of the kubernetes api and also some static files:
  
  $ kubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
  
  # The above lets you 'curl localhost:8001/api/v1/pods'.
  
  # To proxy the entire kubernetes api at a different root, use:
  
  $ kubectl proxy --api-prefix=/custom/
  
  # The above lets you 'curl localhost:8001/custom/api/v1/pods'
  
  # Run a proxy to kubernetes apiserver on port 8011, serving static content from ./local/www/
  kubectl proxy --port=8011 --www=./local/www/
  
  # Run a proxy to kubernetes apiserver on an arbitrary local port.
  # The chosen port for the server will be output to stdout.
  kubectl proxy --port=0
  
  # Run a proxy to kubernetes apiserver, changing the api prefix to k8s-api
  # This makes e.g. the pods api available at localhost:8001/k8s-api/v1/pods/
  kubectl proxy --api-prefix=/k8s-api

Options:
      --accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$': Regular expression for hosts that the proxy should accept.
      --accept-paths='^.*': Regular expression for paths that the proxy should accept.
      --address='127.0.0.1': The IP address on which to serve on.
      --api-prefix='/': Prefix to serve the proxied API under.
      --disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you
vulnerable to XSRF attacks, when used with an accessible port.
      --keepalive=0s: keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable
keepalive.
  -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
      --reject-methods='^$': Regular expression for HTTP methods that the proxy should reject (example
--reject-methods='POST,PUT,PATCH'). 
      --reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should
reject. Paths specified here will be rejected even accepted by --accept-paths.
  -u, --unix-socket='': Unix socket on which to run the proxy.
  -w, --www='': Also serve static files from the given directory under the specified prefix.
  -P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.

Usage:
  kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]

Use "kubectl options" for a list of global command-line options (applies to all commands).
[centos@k8s-01 ~]$
3 月 072020
 

下载Dashboard组件编排文件

https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml

[centos@k8s-01 ~]$ curl -O https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7059  100  7059    0     0  43862      0 --:--:-- --:--:-- --:--:-- 44118
[centos@k8s-01 ~]$

[centos@k8s-01 ~]$ kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[centos@k8s-01 ~]$

使用命令行代理工具Proxy以访问Web控制台
默认访问URL地址(服务监听 127.0.0.1:8001)

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

将端口监听在0.0.0.0以提供外部访问（注意：kubectl proxy 本身不对请求做身份验证，而是用本机 kubeconfig 的凭据把请求转发到 API Server；绑定 0.0.0.0 并放宽 --accept-hosts 后，任何能访问该端口的主机都会获得与本机相同的集群权限。此方式只适合受信任网络或测试环境，并应通过防火墙/安全组限制来源地址，使用完毕后及时停止代理进程）

nohup kubectl proxy --address='0.0.0.0' --port=8001 --accept-hosts='^*$' &

访问页面

创建验证令牌（下面把 admin-user 绑定到 cluster-admin，持有该令牌即拥有整个集群的最高权限；生产环境应按最小权限原则创建专用的 ClusterRole/Role，并妥善保管、定期轮换令牌）

[centos@k8s-01 ~]$ vi dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

[centos@k8s-01 ~]$ kubectl apply -f dashboard-adminuser.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
[centos@k8s-01 ~]$

查找生成的令牌信息（注意：同一文件中的两个资源必须用 `---` 分隔，否则 ServiceAccount 不会被创建——上面 apply 的输出只显示了 clusterrolebinding created。此时 `grep admin-user` 匹配不到任何 secret，命令替换结果为空，`describe secret` 会列出命名空间内全部 secret，下面输出中第一个令牌实际属于 default 服务账户（Annotations 中 service-account.name: default），并不具备 cluster-admin 权限。正确创建后应使用名为 admin-user-token-<随机后缀> 的 secret 中的 token）

[centos@k8s-01 ~]$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
Name:         default-token-qmwrz
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 80e30596-8d5a-423e-b980-6444f11f42ae

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwcDA3TnY5TG5NQzQ2eTJ4bXNOM0ctNlpnc1Ezcjl0aXdrcVp0R01LdEEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLXFtd3J6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4MGUzMDU5Ni04ZDVhLTQyM2UtYjk4MC02NDQ0ZjExZjQyYWUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6ZGVmYXVsdCJ9.gS9XEJpbm1LEU4lnWnLsnheQSw2-AWYLzzURAmiylAC3lp0eFhXqXApKhWY4jNQPyslMVsXzsUwXKcIoTAEx44MHd29kW7v3RmTul2o3imA3BlVuu5O0vZHaovXGrwar3UDfx9qZfqB4O2arjHTxvNJ5JXsY8ZsPIpCo4ZAF6cZnsANcTf_d2oajZKt8GruFtMMH6to4z-7yAS7r06gUX4WxQUjir3lPFB--_TBdqWamvK97EmhpGndWVUYZsdkd9649SFQM9k31ht2-3ZpcZVgYU0lX_WswIOiEJjhrQnrxPainvdIGQZyrpyG-zbqvTWSbP32JPUWtgLxM-92OaA


Name:         kubernetes-dashboard-certs
Namespace:    kubernetes-dashboard
Labels:       k8s-app=kubernetes-dashboard
Annotations:  
Type:         Opaque

Data
====


Name:         kubernetes-dashboard-csrf
Namespace:    kubernetes-dashboard
Labels:       k8s-app=kubernetes-dashboard
Annotations:  
Type:         Opaque

Data
====
csrf:  256 bytes


Name:         kubernetes-dashboard-key-holder
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
pub:   459 bytes
priv:  1679 bytes


Name:         kubernetes-dashboard-token-j49z9
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 5a61cd25-243e-405a-8dc5-70e0c005a6a1

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjkwcDA3TnY5TG5NQzQ2eTJ4bXNOM0ctNlpnc1Ezcjl0aXdrcVp0R01LdEEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1qNDl6OSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjVhNjFjZDI1LTI0M2UtNDA1YS04ZGM1LTcwZTBjMDA1YTZhMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.BUg5yeCa9e0R1zC1DJWMSk8ZhskqeMm-ygOnn-sP9evcZEam5yQlthpqxOG5aoFMhaippnOpGcvNnCt0GwyNMRwKbBLG-6DgDPVpgoF5LfY3V1sun6DcFuBTBLdXdBM5iuVlv1c0Mhs8PvyAJenzCshrd4JAUgVzsUK8umWZf_cUlLqCCvimGlYOzpK-cMUepVanegxpiYOZrmEZZYzztpRIYTX9wWE1jzSUDndebbuJIcKILsMa25lSvFjBJDgBvwfVyQ1gRt9AOZu5oWhqgtRc3HJbJv5bAv5p_laoVuJLdiW2k2ZQZp07ZfeBAxz5Lmg-56icjOEaYr_AcdMu5g
ca.crt:     1025 bytes
namespace:  20 bytes
[centos@k8s-01 ~]$

配置SecureCRT端口转发

Windows 2016 NPS RADIUS服务配置

3 月 062020
 

主机列表

DC 18.163.111.34
NPS 18.163.35.186
RRAS 18.162.114.236
PC 18.163.117.102

修改主机IP地址信息为静态IP并指向DNS到AD DC服务器

修改主机名

将NPS主机加入域

重启后使用域管理员账户登录NPS主机

添加角色

启动并配置NPS服务

将NPS注册到活动目录域服务

在活动目录中查看已加入域的计算机RADIUS所属成员组

配置RADIUS客户端

重启NPS服务