2020 年 3 月 21 日
 

生成服务端私钥

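# Generate the server private key: 2048-bit RSA, encrypted with AES-256 under a
# pass phrase that is prompted for interactively (the service that later loads
# this key will need the same pass phrase at start-up).
# umask 077 so the file is created owner-only from the first byte rather than
# relying on the chmod afterwards; the subshell keeps the umask change out of
# the interactive session. chmod 400 matches the step shown in the transcript.
( umask 077 && openssl genrsa -aes256 \
    -out intermediate/private/api.iot.com.key.pem 2048 ) \
  && chmod 400 intermediate/private/api.iot.com.key.pem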

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/api.iot.com.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/api.iot.com.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/api.iot.com.key.pem 
[root@ip-172-31-2-174 ca]#

生成服务端CSR文件

# Build the server CSR from the encrypted key above; the key pass phrase and
# the Distinguished Name fields are prompted for interactively (the defaults
# come from intermediate/openssl.cnf).
# NOTE(review): the issued certificate shown further down carries no
# subjectAltName extension; most current TLS clients match the host against
# SAN rather than CN, so consider adding subjectAltName = DNS:api.iot.com to
# the server_cert extension section of the config before signing.
openssl req -new -sha256 \
  -config intermediate/openssl.cnf \
  -key intermediate/private/api.iot.com.key.pem \
  -out intermediate/csr/api.iot.com.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/api.iot.com.key.pem \
> -new -sha256 -out intermediate/csr/api.iot.com.csr.pem
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWL
Organizational Unit Name []:IT
Common Name []:api.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#

生成服务端证书

# Sign the CSR with the intermediate CA, applying the server_cert extension
# profile from intermediate/openssl.cnf (CA:FALSE, serverAuth EKU, ...).
# Validity is one year; -md sha256 selects the signature digest; -notext
# keeps the human-readable dump out of the PEM file. The CA key pass phrase
# and two confirmations (sign / commit) are prompted for interactively.
openssl ca -config intermediate/openssl.cnf -md sha256 -days 365 -notext \
  -extensions server_cert \
  -in intermediate/csr/api.iot.com.csr.pem \
  -out intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions server_cert -days 365 -notext -md sha256 \
> -in intermediate/csr/api.iot.com.csr.pem \
> -out intermediate/certs/api.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWL
            organizationalUnitName    = IT
            commonName                = api.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Mar 21 05:58:37 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/api.iot.com.cert.pem 
[root@ip-172-31-2-174 ca]#

验证服务端证书信息(1年)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/api.iot.com.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWL, OU=IT, CN=api.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:ae:bd:fd:ea:de:ab:16:9b:39:a3:53:f0:de:
                    d7:12:cd:b7:7e:55:06:f8:36:74:57:d7:e3:44:b6:
                    03:be:6c:d8:2a:1c:41:20:76:1c:8f:f1:ba:a5:1e:
                    00:a6:4b:2f:43:af:08:20:97:40:7f:a4:74:e6:ac:
                    a9:57:20:c3:e8:f2:5e:8d:be:e6:f2:a4:d5:eb:b9:
                    9a:a1:2e:3a:01:3f:a1:a1:e9:aa:d3:0a:8f:91:46:
                    9d:dd:32:ad:4d:63:1d:e6:fc:08:75:93:0c:b2:d9:
                    fe:86:38:88:48:9f:07:60:ac:c3:ed:f8:27:bb:c8:
                    4a:76:55:64:44:47:eb:6d:d1:ab:aa:47:f3:ad:93:
                    80:42:4b:a2:d6:8b:86:60:4d:6b:5a:08:2e:e9:01:
                    28:5d:05:82:c2:c6:67:d2:79:ea:b6:ab:0b:8f:6b:
                    ed:f1:43:10:7e:26:4b:b5:8a:bc:d0:94:01:6e:18:
                    fd:a3:ce:9a:04:78:12:39:91:aa:7a:c0:d9:d0:0d:
                    74:5e:db:40:a6:d4:24:83:84:71:53:16:12:92:25:
                    49:af:0b:48:2a:b2:fa:a7:bd:dc:f4:83:28:ac:a2:
                    fa:6e:ee:df:64:7e:57:0f:bc:ea:dc:ca:40:e2:f0:
                    17:79:30:38:ff:c7:aa:37:b1:ae:83:9f:26:89:79:
                    74:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier: 
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         23:63:ee:d6:bb:3e:59:c0:d7:4f:82:03:32:11:20:70:48:1c:
         d4:42:41:29:0c:38:f6:c9:de:c1:c6:a8:e1:f8:a9:25:40:10:
         06:ee:f3:a6:be:47:8a:24:14:07:e5:71:3a:89:3c:21:09:b8:
         80:18:d8:d5:05:db:c2:9c:8a:65:1d:e5:17:32:42:52:40:20:
         12:7a:7a:75:3e:f8:87:39:01:77:d5:11:30:94:92:75:04:55:
         f9:1f:40:6d:97:8f:3e:b8:41:46:bc:53:04:7f:1c:53:05:c5:
         d8:a6:88:c7:5b:dd:65:c7:b6:dd:f5:90:6d:71:70:9b:39:fd:
         2a:5b:fa:c2:6d:bd:bf:15:97:5e:33:3d:13:24:2c:cf:91:f1:
         3a:32:2f:8d:f7:05:84:1a:81:80:c7:fc:77:24:d8:38:1a:23:
         a3:a8:77:32:16:30:0b:04:b8:ae:30:c9:95:98:57:90:a3:02:
         b5:0b:7d:76:ac:9f:a5:ac:c3:42:74:10:e0:eb:2b:8d:8a:92:
         31:fc:7e:d1:96:d8:25:84:01:b5:06:55:c8:a4:8d:8f:26:af:
         55:bb:3f:b0:12:b8:3d:07:76:87:77:58:fc:2c:45:86:4f:11:
         15:a1:ef:03:24:1d:78:bf:84:fd:02:b5:eb:33:62:28:e9:70:
         b2:c7:21:2c:b5:4f:d9:e6:17:b1:7b:84:04:78:fd:46:bd:a0:
         38:88:45:ad:6a:0b:58:38:1d:2e:4f:ad:ab:69:ae:cb:54:6e:
         6e:34:fc:e4:76:95:09:56:ff:c1:a3:67:4a:6f:2a:5d:61:92:
         a6:57:97:8f:2a:ee:80:9f:a8:1e:d2:db:49:b3:af:46:18:7b:
         a7:08:18:8e:bc:10:75:02:b1:15:7c:fe:42:a0:ce:c0:f5:5a:
         3a:fb:89:bc:80:f8:15:32:1f:83:bf:f2:91:4f:1c:6a:58:f3:
         0c:4a:af:ac:91:7a:80:08:35:1d:8e:ce:2a:c8:5c:92:14:22:
         28:dc:b2:cf:bd:60:1d:ca:17:ee:90:27:28:99:d3:c4:58:5c:
         a0:1b:09:e8:6e:c7:e0:6a:9a:f3:84:ce:ea:02:9f:5a:d1:22:
         6f:cc:e1:4f:e6:f2:0b:a4:ab:b6:84:ae:f3:91:c6:0f:4b:58:
         94:b5:80:c0:11:74:08:c9:68:44:c6:a9:21:de:98:34:54:8d:
         f2:e2:1f:dc:17:f8:09:22:c9:06:a4:70:66:9f:3b:60:fa:e8:
         c8:67:8a:eb:6c:77:3a:c4:b8:db:95:36:2b:7f:b4:ae:94:34:
         fe:24:fa:a3:e6:9e:61:ee:05:b9:d8:a5:df:93:bf:77:4c:81:
         56:26:25:bc:1f:e7:fd:a3
[root@ip-172-31-2-174 ca]#

查看证书签发列表

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
[root@ip-172-31-2-174 ca]#

使用CA证书链验证服务端证书有效性
注意:必须构建证书链文件(根证书在最后部分),任何单级(根/中级)CA都无法完成对服务端证书的验证。

构建证书链文件

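# Assemble the CA chain file (intermediate first, root last) used to verify
# the server certificate. The chmod is chained with && so that a missing
# input does not leave a silently truncated chain file marked read-only;
# cat reports the missing file on stderr and the chmod is skipped.
cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem \
  && chmod 444 intermediate/certs/ca-chain.cert.pem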

[root@ip-172-31-2-174 ca]# cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem 
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/ca-chain.cert.pem

验证

# Validate the server certificate against the full chain (intermediate + root).
# This checks signatures, validity dates and basic constraints only; it does
# not check the host name. On OpenSSL 1.1.0 and later,
# -verify_hostname api.iot.com can be added to cover that as well.
openssl verify \
  -CAfile intermediate/certs/ca-chain.cert.pem \
  intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
> intermediate/certs/api.iot.com.cert.pem
intermediate/certs/api.iot.com.cert.pem: OK
[root@ip-172-31-2-174 ca]#
