March 21, 2020
Generate the server private key

openssl genrsa -aes256 \
    -out intermediate/private/api.iot.com.key.pem 2048

[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/api.iot.com.key.pem 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
Verifying - Enter pass phrase for intermediate/private/api.iot.com.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/api.iot.com.key.pem
[root@ip-172-31-2-174 ca]#
Generate the server CSR (certificate signing request)

openssl req -config intermediate/openssl.cnf \
    -key intermediate/private/api.iot.com.key.pem \
    -new -sha256 -out intermediate/csr/api.iot.com.csr.pem

[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf \
> -key intermediate/private/api.iot.com.key.pem \
> -new -sha256 -out intermediate/csr/api.iot.com.csr.pem
Enter pass phrase for intermediate/private/api.iot.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWL
Organizational Unit Name []:IT
Common Name []:api.iot.com
Email Address []:
[root@ip-172-31-2-174 ca]#
Issue the server certificate (signed by the intermediate CA)

openssl ca -config intermediate/openssl.cnf \
    -extensions server_cert -days 365 -notext -md sha256 \
    -in intermediate/csr/api.iot.com.csr.pem \
    -out intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl ca -config intermediate/openssl.cnf \
> -extensions server_cert -days 365 -notext -md sha256 \
> -in intermediate/csr/api.iot.com.csr.pem \
> -out intermediate/certs/api.iot.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = YSWL
            organizationalUnitName    = IT
            commonName                = api.iot.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier:
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Mar 21 05:58:37 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/api.iot.com.cert.pem
[root@ip-172-31-2-174 ca]#
Inspect the server certificate (valid for 1 year)

[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/api.iot.com.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA
        Validity
            Not Before: Mar 21 05:58:37 2020 GMT
            Not After : Mar 21 05:58:37 2021 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWL, OU=IT, CN=api.iot.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:ae:bd:fd:ea:de:ab:16:9b:39:a3:53:f0:de:
                    d7:12:cd:b7:7e:55:06:f8:36:74:57:d7:e3:44:b6:
                    03:be:6c:d8:2a:1c:41:20:76:1c:8f:f1:ba:a5:1e:
                    00:a6:4b:2f:43:af:08:20:97:40:7f:a4:74:e6:ac:
                    a9:57:20:c3:e8:f2:5e:8d:be:e6:f2:a4:d5:eb:b9:
                    9a:a1:2e:3a:01:3f:a1:a1:e9:aa:d3:0a:8f:91:46:
                    9d:dd:32:ad:4d:63:1d:e6:fc:08:75:93:0c:b2:d9:
                    fe:86:38:88:48:9f:07:60:ac:c3:ed:f8:27:bb:c8:
                    4a:76:55:64:44:47:eb:6d:d1:ab:aa:47:f3:ad:93:
                    80:42:4b:a2:d6:8b:86:60:4d:6b:5a:08:2e:e9:01:
                    28:5d:05:82:c2:c6:67:d2:79:ea:b6:ab:0b:8f:6b:
                    ed:f1:43:10:7e:26:4b:b5:8a:bc:d0:94:01:6e:18:
                    fd:a3:ce:9a:04:78:12:39:91:aa:7a:c0:d9:d0:0d:
                    74:5e:db:40:a6:d4:24:83:84:71:53:16:12:92:25:
                    49:af:0b:48:2a:b2:fa:a7:bd:dc:f4:83:28:ac:a2:
                    fa:6e:ee:df:64:7e:57:0f:bc:ea:dc:ca:40:e2:f0:
                    17:79:30:38:ff:c7:aa:37:b1:ae:83:9f:26:89:79:
                    74:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                9E:90:07:07:EF:B6:7B:A7:67:34:1E:76:DB:83:C4:E8:5B:22:ED:F5
            X509v3 Authority Key Identifier:
                keyid:80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
                DirName:/C=CN/ST=Guangdong/L=Shenzhen/O=YSWM/OU=YSWM Certificate Authority/CN=YSWM ROOT CA
                serial:10:00
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         23:63:ee:d6:bb:3e:59:c0:d7:4f:82:03:32:11:20:70:48:1c:
         d4:42:41:29:0c:38:f6:c9:de:c1:c6:a8:e1:f8:a9:25:40:10:
         06:ee:f3:a6:be:47:8a:24:14:07:e5:71:3a:89:3c:21:09:b8:
         80:18:d8:d5:05:db:c2:9c:8a:65:1d:e5:17:32:42:52:40:20:
         12:7a:7a:75:3e:f8:87:39:01:77:d5:11:30:94:92:75:04:55:
         f9:1f:40:6d:97:8f:3e:b8:41:46:bc:53:04:7f:1c:53:05:c5:
         d8:a6:88:c7:5b:dd:65:c7:b6:dd:f5:90:6d:71:70:9b:39:fd:
         2a:5b:fa:c2:6d:bd:bf:15:97:5e:33:3d:13:24:2c:cf:91:f1:
         3a:32:2f:8d:f7:05:84:1a:81:80:c7:fc:77:24:d8:38:1a:23:
         a3:a8:77:32:16:30:0b:04:b8:ae:30:c9:95:98:57:90:a3:02:
         b5:0b:7d:76:ac:9f:a5:ac:c3:42:74:10:e0:eb:2b:8d:8a:92:
         31:fc:7e:d1:96:d8:25:84:01:b5:06:55:c8:a4:8d:8f:26:af:
         55:bb:3f:b0:12:b8:3d:07:76:87:77:58:fc:2c:45:86:4f:11:
         15:a1:ef:03:24:1d:78:bf:84:fd:02:b5:eb:33:62:28:e9:70:
         b2:c7:21:2c:b5:4f:d9:e6:17:b1:7b:84:04:78:fd:46:bd:a0:
         38:88:45:ad:6a:0b:58:38:1d:2e:4f:ad:ab:69:ae:cb:54:6e:
         6e:34:fc:e4:76:95:09:56:ff:c1:a3:67:4a:6f:2a:5d:61:92:
         a6:57:97:8f:2a:ee:80:9f:a8:1e:d2:db:49:b3:af:46:18:7b:
         a7:08:18:8e:bc:10:75:02:b1:15:7c:fe:42:a0:ce:c0:f5:5a:
         3a:fb:89:bc:80:f8:15:32:1f:83:bf:f2:91:4f:1c:6a:58:f3:
         0c:4a:af:ac:91:7a:80:08:35:1d:8e:ce:2a:c8:5c:92:14:22:
         28:dc:b2:cf:bd:60:1d:ca:17:ee:90:27:28:99:d3:c4:58:5c:
         a0:1b:09:e8:6e:c7:e0:6a:9a:f3:84:ce:ea:02:9f:5a:d1:22:
         6f:cc:e1:4f:e6:f2:0b:a4:ab:b6:84:ae:f3:91:c6:0f:4b:58:
         94:b5:80:c0:11:74:08:c9:68:44:c6:a9:21:de:98:34:54:8d:
         f2:e2:1f:dc:17:f8:09:22:c9:06:a4:70:66:9f:3b:60:fa:e8:
         c8:67:8a:eb:6c:77:3a:c4:b8:db:95:36:2b:7f:b4:ae:94:34:
         fe:24:fa:a3:e6:9e:61:ee:05:b9:d8:a5:df:93:bf:77:4c:81:
         56:26:25:bc:1f:e7:fd:a3
[root@ip-172-31-2-174 ca]#
View the list of issued certificates (the CA's index.txt database)

[root@ip-172-31-2-174 ca]# cat intermediate/index.txt
V       210321055837Z           1000    unknown /C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com
[root@ip-172-31-2-174 ca]#
Verify the server certificate against the CA certificate chain

Note: a certificate chain file must be built (with the root certificate in the last part); no single-level CA certificate (root alone or intermediate alone) can complete verification of the server certificate.
Build the certificate chain file

cat intermediate/certs/intermediate.cert.pem \
    certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

[root@ip-172-31-2-174 ca]# cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
[root@ip-172-31-2-174 ca]# chmod 444 intermediate/certs/ca-chain.cert.pem
Verify

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
    intermediate/certs/api.iot.com.cert.pem

[root@ip-172-31-2-174 ca]# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
> intermediate/certs/api.iot.com.cert.pem
intermediate/certs/api.iot.com.cert.pem: OK
[root@ip-172-31-2-174 ca]#
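The whole procedure above (server key, CSR, certificate signed by an intermediate CA, chain file, openssl verify) as one added, non-interactive script that is not part of the original post. It builds a throwaway root and intermediate CA in a temporary directory, issues the leaf with `openssl x509 -req` instead of the post's `openssl ca` (which needs the CA's openssl.cnf and index.txt), and then checks the note above directly: the leaf verifies against the intermediate+root chain file, but not against the root alone or the intermediate alone. The CA names ("Lab ROOT CA", "Lab Intermediate CA"), file names, extension files and the subjectAltName are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): two-level CA -> server cert ->
# chain file -> verification, fully scripted. Names and paths are constructed.

# build_pki DIR: create root CA, intermediate CA, server key/CSR/certificate
# and the intermediate+root chain file under DIR.
build_pki() {
  dir="$1"
  mkdir -p "$dir"

  # Stand-in for the v3_ca / v3_intermediate_ca sections of a CA openssl.cnf.
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Stand-in for the post's server_cert section. subjectAltName is added
  # because current clients match the hostname against the SAN, not the CN.
  cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:api.iot.com
EOF

  # 1. Self-signed root CA (kept offline in a real deployment).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/root.key" -out "$dir/root.csr" \
    -subj "/C=CN/O=Lab/CN=Lab ROOT CA"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -days 3650 -sha256 -extfile "$dir/ca.ext" -out "$dir/root.crt"

  # 2. Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" \
    -subj "/C=CN/O=Lab/CN=Lab Intermediate CA"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/inter.crt"

  # 3. Server key + CSR (same DN as the post), leaf signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=YSWL/OU=IT/CN=api.iot.com"
  chmod 400 "$dir/server.key"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" \
    -CAkey "$dir/inter.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/server.ext" -out "$dir/server.crt"

  # 4. Chain file: intermediate first, root last, as in the post.
  cat "$dir/inter.crt" "$dir/root.crt" > "$dir/ca-chain.crt"
  chmod 444 "$dir/ca-chain.crt"
}

# verify_with_cafile CAFILE CERT: exit 0 if CERT chains to a trust anchor in
# CAFILE, non-zero otherwise (openssl's diagnostic text is discarded).
verify_with_cafile() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_with_untrusted ROOT INTER CERT: only ROOT is trusted; INTER is given
# as an untrusted chain-building certificate, the way a TLS client sees it.
verify_with_untrusted() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# demo: report which trust inputs let the leaf verify.
demo() {
  d=$(mktemp -d)
  build_pki "$d"
  for store in ca-chain.crt root.crt inter.crt; do
    if verify_with_cafile "$d/$store" "$d/server.crt"; then
      echo "-CAfile $store: OK"
    else
      echo "-CAfile $store: FAIL"
    fi
  done
  if verify_with_untrusted "$d/root.crt" "$d/inter.crt" "$d/server.crt"; then
    echo "-CAfile root.crt -untrusted inter.crt: OK"
  fi
  rm -rf "$d"
}

# Run the demonstration only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then demo; fi
```

Two points worth knowing when reading the results. `openssl verify -CAfile` treats every certificate in the file as a trust anchor, so for this check the order inside ca-chain.crt matters less than when the same chain is served by a TLS endpoint, where the leaf must come first followed by the intermediate; the `-untrusted` form is the stricter model, trusting only the root and letting the intermediate merely help build the chain. The intermediate-alone case fails because the intermediate is not self-signed, so OpenSSL keeps looking for its issuer; only the `-partial_chain` option would make a non-root certificate acceptable as an anchor.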