How to generate certificates and signatures with openssl

Step 1: generate the private key

$ openssl genrsa -out privatekey.pem 2048

View the contents of the generated private key

$ file privatekey.pem 
privatekey.pem: PEM RSA private key
$ cat privatekey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA8AWq2V3g4B9fN7Tj37k0Wmut70ylRyziebyE3baA24pgixgu
8wpXztHdF5YixjbOdLvaqGQ3ck1CPRMD+cB3awgfw+/jPJqzdg2ACa9IFkIM5eaH
...
Zvib8+BsiAoiqXr4vAi8Lb64TJv3JDwOKEH/dnpXVmsDEt3wKRWX5A==
-----END RSA PRIVATE KEY-----

You can also use the openssl command to view the details of the private key

$ openssl rsa -in privatekey.pem -noout -text
Private-Key: (2048 bit)
modulus:
...

To be honest, I can't make sense of this output either. :-(

Step 2: generate the corresponding public key from the private key

$ openssl rsa -in privatekey.pem -pubout -out publickey.pem

View the contents of the generated public key

$ file publickey.pem 
publickey.pem: ASCII text
$ cat publickey.pem 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8AWq2V3g4B9fN7Tj37k0
...
vQIDAQAB
-----END PUBLIC KEY-----

You can also use the openssl command to view the details of the public key

$ openssl rsa -pubin -in publickey.pem -noout -text
Public-Key: (2048 bit)
Modulus:
...

As it turns out, I can't read this output either.

Step 3: generate a certificate signing request from the private key

$ openssl req -new -key privatekey.pem -out csr.pem -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=hello/emailAddress=hello@world.com"

View the contents of the certificate request file

$ file csr.pem 
csr.pem: PEM certificate request
$ cat csr.pem 
-----BEGIN CERTIFICATE REQUEST-----
MIICvjCCAaYCAQAweTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkJKMQswCQYDVQQH
...
c8L1GiAnIN8bXSWpZT2ZfHcnVbYvz4bgxFGTncA06JwDHw==
-----END CERTIFICATE REQUEST-----

You can also view the details of the certificate request file with the openssl command.

$ openssl req -noout -text -in csr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=hello/emailAddress=hello@world.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                ...

Still can't read it, ha (except that the Modulus content is the content of publickey.pem, which means the request contains the public key).

Step 4: send the signing request to a CA to be signed, producing an x509 certificate

We don't have a CA server here, so we have to fake one.

4.1 Generate the CA private key

$ openssl genrsa -out ca.key 2048

4.2 Generate the CA's self-signed certificate from the CA private key

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=ca/emailAddress=ca@world.com"

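Note the difference between this step and step 3: this step produces a self-signed certificate directly, whereas step 3 produced a certificate signing request, which has to be sent to a CA to produce the final certificate.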

View the self-signed CA certificate

$ file ca.crt 
ca.crt: PEM certificate
$ openssl x509 -in ca.crt -noout -text   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8a:6e:10:c5:f6:18:f7:67
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
        Validity
            Not Before: May 26 00:36:39 2018 GMT
            Not After : May 26 00:36:39 2019 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:0c:6b:ed:2a:d7:28:55:a2:54:5a:78:1c:6a:
                    ...
                    cb:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                6E:00:06:26:92:A0:02:66:73:8C:A9:7E:47:DC:EB:A2:3F:91:F7:BC
            X509v3 Authority Key Identifier: 
                keyid:6E:00:06:26:92:A0:02:66:73:8C:A9:7E:47:DC:EB:A2:3F:91:F7:BC

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         bc:d7:92:12:56:30:10:a8:b3:cf:b0:0d:7c:52:79:7b:22:2a:
         ...
         e5:11:28:99

4.3 Sign the user certificate with the CA's private key and certificate

$ openssl x509 -req -days 3650 -in csr.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out crt.pem

View the contents of the generated certificate

$ file crt.pem 
crt.pem: PEM certificate
$ cat crt.pem 
-----BEGIN CERTIFICATE-----
MIIDaTCCAlECCQDzYtuYa7OlUTANBgkqhkiG9w0BAQsFADB0MQswCQYDVQQGEwJD
...
Zo7/JmQs
tCqjMPMc1lPuS3zmHg==
-----END CERTIFICATE-----
$ openssl x509 -in crt.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f3:62:db:98:6b:b3:a5:51
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=ca/emailAddress=ca@world.com
        Validity
            Not Before: May 26 00:40:35 2018 GMT
            Not After : May 23 00:40:35 2028 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=HD, OU=dev, CN=hello/emailAddress=hello@world.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:7b:c3:e4:12:65:b9:1d:04:8b:6d:b2:f4:ff:
                    ...
                    e3:bd
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         8e:5f:5e:f3:fa:8a:bf:e4:7f:e1:84:99:24:3d:a6:86:ce:db:
         ...
         4b:7c:e6:1e

4.4 What is message signing

Put simply, signing a message consists of three parts:

  1. Generate a hash of the message content
  2. Encrypt the generated hash with the private key
  3. Then add the encrypted hash and your signed certificate to the message block.

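When the user receives the message, they first use the public key in the signing certificate to decrypt the received encrypted hash, then compute a hash of the message content themselves, and compare the two hash values to check whether they match.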
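The checks a reader would run after step 4.3, plus the signing and verification described in 4.4, as an added example (not from the original article): it rebuilds the article's files in a temporary directory, confirms that crt.pem chains to ca.crt and carries privatekey.pem's public key, then signs a constructed message and shows the signature being rejected once the message is altered. The function names, msg.txt and signer.pub are assumptions of this example, and the signature is kept as a detached .sig file rather than embedded in the message.

```shell
#!/bin/sh
# Added example. Everything is written to a throwaway temp directory.
set -eu

make_pki() {  # steps 1, 3 and 4.1-4.3 from the article, with files under $1
    openssl genrsa -out "$1/privatekey.pem" 2048 2>/dev/null
    openssl req -new -key "$1/privatekey.pem" -out "$1/csr.pem" \
        -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=hello/emailAddress=hello@world.com"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "/C=CN/ST=BJ/L=BJ/O=HD/OU=dev/CN=ca/emailAddress=ca@world.com"
    openssl x509 -req -days 3650 -in "$1/csr.pem" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/crt.pem" 2>/dev/null
}

chain_ok() {  # was crt.pem really issued by ca.crt? (exit status 0 = yes)
    openssl verify -CAfile "$1/ca.crt" "$1/crt.pem" >/dev/null 2>&1
}

key_matches_cert() {  # does the certificate carry privatekey.pem's public half?
    a=$(openssl x509 -in "$1/crt.pem" -noout -pubkey | openssl sha256)
    b=$(openssl rsa -in "$1/privatekey.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

sign_msg() {  # hash file $2 with SHA-256 and sign the hash; writes $2.sig
    openssl dgst -sha256 -sign "$1/privatekey.pem" -out "$2.sig" "$2"
}

verify_msg() {  # receiver side: the public key is taken from the certificate
    openssl x509 -in "$1/crt.pem" -noout -pubkey > "$1/signer.pub"
    openssl dgst -sha256 -verify "$1/signer.pub" -signature "$2.sig" "$2" \
        >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_pki "$d"
    chain_ok "$d" && echo "chain: crt.pem verifies against ca.crt"
    key_matches_cert "$d" && echo "key: certificate matches privatekey.pem"
    printf 'constructed sample message\n' > "$d/msg.txt"
    sign_msg "$d" "$d/msg.txt"
    verify_msg "$d" "$d/msg.txt" && echo "signature: valid"
    printf 'appended by someone else\n' >> "$d/msg.txt"   # simulate tampering
    verify_msg "$d" "$d/msg.txt" || echo "signature: rejected after tampering"
    rm -rf "$d"
}
demo
```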
