Components of a certificate:
owner (subject): the identity information of the entity the certificate belongs to, and its public key;
issuer (issuing authority): the issuer's information and the issuer's signature over the certificate;
period of validity (not-before / not-after dates).
Types: certificates issued by a certificate authority (CA);
server (self-signed) certificates, where the subject signs its own certificate.
The certificate format in wide use today is X.509.
How is a certificate generated?
1 The applicant first generates a key (a public/private key pair);
2 From that key pair the applicant builds a certificate signing request (CSR), which carries the applicant's identity information and public key and is signed with the applicant's private key (proof of possession), and sends the CSR to the CA;
3 The CA verifies the claimed identity and the public key that is to go into the certificate, then signs and packages the result in certificate format;
4 The applicant (client) receives the certificate.
Generate a key (the original uses 1024-bit RSA; that size is too short today, use 2048 bits or more):
[root@localhost ~]# openssl genrsa 1024 >./my.key
Generating RSA private key, 1024 bit long modulus
..............................................++++++
..++++++
e is 65537 (0x10001)
PS: the public key is extracted from the private key file; an RSA private key file also stores the public components (modulus and public exponent), so the public key is always recoverable from it.
[root@localhost ~]# openssl rsa -in ./my.key -pubout
Use -out (or output redirection) to save it to a file:
[root@localhost ~]# openssl rsa -in ./my.key -pubout -out ./my.pub
writing RSA key
Generate a certificate signing request from the key. The private key file is the one passed here, because the request must be signed with the private key; the public key that goes into the request is read from the same file:
[root@localhost ~]# openssl req -new -key ./my.key -out ./my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:RHCE
Organizational Unit Name (eg, section) []:linna
Common Name (eg, your name or your server's hostname) []:linna
Email Address []:mail.a.com
Alternatively, create a self-signed certificate directly from the key. This does not use the CSR: with -x509, openssl req builds the certificate and signs it with the same key in one step:
[root@localhost ~]# openssl req -new -x509 -key ./my.key -out ./my.crt -days 3655
Enter the certificate information when prompted.
View the contents of the certificate signing request:
[root@localhost ~]# openssl req -noout -in ./my.csr -text
Now let us walk through a complete certificate issuance process:
Server side: first turn the server into a CA.
Edit /etc/pki/tls/openssl.cnf (the OpenSSL configuration file; openssl ca reads its settings from here) and check the CA defaults:
###################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
Generate the CA's private key (run from /etc/pki/CA; as with the server key later on, set umask 077 first so the file is created with mode 600):
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem
.............++++++
Generate the CA's self-signed certificate
PS: a self-signed certificate is generated directly; no signing request is needed.
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
The files and directories referenced by the defaults in openssl.cnf do not exist yet; create them by hand (index.txt must exist but start empty, and serial holds the next serial number to issue):
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
PS: the country name, state/province name and organization name in the applicant's signing request must match the CA's certificate. The default signing policy in openssl.cnf (policy = policy_match) marks countryName, stateOrProvinceName and organizationName as "match", and openssl ca refuses a request in which any of them differs.
Client side: suppose an httpd service needs a certificate
[root@localhost httpd]# mkdir certs
[root@localhost httpd]# pwd
/etc/httpd
[root@localhost httpd]# umask 077;openssl genrsa 1024 > httpd.key
...........++++++
.........++++++
umask 077 ensures the generated key file is created with mode 600 (the umask stays in effect for the rest of that shell session):
-rw------- 1 root root 887 02-25 23:54 httpd.key
Generate a certificate signing request
[root@localhost httpd]# openssl req -new -key httpd.key -out httpd.csr
Enter the certificate information; country, state/province and organization must match the CA's
[root@localhost httpd]# ls
certs conf conf.d httpd.csr httpd.key logs modules run
Now copy httpd.csr to the server with scp. This is only for demonstration; in a real production environment the request would go through the CA's enrollment process rather than being copied by hand. Either way, only the CSR (which contains no secret) leaves the host; httpd.key never does.
[root@localhost httpd]# scp ./httpd.csr 192.168.0.127:/tmp/
Server side:
Sign the request (openssl ca takes the CA key, CA certificate, policy and file layout from openssl.cnf, asks for confirmation, then records the new certificate in index.txt and newcerts/):
[root@localhost tmp]# openssl ca -in httpd.csr -out httpd.crt
Once signing is complete, copy the certificate back to the client with scp
[root@localhost certs]# ls
httpd.crt httpd.csr
OK, the client can now present httpd.crt together with httpd.key, and any peer that trusts the CA certificate (cacert.pem) can verify it.
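The whole procedure above, from CA setup through signing and the checks worth running before deployment, as an added example that is not part of the original post: a POSIX shell script that runs in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, so it can be executed without touching the system CA. The directory layout, subject names, file names and 2048-bit key size are assumptions for the demo. It also shows the failure mode from the PS above (a request whose O differs from the CA's is refused by policy_match) and two checks the page does not show: that the issued certificate verifies against cacert.pem, and that the public key inside it is the one belonging to httpd.key.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA procedure end to
# end in a scratch directory with a private openssl.cnf, so nothing under
# /etc/pki is touched. Paths, subjects and file names are demo assumptions.
set -eu

if [ -z "${WORK:-}" ]; then WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; fi
CA_DIR="$WORK/CA"
CNF="$WORK/openssl.cnf"

# Minimal config: the [CA_default] layout the page edits, the policy_match
# section that forces C/ST/O to equal the CA's, and the [req] sections that
# openssl req needs for the self-signed CA certificate and the CSRs.
write_config() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Server side: tree, empty index.txt, serial 01, CA key (0600 via umask),
# self-signed CA certificate.
setup_ca() {
    write_config
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=HA/O=RHCE/CN=Demo Root CA" -days 3650 \
        -out "$CA_DIR/cacert.pem"
}

# Client side: private key plus CSR. $1 = file basename, $2 = subject DN.
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "$2" \
        -out "$WORK/$1.csr"
}

# Server side: sign the CSR. Success is judged by whether a parsable
# certificate was written, rather than by the exit status of openssl ca.
sign_csr() {
    openssl ca -config "$CNF" -batch -notext -in "$WORK/$1.csr" \
        -out "$WORK/$1.crt" >/dev/null 2>&1 || true
    openssl x509 -in "$WORK/$1.crt" -noout 2>/dev/null
}

# Pre-deployment checks: chain verifies against cacert.pem, and the public
# key in the certificate equals the one derived from the private key.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/$1.crt" >/dev/null 2>&1 &&
    [ "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" ]
}

# Happy path: C/ST/O equal the CA's, so policy_match passes.
run_demo() {
    setup_ca
    make_csr httpd "/C=CN/ST=HA/O=RHCE/OU=linna/CN=www.a.com"
    sign_csr httpd
    verify_cert httpd
}

# Failure mode: a different O is refused by policy_match, no cert is issued.
run_mismatch() {
    make_csr other "/C=CN/ST=HA/O=Other Ltd/CN=www.b.com"
    if sign_csr other; then return 1; else return 0; fi
}

run_demo && run_mismatch && echo "issued httpd.crt; mismatched request refused"
```

Set WORK to an existing directory to keep the generated files for inspection (for example `openssl ca`'s index.txt and the contents of newcerts/); otherwise the scratch directory is removed on exit. The config deliberately omits `policy_anything`: if you need to issue for organizations other than the CA's own, add that policy and pass `-policy policy_anything` to openssl ca rather than loosening policy_match.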
PS: the system also provides a very simple mechanism for issuing self-signed certificates, intended for testing only.
In /etc/pki/tls/certs run make directly (the targets are defined by the Makefile in that directory):
make filename.pem
Editing /etc/pki/tls/openssl.cnf changes the default values offered for the certificate information.
This article is reposted from the 51CTO blog of 490999122; original link: http://blog.51cto.com/lyp0909/506212. Contact the original author for permission to reproduce.