OpenSSL以及实现私有CA实现证书申请颁发
2 OpenSSL
OpenSSL是一个开放源代码的软件库包,应用程序可以使用这个包来进行安全通信,避免窃听,同时确认另一端连线者的身份。这个包广泛被应用在互联网的网页服务器上
其主要库是以C语言所写成,实现了基本的加密功能,实现了SSL与TLS协议。OpenSSL可以运行在OpenVMS、 Microsoft Windows以及绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统)
OpenSSL计划在1998年开始,其目标是发明一套*的加密工具,在互联网上使用。OpenSSL以EricYoung以及Tim Hudson两人开发的SSLeay为基础,随着两人前往RSA公司任职,SSLeay在1998年12月停止开发。因此在1998年12月,社群另外分支出OpenSSL,继续开发下去
OpenSSL管理委员会当前由7人组成有13个开发人员[3]具有提交权限(其中许多人也是OpenSSL管理委员会的一部分)。只有两名全职员工(研究员),其余的是志愿者
该项目每年的预算不到100万美元,主要依靠捐款。 TLS 1.3的开发由Akamai赞助
心脏出血漏洞:OpenSSL 1.0.1版本(不含1.0.1g)含有一个严重漏洞,可允许攻击者读取服务器的内存信息。该漏洞于2014年4月被公诸于世,影响三分之二的活跃网站
包括三个组件:
1.libcrypto:用于实现加密和解密的库
2.libssl:用于实现ssl通信协议的安全库
3.openssl:多用途命令行工具
2.2 Base64 编码
Base64是网络上最常见的用于传输 8Bit 字节码的编码方式之一,Base64就是一种基于64个可打印字符来表示二进制数据的方法
base64的编码过程如下:
将每3个字节放入一个24位的缓冲区中,最后不足3个字节的,缓冲区的剩余部分用0来填补。然后每次取出6位(2的6次方为64,使用64个字符即可表示所有),将高2位用0来填充,组成一个新的字节,计算出这个新字节的十进制值,对应上面的编码表,输出相应的字符。这样不断地进行下去,就可完成对所有数据的编码工作。
按照以上规则对文本Man编码如下:
[aaa@qq.com ~]#echo -n Man | base64 #-n 去掉回车 默认加回车
TWFu
[aaa@qq.com ~]#echo TWFu | base64 -d
Man[aaa@qq.com ~]#
[aaa@qq.com ~]#echo -n ab | base64
YWI=
[aaa@qq.com ~]#echo -n ab | base64 | base64 -d
ab[aaa@qq.com ~]#
2.3 openssl命令
两种运行模式:
- 交互模式
- 批处理模式
三种子命令:
- 标准命令
- 消息摘要命令
- 加密命令
[aaa@qq.com ~]#openssl version 查看版本
OpenSSL 1.1.1 FIPS 11 Sep 2018
[aaa@qq.com ~]#openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
[aaa@qq.com ~]#openssl
OpenSSL> help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
......
OpenSSL> ca --help
Usage: ca [options]
Valid options are:
-help Display this summary
-verbose Verbose output during processing
-config val A config file
......
OpenSSL>q
[aaa@qq.com ~]#
2.3.1 openssl命令对称加密
工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc命令:帮助:man enc
加密:
openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher
-e: 加密
-a: 使用base64保存
-des3 算法
解密:
openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile
-d 解密
2.3.2 openssl命令单向加密 (哈希算法)
工具:openssl dgst
算法:md5sum, sha1sum, sha224sum,sha256sum…
dgst命令:帮助:man dgst
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
例:
openssl dgst --md5 testfile
等同于 md5sum testfile md5已被** 建议--sha512
补充知识:
MAC: Message Authentication Code,单向加密的一种延伸应用,用于实现网络通信中保证所传输数
据的完整性机制
HMAC:hash-based MAC,使用md5或sha1算法
2.3.3 openssl命令生成用户密码
passwd命令:帮助:man sslpasswd
openssl passwd -1 -salt SALT(最多8位)
openssl passwd -1 –salt centos
-1:md5
-6:sha512
2.3.4 openssl命令生成随机数
随机数生成器:伪随机数字,利用键盘和鼠标,块设备中断生成随机数
/dev/random:仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom:从熵池返回随机数;随机数用尽,会利用软件生成伪随机数,非阻塞
帮助:man sslrand
openssl rand -base64|-hex NUM
NUM: 表示字节数,使用-hex,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*2
(面试题)范例:生成随机10位长度密码
[aaa@qq.com ~]#openssl rand -base64 9 |head -c10
# 9个字节 一个字节8位 8*9=72位 可以被6整除 base编码6个一位所以没有等号
ip97t6qQes[aaa@qq.com ~]#
[aaa@qq.com ~]#tr -dc '[:alnum:]' < /dev/urandom |head -c10
DO2mDp3eZu[aaa@qq.com ~]#
2.3.5 openssl命令实现PKI(非对称**加密)
公钥加密:
算法:RSA, ELGamal
工具:gpg, openssl rsautl(man rsautl)
数字签名:
算法:RSA, DSA, ELGamal
**交换:
算法:dh
DSA:Digital Signature Algorithm
DSS:Digital Signature Standard
RSA:
openssl命令生成**对儿:man genrsa
生成私钥
(centos7 不设置安全600权限)
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE
NUM_BITS
案例:
#生成对称秘钥加密的私钥
(umask 077; openssl genrsa –out test.key –des 2048)
小括号开启子shell umask值为022
实现自动化一般加权限不加口令
#加密对称**key
openssl genrsa -out test.key -des3 1024
#将加密对称秘钥key解密
openssl rsa -in test.key –out test2.key
从私钥中提取出公钥(不能反向)
openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE
范例:
openssl rsa –in test.key –pubout –out test.key.pub
范例 centos7直接创建600权限私钥:
[aaa@qq.com ~]#(umask 066;openssl genrsa -out /data/app.key)
Generating RSA private key, 2048 bit long modulus
........................+++
.+++
e is 65537 (0x10001)
[aaa@qq.com ~]#ls -l /data/
total 4
-rw------- 1 root root 1679 Feb 3 15:26 app.key
[aaa@qq.com ~]#openssl genrsa -out /data/app.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.............................................................................+++
++
..........+++++
e is 65537 (0x010001)
[aaa@qq.com ~]#ll /data/app.key
-rw------- 1 root root 891 Feb 3 14:52 /data/app.key
范例:
[aaa@qq.com ~]#openssl rsa -in /data/app.key -pubout -out /data/app.key.pub
writing RSA key
[aaa@qq.com ~]#ls -l /data/
total 8
-rw------- 1 root root 887 Feb 3 15:28 app.key
-rw-r--r-- 1 root root 272 Feb 3 15:32 app.key.pub
[aaa@qq.com ~]#cat /data/app.key.pub
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvkS+Z4NWAMoXEwNUyn58J0oI+
ZjXotZUJLfbVHvGd3Ug6Rk52imHp1J629edUn0Cw7KoPfQLegmWsldG4v931HCdl
ELT2vj+QE7KJhc1tGFomzCnX8Q41tRrVVbHPxQYvNmMRXRqIdqXGxFpR758EngxF
zAGcnLTrDz/I2GocrQIDAQAB
-----END PUBLIC KEY-----
范例:生成加密的私钥,并解密
[aaa@qq.com ~]#openssl genrsa -out /data/app.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
......+++++
...........+++++
e is 65537 (0x010001)
Enter pass phrase for /data/app.key:
Verifying - Enter pass phrase for /data/app.key:
[aaa@qq.com ~]#ls -l /data
total 4
-rw------- 1 root root 963 Feb 3 15:27 app.key
[aaa@qq.com ~]#cat /data/app.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,577C3B861BAD86B6
VM8P7vx1UUcSJyXCB0pDO9xgmdNgsMOcl6NitdUvBA9Jx2oLyxsT6TYbbvZvlF55
...省略
LGkrFAgl3+6tKXxMuQDLB6Jy9m3SOwW/JoXMVVcYHrSPzTgAl2sgAkgEq8nf4yfm
ZP9WHrDe10yXY+5K2h8UiFhvrnQ+YnH4BcTrKuEa9T7pxToo0cTdqg==
-----END RSA PRIVATE KEY-----
[aaa@qq.com ~]#openssl rsa -in /data/app.key -out /data/app.key
Enter pass phrase for /data/app.key:
writing RSA key
[aaa@qq.com ~]#ls -l /data
total 4
-rw------- 1 root root 887 Feb 3 15:28 app.key
[aaa@qq.com ~]#cat /data/app.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCvkS+Z4NWAMoXEwNUyn58J0oI+ZjXotZUJLfbVHvGd3Ug6Rk52
imHp1J629edUn0Cw7KoPfQLegmWsldG4v931HCdlELT2vj+QE7KJhc1tGFomzCnX
...省略
M/m6Bj0xHgX4Y4JryS0CQQChBua8JXCCUGLle7+IEEcgQZSF4PdLrmnhrRG7Qrrg
yd6pPuvd2jAGv5fMhjROmf9MWc4DFiRK0B6dz7OyF9j/
-----END RSA PRIVATE KEY-----
2.4 建立私有CA实现证书申请颁发
建立私有CA:
- OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
- openssl
证书申请及签署步骤:
1、生成申请请求
2、RA核验
3、CA签署
4、获取证书
openssl的配置文件:
/etc/pki/tls/openssl.cnf
三种策略:match匹配、optional可选、supplied提供
match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息
案例
[aaa@qq.com ~]#cat /etc/pki/tls/openssl.cnf
#
......
####################################################################默认CA信息
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept 默认相关数据路径 默认不存在 centos7安装默认有
certs = $dir/certs # Where the issued certs are kept 已颁发证书目录存放
crl_dir = $dir/crl # Where the issued crl are kept吊销证书列表
database = $dir/index.txt # database index file.颁发证书登记在册 记录已经颁发证书编号等
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. 新颁发的证书存放路径
certificate = $dir/cacert.pem # The CA certificate CA自己的证书
serial = $dir/serial # The current serial number 下一个即将颁发的证书编号 颁发之后自动加1 默认没有需要设置
crlnumber = $dir/crlnumber # the current crl number 证书吊销编号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL 证书吊销文件
private_key = $dir/private/cakey.pem# The private key CA 私钥文件的文件名
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for 证书默认有效期
default_crl_days= 30 # how long before next CRL 证书列表30天发布一次
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match #关键 颁发证书填写信息是否匹配 哪些一样哪些不一样
# For the CA policy
[ policy_match ] 默认策略
countryName = match 国家一致
stateOrProvinceName = match地区一致
organizationName = match公司一致
organizationalUnitName = optional 部门
commonName = supplied 通用名 网站名
emailAddress = optional 邮箱地址
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional #不需要一致
stateOrProvinceName = optional#不需要一致
localityName = optional#不需要一致
organizationName = optional#不需要一致
organizationalUnitName = optional#不需要一致
.....
(重要)2.4.1 创建私有CA
1.创建CA所需要的文件
#生成证书索引数据库文件
touch /etc/pki/CA/index.txt 默认没有该目录以及文件
#指定第一个颁发证书的***
echo 01 > /etc/pki/CA/serial默认没有该目录以及文件
2、 生成CA私钥
[09:45:53 aaa@qq.com pki]#cd /etc/pki/CA
[09:46:01 aaa@qq.com CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
#centos8 默认没有目录
4 directories, 0 files
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3.生成CA自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem 自签名证书必须用这个名字
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
国家代码:https://country-code.cl/
范例:生成自签名证书
[aaa@qq.com ~]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.aaa.org" -
keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
...........................+++++
...+++++
writing new private key to 'app.key'
-----
[aaa@qq.com ~]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:9e:7c:e3:9a:0f:e3:d3:62:ea:8f:02:c9:cd:1e:f3:4a:77:cb:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.magedu.org
Validity
Not Before: Feb 4 15:51:39 2020 GMT
Not After : Mar 5 15:51:39 2020 GMT
Subject: CN = www.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:e1:7e:41:d5:50:03:07:73:13:b2:62:a6:cf:c0:
61:b1:25:1c:54:56:3e:8f:b3:aa:0e:97:49:50:de:
de:ed:7f:2f:0f:fd:17:22:72:f5:36:19:29:65:ff:
ad:ce:81:10:f3:23:8c:fb:af:32:7b:da:bc:3a:a5:
62:1c:8d:e3:f8:1b:a8:1d:82:86:e0:bc:d6:e1:28:
e0:37:33:16:6c:55:89:76:13:0e:50:37:65:39:da:
90:99:a0:d3:6f:af:4e:8d:34:6c:21:e1:ba:10:86:
8e:fd:fb:e2:83:fe:e7:8c:18:14:dc:f2:7d:6c:37:
fe:4e:e0:8d:99:65:d4:f6:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
X509v3 Authority Key Identifier:
keyid:1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
4f:75:d5:f8:99:ea:dc:4f:fd:57:05:ba:1e:ad:72:23:ae:b8:
ea:93:1d:43:21:f8:66:cb:85:49:6c:b8:8f:1e:f4:a0:e5:ac:
e5:2e:45:03:33:2f:6a:4a:28:97:30:f0:18:dd:c1:f7:46:0b:
3c:b0:b6:d6:bf:23:7d:3b:74:52:75:61:96:f9:b0:04:99:6c:
52:f4:5d:1c:76:33:52:48:4f:d4:1f:4e:5e:00:0c:18:75:c3:
ef:75:bc:c7:ea:37:6e:34:36:b2:a0:f6:6f:06:69:0a:c6:74:
d8:67:4c:16:81:2a:0b:ea:1c:16:ea:8e:48:dd:ba:0b:67:69:
19:1e
[aaa@qq.com ~]#
(重要)2.4.2 申请证书并颁发证书
1.为需要使用证书的主机生成生成私钥
(umask 066; openssl genrsa -out /data/test.key 2048)
2、为需要使用证书的主机生成证书申请文件
openssl req -new -key /data/test.key -out /data/test.csr 必须是csr后缀
3、在CA签署证书并将证书颁发给请求者
openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 30
注意:默认要求 国家,省,公司名称三项必须和CA一致
4、查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
openssl x509 -in /data/mysql.cs -noout -serial -subject
选取subject 内容查看
#查看指定编号的证书状态
openssl ca -status SERIAL
cat /etc/pki/CA/index.txt 实则查看这个文件
5 复制证书
/etc/pki/CA/crl/index.txt.attr
unique_subject = yes 要求内容唯一性 可修改no
重新颁发即可使用
cp app.key mysql.key
cp app.csr mysql.csr
重新颁发即可使用
openssl ca -in /data/mysql.csr -out /etc/pki/CA/certs/mysql.crt -days 100 默认365天
内容一样 证书编号发生改变
(了解)2.4.3 吊销证书
在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
例:
openssl ca -revoke /etc/pki/CA/newcerts/11.pem
openssl ca -revoke /etc/pki/CA/certs/docker.crt
指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看吊销crl文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
吊销例子:
[11:57:39 aaa@qq.com data]#cat /etc/pki/CA/index.txt
V 201204035739Z 01 unknown /C=CN/ST=hebei/O=magedu/OU=it/CN=www.aa.com
[11:58:28 aaa@qq.com data]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[11:59:46 aaa@qq.com data]#cat /etc/pki/CA/index.txt
R(表示已经吊销) 201204035739Z 200208035946Z 01 unknown /C=CN/ST=hebei/O=magedu/OU=it/CN=www.aaa.com
[11:59:49 aaa@qq.com data]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
或者openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf #更新吊销列表 更新出错 没有/etc/pki/CA/crlnumber 吊销文件 需要赋值
[12:01:45 aaa@qq.com data]#openssl crl -in /etc/pki/CA/crl.pem -noout -text 查看吊销文件 可将文件传 到windows查看需要修改为crl后缀
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=hebei/L=zhangjiakou/O=magedu/OU=it/CN=www.magedu.com
Last Update: Feb 8 04:01:37 2020 GMT
Next Update: Mar 9 04:01:37 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Feb 8 03:59:46 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
86:eb:eb:c8:66:9a:d2:30:52:12:e2:0f:47:1d:30:f2:e9:70:
d6:c9:da:8f:59:34:b1:c1:d6:b9:a0:5d:f5:b7:7a:ed:c7:34:
b3:29:1b:76:36:54:a0:72:14:63:55:9a:54:61:02:ff:cc:bb:
db:88:14:8a:53:38:69:f3:44:ad:8f:1c:e2:da:0b:8d:5a:d5:
49:d7:4b:90:da:93:04:13:de:dc:b9:b8:32:42:64:66:80:64:
ad:b2:e4:4f:7a:cc:03:0c:e7:2c:89:7b:29:dc:9d:a8:b8:5f:
d0:dc:be:e8:80:4a:05:a4:4c:3c:1b:16:a9:f7:61:38:c0:4e:
f2:39:b0:fc:46:98:22:68:2a:90:fc:94:ac:86:92:8a:10:a9:
b4:86:58:c2:66:40:2c:a5:d1:c9:01:f8:cd:1e:9d:c3:e2:f0:
2b:98:92:90:ac:69:19:0d:10:fb:47:4f:a3:1d:fb:d7:4c:a9:
71:eb:d0:10:aa:5c:ba:98:7b:c9:58:58:37:38:6b:41:f9:84:
8b:d2:37:20:12:59:19:0b:5c:6e:74:f8:2f:29:16:11:17:2b:
83:e2:b3:09:a9:4c:39:fa:05:08:fd:4b:58:b6:62:d5:f6:4e:
0f:85:bc:d5:7d:02:f3:a2:1f:83:27:24:c7:4f:2f:d4:26:4f:
ed:7c:f4:c8
centos7 创建自签名证书
[aaa@qq.com ~]#cd /etc/pki/tls/certs
[aaa@qq.com certs]#make 查看用法
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than random, add
SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
make server.crt SERIAL=1
make stunnel.pem EXTRA_FLAGS=-sha384
make testcert DAYS=600
[aaa@qq.com certs]#ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile(执行文件) renew-dummy-cert
[aaa@qq.com certs]#cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make
SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make
testcert\"."
@echo
@echo "To create a test certificate with serial number other than random,
add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days
with DAYS=n"
@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
@echo " make testcert DAYS=600"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ #生成随机文件
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -
days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
cat $$PEM1 > aaa@qq.com ; \
echo "" >> aaa@qq.com ; \
cat $$PEM2 >> aaa@qq.com ; \
$(RM) $$PEM1 $$PEM2
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > aaa@qq.com
%.csr: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out aaa@qq.com
%.crt: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out aaa@qq.com
$(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out
$(CRT) $(EXTRA_FLAGS)
[aaa@qq.com certs]#
[aaa@qq.com certs]#make app.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > app.key
Generating RSA private key, 2048 bit long modulus
...............+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key app.key -x509 -days 365 -out app.crt
Enter pass phrase for app.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #依次输入国家
State or Province Name (full name) []:hubei #省份
Locality Name (eg, city) [Default City]:wuhan#城市
Organization Name (eg, company) [Default Company Ltd]:magedu #公司
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org #颁发给谁
Email Address []:aaa@qq.com #邮箱
[aaa@qq.com certs]#ls
app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile
renew-dummy-cert
[aaa@qq.com certs]#openssl x509 -in app.crt -noout -text 查看信息
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
90:d7:97:6a:21:21:f8:5e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=aaa@qq.com
Validity
Not Before: Feb 5 00:28:31 2020 GMT
Not After : Feb 4 00:28:31 2021 GMT
Subject: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=aaa@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f8:dd:d3:ea:0b:f1:97:0f:27:de:44:a2:32:77:
fb:5c:73:74:17:7b:5f:a4:9c:a2:d4:3b:d4:49:4c:
da:e0:a2:6a:41:05:6e:10:1e:96:dc:95:34:ed:08:
05:18:ba:27:c5:e5:f0:7c:65:15:78:f8:9b:bf:ee:
41:ef:1c:6f:7f:35:29:fd:f5:cf:4a:f1:36:7e:0c:
37:96:b1:01:e5:aa:7f:6e:a0:56:b0:33:28:ed:db:
...省略....
0b:61:df:37:ed:bd:25:39:4c:5f:27:32:57:9e:d0:
11:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
X509v3 Authority Key Identifier:
keyid:28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
a3:66:1b:85:dc:9e:1b:c7:c8:e4:29:3c:32:b2:fc:71:c9:79:
9e:ad:db:78:bd:a4:42:1a:ef:d7:7f:4a:84:d9:46:e1:60:fa:
...过程省略
[aaa@qq.com certs]# cat app.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED 显示加密的key
DEK-Info: AES-128-CBC,9DA9313678745075B8A73ADCF93A7B32
uOAKI0ktWQIMlC1qFXElLl6EU2Pek6iY1ZkInP6y9c2XBCs45h9xuBCsZos3ZpjO
JJGbu8jk+z/ib0/0pijVeRCClfNuqAhGLv1dIwj8yJz/ail2ctF9sDg6amFTvsgx
...过程省略
Cum4k//oLRMSfw6dFc9FxE8L0FWoZ6gmlcm0muJ87QE+ENvrwQV9d/raw0HVIPcT
o01rAW6HDwPABSKYPeVMLGj2PbebqWfWw26e7vgvqP69wHyqF4sdxk8gkAwMIqwP
-----END RSA PRIVATE KEY-----
[aaa@qq.com certs]# openssl rsa -in app.key -out app.key #解密
Enter pass phrase for app.key:
writing RSA key
[aaa@qq.com certs]# cat app.key
-----BEGIN RSA PRIVATE KEY-----#解密
MIIEpAIBAAKCAQEAr+bSP6dR5aTzGOO1VnuBTOflzfWT9L56J1KREq6arxogkB5X
...内容省略
ThNl2QKBgQCZ98RcsPfFUFdLn4kya2FMjt5psMHPbpllp50IMvVagYIWyUE9chfH
gPsPNRANn0M5yFWzXgLIAq4SO1ZK2fBwLxXAw7LOSsRh9Xcoi2s+2e/XKi1V6aw9
jLMr3gTtXfDrPXfj825G8/4Kz6qu/4HdJHmtHmIAM6XW4VHfmZMpLQ==
-----END RSA PRIVATE KEY-----
[aaa@qq.com certs]# cat app.crt app.key > app.pem 重定向到.pem
[aaa@qq.com certs]# cat app.pem 部分软件要求证书和私钥放在一个文件 必须为.pem 格式 也可以直接生成pem文件 make app.pem
-----BEGIN CERTIFICATE----- #证书
MIIDjzCCAnegAwIBAgIJAIzsuP9ctsFwMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
BAYTAkNOMQ4wDAYDVQQIDAVodWJlaTESMBAGA1UEBwwJaHVhbmdnYW5nMQswCQYD
...过程省略
5PT6DfjcRs0M+BtCoune5owhFnO8+1+zuozwk5JzZux3lYu4XbTpiVBirXfVUO7M
0jb3dTDGnfWR+HT2ZAo0gQh3OWwLnMsISbHyNnz735zo8I5fqHOg9eRBYXsSTr7t
6MfU
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----# key
MIIEpAIBAAKCAQEAr+bSP6dR5aTzGOO1VnuBTOflzfWT9L56J1KREq6arxogkB5X
Z7Io6DJuge40h+piMUTkG64mj87xco5WFGYKPsvlFqvQWl3YbQ4v6LIeO3oM5QYi
...过程省略
ThNl2QKBgQCZ98RcsPfFUFdLn4kya2FMjt5psMHPbpllp50IMvVagYIWyUE9chfH
gPsPNRANn0M5yFWzXgLIAq4SO1ZK2fBwLxXAw7LOSsRh9Xcoi2s+2e/XKi1V6aw9
jLMr3gTtXfDrPXfj825G8/4Kz6qu/4HdJHmtHmIAM6XW4VHfmZMpLQ==
-----END RSA PRIVATE KEY-----
[aaa@qq.com certs]#
centos8 没有该文件 可将该文件发送到目标主机
scp /etc/pki/tls/certs/Makefile 10.0.0.8:/data/
下一篇: 创建私有CA和证书申请