证书生成工具
- 1,openssl
- 2,jdk自带的keystone
- 3,cfssl
证书中各个字段的含义
- 查看证书的内容
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
openssl x509 -noout -text -in kubernetes.pem
cfssl-certinfo -cert kubernetes.pem
数字证书中主题(Subject)中字段的含义
- 一般的数字证书产品的主题通常含有如下字段:
字段名 | 字段值 |
---|---|
公用名称 (Common Name) | 简称:CN 字段,对于 SSL 证书,一般为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端证书则为证书申请者的姓名; |
单位名称 (Organization Name) | 简称:O 字段,对于 SSL 证书,一般为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端单位证书则为证书申请者所在单位名称; |
- 证书申请单位所在地
字段名 | 字段值 |
---|
所在城市 (Locality)| 简称:L 字段
所在省份 (State/Provice)| 简称:S 字段
所在国家 (Country)| 简称:C 字段,只能是国家字母缩写,如中国:CN
- 其他一些字段
字段名 | 字段值 |
---|
电子邮件 (Email)| 简称:E 字段
多个姓名字段 | 简称:G 字段
介绍 | Description 字段
电话号码:|Phone 字段,格式要求 + 国家区号 城市区号 电话号码,如: +86 732 88888888
地址:|STREET 字段
邮政编码: |PostalCode 字段
显示其他内容| 简称:OU 字段
浏览器如何验证证书
当浏览器使用HTTPS连接到您的服务器时,他们会检查以确保您的SSL证书与地址栏中的主机名称匹配。
浏览器有三种找到匹配的方法:
-
1.主机名(在地址栏中)与证书主题(Subject)中的通用名称(Common Name)完全匹配。
-
2.主机名称与通配符通用名称相匹配。例如,www.example.com匹配通用名称* .example.com。
-
3.主机名 在主题备用名称(SAN: Subject Alternative Name)字段中列出
-
1.The host name (in the address bar) exactly matches the Common Name in the certificate\'s Subject.
-
2.The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.
-
3.The host name is listed in the Subject Alternative Name field.
客户端使用服务端返回的信息验证服务器的合法性,包括:
证书是否过期
发型服务器证书的CA是否可靠
返回的公钥是否能正确解开返回证书中的数字签名
服务器证书上的域名是否和服务器的实际域名相匹配 -- 要核对CN或SAN,见上
验证通过后,将继续进行通信,否则,终止通信
HTTPS证书生成原理和部署细节
使用rsa一键生成:
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt
国家 省份 城市 公司 部门 名字
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to \'docker-registry.key\'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter \'.\', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server\'s hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com
证书格式查看
主要留意:
- Subject中: CN(common name)
- X509v3 extensions中: Subject Alternative Name (SAN)
- X509v3的扩展
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
X509v3 Authority Key Identifier:
keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
X509v3 Subject Alternative Name:
DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster,
使用xca(一款windows上的ca证书生成器)生成证书请求csr 的时候也会有类似字段,因此要搞清的X509v3的扩展含义
[root@n3 keys]# openssl x509 -noout -text -in kubernetes.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Validity
Not Before: Dec 23 10:27:00 2017 GMT
Not After : Dec 23 10:27:00 2018 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:d3:96:63:5e:17:11:7e:d6:b5:73:15:2a:aa:
ea:69:67:48:c3:f1:10:83:03:4d:99:09:88:ec:b7:
27:12:68:20:2b:95:d3:bf:ce:3f:9a:1c:c4:88:31:
ad:cf:d2:d9:d1:7c:39:20:f5:4f:d9:e9:8f:28:e2:
44:d0:df:69:29:10:15:da:c3:12:d5:4e:c5:24:a3:
88:b9:ab:0a:93:6b:1a:e5:0b:2d:5a:13:4f:8c:37:
52:fa:33:52:bd:a1:6f:4f:73:00:5a:0e:74:2d:f0:
fa:ff:05:80:9d:28:95:e2:bf:64:03:d7:df:f9:df:
10:86:06:af:66:f4:97:d7:d2:82:91:ea:cf:d1:88:
e3:9f:6b:a3:0f:a9:0d:b4:73:9a:9c:57:00:f2:2e:
f8:50:5f:28:33:7a:87:3a:8d:53:16:09:47:c7:e6:
43:d0:3e:81:57:96:82:41:d4:f2:5a:8f:50:c0:11:
31:3c:2e:80:19:b5:32:74:02:1e:c3:1c:02:79:f3:
f3:d0:86:a5:3d:7b:d9:a3:d0:12:d3:97:6d:11:7e:
9c:4e:f3:fe:84:2d:d1:43:10:5f:a7:41:15:1c:3f:
d4:3d:5f:e7:f9:80:ec:a7:1d:3f:a1:87:b1:32:b1:
67:d8:c1:55:91:35:cb:a7:ae:10:51:cd:19:ec:c4:
1e:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
X509v3 Authority Key Identifier:
keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
X509v3 Subject Alternative Name:
DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
2c:bd:2c:24:3a:b6:74:61:8d:f2:57:87:71:47:36:f9:28:32:
f4:c2:10:3f:35:d2:36:1b:a0:3c:96:9a:98:8a:59:07:00:2f:
3f:ac:83:fd:f1:00:09:aa:4d:72:26:38:88:c9:5e:a3:2f:df:
f0:bf:7c:07:39:55:1d:30:dc:87:15:7c:4f:01:9f:5f:74:e0:
78:09:6a:f0:2e:bf:a9:a8:26:86:01:43:8b:49:a3:bf:77:27:
a0:ba:77:9a:3d:e6:14:4e:3b:52:e4:35:2f:8b:88:64:4c:ed:
6d:97:cf:8c:21:9d:a5:1c:80:ff:80:f0:d5:18:d0:0c:1e:35:
84:60:55:4d:0e:2c:6c:56:d3:36:d4:0c:63:3e:65:c4:3d:b7:
23:b5:2e:5f:20:5e:43:65:85:2d:87:4c:b6:e9:5d:d3:58:90:
d6:fb:b4:1e:1d:23:62:f8:9e:63:22:ad:95:ba:e9:9e:f3:88:
16:f4:f1:da:a2:c1:ef:c4:2f:d3:8d:bb:42:3c:63:8f:20:b9:
6c:9a:90:65:2e:36:4f:b5:f8:ca:75:e2:69:0f:0e:07:99:8c:
01:53:ff:cc:a0:a7:95:33:25:b7:e7:78:33:bc:2f:f8:25:3a:
fe:49:4f:55:06:ac:17:c0:f9:d9:89:2f:bb:c9:8f:10:7b:21:
7a:59:3f:08
[root@n3 keys]# cfssl-certinfo -cert kubernetes.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "243750511260095960201836502027625859126538784827",
"sans": [
"",
"",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1"
],
"not_before": "2017-12-23T10:27:00Z",
"not_after": "2018-12-23T10:27:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "6E:45:FB:5F:1F:73:87:3E:C3:C:54:AB:74:95:2A:FB:44:E0:9B:D8",
"subject_key_id": "62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEcTCCA1mgAwIBAgIUKrImpH2fsSHYOsDcp3FzPmYT0DswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTIyMzEwMjcwMFoXDTE4MTIyMzEwMjcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9OWY14XEX7WtXMVKqrq\naWdIw/EQgwNNmQmI7LcnEmggK5XTv84/mhzEiDGtz9LZ0Xw5IPVP2emPKOJE0N9p\nKRAV2sMS1U7FJKOIuasKk2sa5QstWhNPjDdS+jNSvaFvT3MAWg50LfD6/wWAnSiV\n4r9kA9ff+d8QhgavZvSX19KCkerP0Yjjn2ujD6kNtHOanFcA8i74UF8oM3qHOo1T\nFglHx+ZD0D6BV5aCQdTyWo9QwBExPC6AGbUydAIewxwCefPz0IalPXvZo9AS05dt\nEX6cTvP+hC3RQxBfp0EVHD/UPV/n+YDspx0/oYexMrFn2MFVkTXLp64QUc0Z7MQe\nGwIDAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRi6lrcE8Rf1ezb\nE3fa4ZAfyUsQFDAfBgNVHSMEGDAWgBRuRftfH3OHPsMMVKt0lSr7ROCb2DCBkwYD\nVR0RBIGLMIGIggCCAIIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZr\ndWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNs\ndXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAA\nATANBgkqhkiG9w0BAQsFAAOCAQEALL0sJDq2dGGN8leHcUc2+Sgy9MIQPzXSNhug\nPJaamIpZBwAvP6yD/fEACapNciY4iMleoy/f8L98BzlVHTDchxV8TwGfX3TgeAlq\n8C6/qagmhgFDi0mjv3cnoLp3mj3mFE47UuQ1L4uIZEztbZfPjCGdpRyA/4Dw1RjQ\nDB41hGBVTQ4sbFbTNtQMYz5lxD23I7UuXyBeQ2WFLYdMtuld01iQ1vu0Hh0jYvie\nYyKtlbrpnvOIFvTx2qLB78Qv0427QjxjjyC5bJqQZS42T7X4ynXiaQ8OB5mMAVP/\nzKCnlTMlt+d4M7wv+CU6/klPVQasF8D52Ykvu8mPEHshelk/CA==\n-----END CERTIFICATE-----\n"
}
生成证书的步骤及openssl命令
第一步,为服务器端和客户端准备公钥、私钥:
# 生成服务器端私钥
openssl genrsa -out server.key 1024
# 生成服务器端公钥
openssl rsa -in server.key -pubout -out server.pem
# 生成客户端私钥
openssl genrsa -out client.key 1024
# 生成客户端公钥
openssl rsa -in client.key -pubout -out client.pem
第二步,生成 CA 证书:
# 生成 CA 私钥
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
第三步,生成服务器端证书和客户端证书:
# 服务器端需要向 CA 机构申请签名证书,在申请签名证书之前依然是创建自己的 CSR 文件
openssl req -new -key server.key -out server.csr
# 向自己的 CA 机构申请证书,签名过程需要 CA 的证书和私钥参与,最终颁发一个带有 CA 签名的证书
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# client 端
openssl req -new -key client.key -out client.csr
# client 端到 CA 签名
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt