一、生成自簽名證書

1.1、創建root CA私鑰

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt

執行步驟如下：

 root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt 
Generating a 4096 bit RSA private key.............................................++.............................................++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CNState or Province Name (full name) [Some-State]:NanJingLocality Name (eg, city) []:NanJingOrganization Name (eg, company) [Internet Widgits Pty Ltd]:rancherOrganizational Unit Name (eg, section) []:info technologyCommon Name (e.g. server FQDN or YOUR name) []:dukeEmail Address []:[email protected]

1.2、為服務端(web)生成證書簽名請求檔案

如果你使用類似demo.rancher.com的FQDN域名訪問，則需要設定demo.rancher.com作為CN；如果你使用IP地址訪問，CN則為IP地址：

openssl req -newkey rsa:4096 -nodes -sha256 -keyout demo.rancher.com.key -out  demo.rancher.com.csr或者openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csr

執行步驟如下：

【注意】:
Commone Name一定要是你要授予證書的FQDN域名或主機名，并且不能與生成root CA設定的Commone Name相同，
challenge password可以不填，

root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csrGenerating a 4096 bit RSA private key....................................................................++....................................................................++writing new private key to '192.168.0.2.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CNState or Province Name (full name) [Some-State]:NanJingLocality Name (eg, city) []:NanJingOrganization Name (eg, company) [Internet Widgits Pty Ltd]:RANCHEROrganizational Unit Name (eg, section) []:info technologyCommon Name (e.g. server FQDN or YOUR name) []:192.168.0.2Email Address []:[email protected]Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:附屬屬性修改密碼，可以不填An optional company name []:附屬屬性另一個公司名稱，可以不填

1.3、用1.1創建的CA證書給1.2生成的簽名請求進行簽名

openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt

執行步驟如下：

root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key

1.4、使用IP進行簽名

如果你使用IP，例如192.168.0.2來連接，則可以改為運行以下命令

echo 'subjectAltName = IP:192.168.0.2' > extfile.cnfopenssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out  192.168.0.2.crt

執行步驟如下：

root@duke:~# echo 'subjectAltName = IP:192.168.0.2' > extfile.cnf
root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key

【注意】：subjectAltName后的IP不需添加埠，

1.5、檢查檔案

經過上面步驟操作后，會生成ca.crt、ca.srl、ca.key、192.168.0.2.crt、192.168.0.2.key、192.168.0.2.csr、extfile.cnf這幾個檔案，

執行步驟如下：

root@duke:~# ls
192.168.0.2.crt 192.168.0.2.key ca.crt ca.srl docker-1.13.1.tgz kubectl shipyard var 模板圖片下載桌面
192.168.0.2.csr anaconda3 ca.key docker extfile.cnf mapd-docker-storage tigervncserver_1.6.80-4_amd64.deb 公共的視頻檔案音樂

二、驗證自簽名證書

【注意】: 因為使用的是自簽名證書，瀏覽器會提示證書的頒發機構是未知的，

把生成的ca證書和去除密碼的私鑰檔案部署到web服務器(例如：harbor)后，執行以下命令驗證:

2.1、不加CA證書驗證

openssl s_client -connect 192.168.0.2:443 -servername 192.168.0.2

執行步驟如下：

root@duke:~#  openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2CONNECTED(00000003)depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]verify error:num=18:self signed certificate 報錯自簽名不正確verify return:1depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected] return:1---Certificate chain 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected] certificate-----BEGIN CERTIFICATE-----MIIF6TCCA9GgAwIBAgIJALx+htau6IhyMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHTmFuSmluZzEQMA4GA1UEBwwHTmFuSmluZzEQMA4GA1UECgwHcmFuY2hlcjEYMBYGA1UECwwPaW5mbyB0ZWNobm9sb2d5MQ0wCwYDVQQDDARkdWtlMRwwGgYJKoZIhvcNAQkBFg1oenc5N0AxMjYuY29tMB4XDTE4MTIyNDA2MTU0OVoXDTE5MTIyNDA2MTU0OVowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdOYW5KaW5nMRAwDgYDVQQHDAdOYW5KaW5nMRAwDgYDVQQKDAdyYW5jaGVyMRgwFgYDVQQLDA9pbmZvIHRlY2hub2xvZ3kxDTALBgNVBAMMBGR1a2UxHDAaBgkqhkiG9w0BCQEWDWh6dzk3QDEyNi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwxjnhRPlbrfr+wsxtDgK8MOBSPSoqpeEl6j8LoV+UFwWKlIZH9Qc82nV2/OVZAZUP1UZ/syJlup3e8gus9UvltAuGvMZdGGeVtWqRCoEbpSgaehpspbC8yL7UOx5PTafDqyLuP5jZ4/xskpCXvsUbtDYDs1/9H5yVP4yAsZtsGFfdxx4Ztyger5SEFYwjhHdGhrgMk1Zj3f2CJu0iPDqRP2dxJp0/+Hc3MrKrkXd8/BLEWHiKL7GhQZRPEqYcTZYwtooXEqwvJBgi02VTn+SGQLKi9ekYNdUyLAp3qO1FC/G9OiIKjy625+umlgZXV06Uy5NnbrAmqkUJwN/q+jt/GsJYgOPn2PdylvIx2T+x3bh+VGj2lY8NztkDV5/16FCoIt7xTfOJMfCuGqHfHYAAG+QmC1W+qX04HFeMrJcTG2RSW/g6dKUFI3k+fzhUIqHqeQgTc9Pg1zJtWDzNyMZYgcxvS3J5TBrSUIXuKr5oomKEV7+tRUPjEVjjE6tb1OAQdoahB2IOHcAxKAiutJz5AWQOd+YgWUEx9i33MBNnPZ3JjMof09fbwOO7SuhFjRob8rKas0jLx2RM7xTMY5KPHiBQ45vSX5MxmSFNNHQlzWUoIoQLVLh5ZylhavjwQ5zCeXBE8SKrKG49T2j1VgG+I/QnNfshBepfF+7ZzllhmQIDAQABo1AwTjAdBgNVHQ4EFgQUVYAauWx8AP42NMOq6IDO2g/EK0UwHwYDVR0jBBgwFoAUVYAauWx8AP42NMOq6IDO2g/EK0UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAVJFOtmkav5obqDDYoGeTOUBHZl1Iu6A0L0P+aL9506Vj+2vGkfG3QegwLMX1Yqs7OW2tFSJZ9TVGdL6FvCvT4+We+k5otmxg/Mo767NTioSjStIRD024ZY00rUezHBk7nodUWdRcIfcmGjLf3XTWZzriKDghyH82C6L6FMx043ETDbsfBKGFWY9LyTKb6JNHNhU6ycdzO7AdPaJMJ17WpZTHWJZDzX+Xeep29RP4+nRpVmuTEGY4IQGLNJ7PNgS9Pe++4QF8ZZXsRLljfdetx0A1Yhc8A5b9+NZYQF9cjBsaCOqcwNpI5+hTfsl2As2AFllbd0j1xGJ4vqlK1wVdkYrvroO2guXfkDXse2lfKUfDDfrTRNfUysUyawUSt92TiNUUNaIILtyiE6D20mLwJe/JkyydrTemuqXD/OFxKnBT0KjTPr5JTCHvBKnYBgXEq2ydzsrR9fjeaktPxoWBNtN8VAFtadjso40FnFloqgBNRKuUSq17QZxppVTGy+DDbUAWOeIZAy+nvpisNqA9UmG2SbqSSUVuaWK1e9QIayFMEA/ytn5rSVYXTXF4FFT46lOKLCfeEOAI6owAbPOCP503f+4HeKJ7dzNbkGC2hCodrur26oflFroZ6tV6i5qjvoKcAblLKT3tuY4IhOPSjlueF0OfpLZTTBhXQ3M7xZA=-----END CERTIFICATE-----subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected] client certificate CA names sentPeer signing digest: SHA512Server Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 2464 bytes and written 450 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384Server public key is 4096 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES256-GCM-SHA384    Session-ID: 340DBA9B6572AEAF10CFD75D77B86CBAB1ED2F91DC69C44628C08C112A84F473    Session-ID-ctx:     Master-Key: C294F7E4E56D19FAA1EC1279718385BF677C4E6DC250424F2424BAB8F48E37290FCEFC0C5B8326D33AE69DAC5CF35F77    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    TLS session ticket lifetime hint: 300 (seconds)    TLS session ticket:    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W    0010 - 2f 80 15 34 c5 60 31 e1-43 54 7d 95 bf e4 ad 5e   /..4.`1.CT}....^    0020 - ea 62 db 2b 94 46 13 83-a2 08 c0 04 c8 7b 74 1c   .b.+.F.......{t.    0030 - 26 da 21 1d b5 db d7 c4-3a 3e e2 b0 81 14 2d 87   &.!.....:>....-.    0040 - d8 0f a4 60 34 cc e9 0f-46 54 87 49 7f 1c 2a 56   ...`4...FT.I..*V    0050 - 55 e7 11 d0 cd d9 df 8c-b1 0e 8f 34 c1 ff 71 4c   U..........4..qL    0060 - 46 73 61 a3 88 d7 2a 4c-90 2b c6 76 7c 28 f4 ef   Fsa...*L.+.v|(..    0070 - 69 48 a1 15 23 73 32 c5-55 c6 4a 65 b9 40 7d c3   iH..#s2.U.Je.@}.    0080 - dc 5e cf 6d 0c cf 90 59-88 0c 6c 12 76 ca d0 1a   .^.m...Y..l.v...    0090 - 65 43 f9 a6 1b 5c 03 ed-ac 59 85 26 1a a9 1b bb   eC...\...Y.&....    00a0 - 53 37 d9 da f9 f7 27 f2-00 6a 27 ae a1 c1 98 f5   S7....'..j'.....    00b0 - ff 27 07 51 6f 98 d4 b3-cd 63 24 d5 9e 1b 85 99   .'.Qo....c$.....    Start Time: 1545636922    Timeout   : 300 (sec)    Verify return code: 18 (self signed certificate)---

2.2、添加CA證書驗證

openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt

執行步驟如下：

root@duke:~# openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt      CONNECTED(00000003)depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected] 沒有報錯，證書鑒權正確verify return:1---Certificate chain 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected] certificate-----BEGIN CERTIFICATE-----MIIF6TCCA9GgAwIBAgIJALx+htau6IhyMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHTmFuSmluZzEQMA4GA1UEBwwHTmFuSmluZzEQMA4GA1UECgwHcmFuY2hlcjEYMBYGA1UECwwPaW5mbyB0ZWNobm9sb2d5MQ0wCwYDVQQDDARkdWtlMRwwGgYJKoZIhvcNAQkBFg1oenc5N0AxMjYuY29tMB4XDTE4MTIyNDA2MTU0OVoXDTE5MTIyNDA2MTU0OVowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdOYW5KaW5nMRAwDgYDVQQHDAdOYW5KaW5nMRAwDgYDVQQKDAdyYW5jaGVyMRgwFgYDVQQLDA9pbmZvIHRlY2hub2xvZ3kxDTALBgNVBAMMBGR1a2UxHDAaBgkqhkiG9w0BCQEWDWh6dzk3QDEyNi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwxjnhRPlbrfr+wsxtDgK8MOBSPSoqpeEl6j8LoV+UFwWKlIZH9Qc82nV2/OVZAZUP1UZ/syJlup3e8gus9UvltAuGvMZdGGeVtWqRCoEbpSgaehpspbC8yL7UOx5PTafDqyLuP5jZ4/xskpCXvsUbtDYDs1/9H5yVP4yAsZtsGFfdxx4Ztyger5SEFYwjhHdGhrgMk1Zj3f2CJu0iPDqRP2dxJp0/+Hc3MrKrkXd8/BLEWHiKL7GhQZRPEqYcTZYwtooXEqwvJBgi02VTn+SGQLKi9ekYNdUyLAp3qO1FC/G9OiIKjy625+umlgZXV06Uy5NnbrAmqkUJwN/q+jt/GsJYgOPn2PdylvIx2T+x3bh+VGj2lY8NztkDV5/16FCoIt7xTfOJMfCuGqHfHYAAG+QmC1W+qX04HFeMrJcTG2RSW/g6dKUFI3k+fzhUIqHqeQgTc9Pg1zJtWDzNyMZYgcxvS3J5TBrSUIXuKr5oomKEV7+tRUPjEVjjE6tb1OAQdoahB2IOHcAxKAiutJz5AWQOd+YgWUEx9i33MBNnPZ3JjMof09fbwOO7SuhFjRob8rKas0jLx2RM7xTMY5KPHiBQ45vSX5MxmSFNNHQlzWUoIoQLVLh5ZylhavjwQ5zCeXBE8SKrKG49T2j1VgG+I/QnNfshBepfF+7ZzllhmQIDAQABo1AwTjAdBgNVHQ4EFgQUVYAauWx8AP42NMOq6IDO2g/EK0UwHwYDVR0jBBgwFoAUVYAauWx8AP42NMOq6IDO2g/EK0UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAVJFOtmkav5obqDDYoGeTOUBHZl1Iu6A0L0P+aL9506Vj+2vGkfG3QegwLMX1Yqs7OW2tFSJZ9TVGdL6FvCvT4+We+k5otmxg/Mo767NTioSjStIRD024ZY00rUezHBk7nodUWdRcIfcmGjLf3XTWZzriKDghyH82C6L6FMx043ETDbsfBKGFWY9LyTKb6JNHNhU6ycdzO7AdPaJMJ17WpZTHWJZDzX+Xeep29RP4+nRpVmuTEGY4IQGLNJ7PNgS9Pe++4QF8ZZXsRLljfdetx0A1Yhc8A5b9+NZYQF9cjBsaCOqcwNpI5+hTfsl2As2AFllbd0j1xGJ4vqlK1wVdkYrvroO2guXfkDXse2lfKUfDDfrTRNfUysUyawUSt92TiNUUNaIILtyiE6D20mLwJe/JkyydrTemuqXD/OFxKnBT0KjTPr5JTCHvBKnYBgXEq2ydzsrR9fjeaktPxoWBNtN8VAFtadjso40FnFloqgBNRKuUSq17QZxppVTGy+DDbUAWOeIZAy+nvpisNqA9UmG2SbqSSUVuaWK1e9QIayFMEA/ytn5rSVYXTXF4FFT46lOKLCfeEOAI6owAbPOCP503f+4HeKJ7dzNbkGC2hCodrur26oflFroZ6tV6i5qjvoKcAblLKT3tuY4IhOPSjlueF0OfpLZTTBhXQ3M7xZA=-----END CERTIFICATE-----subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected] client certificate CA names sentPeer signing digest: SHA512Server Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 2464 bytes and written 450 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384Server public key is 4096 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session:    Protocol  : TLSv1.2    Cipher    : ECDHE-RSA-AES256-GCM-SHA384    Session-ID: A6C098FEBD7A744A4B7698949AAD54C4A56B362EA357BA0F2EE66335E3584691    Session-ID-ctx:     Master-Key: EFCAB47D6C3F3132B93AE60A45CF5F7776240108617CCD29894F509710D80038A08B6A0A802AF7825ECD74698D551D34    Key-Arg   : None    PSK identity: None    PSK identity hint: None    SRP username: None    TLS session ticket lifetime hint: 300 (seconds)    TLS session ticket:    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W    0010 - 50 df ce 95 3d 8f 24 aa-4c 80 0b 4d 8e 6f b3 af   P...=.$.L..M.o..    0020 - e4 66 f7 dd ea b6 45 76-17 3e eb 7b 3e 77 52 17   .f....Ev.>.{>wR.    0030 - 33 e4 d3 54 5e d2 0d ab-ed 73 54 df ab 22 3d cd   3..T^....sT.."=.    0040 - 56 8d f8 9e c4 cd 83 33-8f f5 a2 91 68 ea cf cd   V......3....h...    0050 - 2a e7 f2 3f 8e c6 e1 b8-a5 f3 28 92 98 70 01 d8   *..?......(..p..    0060 - fd ad 08 aa ae 6b 4d ff-7f 2f 6f b6 63 23 33 4d   .....kM../o.c#3M    0070 - 94 18 f2 a7 01 a8 c6 bc-a3 c5 d3 6f 71 39 f0 d0   ...........oq9..    0080 - 9b 99 cf 5f 79 01 c0 2d-b8 69 40 15 ea ae c1 77   [email protected]    0090 - f0 77 72 ba 52 b9 6c b7-56 c8 a9 f2 f4 67 82 45   .wr.R.l.V....g.E    00a0 - ee 41 86 1f b9 97 66 2b-66 17 6c 81 b2 92 88 8a   .A....f+f.l.....    00b0 - ba 96 63 75 97 f3 63 4f-4b a4 9c ab 3f b7 8c db   ..cu..cOK...?...    Start Time: 1545637270    Timeout   : 300 (sec)    Verify return code: 0 (ok)---

轉載請註明出處，本文鏈接：https://www.uj5u.com/qita/63520.html

標籤：其他

上一篇：Cisco交換機、路由器，密碼恢復

下一篇：OSI模型級各層功能

簡單使用OpenSSL生成密鑰

一、生成自簽名證書

1.1、創建root CA私鑰

1.2、為服務端(web)生成證書簽名請求檔案

1.3、用1.1創建的CA證書給1.2生成的簽名請求進行簽名

1.4、使用IP進行簽名

1.5、檢查檔案

二、驗證自簽名證書

2.1、不加CA證書驗證

2.2、添加CA證書驗證