本文介紹的OpenSSL腳本
- 采用自簽名CA,以方便多份證書的簽發和使用
- 支持SAN(主體備用名稱)
- 包含各種檔案格式的匯出腳本,并簡述檔案用法
1. RSA證書
創建目錄結構
mkdir ssl
cd ssl
mkdir certs private csr conf
# intial directory structure
# ssl/
# ├── certs/
# ├── conf/
# │ ├── ca.conf
# │ └── localhost.conf
# ├── csr/
# └── private/
解釋擴展名
Notes on file extensions
*.crt - PEM-encded single certificate or multiple certificates
*-cert.crt signed certificate (-----CERTIFICATE-----)
*-chain.crt list of certificates from intermediates to root
*.key - PEM-encoded private key
*-rsa.key PKCS#1 (-----RSA PRIVATE KEY-----)
*.key PKCS#8 (-----PRIVATE KEY-----) or SEC1 (-----EC PRIVATE KEY-----)
*.jks - JKS kind of Java keystore (certificate + private key)
*.jts - JKS-type truststore (certificates)
*-cert.p12 - PKCS12-type keystore (certificate + private key)
*-chain.p12 - PKCS12-type truststore (certificates)
*.pfx - PKCS12-type Microsoft PFX
準備組態檔conf/ca.conf以創建CA
[ req ]
default_bits = 2048
default_keyfile = private/ca-encrypted.key
distinguished_name = subject
req_extensions = req_ext
x509_extensions = v3_ca
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
# Country Name (2 letter code)
C=CN
# State or Province Name (full name)
ST=BJ
# Locality Name (eg, city)
L=Beijing
# Organization Name (eg, company)
O=WebDev Org
# Organization Unit (eg, department, sub-company, job-type, regions)
OU=IT Dept
# Common Name (e.g. server FQDN or Authority Name)
CN=WebDev CA
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
#subjectAltName = @alt_ica
extendedKeyUsage = clientAuth, serverAuth, codeSigning
創建CA
#
# create CA
#
# 1. generate a rsa key for CA
openssl genrsa -aes256 -out private/ca-rsa.key 2048
# 2. convert private key from PKCS#1 to PKCS#8
openssl pkcs8 -topk8 -inform PEM -in private/ca-rsa.key -outform PEM -out private/ca-encrypted.key
# 3. create ca certificate
openssl req -new -config conf/ca.conf \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev CA" \
-x509 -sha256 -days 3650 -key private/ca-encrypted.key -out certs/ca.crt
創建證書簽名請求
#
# create certificate signing request
#
# the domain name (e.g. example.com)
domain=localhost
# 1. create a server rsa key
openssl genrsa -out private/$domain-rsa.key 2048
# 2. convert rsa key to pkcs8 key (without password protection)
openssl pkcs8 -topk8 -nocrypt -inform PEM -in private/$domain-rsa.key -outform PEM -out private/$domain.key
# 3. create a server certificate request
openssl req -new -sha256 \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=localhost" \
-key private/$domain.key \
-out csr/$domain.csr
準備組態檔conf/localhost.conf以簽發證書請求
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = @alternate_names
extendedKeyUsage = serverAuth,clientAuth
[ alternate_names ]
DNS.1 = localhost
DNS.2 = loopback
IP.1 = 127.0.0.1
IP.2 = 127.0.1.1
簽發證書請求
#
# sign a certificate request
#
# the domain name (e.g. localhost)
domain=localhost
# 1. sign a certificate
openssl x509 -req \
-days 730 \
-in csr/$domain.csr \
-CA certs/ca.crt -CAkey private/ca-encrypted.key -CAserial certs/ca.srl -CAcreateserial \
-extfile conf/$domain.conf -extensions x509_extensions \
-out certs/$domain-cert.crt
#
# test certificate with SSLServer and SSLClient
#
# on one tty window
openssl s_server -accept 1443 -www -key private/$domain.key -cert certs/$domain-cert.crt
# on another tty window
openssl s_client -showcerts -connect $domain:1443 -CAfile certs/ca.crt
匯出各種HTTP服務端所需格式
#
# export for HTTP Servers
#
# create certificate chain (for Apache / Tomcat / Node.js)
cp certs/ca.crt certs/$domain-chain.crt
# create self_plus_intermediates_plus_root (for Nginx)
cat certs/$domain-cert.crt <(echo) certs/$domain-chain.crt > certs/$domain.crt
# create java keystore in PKCS12 (for Java 9+, Java 8)
openssl pkcs12 -export -in certs/$domain-cert.crt -inkey private/$domain.key -name "$domain" -out certs/$domain-cert.pfx
$JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx \
-alias "$domain" -deststoretype PKCS12 -destkeystore certs/$domain-cert.p12
$JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx \
-alias "$domain" -deststoretype JKS -destkeystore certs/$domain-cert.jks
匯出各種HTTP客戶端所需格式
#
# export for HTTP Clients
#
# create PKCS12 truststore (for Windows)
openssl pkcs12 -export -in certs/ca.crt -nokeys -name "WebDev CA" -out certs/ca.pfx
# create PKCS12 truststore (for Java 9+, Java 8)
$JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype PKCS12 -keystore certs/$domain-chain.p12 -noprompt
$JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype JKS -keystore certs/$domain-chain.jts -noprompt
# append this CA to ca bundle (for Postman)
cat certs/ca.crt <(echo) >> certs/ca-certs.crt
2. 已簽發證書的用法(用于服務端)
配置Nginx,在nginx.conf中使用
ssl_certificate /etc/nginx/ssl/certs/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/private/localhost.key;
配置Tomcat 8.5+,在server.xml中使用
<SSLHostConfig>
<Certificate certificateKeyFile="/etc/nginx/ssl/private/localhost.key"
certificateFile="/etc/nginx/ssl/certs/localhost-cert.crt"
certificateChainFile="/etc/nginx/ssl/certs/localhost-chain.crt"
type="RSA" />
</SSLHostConfig>
<!-- or -->
<SSLHostConfig truststoreFile="/etc/nginx/ssl/certs/localhost-chain.jts"
truststorePassword="changeit"
truststoreType="JKS">
<Certificate
certificateKeystoreFile="/etc/nginx/ssl/certs/localhost-cert.jks"
certificateKeystorePassword="changeit"
certificateKeystoreType="JKS"
certificateKeyAlias="localhost"
type="RSA" />
</SSLHostConfig>
<!-- or -->
<SSLHostConfig truststoreFile="/etc/nginx/ssl/certs/localhost-chain.p12"
truststorePassword="changeit"
truststoreType="PKCS12">
<Certificate
certificateKeystoreFile="/etc/nginx/ssl/certs/localhost-cert.p12"
certificateKeystorePassword="changeit"
certificateKeystoreType="PKCS12"
certificateKeyAlias="localhost"
type="RSA" />
</SSLHostConfig>
撰寫Node.js腳本,在server.js中使用
let server=https.createServer({
key: fs.readFileSync("/etc/nginx/ssl/private/localhost.key"),
cert: fs.readFileSync("/etc/nginx/ssl/certs/localhost-cert.crt"),
ca: fs.readFileSync("/etc/nginx/ssl/certs/localhost-chain.crt"),
});
配置webpack-dev-server,在webpack.config.js中使用
module.exports = {
devServer: {
https: {
key: '/etc/nginx/ssl/private/localhost.key',
cert: '/etc/nginx/ssl/certs/localhost-cert.crt',
ca: '/etc/nginx/ssl/certs/localhost-chain.crt',
},
},
};
3. 自簽名CA證書的用法(用于客戶端)
匯入到Windows
雙擊CA證書certs/ca.pfx,安裝證書(存盤位置為"本地計算機",證書存盤為"受信任的根證書頒發機構"),
匯入后適用于 IE、Edge及其WebView、Chrome、基于Chromium的瀏覽器等等
匯入到Firefox
注:如果已經將自簽名CA證書certs/ca.pfx匯入到Windows,那么可通過訪問about:config設定security.enterprise_roots.enabled為true來共享Windows受信任的根證書而無需再Firefox單獨匯入
在Firefox Settings / Certificates / View Certificates / 匯入ca.pfx檔案到"Your Certificates
匯入到Postman
在Postman Settings / Certificates / CA Certificates指定合并的CA合輯檔案/etc/nginx/ssl/certs/ca-bundle.crt
匯入到Java HTTP客戶端
在VM arguments,添加-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.jts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS,對于Java9+也可換成-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12
4. 附: EC證書
準備組態檔conf/example.com.conf以簽發證書
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = @alternate_names
extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = example.com
DNS.2 = *.example.com
EC證書的申請、簽發和轉換
#
# create EC CA
#
# find curve with `openssl ecparam -list_curves`
# generate a private key for a curve
openssl ecparam -genkey -name prime256v1 -noout -out private/ca-ec.key
# generate a encrypted edition of the private key
openssl ec -aes256 -in private/ca-ec.key -out private/ca-ec-encrypted.key
# create ca certificate
openssl req -new -config conf/ca.conf \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev ECC CA" \
-x509 -sha256 -days 3650 -key private/ca-ec-encrypted.key -out certs/ca-ec.crt
#
# create certificate aigning request
#
# the domain name (e.g. example.com)
domain=foo.apps.example.com
# generate a private key
openssl ecparam -genkey -name prime256v1 -out private/$domain.key
# create a certificate signing request
openssl req -new \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=$domain" \
-key private/$domain.key \
-out csr/$domain.csr
# optionally, generate corresponding public key
openssl ec -in private/$domain.key -pubout -out public/$domain.pub
#
# sign for certificate request
#
# the domain name (e.g. example.com)
domain=example.com
openssl x509 -req \
-sha256 -days 730 \
-in csr/$domain.csr \
-CA certs/ca-ec.crt -CAkey private/ca-ec-encrypted.key -CAserial certs/ca-ec.srl -CAcreateserial \
-extfile conf/$domain.conf -extensions x509_extensions \
-out certs/$domain-cert.crt
#
# export for HTTP Servers
#
# create certificate chain (for Apache, Tomcat, Node.js)
cp certs/ca-ec.crt certs/$domain-chain.crt
# for Nginx
cat certs/$domain-cert.crt <(echo) certs/ca-ec.crt > certs/$domain.crt
#
# export for HTTP Clients
#
# create PKCS12 truststore (for Windows, Firefox)
openssl pkcs12 -export -in certs/ca-ec.crt -nokeys -out certs/ca-ec.pfx
# append this CA to ca bundle (for Postman)
cat certs/ca-ec.crt <(echo) >> certs/ca-certs.crt
EC證書在服務端的配置方式,與RSA證書的基本一樣,除了在Tomcat配置SSL時指定type,如
<Certificate ... type="EC" />
附注:
- 上述腳本中:CA key檔案采用密碼保護是為了防止key檔案意外泄露后被濫用,server key檔案不采用密碼保護是為了避免密碼暴露在各服務器的組態檔中,
- 關于命令keytool,建議采用Oracle JDK的,因為我測出一個問題:OpenJDK的keytool創建的p12檔案,Oracle JDK不認,
轉載請註明出處,本文鏈接:https://www.uj5u.com/ruanti/342166.html
標籤:其他
上一篇:SpringBoot集成Mycat實作讀寫分離、高可用
下一篇:2021-10-30總結