先假设自己是一个CA,而且是一个root CA,Cliu8CA

生成一个CA的private key

openssl genrsa -out caprivate.key 1024

当然可以跟密码

openssl genrsa -out caprivatepass.key 1024 -des3 -passout hello:world 1024

CA有一个certificate,里面放着CA的public key,要生成这个certificate,则需要写一个certificate request

# openssl req -key caprivate.key -new -out cacertificate.req                          
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN    
State or Province Name (full name) [Some-State]:Cliu8CA
Locality Name (eg, city) []:Cliu8CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cliu8CA
Organizational Unit Name (eg, section) []:Cliu8CA
Common Name (e.g. server FQDN or YOUR name) []:Cliu8CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

查看证书请求

# openssl req -in cacertificate.req -text                                             
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c5:f1:aa:1e:01:04:1b:a5:dd:7a:ef:c3:7d:2a:
                    9c:73:b6:46:bb:f8:be:90:9d:3f:d8:d7:d6:d5:8b:
                    a5:17:e3:aa:e5:37:bd:cd:fb:da:84:ce:0b:38:56:
                    b4:19:6d:f6:11:32:bb:e5:77:2d:75:39:49:a0:2a:
                    6c:fd:ed:39:0d:b5:59:bc:60:09:c6:5f:06:a0:aa:
                    53:a5:3b:94:ad:08:a7:13:99:1b:c4:e4:38:79:07:
                    9e:fd:c1:2d:db:ab:f6:2e:d3:2c:51:24:56:e3:3f:
                    60:fd:e4:b5:6b:1b:ff:f2:8b:83:7d:11:a1:10:d6:
                    85:75:ed:0d:76:69:7a:ac:77
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         2b:c2:3d:f6:ff:a3:2a:c0:a3:f4:3c:81:6f:a6:bd:fd:17:58:
         39:a5:de:07:f0:0a:19:3f:ad:4f:2a:5e:c8:60:da:41:5d:67:
         82:cd:08:ef:36:72:b1:25:79:ed:ce:54:9c:12:f8:ba:5d:73:
         cf:99:f1:a9:39:af:7a:d0:fa:fa:97:0d:1b:c1:2d:14:6c:d1:
         bf:c4:b2:16:76:d8:99:cd:96:dd:99:1b:e1:90:64:e6:9a:51:
         ac:ad:27:3a:b3:e0:df:7d:c5:28:89:7b:5f:f8:5a:4c:c1:0d:
         ad:d6:b8:a0:9f:fa:68:1f:93:a7:dd:90:de:58:ee:87:23:8a:
         b2:d8
-----BEGIN CERTIFICATE REQUEST-----
MIIBpzCCARACAQAwZzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0NsaXU4Q0ExEDAO
BgNVBAcMB0NsaXU4Q0ExEDAOBgNVBAoMB0NsaXU4Q0ExEDAOBgNVBAsMB0NsaXU4
Q0ExEDAOBgNVBAMMB0NsaXU4Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AMXxqh4BBBul3Xrvw30qnHO2Rrv4vpCdP9jX1tWLpRfjquU3vc372oTOCzhWtBlt
9hEyu+V3LXU5SaAqbP3tOQ21WbxgCcZfBqCqU6U7lK0IpxOZG8TkOHkHnv3BLdur
9i7TLFEkVuM/YP3ktWsb//KLg30RoRDWhXXtDXZpeqx3AgMBAAGgADANBgkqhkiG
9w0BAQsFAAOBgQArwj32/6MqwKP0PIFvpr39F1g5pd4H8AoZP61PKl7IYNpBXWeC
zQjvNnKxJXntzlScEvi6XXPPmfGpOa960Pr6lw0bwS0UbNG/xLIWdtiZzZbdmRvh
kGTmmlGsrSc6s+DffcUoiXtf+FpMwQ2t1rign/poH5On3ZDeWO6HI4qy2A==
-----END CERTIFICATE REQUEST-----

这个证书请求需要更高级的CA用它的private key对这个证书请求进行签发,方才能被大家公认(如果大家相信的是更高级的CA,则可以用更高级的CA的certificate审核这个证书)

由于这里的CA是root CA,没有更高级的CA了,所以要进行自签发,用自己的private key对自己的certificate请求进行签发

# openssl x509 -req -in cacertificate.req -signkey caprivate.key -out cacertificate.pem
Signature ok
subject=/C=CN/ST=Cliu8CA/L=Cliu8CA/O=Cliu8CA/OU=Cliu8CA/CN=Cliu8CA
Getting Private key

查看证书内容

# openssl x509 -in cacertificate.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13213819544855395531 (0xb760eaddc1383ccb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
        Validity
            Not Before: Jul 14 18:35:36 2014 GMT
            Not After : Aug 13 18:35:36 2014 GMT
        Subject: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c5:f1:aa:1e:01:04:1b:a5:dd:7a:ef:c3:7d:2a:
                    9c:73:b6:46:bb:f8:be:90:9d:3f:d8:d7:d6:d5:8b:
                    a5:17:e3:aa:e5:37:bd:cd:fb:da:84:ce:0b:38:56:
                    b4:19:6d:f6:11:32:bb:e5:77:2d:75:39:49:a0:2a:
                    6c:fd:ed:39:0d:b5:59:bc:60:09:c6:5f:06:a0:aa:
                    53:a5:3b:94:ad:08:a7:13:99:1b:c4:e4:38:79:07:
                    9e:fd:c1:2d:db:ab:f6:2e:d3:2c:51:24:56:e3:3f:
                    60:fd:e4:b5:6b:1b:ff:f2:8b:83:7d:11:a1:10:d6:
                    85:75:ed:0d:76:69:7a:ac:77
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         16:61:a5:1f:c9:3c:0f:84:48:e4:52:2f:23:06:bf:c7:2c:29:
         17:ed:26:e0:b8:1a:0e:d1:9b:bb:f7:57:1a:bd:f3:41:75:b1:
         ed:d1:44:ea:b6:a8:4d:f4:17:82:af:d7:1d:e8:4f:82:fc:bb:
         87:9b:74:a2:2a:2d:16:8b:26:5b:bf:60:10:ee:2d:0d:e0:d3:
         0e:30:9e:12:1e:2b:12:34:3d:e8:7f:db:0b:05:8b:52:ba:e6:
         36:97:2d:df:72:90:23:16:4e:ab:e4:6a:d1:0b:92:4f:84:ef:
         3e:8f:ec:f7:8f:c2:11:81:c2:e8:aa:57:35:61:20:11:6b:d4:
         b5:ef

CA的证书和private key应该是一对

我们首先获取certificate中public key的RSA模

# openssl x509 -in cacertificate.pem -noout -modulus
Modulus=C5F1AA1E01041BA5DD7AEFC37D2A9C73B646BBF8BE909D3FD8D7D6D58BA517E3AAE537BDCDFBDA84CE0B3856B4196DF61132BBE5772D753949A02A6CFDED390DB559BC6009C65F06A0AA53A53B94AD08A713991BC4E43879079EFDC12DDBABF62ED32C512456E33F60FDE4B56B1BFFF28B837D11A110D68575ED0D76697AAC77

然后获取private key的RSA模

# openssl rsa -in caprivate.key -noout -modulus
Modulus=C5F1AA1E01041BA5DD7AEFC37D2A9C73B646BBF8BE909D3FD8D7D6D58BA517E3AAE537BDCDFBDA84CE0B3856B4196DF61132BBE5772D753949A02A6CFDED390DB559BC6009C65F06A0AA53A53B94AD08A713991BC4E43879079EFDC12DDBABF62ED32C512456E33F60FDE4B56B1BFFF28B837D11A110D68575ED0D76697AAC77

应该是一致的

下面假设自己是一个普通的机构Cliu8Site

这个普通的机构需要有自己的private key

openssl genrsa -out cliu8siteprivate.key 1024

也需要一个证书,里面放自己的public key,需要一个证书请求

# openssl req -key cliu8siteprivate.key -new -out cliu8sitecertificate.req                
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Cliu8Site
Locality Name (eg, city) []:Cliu8Site
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cliu8Site
Organizational Unit Name (eg, section) []:Cliu8Site
Common Name (e.g. server FQDN or YOUR name) []:Cliu8Site
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

要使得这个证书被认可,则需要一个CA对这个证书进行签名,我们用上面的Cliu8CA的private key对他进行签名

其实这个过程是Cliu8Site这个普通网站,将自己的请求发送给Cliu8CA后,由Cliu8CA来做的,只有Cliu8CA才有自己的private key

# openssl x509 -req -in cliu8sitecertificate.req -CA cacertificate.pem -CAkey caprivate.key -out cliu8sitecertificate.pem -CAcreateserial    
Signature ok
subject=/C=CN/ST=Cliu8Site/L=Cliu8Site/O=Cliu8Site/OU=Cliu8Site/CN=Cliu8Site
Getting CA Private Key

查看这个证书

# openssl x509 -in cliu8sitecertificate.pem -noout -text                                   Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 9637235651545248876 (0x85be56c3cb15b46c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Cliu8CA, L=Cliu8CA, O=Cliu8CA, OU=Cliu8CA, CN=Cliu8CA
        Validity
            Not Before: Jul 14 18:53:42 2014 GMT
            Not After : Aug 13 18:53:42 2014 GMT
        Subject: C=CN, ST=Cliu8Site, L=Cliu8Site, O=Cliu8Site, OU=Cliu8Site, CN=Cliu8Site
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e0:53:64:76:ae:f2:30:83:24:ae:0e:b6:a0:88:
                    9b:e9:c0:a1:8a:81:f4:ad:0c:79:ac:e0:52:94:2f:
                    56:91:09:8c:ec:a8:8b:9b:1a:f9:37:68:dd:57:63:
                    06:ec:5f:90:54:d0:8c:3a:da:c5:04:7e:15:b6:32:
                    c9:2d:f3:c5:4f:c8:a7:f6:0a:99:24:a6:85:9f:79:
                    48:c0:7e:8b:b4:58:be:f7:3f:45:a5:a8:eb:ed:dd:
                    e1:6a:95:bd:a4:12:47:ed:02:11:9a:36:28:52:43:
                    3b:6d:33:fe:25:ce:f9:b6:b3:23:e1:e6:a5:5c:65:
                    03:4f:24:03:1a:14:fb:d2:21
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         35:df:de:b9:aa:6b:d0:f9:4f:c6:3f:ba:6d:de:4b:5a:a3:88:
         b1:9f:dd:75:c7:4a:7a:58:84:3b:aa:3e:fb:7b:f1:78:c6:19:
         65:43:94:fb:69:10:1b:3a:7f:65:61:2b:6e:33:9d:0a:92:e5:
         8a:93:74:fe:ee:11:cf:8e:85:37:da:14:db:32:f9:4d:3d:e6:
         c3:21:5e:e8:c9:50:85:71:b4:16:60:4b:04:87:df:84:60:4a:
         49:66:a9:69:30:a9:f5:90:95:34:6c:49:23:68:42:16:ef:b1:
         91:e8:60:b8:de:29:d8:aa:10:63:8c:99:05:14:b8:c9:be:c5:
         a7:79

从这个证书我们可以看到,它是Cliu8CA颁发给Cliu8Site的

Cliu8Site的certificate和public key是应该相互匹配的

root@popsuper1982:/home/cliu8/keys# openssl x509 -in cliu8sitecertificate.pem -noout -modulus                                Modulus=E0536476AEF2308324AE0EB6A0889BE9C0A18A81F4AD0C79ACE052942F5691098CECA88B9B1AF93768DD576306EC5F9054D08C3ADAC5047E15B632C92DF3C54FC8A7F60A9924A6859F7948C07E8BB458BEF73F45A5A8EBEDDDE16A95BDA41247ED02119A362852433B6D33FE25CEF9B6B323E1E6A55C65034F24031A14FBD221
root@popsuper1982:/home/cliu8/keys# openssl rsa -in cliu8siteprivate.key -noout -modulus                                     Modulus=E0536476AEF2308324AE0EB6A0889BE9C0A18A81F4AD0C79ACE052942F5691098CECA88B9B1AF93768DD576306EC5F9054D08C3ADAC5047E15B632C92DF3C54FC8A7F60A9924A6859F7948C07E8BB458BEF73F45A5A8EBEDDDE16A95BDA41247ED02119A362852433B6D33FE25CEF9B6B323E1E6A55C65034F24031A14FBD221

证书链的验证过程

假设我是一个普通用户,要访问网站Cliu8Site,通过https协议

Cliu8Site会用自己的private key cliu8siteprivate.key加密数据,传给我,我接收到数据后,需要用Cliu8Site的public key进行解密

这个时候Cliu8Site会把它的certificate cliu8sitecertificate.pem通过浏览器传给我,里面就有public key。

但是我怎么能够相信这个certificate呢?我不相信,需要更高的权威机构

我查看cliu8sitecertificate.pem,发现这个certificate是由Cliu8CA进行签发的,所谓签发,也即用Cliu8CA的private key caprivate.key进行的签名。所以我要从Cliu8CA的网站上下载它的certificate,cacertificate.pem,里面包含这public key,我们用这个public key来解签名

# openssl verify -CAfile cacertificate.pem cliu8sitecertificate.pem
cliu8sitecertificate.pem: OK

哦,我明白了,Cliu8CA可以证明cliu8sitecertificate.pem是一个对的certificate,里面的public key是可以信任的,你是可以用它来解密Cliu8Site发来的数据。

但是问题来了,我能相信Cliu8CA这个机构么?

我查看cacertificate.pem,发现它是自签名的,也即是一个root certificate,没有一个更高的机构为它证明了。

如果我相信Cliu8CA这个机构,那么我解密Cliu8Site的数据,接着进行我们之间的信息交互。

如果我不相信Cliu8CA这个机构,在交互到此为止。

当然有的时候,我们发现Cliu8CA这个机构的证书是更高权威机构签名的,比如是BeijingPoliceOffice签发的,如果你相信他,你就可以进行访问。这就是证书链。

Openssl的证书操作的更多相关文章

  1. openssl - X509证书操作函数

    原文链接: http://blog.csdn.net/zqt520/article/details/26965797 现有的证书大都采用X.509规范,主要同以下信息组成:版本号.证书序列号.有效期. ...

  2. PHP的OpenSSL加密扩展学习(三):证书操作

    关于对称和非对称的加密操作,我们已经学习完两篇文章的内容了,接下来,我们就继续学习关于证书的生成. 生成 CSR 证书签名请求 CSR 是用于生成证书的签名请求,在 CSR 中,我们需要一些 dn 信 ...

  3. 使用OpenSSL生成证书

    使用OpenSSL生成证书 下载安装openssl,进入/bin/下面,执行命令(把ssl目录下的openssl.cnf 拷贝到bin目录下)1.首先要生成服务器端的私钥(key文件):openssl ...

  4. 利用openssl管理证书及SSL编程第2部分:在Windows上编译 openssl

    利用openssl管理证书及SSL编程第2部分:在Windows上编译 openssl 首先mingw的环境搭建,务必遵循下文: http://blog.csdn.net/ubuntu64fan/ar ...

  5. 利用openssl管理证书及SSL编程第1部分: openssl证书管理

    利用openssl管理证书及SSL编程第1部分 参考:1) 利用openssl创建一个简单的CAhttp://www.cppblog.com/flyonok/archive/2010/10/30/13 ...

  6. 利用keytool、openssl生成证书文件

    转载请标明出处:http://blog.csdn.net/shensky711/article/details/52225073 本文出自: [HansChen的博客] 用openssl指令逐步生成各 ...

  7. [转帖] ./demoCA/newcerts: No such file or directory openssl 生成证书时问题的解决.

    接上面一篇blog 发现openssl 生成server.crt 时有问题. 找了一个网站处理了一下: http://blog.sina.com.cn/s/blog_49f8dc400100tznt. ...

  8. Security基础(三):OpenSSL及证书服务、邮件TLS/SSL加密通信

    一.OpenSSL及证书服务 目标: 本案例要求熟悉OpenSSL工具的基本使用,完成以下任务操作: 使用OpenSSL加密/解密文件 搭建企业自有的CA服务器,为颁发数字证书提供基础环境 方案: 使 ...

  9. windows下OpenSSL加密证书安装步骤与使用方法

    OpenSSL加密证书一般用于签名认证,含私钥和公钥.在Linux系统中,OpenSSL一般是已经安装好了,可以直接使用.而在Windows系统中,是需要安装使用的. 最近在使用支付平台时,用到了Op ...

随机推荐

  1. JavaScript代码规范

    变量名:驼峰命名法(首单词小写,后面每个单词首字母大写) firstName = "John"; lastName = "Doe"; price = 19.90 ...

  2. LoadRunner监控数据库服务

    一.LR监控SQL Server SQL Server自身提供的性能计数器指标有: 指标名称 指标描述 指标范围 指标单位 1.SQL Server中访问方法(Access Methods)对象包含的 ...

  3. .Net core使用Autofac进行依赖注入示例

    一.官方文档 https://autofaccn.readthedocs.io/zh/latest/index.html 二.新建.net core 控制台程序 三.注册类型,示例一 1.新建接口 I ...

  4. 烽火2640路由器命令行手册-11-IP语音配置命令

    IP语音配置命令 目  录 第1章 配置拨号对命令... 1 1.1 配置拨号对命令... 1 1.1.1 dial-peer voice. 1 1.1.2 application. 2 1.1.3 ...

  5. About Why Inline Member Function Should Defined in The Header File

    About why inline member function should defined in the header file. It is legal to specify inline on ...

  6. 将本地代码备份到Github public repository

    1. 在本地代码所在的文件夹中初始化,即打开powershell,输入下面命令 git init 此时本地文件夹中会出现一个`.git`的隐藏文件夹.   2. 然后将当前的文档`commit`,在本 ...

  7. php ReflectionClass类遍历类中包含元素的方法

    ReflectionClass 类 类内容 class MyClass { const myconst1 = 100000001; const myconst2 = [ 1 => '开始时间', ...

  8. 利用阿里云搭建frp实现外网远程桌面链接内网电脑

    主要应用场景:针对学生放假回家使用外网无法远程操作学校的服务器或者电脑,这里通过阿里云的云服务器搭建一个frp服务,实现内网穿透,从而可以直接通过远程桌面或者其他工具实现对校园网内的服务器或者电脑进行 ...

  9. kubernets HA集群手动部署

    来源:  https://www.cnblogs.com/yangxiaoyi/p/7606121.html  http://blog.51cto.com/newfly/2288088?source= ...

  10. 迁移hive,不同集群。

    step1: 设置默认需要导出的hive数据库为defaultDatabase 在原集群中的任意节点上,新建“.hiverc”文件,加入如下内容: vi ~/.hiverc use defaultDa ...