Certificate generation tools

  • 1. openssl
  • 2. keytool, bundled with the JDK
  • 3. cfssl

Meaning of the fields in a certificate

- View the contents of a certificate
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
openssl x509 -noout -text -in kubernetes.pem
cfssl-certinfo -cert kubernetes.pem

Meaning of the fields in a digital certificate's Subject

  • The Subject of a typical digital certificate contains the following fields:
Field | Meaning
Common Name (CN) | For SSL certificates, usually the website's domain name; for code-signing certificates, the name of the applicant organization; for client certificates, the name of the person applying
Organization Name (O) | For SSL certificates, usually the website's domain name; for code-signing certificates, the name of the applicant organization; for client organization certificates, the name of the applicant's organization
  • Location of the applicant organization
Field | Meaning
Locality (L) | City
State/Province (S) | State or province
Country (C) | Two-letter country code only, e.g. China: CN
  • Other fields
Field | Meaning
Email (E) | E-mail address
Name fields (G) | Additional name fields
Description | Description field
Phone | Telephone number, formatted as + country code, city code, number, e.g. +86 732 88888888
STREET | Street address
PostalCode | Postal code
Organizational Unit (OU) | Used to display other information

How browsers validate a certificate

When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name shown in the address bar.

The browser has three ways to find a match:

  • 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.

  • 2. The host name matches a wildcard Common Name. For example, www.example.com matches the common name *.example.com.

  • 3. The host name is listed in the Subject Alternative Name (SAN) field.

Reference

The client uses the information the server returns to verify that the server is legitimate, checking:

  • whether the certificate has expired
  • whether the CA that issued the server certificate is trustworthy
  • whether the returned public key correctly verifies the digital signature on the returned certificate
  • whether the domain name on the server certificate matches the server's actual domain name (check the CN or SAN, see above)

If these checks pass, communication continues; otherwise it is terminated.
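As an added example (not from the original post), the name-matching rules and the expiry check listed above, implemented in Python over a constructed record in the shape of `cfssl-certinfo` output whose values are copied from the kubernetes.pem shown further down the page. The two remaining checks (is the issuing CA trusted, does the signature verify) need the DER certificate and a trust store and are not covered here. `CERTINFO_JSON`, `parse_time`, `name_matches`, `hostname_matches`, `within_validity` and `verify_server_cert` are names chosen for this example.

```python
import json
from datetime import datetime, timezone

# Constructed input in the shape of `cfssl-certinfo -cert` output; the values are copied
# from the kubernetes.pem shown further down the page, including its two empty SAN entries.
CERTINFO_JSON = """{
  "subject": {"common_name": "kubernetes", "organization": "k8s"},
  "issuer": {"common_name": "kubernetes", "organization": "k8s"},
  "sans": ["", "", "kubernetes", "kubernetes.default", "kubernetes.default.svc",
           "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local",
           "127.0.0.1"],
  "not_before": "2017-12-23T10:27:00Z",
  "not_after": "2018-12-23T10:27:00Z"
}"""


def parse_time(stamp):
    """Turn the certinfo timestamp format (UTC, trailing Z) into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def name_matches(pattern, hostname):
    """Rules 1 and 2 from the list above: exact match, or a wildcard as the whole leftmost label.

    The wildcard stands for exactly one label, so *.example.com matches www.example.com
    but neither example.com nor a.b.example.com.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def hostname_matches(hostname, common_name, sans):
    """Rule 3 on top of 1 and 2: accept the CN or any non-empty SAN entry."""
    if name_matches(common_name, hostname):
        return True
    # The page's certificate carries two empty DNS names; an empty entry must never match.
    return any(name_matches(san, hostname) for san in sans if san)


def within_validity(not_before, not_after, now):
    """The expiry check: now must lie inside [not_before, not_after]."""
    return parse_time(not_before) <= now <= parse_time(not_after)


def verify_server_cert(certinfo_json, hostname, now):
    """Return the failed checks as a list of strings (empty means name and dates are acceptable)."""
    info = json.loads(certinfo_json)
    problems = []
    if not within_validity(info["not_before"], info["not_after"], now):
        problems.append("certificate is outside its validity period")
    if not hostname_matches(hostname, info["subject"]["common_name"], info["sans"]):
        problems.append("hostname matches neither the CN nor any SAN")
    return problems


if __name__ == "__main__":
    when = parse_time("2018-06-01T00:00:00Z")
    for host in ("kubernetes.default.svc", "127.0.0.1", "api.example.com"):
        print(host, verify_server_cert(CERTINFO_JSON, host, when) or "ok")
```

Two details matter in practice: a wildcard is only honoured as the entire leftmost label and covers exactly one label, and empty SAN entries (like the two in the kubernetes.pem above) are skipped so they can never match anything. Note also that current browsers consult only the SAN extension and ignore the Subject CN, so a server certificate must carry its host name in the SAN even if the CN already matches.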

How HTTPS certificates are generated, and deployment details

One-step generation with an RSA key (you are then prompted for country, province, city, company, department and name):
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to 'docker-registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com

Inspecting the certificate's format

Pay particular attention to:

- In the Subject: CN (common name)
- In the X509v3 extensions: Subject Alternative Name (SAN)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
X509v3 Authority Key Identifier:
keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
X509v3 Subject Alternative Name:
DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster,

When generating a certificate request (CSR) with xca (a CA certificate generator for Windows) you will see similar fields, so it is worth understanding what the X509v3 extensions mean.

[root@n3 keys]# openssl x509  -noout -text -in  kubernetes.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Validity
Not Before: Dec 23 10:27:00 2017 GMT
Not After : Dec 23 10:27:00 2018 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:d3:96:63:5e:17:11:7e:d6:b5:73:15:2a:aa:
ea:69:67:48:c3:f1:10:83:03:4d:99:09:88:ec:b7:
27:12:68:20:2b:95:d3:bf:ce:3f:9a:1c:c4:88:31:
ad:cf:d2:d9:d1:7c:39:20:f5:4f:d9:e9:8f:28:e2:
44:d0:df:69:29:10:15:da:c3:12:d5:4e:c5:24:a3:
88:b9:ab:0a:93:6b:1a:e5:0b:2d:5a:13:4f:8c:37:
52:fa:33:52:bd:a1:6f:4f:73:00:5a:0e:74:2d:f0:
fa:ff:05:80:9d:28:95:e2:bf:64:03:d7:df:f9:df:
10:86:06:af:66:f4:97:d7:d2:82:91:ea:cf:d1:88:
e3:9f:6b:a3:0f:a9:0d:b4:73:9a:9c:57:00:f2:2e:
f8:50:5f:28:33:7a:87:3a:8d:53:16:09:47:c7:e6:
43:d0:3e:81:57:96:82:41:d4:f2:5a:8f:50:c0:11:
31:3c:2e:80:19:b5:32:74:02:1e:c3:1c:02:79:f3:
f3:d0:86:a5:3d:7b:d9:a3:d0:12:d3:97:6d:11:7e:
9c:4e:f3:fe:84:2d:d1:43:10:5f:a7:41:15:1c:3f:
d4:3d:5f:e7:f9:80:ec:a7:1d:3f:a1:87:b1:32:b1:
67:d8:c1:55:91:35:cb:a7:ae:10:51:cd:19:ec:c4:
1e:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
X509v3 Authority Key Identifier:
keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
X509v3 Subject Alternative Name:
DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
2c:bd:2c:24:3a:b6:74:61:8d:f2:57:87:71:47:36:f9:28:32:
f4:c2:10:3f:35:d2:36:1b:a0:3c:96:9a:98:8a:59:07:00:2f:
3f:ac:83:fd:f1:00:09:aa:4d:72:26:38:88:c9:5e:a3:2f:df:
f0:bf:7c:07:39:55:1d:30:dc:87:15:7c:4f:01:9f:5f:74:e0:
78:09:6a:f0:2e:bf:a9:a8:26:86:01:43:8b:49:a3:bf:77:27:
a0:ba:77:9a:3d:e6:14:4e:3b:52:e4:35:2f:8b:88:64:4c:ed:
6d:97:cf:8c:21:9d:a5:1c:80:ff:80:f0:d5:18:d0:0c:1e:35:
84:60:55:4d:0e:2c:6c:56:d3:36:d4:0c:63:3e:65:c4:3d:b7:
23:b5:2e:5f:20:5e:43:65:85:2d:87:4c:b6:e9:5d:d3:58:90:
d6:fb:b4:1e:1d:23:62:f8:9e:63:22:ad:95:ba:e9:9e:f3:88:
16:f4:f1:da:a2:c1:ef:c4:2f:d3:8d:bb:42:3c:63:8f:20:b9:
6c:9a:90:65:2e:36:4f:b5:f8:ca:75:e2:69:0f:0e:07:99:8c:
01:53:ff:cc:a0:a7:95:33:25:b7:e7:78:33:bc:2f:f8:25:3a:
fe:49:4f:55:06:ac:17:c0:f9:d9:89:2f:bb:c9:8f:10:7b:21:
7a:59:3f:08
[root@n3 keys]# cfssl-certinfo -cert kubernetes.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "243750511260095960201836502027625859126538784827",
"sans": [
"",
"",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1"
],
"not_before": "2017-12-23T10:27:00Z",
"not_after": "2018-12-23T10:27:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "6E:45:FB:5F:1F:73:87:3E:C3:C:54:AB:74:95:2A:FB:44:E0:9B:D8",
"subject_key_id": "62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14",
"pem": "-----BEGIN CERTIFICATE-----\nMIIEcTCCA1mgAwIBAgIUKrImpH2fsSHYOsDcp3FzPmYT0DswDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTIyMzEwMjcwMFoXDTE4MTIyMzEwMjcwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9OWY14XEX7WtXMVKqrq\naWdIw/EQgwNNmQmI7LcnEmggK5XTv84/mhzEiDGtz9LZ0Xw5IPVP2emPKOJE0N9p\nKRAV2sMS1U7FJKOIuasKk2sa5QstWhNPjDdS+jNSvaFvT3MAWg50LfD6/wWAnSiV\n4r9kA9ff+d8QhgavZvSX19KCkerP0Yjjn2ujD6kNtHOanFcA8i74UF8oM3qHOo1T\nFglHx+ZD0D6BV5aCQdTyWo9QwBExPC6AGbUydAIewxwCefPz0IalPXvZo9AS05dt\nEX6cTvP+hC3RQxBfp0EVHD/UPV/n+YDspx0/oYexMrFn2MFVkTXLp64QUc0Z7MQe\nGwIDAQABo4IBFzCCARMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF\nBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRi6lrcE8Rf1ezb\nE3fa4ZAfyUsQFDAfBgNVHSMEGDAWgBRuRftfH3OHPsMMVKt0lSr7ROCb2DCBkwYD\nVR0RBIGLMIGIggCCAIIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZr\ndWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNs\ndXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAA\nATANBgkqhkiG9w0BAQsFAAOCAQEALL0sJDq2dGGN8leHcUc2+Sgy9MIQPzXSNhug\nPJaamIpZBwAvP6yD/fEACapNciY4iMleoy/f8L98BzlVHTDchxV8TwGfX3TgeAlq\n8C6/qagmhgFDi0mjv3cnoLp3mj3mFE47UuQ1L4uIZEztbZfPjCGdpRyA/4Dw1RjQ\nDB41hGBVTQ4sbFbTNtQMYz5lxD23I7UuXyBeQ2WFLYdMtuld01iQ1vu0Hh0jYvie\nYyKtlbrpnvOIFvTx2qLB78Qv0427QjxjjyC5bJqQZS42T7X4ynXiaQ8OB5mMAVP/\nzKCnlTMlt+d4M7wv+CU6/klPVQasF8D52Ykvu8mPEHshelk/CA==\n-----END CERTIFICATE-----\n"
}

Steps to generate certificates, with the openssl commands

Step 1: prepare the public and private keys for the server and the client:

# Generate the server private key
openssl genrsa -out server.key 1024
# Generate the server public key
openssl rsa -in server.key -pubout -out server.pem
# Generate the client private key
openssl genrsa -out client.key 1024
# Generate the client public key
openssl rsa -in client.key -pubout -out client.pem

Step 2: generate the CA certificate:

# Generate the CA private key
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

Step 3: generate the server and client certificates:

# The server applies to the CA for a signed certificate; before applying it still creates its own CSR file
openssl req -new -key server.key -out server.csr
# Apply to our own CA for the certificate; signing needs the CA's certificate and private key, and finally issues a certificate carrying the CA's signature
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# Client side
openssl req -new -key client.key -out client.csr
# The client has the CA sign its certificate
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
