[TOC]

This article describes how to manage certificates with the openssl command-line tool.

## **CA private key and root certificate**

Generate the CA's private key:
```
$ openssl genrsa -out ca.key 1024
```
Then self-sign with that private key to produce the CA certificate:
```
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=PENGSHIZHU" -days 3650 -out ca.crt
```
Here `-x509` means "output a self-signed certificate rather than a signing request"; `-nodes` means "do not protect the private key with a passphrase" (it only matters when `req` generates the key itself, so with an existing `-key` it is a no-op); `CN` in `-subj` is the Common Name, which for a CA is just a display name and which server certificates have traditionally used for the host name; `-days` is the validity period in days.

Caveat: 1024-bit RSA, as used throughout this section, is below the 2048-bit minimum that current clients and guidelines accept. Use `openssl genrsa -out ca.key 2048` (or larger); method two below already does.

## **Generating and signing the server certificate**

##### **Method one: without csr.conf (only one domain can be configured)**

Generate the server's private key:
```
$ openssl genrsa -out server.key 1024
```
Generate the certificate signing request (CSR). Without a config file only one name can be given, through CN:
```
$ openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com"
```
Inspect the CSR and check that the subject information is correct:
```
$ openssl req -in server.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=server.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
                    88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
                    d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
                    9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
                    25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
                    b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
                    19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
                    72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
                    10:af:be:a4:45:e5:c2:2e:df
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         1a:03:a3:83:cf:cb:eb:71:0d:30:78:76:6b:a1:6c:17:f0:80:
         37:59:79:1e:75:28:37:67:bf:9f:cb:1f:9e:3d:37:38:c5:80:
         ea:26:16:f7:ba:4c:dc:c0:f3:fb:4a:fa:ec:77:6b:df:ae:51:
         40:11:44:a0:d6:a5:a1:40:cc:d5:2a:72:7d:2f:d7:54:1e:4a:
         2f:df:4e:61:c8:c5:29:49:8d:62:09:aa:eb:54:50:77:3b:1c:
         05:c0:64:af:cb:a9:98:be:3f:b3:ba:1a:16:91:b5:df:07:a3:
         79:4e:b5:a8:ae:28:f2:56:de:db:1f:90:51:aa:fb:9f:6d:fa:
         66:5b
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----
```
Verify the CSR. This checks the CSR's self-signature against the public key it carries, so it confirms that the file has not been modified since it was signed with the matching private key:
```
$ openssl req -verify -in server.csr
verify OK
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----
```
Sign it with the CA:
```
$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/CN=server.com
Getting CA Private Key
```
Note that signing needs both ca.key and ca.crt: the signature is made with ca.key, while the issuer name written into server.crt (CN and so on) is copied from the subject of ca.crt. `-CAcreateserial` creates a serial-number file (ca.srl) next to the CA certificate and assigns the new certificate a serial number, which together with the issuer name identifies it uniquely; later signings read and increment that file.

Verify the certificate against the root certificate:
```
$ openssl verify -verbose -CAfile ca.crt server.crt
server.crt: OK
```
View the certificate. Two things are worth noticing in the output: because no `-extfile` was given, `openssl x509 -req` produced a version 1 certificate (`Version: 1 (0x0)`) with no extensions at all, so it carries no subjectAltName, which is exactly what method two fixes; and this openssl build signed it with SHA-1 by default (`sha1WithRSAEncryption`), so pass `-sha256` to `openssl x509 -req` to get a SHA-256 signature.
```
$ openssl x509 -in server.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13682036317016922791 (0xbde05b8a2fc99aa7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=PENGSHIZHU
        Validity
            Not Before: Jan 24 15:55:24 2018 GMT
            Not After : Jan 22 15:55:24 2028 GMT
        Subject: CN=server.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
                    88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
                    d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
                    9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
                    25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
                    b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
                    19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
                    72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
                    10:af:be:a4:45:e5:c2:2e:df
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         88:29:a0:50:c4:ec:d9:bd:6f:85:57:3e:bb:94:97:4e:ed:43:
         57:10:de:6c:f2:23:5c:82:af:a0:1d:2a:2f:4f:42:af:92:eb:
         e2:d0:b2:32:99:7b:c7:06:88:3b:35:dd:6f:b1:a8:14:00:53:
         20:ed:22:4f:df:ad:b3:e7:8f:5e:55:c9:60:7c:dc:3b:75:95:
         e5:fc:90:b6:9c:d2:fd:61:02:b3:59:55:d1:57:88:a0:2e:49:
         0e:c8:dc:68:fd:46:61:92:93:c1:84:8b:e1:42:99:01:8f:1f:
         39:f8:d7:4f:4b:41:a0:e1:dc:98:13:09:02:76:e5:f1:69:0c:
         26:22
-----BEGIN CERTIFICATE-----
MIIBoTCCAQoCCQC94FuKL8mapzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApQ
RU5HU0hJWkhVMB4XDTE4MDEyNDE1NTUyNFoXDTI4MDEyMjE1NTUyNFowFTETMBEG
A1UEAwwKc2VydmVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy+AJ
I5MjDq4IECNu1dSIixmuaAwGLJAspAOeXx/VDMmSOrOu4qLcnCPte1qdtoz5SmRp
t8KBv9E5Fu4lQ3Uzrxcv+5b0tUH+KuqyFqr2v4B5IE+fwelch1AZyOej2JM8YGF3
EJ48ZNVyE1k2yER5FLAQ33WjlxcQr76kReXCLt8CAwEAATANBgkqhkiG9w0BAQUF
AAOBgQCIKaBQxOzZvW+FVz67lJdO7UNXEN5s8iNcgq+gHSovT0Kvkuvi0LIymXvH
Bog7Nd1vsagUAFMg7SJP362z549eVclgfNw7dZXl/JC2nNL9YQKzWVXRV4igLkkO
yNxo/UZhkpPBhIvhQpkBjx85+NdPS0Gg4dyYEwkCduXxaQwmIg==
-----END CERTIFICATE-----
```

##### **Method two: with csr.conf (multiple domains can be configured)**

This follows the [openssl section of the Kubernetes certificates page](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl). Note that `C` (Country) under `[ dn ]` must be exactly two letters, otherwise openssl reports an error; see the [list of country codes](https://www.ssl.com/country-codes/). In particular, when CN is an IP address, that same address must also appear as an `IP.n` entry under `[ alt_names ]` (here `IP.1` equals the CN): browsers and Go-based clients such as the Kubernetes components validate the host name or address against the subjectAltName and ignore the CN, so a name that is only in the CN is never matched. The config looks like this:
```
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = GuangDong
L = GuangZhou
O = SYSU
OU = SIST
CN = 192.168.2.200

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.2.200
IP.2 = 127.0.0.1

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
Caveat on `keyUsage`: the line above grants only `keyEncipherment` and `dataEncipherment`. RFC 5246 (ECDHE_RSA) and RFC 8446 (TLS 1.3) require that the server's key be usable for signing, that is, the `digitalSignature` bit, because those handshakes are authenticated by a signature rather than by RSA key transport. Strict peers may refuse such a certificate, so `keyUsage=digitalSignature,keyEncipherment` is the safer setting.
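The following script is an added example and not part of the original post or of the Kubernetes documentation it follows. It runs the whole procedure from both sections end to end: the self-signed CA from the first section, then a server certificate from a csr.conf laid out like the one above, signed with the `v3_ext` section, and finally the two checks a TLS client performs, chain verification (`openssl verify`) and name matching against the subjectAltName (`openssl x509 -checkhost` / `-checkip`). The CA name `demo-ca`, the working directory `WORK`, the 365-day leaf validity, the negative test names `example.com` and `10.0.0.1`, 2048-bit keys and SHA-256 signatures are choices made for this example; `keyUsage` additionally includes `digitalSignature` for the reason given above.

```shell
#!/bin/sh
# Added example, not part of the original post: build the CA from the first
# section and a server certificate from the csr.conf of method two, then run
# the checks a TLS client would perform (chain and name matching).
# Assumptions: the CA name "demo-ca", the working directory WORK, the names
# example.com / 10.0.0.1 used as negative tests, and 2048-bit keys throughout.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Request config with the same layout as the csr.conf above. keyUsage adds
# digitalSignature so the key may sign (EC)DHE / TLS 1.3 handshakes.
write_csr_conf() {
    cat > "$WORK/csr.conf" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = GuangDong
L = GuangZhou
O = SYSU
OU = SIST
CN = 192.168.2.200

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.2.200
IP.2 = 127.0.0.1

[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
EOF
}

# Self-signed root CA: 2048-bit RSA, SHA-256 signature, ten years.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -key "$WORK/ca.key" \
        -subj "/CN=demo-ca" -days 3650 -out "$WORK/ca.crt"
}

# Server certificate: CSR from csr.conf, signed by the CA with the v3_ext
# section so the SAN and key-usage extensions end up in the certificate.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -config "$WORK/csr.conf"
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extensions v3_ext -extfile "$WORK/csr.conf" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Chain check: prints OK when server.crt was signed by ca.crt and is valid now.
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Name checks the way a client does them: against the subjectAltName entries.
# Exit status 0 when the name matches. -checkhost/-checkip report the result
# in their output and exit 0 either way, hence the grep.
check_host() {
    openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" | grep -q 'does match'
}
check_ip() {
    openssl x509 -in "$WORK/server.crt" -noout -checkip "$1" | grep -q 'does match'
}

demo_pki() {
    write_csr_conf
    make_ca
    make_server_cert
    echo "chain: $(verify_chain)"
    for name in kubernetes kubernetes.default.svc.cluster.local example.com; do
        if check_host "$name"; then echo "$name: match"; else echo "$name: no match"; fi
    done
    for ip in 192.168.2.200 127.0.0.1 10.0.0.1; do
        if check_ip "$ip"; then echo "$ip: match"; else echo "$ip: no match"; fi
    done
    openssl x509 -in "$WORK/server.crt" -noout -subject -issuer
}

# Run the demo when openssl is on PATH (the functions stay usable otherwise).
command -v openssl >/dev/null 2>&1 && demo_pki
```

Running it prints `chain: OK`, a match for the two DNS names and two IPs listed in `[ alt_names ]`, and "no match" for `example.com` and `10.0.0.1`. Dropping `-extensions v3_ext -extfile` from the `openssl x509 -req` line in `make_server_cert` reproduces the method-one situation: the chain still verifies, but the certificate has no subjectAltName, which is why HTTPS clients reject it even though the CN is right.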
Also note that when csr.conf is used, the `[v3_ext]` section must not be omitted, and the CA has to be told to apply it at signing time with `-extensions v3_ext -extfile csr.conf`. Without those options `openssl x509 -req` ignores the extensions requested in the CSR and emits a version 1 certificate with no subjectAltName, and in testing, requests to the HTTPS service then failed. The complete flow is:
```
# generate server.key
openssl genrsa -out server.key 2048
# generate server.csr using the csr.conf shown above
openssl req -new -key server.key -out server.csr -config csr.conf
# sign with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extensions v3_ext -extfile csr.conf
```

## **References**

* http://www.cnblogs.com/gordon0918/p/5363466.html
* https://linux.cn/article-7248-1.html
* https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl
* https://github.com/cnych/admission-webhook-example/blob/master/deployment/webhook-create-signed-cert.sh