[TOC]
本文主要介绍用openssl 工具来进行证书的管理
## **CA私钥与根证书**
生成CA的私钥
```
$ openssl genrsa -out ca.key 1024
```
然后私钥自签名生成CA的证书
```
$ openssl req -x509 -new -nodes -key ca.key -subj "/CN=PENGSHIZHU" -days 3650 -out ca.crt
```
其中`-x509`表示进行自签名,`-nodes`表示不对证书进行加密,`-subj`中CN表示证书的域名,`-days`表示证书的有效期天数。
## **生成与签发服务器证书**
##### **方法一:不使用csr.conf(只能配置一个域名)**
生成服务器的私钥
```
$ openssl genrsa -out server.key 1024
```
生成证书签名请求文件,这里只能通过CN配置一个域名
```
$ openssl req -new -nodes -key server.key -out server.csr -subj "/CN=server.com"
```
查看证书签名请求文件的内容,看subj的信息是否都正确
```
$ openssl req -in server.csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
10:af:be:a4:45:e5:c2:2e:df
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
1a:03:a3:83:cf:cb:eb:71:0d:30:78:76:6b:a1:6c:17:f0:80:
37:59:79:1e:75:28:37:67:bf:9f:cb:1f:9e:3d:37:38:c5:80:
ea:26:16:f7:ba:4c:dc:c0:f3:fb:4a:fa:ec:77:6b:df:ae:51:
40:11:44:a0:d6:a5:a1:40:cc:d5:2a:72:7d:2f:d7:54:1e:4a:
2f:df:4e:61:c8:c5:29:49:8d:62:09:aa:eb:54:50:77:3b:1c:
05:c0:64:af:cb:a9:98:be:3f:b3:ba:1a:16:91:b5:df:07:a3:
79:4e:b5:a8:ae:28:f2:56:de:db:1f:90:51:aa:fb:9f:6d:fa:
66:5b
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----
```
验证一下该文件内容是否正确(主要是验证文件内容是否被修改过)
```
$ openssl req -verify -in server.csr
verify OK
-----BEGIN CERTIFICATE REQUEST-----
MIIBVDCBvgIBADAVMRMwEQYDVQQDDApzZXJ2ZXIuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDL4AkjkyMOrggQI27V1IiLGa5oDAYskCykA55fH9UMyZI6
s67iotycI+17Wp22jPlKZGm3woG/0TkW7iVDdTOvFy/7lvS1Qf4q6rIWqva/gHkg
T5/B6VyHUBnI56PYkzxgYXcQnjxk1XITWTbIRHkUsBDfdaOXFxCvvqRF5cIu3wID
AQABoAAwDQYJKoZIhvcNAQELBQADgYEAGgOjg8/L63ENMHh2a6FsF/CAN1l5HnUo
N2e/n8sfnj03OMWA6iYW97pM3MDz+0r67Hdr365RQBFEoNaloUDM1SpyfS/XVB5K
L99OYcjFKUmNYgmq61RQdzscBcBkr8upmL4/s7oaFpG13wejeU61qK4o8lbe2x+Q
Uar7n236Zls=
-----END CERTIFICATE REQUEST-----
```
使用CA进行签名:
```
$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/CN=server.com
Getting CA Private Key
```
注意,CA签名时要同时用以ca.key与ca.crt,因为ca.crt中包含了CA的相关信息比如域名CN等;上面的-CAcreateserial表示为该证书创建序列号,用来作为该证书的唯一标识。
使用根证书验证该证书:
```
$ openssl verify -verbose -CAfile ca.crt server.crt
server.crt: OK
```
查看证书的内容:
```
$ openssl x509 -in server.crt -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13682036317016922791 (0xbde05b8a2fc99aa7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=PENGSHIZHU
Validity
Not Before: Jan 24 15:55:24 2018 GMT
Not After : Jan 22 15:55:24 2028 GMT
Subject: CN=server.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cb:e0:09:23:93:23:0e:ae:08:10:23:6e:d5:d4:
88:8b:19:ae:68:0c:06:2c:90:2c:a4:03:9e:5f:1f:
d5:0c:c9:92:3a:b3:ae:e2:a2:dc:9c:23:ed:7b:5a:
9d:b6:8c:f9:4a:64:69:b7:c2:81:bf:d1:39:16:ee:
25:43:75:33:af:17:2f:fb:96:f4:b5:41:fe:2a:ea:
b2:16:aa:f6:bf:80:79:20:4f:9f:c1:e9:5c:87:50:
19:c8:e7:a3:d8:93:3c:60:61:77:10:9e:3c:64:d5:
72:13:59:36:c8:44:79:14:b0:10:df:75:a3:97:17:
10:af:be:a4:45:e5:c2:2e:df
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
88:29:a0:50:c4:ec:d9:bd:6f:85:57:3e:bb:94:97:4e:ed:43:
57:10:de:6c:f2:23:5c:82:af:a0:1d:2a:2f:4f:42:af:92:eb:
e2:d0:b2:32:99:7b:c7:06:88:3b:35:dd:6f:b1:a8:14:00:53:
20:ed:22:4f:df:ad:b3:e7:8f:5e:55:c9:60:7c:dc:3b:75:95:
e5:fc:90:b6:9c:d2:fd:61:02:b3:59:55:d1:57:88:a0:2e:49:
0e:c8:dc:68:fd:46:61:92:93:c1:84:8b:e1:42:99:01:8f:1f:
39:f8:d7:4f:4b:41:a0:e1:dc:98:13:09:02:76:e5:f1:69:0c:
26:22
-----BEGIN CERTIFICATE-----
MIIBoTCCAQoCCQC94FuKL8mapzANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDDApQ
RU5HU0hJWkhVMB4XDTE4MDEyNDE1NTUyNFoXDTI4MDEyMjE1NTUyNFowFTETMBEG
A1UEAwwKc2VydmVyLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAy+AJ
I5MjDq4IECNu1dSIixmuaAwGLJAspAOeXx/VDMmSOrOu4qLcnCPte1qdtoz5SmRp
t8KBv9E5Fu4lQ3Uzrxcv+5b0tUH+KuqyFqr2v4B5IE+fwelch1AZyOej2JM8YGF3
EJ48ZNVyE1k2yER5FLAQ33WjlxcQr76kReXCLt8CAwEAATANBgkqhkiG9w0BAQUF
AAOBgQCIKaBQxOzZvW+FVz67lJdO7UNXEN5s8iNcgq+gHSovT0Kvkuvi0LIymXvH
Bog7Nd1vsagUAFMg7SJP362z549eVclgfNw7dZXl/JC2nNL9YQKzWVXRV4igLkkO
yNxo/UZhkpPBhIvhQpkBjx85+NdPS0Gg4dyYEwkCduXxaQwmIg==
-----END CERTIFICATE-----
```
##### **方法二:使用csr.conf(可配置多个域名)**
参考[kubernetes的openssl](https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl),需要注意的是,`[ dn ]`下的`Country`只能有两个字母,否则会报错,参考[Country的缩写](https://www.ssl.com/country-codes/)。如下:(**特别注意:如果CN为IP,那么IP.1的值必须为CN的值** )
```
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = GuangDong
L = GuangZhou
O = SYSU
OU = SIST
CN = 192.168.2.200
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.2.200
IP.2 = 127.0.0.1
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
```
另外需要注意的是,如果使用了csr.conf文件,该文件中的`[v3_ext]`下的内容不能少,且CA在证书签名的时候要指定`-extensions v3_ext -extfile csr.conf`(实验中发现如果没有使用,则请求https服务时会报错),完整的流程如下:
```
# 生成server.key
openssl genrsa -out server.key 2048
# 生成server.csr,csr.conf文件如上面
openssl req -new -key server.key -out server.csr -config csr.conf
# CA进行签名
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extensions v3_ext -extfile csr.conf
```
## **参考**
* http://www.cnblogs.com/gordon0918/p/5363466.html
* https://linux.cn/article-7248-1.html
* https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl
* https://github.com/cnych/admission-webhook-example/blob/master/deployment/webhook-create-signed-cert.sh
- 应用层
- HTTP
- Cookie
- Session
- HTTP报文格式
- HTTP的Header字段
- HTTPS
- 简介
- 原理
- RSA加密与解密
- 证书签名与验证
- TLS双向认证
- openssl命令汇总
- DNS
- DNS的记录类型
- DNS的报文格式
- FAQ
- 传输层
- TCP
- CloseWait
- 网络层
- IPv6
- 链路层
- 链接层基础知识
- VLAN
- FAQ
- Linux网络收发包
- 网卡收包
- 网卡发包
- 收发包FAQ
- LVS
- 安装-DR模式
- 基本原理
- Ipvsadm命令
- Netfilter
- Netfilter简介
- 注册钩子函数
- Netfilter中数据包流向
- Iptables的数据结构
- 连接跟踪
- 初识连接跟踪
- 连接跟踪详解
- 连接跟踪数据结构
- 数据包与连接的状态
- NAT
- IPVS
- KubeProxy的IPVS模式
- Linux虚拟网络设备
- 虚拟网络设备简介
- Tap
- VethPair
- Vlan
- Vxlan
- Flannel的VXLAN原理
- Openstack的VXLAN原理
- VXLAN总结
- Bridge
- 给容器设置主机网段IP
- Macvlan
- Ipvlan
- IPIP
- IPIP使用介绍
- IPIP源码分析
- Limdiag网络
- 详细设计
- kubeovn
- IP命令
- Calico
- Calico常见问题
- ARP无响应
- 其他