java中的接口是类吗
473
2022-10-09
SSL/TLS深度解析--在Nginx上配置证书链及多域名证书(nginx配置ssl证书实现https访问)
SSL/TLS深度解析--在Nginx上配置证书链及多域名证书(nginx配置ssl证书实现https访问)
生成私钥与自签根证书(这次使用aes256加密,密码是redhat)
# 进行简单处理 [root@~]# cd /usr/local/openssl/ [root@openssl]# mkdir root-CA sub-CA [root@openssl]# cp -rf CA/* root-CA/ [root@root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/* [root@root-CA]# > crl.pem [root@root-CA]# > index.txt [root@root-CA]# openssl rand -hex 16 > crlnumber [root@root-CA]# openssl rand -hex 16 > serial [root@root-CA]# vim root-ca.cnf [default] name = root-ca domain_suffix = a-company.com aia_url = http://$name.$domain_suffix/$name.crt crl_url = http://$name.$domain_suffix/$name.crl ocsp_url = http://ocsp.$name.$domain_suffix:9080 default_ca = ca_default name_opt = utf8,esc_ctrl,multiline,lname,align [ca_dn] countryName = "CN" organizationName = "A-company" commonName = "root-CA" [ca_default] home = /usr/local/openssl/root-CA/ database = $home/index.txt serial = $home/serial crlnumber = $home/crlnumber certificate = $home/root_cacert.crt private_key = $home/private/root_cakey_ecdsa.pem #RANDFILE = $home/private/random new_certs_dir = $home/newcerts unique_subject = no copy_extensions = none default_days = 3650 default_crl_days = 60 default_md = sha384 policy = policy_rootCA_match [policy_rootCA_match] countryName = match stateOrProvinceName = optional localityName = optional organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 4096 encrypt_key = yes default_md = sha256 utf8 = yes string_mask = utf8only prompt = no distinguished_name = ca_dn req_extensions = ca_ext [ca_ext] basicConstraints = critical,CA:true keyUsage = critical,keyCertSign,cRLSign subjectKeyIdentifier = hash [subca_ext] authorityInfoAccess = @issuer_info authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:true,pathlen:0 crlDistributionPoints = @crl_info extendedKeyUsage = clientAuth,serverAuth keyUsage = critical,keyCertSign,cRLSign nameConstraints = @name_constraints subjectKeyIdentifier = hash [crl_info] URI.0 = $crl_url [issuer_info] caIssuers;URI.0 = $aia_url OCSP;URI.0 = $ocsp_url [name_constraints] permitted;DNS.0=test05.com permitted;DNS.1=test.org excluded;IP.0=0.0.0.0/0.0.0.0 excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 [ocsp_ext] authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false extendedKeyUsage = OCSPSigning keyUsage = critical,digitalSignature subjectKeyIdentifier = hash [root@root-CA]# mkdir test [root@root-CA]# cd test [root@test]# openssl ecparam -genkey -name prime256v1 -out root_cakey_ecdsa.pem [root@test]# ll 总用量 4 -rw-------. 1 root root 302 11月 24 23:12 root_cakey_ecdsa.pem [root@test]# openssl ec -aes256 -in root_cakey_ecdsa.pem -out root_cakey_ecdsa.pem read EC key writing EC key Enter PEM pass phrase: Verifying - Enter PEM pass phrase: [root@test]# ll 总用量 4 -rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem [root@test]# openssl req -new -x509 -sha384 -config /usr/local/openssl/root-CA/root-ca.cnf -extensions ca_ext -key root_cakey_ecdsa.pem -out root_cacert.crt -days 3650 -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=rootca/CN=rootCA/emailAddress=adm@test.com Enter pass phrase for root_cakey_ecdsa.pem: [root@test]# ll 总用量 8 -rw-r--r--. 1 root root 859 11月 24 23:26 root_cacert.crt -rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem [root@test]# mv root_cacert.crt ../ [root@test]# mv root_cakey_ecdsa.pem ../private/ #查看根证书 [root@root-CA]# openssl x509 -in root_cacert.crt -text Certificate: Data: Version: 3 (0x2) Serial Number: 0f:b1:e8:38:74:1f:2a:2a:fd:8b:cf:b5:27:c0:20:51:a8:54:ad:ce Signature Algorithm: ecdsa-with-SHA384 Issuer: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com Validity Not Before: Nov 24 15:26:12 2018 GMT Not After : Nov 21 15:26:12 2028 GMT Subject: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:cc:8f:71:cc:11:fe:bb:a9:b0:86:b7:8f:50:89: 3c:65:63:ed:ee:37:4b:6e:3b:e3:d6:77:51:a7:15: be:99:70:ea:45:0f:e3:46:53:dd:46:2d:8d:4b:57: 31:5b:30:e8:91:47:b2:41:a7:54:c8:44:f6:75:37: a3:29:ac:81:ea ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02 Signature Algorithm: ecdsa-with-SHA384 30:45:02:21:00:ac:7f:fb:04:23:ea:c7:77:eb:e8:d3:a4:16: a6:f7:9a:6a:ee:d1:ce:9c:4e:16:ec:2b:dd:86:4e:56:af:2d: cd:02:20:5f:a1:3b:d1:50:a8:4a:30:05:ed:59:1e:1e:99:68: d4:92:af:19:d5:a1:46:e5:ad:4b:d2:f4:0a:dd:89:5d:4d -----BEGIN CERTIFICATE----- MIICTjCCAfSgAwIBAgIUD7HoOHQfKir9i8+1J8AgUahUrc4wCgYIKoZIzj0EAwMw gYQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAwDgYDVQQHDAdCZWlK aW5nMRIwEAYDVQQKDAlBX2NvbXBhbnkxDzANBgNVBAsMBnJvb3RjYTEPMA0GA1UE AwwGcm9vdENBMRswGQYJKoZIhvcNAQkBFgxhZG1AdGVzdC5jb20wHhcNMTgxMTI0 MTUyNjEyWhcNMjgxMTIxMTUyNjEyWjCBhDELMAkGA1UEBhMCQ04xEDAOBgNVBAgM B0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoMCUFfY29tcGFueTEP MA0GA1UECwwGcm9vdGNhMQ8wDQYDVQQDDAZyb290Q0ExGzAZBgkqhkiG9w0BCQEW DGFkbUB0ZXN0LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMyPccwR/rup sIa3j1CJPGVj7e43S24749Z3UacVvplw6kUP40ZT3UYtjUtXMVsw6JFHskGnVMhE 9nU3oymsgeqjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G A1UdDgQWBBR2eRRGt3zliuhHd/W2K7MXvC0FAjAKBggqhkjOPQQDAwNIADBFAiEA rH/7BCPqx3fr6NOkFqb3mmru0c6cThbsK92GTlavLc0CIF+hO9FQqEowBe1ZHh6Z aNSSrxnVoUblrUvS9ArdiV1N -----END CERTIFICATE-----
签发私有二级CA
[root@openssl]# cp -rf root-CA/* sub-CA/ [root@openssl]# cd sub-CA/ [root@sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt [root@sub-CA]# vim sub-ca.cnf [default] name = sub-ca domain_suffix = a-company.com aia_url = http://$name.$domain_suffix/$name.crt crl_url = http://$name.$domain_suffix/$name.crl ocsp_url = http://ocsp.$name.$domain_suffix:9081 default_ca = ca_default name_opt = utf8,esc_ctrl,multiline,lname,align [ca_dn] countryName = "CN" organizationName = "A-company" commonName = "sub-CA" [ca_default] home = /usr/local/openssl/sub-CA database = $home/index.txt serial = $home/serial crlnumber = $home/crlnumber certificate = $home/second_cacert.crt private_key = $home/private/second_cakey_ecdsa.pem #RANDFILE = $home/private/random new_certs_dir = $home/newcerts unique_subject = no copy_extensions = copy default_days = 365 default_crl_days = 30 default_md = sha256 policy = policy_subCA_match [policy_subCA_match] countryName = match stateOrProvinceName = optional localityName = optional organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 4096 encrypt_key = yes default_md = sha256 utf8 = yes string_mask = utf8only prompt = no distinguished_name = ca_dn #req_extensions = ca_ext [crl_info] URI.0 = $crl_url [issuer_info] caIssuers;URI.0 = $aia_url OCSP;URI.0 = $ocsp_url [ocsp_ext] authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false extendedKeyUsage = OCSPSigning keyUsage = critical,digitalSignature subjectKeyIdentifier = hash [server_ext] authorityInfoAccess = @issuer_info authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false crlDistributionPoints = @crl_info extendedKeyUsage = clientAuth,serverAuth keyUsage = critical,digitalSignature,keyEncipherment subjectKeyIdentifier = hash [client_ext] authorityInfoAccess = @issuer_info authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false crlDistributionPoints = @crl_info extendedKeyUsage = clientAuth keyUsage = critical,digitalSignature subjectKeyIdentifier = hash [root@sub-CA]# cd test # 生成二级CA私钥 [root@test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem # AES256加密(密码redhat) [root@test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem read EC key writing EC key Enter PEM pass phrase: Verifying - Enter PEM pass phrase: # 生成二级CA的证书申请 [root@test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/emailAddress=sub01adm@test.com Enter pass phrase for second_cakey_ecdsa.pem: # 使用根证书签署二级CA证书 [root@test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notext Using configuration from /usr/local/openssl/root-CA/root-ca.cnf Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = rootca commonName = rootCA emailAddress = adm@test.com Validity Not Before: Nov 28 13:18:46 2018 GMT Not After : Nov 27 13:18:46 2020 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c: 18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9: df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0: 7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76: 97:56:c3:2c:e4 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://root-ca.a-company.com/root-ca.crt OCSP - URI:http://ocsp.root-ca.a-company.com:9080 X509v3 Authority Key Identifier: keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 CRL Distribution Points: Full Name: URI:http://root-ca.a-company.com/root-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Name Constraints: Permitted: DNS:test05.com DNS:test.org Excluded: IP:0.0.0.0/0.0.0.0 IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 X509v3 Subject Key Identifier: 9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days) Write out database with 1 new entries Data Base Updated [root@test]# mv second_cakey_ecdsa.pem ../private/ [root@test]# mv second_cacert.crt ../
使用二级CA签发服务器端证书
# 生成私钥和申请(注意这里没加密私钥) [root@test]# openssl ecparam -genkey -name prime256v1 -out server_ecdsa.key [root@test]# openssl req -new -key server_ecdsa.key -config ../sub-ca.cnf -out server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=test05.com/emailAddress=test05adm@test.com [root@test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notext Using configuration from ../sub-ca.cnf Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Nov 28 13:40:52 2018 GMT Not After : Nov 28 13:40:52 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = server commonName = test05.com emailAddress = test05adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee: 41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8: ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a: 3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd: 72:08:f5:7c:00 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4B Certificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days) Write out database with 1 new entries Data Base Updated
使用server.crt 与 second_cacert.crt 合成一个证书链
# 要注意顺序,服务器端的证书是放在第一个,二级CA的证书在其后面;如果还有一层三级CA,那么是先追加三级CA证书,再追加二级CA证书。 [root@test]# cat server.crt ../second_cacert.crt > chain.crt [root@test]# ll chain.crt -rw-r--r--. 1 root root 2534 11月 28 21:50 chain.crt [root@test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/ [root@test]# cd /project/nginx1.15.0/conf/ [root@conf]# vim nginx.conf ...... server_name linuxplus.com test05.com; ssl_certificate certs/chain.crt; ssl_certificate_key certs/server_ecdsa.key; [root@conf]# ../sbin/nginx -t nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful [root@conf]# ../sbin/nginx -s reload [root@~]# cd /usr/local/openssl/root-CA [root@root-CA]# sz -y root_cacert.crt
使用二级CA签发客户端证书
[root@~]# cd /usr/local/openssl/sub-CA/test/ [root@test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key # 生成申请 [root@test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=test05.com/emailAddress=clientadm@test.com # 签发客户端证书 [root@test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext Using configuration from ../sub-ca.cnf Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Nov 30 15:17:31 2018 GMT Not After : Jan 29 15:17:31 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = client01 commonName = test05.com emailAddress = clientadm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62: 72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba: d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe: e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5: ec:d4:b6:56:2a ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Key Usage: critical Digital Signature X509v3 Subject Key Identifier: 29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days) Write out database with 1 new entries Data Base Updated # 格式转换成pkcs12 [root@test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12 [root@test]# cd .. [root@sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem Using configuration from sub-ca.cnf Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem: [root@test]# cd [root@~]# cd /project/nginx1.15.0/conf/ [root@conf]# vim nginx.conf # 开启客户端身份验证 ssl_verify_client on; # 指定客户端证书到根证书的深度 ssl_verify_depth 2; # 指定签发客户端证书的CA证书 ssl_client_certificate /usr/local/openssl/sub-CA/second_cacert.crt; # 完整证书链中需要包含的其他CA证书 ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt; # 证书吊销列表,有更新时Nginx需要重新加载 ssl_crl /usr/local/openssl/sub-CA/crl.pem; [root@conf]# ../sbin/nginx -t nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful [root@conf]# ../sbin/nginx -s reload
注意: 在nginx配置文件那里开启客户端证书验证,将证书安装在客户端就可以正常访问站点。 nginx中的 ssl_crl 这个配置要注意,如果是使用二级CA签署的crl与客户端证书 ,那么ssl_crl 也必须包含根证书签的 crl 列表,与证书链的概念类似, ssl_client_certificate 配置可以是证书链也可以是二级CA(如果只配置二级CA的话 ssl_trusted_certificate 要配置根证书)。 cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem ssl_crl ....xx/xx/crl_chain.pem;
[root@sub-CA]# cd .. [root@openssl]# cd root-CA/ [root@root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem Using configuration from root-ca.cnf Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem: [root@root-CA]# cd .. [root@openssl]# cd sub-CA/ [root@sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem # 修改Nginx配置 # 证书吊销列表,有更新时Nginx需要重新加载 ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;
多域名证书与泛域名证书
多域名
[root@~]# cd /usr/local/openssl/sub-CA/ [root@sub-CA]# vim sub-ca.cnf ...... [req] default_bits = 4096 encrypt_key = yes default_md = sha256 utf8 = yes string_mask = utf8only prompt = no distinguished_name = ca_dn #req_extensions = ca_ext req_extensions = dns_ext #修改内容 #增加内容 [ dns_ext ] subjectAltName = @alt_names [alt_names] DNS.0=list.test05.com DNS.1=login.test05.com DNS.2=admin.test05.com ...... [root@sub-CA]# cd test # 生成私钥 [root@test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key [root@test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/emailAddress=server01adm@test.com # 使用二级CA签署多域名证书 [root@test]# openssl ca -config ../sub-ca.cnf -in server01.csr -out server01.crt -extensions server_ext -batch -notext Using configuration from ../sub-ca.cnf Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem: Check that the request matches the signature Signature ok Certificate Details: Certificate: Data: Version: 3 (0x2) Serial Number: 88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af Issuer: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = subca commonName = sub01_CA emailAddress = sub01adm@test.com Validity Not Before: Dec 1 06:38:21 2018 GMT Not After : Dec 1 06:38:21 2019 GMT Subject: countryName = CN stateOrProvinceName = BeiJing localityName = BeiJing organizationName = A_company organizationalUnitName = server01 commonName = server01_multi emailAddress = server01adm@test.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35: 16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce: 55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24: 07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da: d5:e2:76:40:5e ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: Authority Information Access: CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt OCSP - URI:http://ocsp.sub-ca.a-company.com:9081 X509v3 Authority Key Identifier: keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94 X509v3 Basic Constraints: critical CA:FALSE X509v3 CRL Distribution Points: Full Name: URI:http://sub-ca.a-company.com/sub-ca.crl X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6 X509v3 Subject Alternative Name: DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.com Certificate is to be certified until Dec 1 06:38:21 2019 GMT (365 days) Write out database with 1 new entries Data Base Updated [root@test]# cat server01.crt ../second_cacert.crt > chain2.crt [root@test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/ [root@~]# cd /project/nginx1.15.0/conf/ [root@conf]# vim nginx.conf ...... server_name *.test05.com; ssl_certificate certs/chain2.crt; ssl_certificate_key certs/server01_ecdsa.key; [root@conf]# ../sbin/nginx -t nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful [root@conf]# ../sbin/nginx -s reload
- 数据库文件 index.txt 说明
[root@CA]# cat index.txt V 190901132740Z 92F43BDFF9AC3B5CAA3189D661C69AFA unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=linuxplus.com/emailAddress=admin@linuxplus.com V 191110141723Z 92F43BDFF9AC3B5CAA3189D661C69AFB unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=linuxplus01.com/emailAddress=admin@linuxplus.com V 191110143215Z 92F43BDFF9AC3B5CAA3189D661C69AFC unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=linuxplus.com/emailAddress=admin@linuxplus.com R 191111060653Z 181111142637Z 92F43BDFF9AC3B5CAA3189D661C69AFD unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=linuxplus.com/emailAddress=adm@linuxplus.com V 191111140018Z 92F43BDFF9AC3B5CAA3189D661C69AFE unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=linuxplus.com/emailAddress=adm@linuxplus.com
每一行包括6个以制表符分隔的值 (1) 状态标记: V 表示有效 valid, R 表示已吊销 revoked, E 表示已过期 expired (2) 过期时间(以 YYMMDDHHMMSSZ 格式表示) (3) 吊销日期,如果没有被吊销则为空 (4) 序列号(十六进制) (5) 文件路径(如果不知道就显示 unknown ) (6) subject (所有者) 名称约束 在根证书配置文件里有一个名称约束 nameConstraints nameConstraints = @name_constraints 名称约束,表示签发的二级CA所签发的证书的CN要符合名称约束的规则, permitted;DNS.0=test05.com 表示所签署的证书的CN 要符合 xxxxtest05.com,例如 test05.com 或 abc.test05.com ,而不能是 test05.com.xxx 。也不能使用通配符 ; 如果名称约束是 .test05.com , 那么 test05.com 也是不行的;而*.test05.com 是可以的,也就是CN的后面必须是名称约束所给定的字符串。 如果是签发客户端证书,名称约束不是非要使用域名,可以自定义一个字符串,例如 cli-admin.a.company 等。 如果是给服务器端签发证书,就要注意签发的证书要在名称约束以内,并且是域名的格式。 [name_constraints] permitted;DNS.0=test05.com permitted;DNS.1=test.org excluded;IP.0=0.0.0.0/0.0.0.0 excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。
相关文章
发表评论
暂时没有评论,来抢沙发吧~