OpenSSL 签名认证机制
来源:互联网 发布:好的java培训机构 编辑:程序博客网 时间:2024/06/01 09:31
生成CA证书
#!/bin/sh# Generate the key.openssl genrsa -out private/ca.key 2048# Generate a certificate request.openssl req -new -extensions v3_ca -key private/ca.key -out private/ca.csr -config "/root/ca/conf/openssl.conf"# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this# service will never see the light of an unencrypted Internet see the cheap and lazy remark.# So self sign our root key.echo "01" > serialecho "01" > crlnumbertouch index.txtopenssl ca -extensions v3_ca -selfsign -days 36500 -in private/ca.csr -keyfile private/ca.key -out private/ca.crt -config "/root/ca/conf/openssl.conf"# openssl x509 -extensions v3_ca -days 36500 -in private/ca.csr -signkey private/ca.key -out private/ca.crt# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.# echo FACE > serial# Create the CA's key database.# touch index.txt# Create a Certificate Revocation list for removing 'user certificates.'# openssl ca -gencrl -out /usr/nginx-1.8.0/ca/private/ca.crl -crldays 7 -config "/usr/nginx-1.8.0/ca/conf/openssl.conf"
生成服务端证书
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.openssl genrsa -out server/server.key 2048# Take our key and create a Certificate Signing Request for it.openssl req -new -key server/server.key -out server/server.csr# Sign this bastard key with our bastard CA key.openssl ca -extensions v3_server -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/root/ca/conf/openssl.conf"
生成客户端证书
#!/bin/sh# The base of where our SSL stuff lives.base="/root/ca"# Were we would like to store keys... in this case we take the username given to us and store everything there.mkdir -p $base/client/# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.openssl genrsa -des3 -out $base/client/client.key 2048# Create a Certificate Signing Request for said key.openssl req -new -key $base/client/client.key -out $base/client/client.csr# Sign the key with our CA's key and cert and create the user's certificate out of it.openssl ca -in $base/client/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/client/client.crt -config "/root/ca/conf/openssl.conf"# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.# Take the same precaution with the export password that would take with any other password based authentication scheme.openssl pkcs12 -export -clcerts -in $base/client/client.crt -inkey $base/client/client.key -out $base/client/client.p12
OpenSSL配置文件
HOME = .RANDFILE = $ENV::HOME/.rnd# Extra OBJECT IDENTIFIER info:#oid_file = $ENV::HOME/.oidoid_section = new_oids# To use this configuration file with the "-extfile" option of the# "openssl x509" utility, name here the section containing the# X.509v3 extensions to use:# extensions =# (Alternatively, use a configuration file that has only# X.509v3 extensions in its main [= default] section.)[ new_oids ]# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.# Add a simple OID like this:# testoid1=1.2.3.4# Or use config file substitution like this:# testoid2=${testoid1}.5.6# Policies used by the TSA examples.tsa_policy1 = 1.2.3.4.1tsa_policy2 = 1.2.3.4.5.6tsa_policy3 = 1.2.3.4.5.7[ req ]default_bits = 2048default_md = sha1distinguished_name = req_distinguished_namestring_mask = defaultx509_extensions = v3_req[ req_distinguished_name ]countryName = Country Name (2 letter code)countryName_default = CNcountryName_min = 2countryName_max = 2stateOrProvinceName = State or Province Name (full name)stateOrProvinceName_default = ShangHailocalityName = Locality Name (eg, city)localityName_default = ShangHai0.organizationName = Organization Name (eg, company)0.organizationName_default = IdealGroup# we can do this but it is not needed normally :-)#1.organizationName = Second Organization Name (eg, company)#1.organizationName_default = World Wide Web Pty LtdorganizationalUnitName = Organizational Unit Name (eg, section)organizationalUnitName_default = IdealMobilecommonName = Common Name (e.g. server FQDN or YOUR name)commonName_max = 64emailAddress = Email AddressemailAddress_max = 64[ v3_server ]subjectKeyIdentifier=hashauthorityKeyIdentifig=keyid:always,issuerbasicConstraints = CA:falsekeyUsage = di`italSignature, keyEnciphermentextendedKeyUsage = serverAuth[ v3_ca ]subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid:always,issuerbasicConstraints = CA:truekeyUsage = cRLSign, keyCertSign#keyUsage = digitalSignature, keyEncipherment#extendedKeyUsage = serverAuth#subjectAltNam=DNS:win.linyiheng.cn[ v3_req ]basicConstraints = CA:FALSE[ ca ]default_ca = foo # The default ca section[ foo ]dir = /root/ca # top dirdatabase = /root/ca/index.txt # index file.new_certs_dir = /root/ca/newcerts # new certs dircertificate = /root/ca/private/ca.crt # The CA certserial = /root/ca/serial # serial no fileprivate_key = /root/ca/private/ca.key # CA private keyRANDFILE = /root/ca/private/.rand # random number filedefault_days = 3650 # how long to certify fordefault_crl_days = 3000 # how long before next CRLdefault_md = sha1 # message digest method to useunique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.policy = policy_any # default policy[ policy_any ]countryName = optionalstateOrProvinceName = optionalorganizationName = optionalorganizationalUnitName = optionallocalityName = optionalcommonName = suppliedemailAddress = optional
0 0
- OpenSSL 签名认证机制
- BouncyCastle签名认证机制
- Openssl自签名和认证技术
- openssl之数字证书签名,CA认证原理及详细操作
- RESTful接口签名认证实现机制
- 使用openssl的认证机制完成版本控制
- 签名认证
- openssl rsa加密签名
- openssl rsa公钥验签名
- openssl rsa加密签名
- openssl rsa公钥验签名
- OpenSSL和CA认证
- OpenSSL 双向认证
- Apache OpenSSL 双向认证
- 双向认证OPENSSL+Jboss7
- openssl 单向认证
- OpenSSL与CA认证
- 签名与认证
- 百练+幻方+按照规则模拟
- java 关于读取excel表内的日期时间
- 二维数组[][]
- android 输入框 实时计算剩余的输入字符数(addTextChangedListener)
- ListView中getView的原理+如何在ListView中放置多个item
- OpenSSL 签名认证机制
- Nginx location命令匹配规则
- linux下使用svn提交代码报错解决办法
- 回顾JavaSE(1)-API、Object(hashCode、getClass)
- java后端发布的接口数据是如何加密传输
- 《深入理解Java虚拟机:JVM高级特性与最佳实践》笔记
- 匹夫细说Unity3D(一)——移动平台动态读取外部文件全解析
- eclipse build path 无法修改问题
- 数据库题以及笔记