yanbin's Blog
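How to create a CA keystore and a self-signed keystore for Android programs
Self-signing SSL/TLS certificates: the method and some problems encountered
0. Purpose
If the signature is valid and the user trusts the signer, the user then knows that this key can be used to communicate with the key's owner. X.509 specifies the process and standards for this certification. ①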
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Name
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Project
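1. Generate the CA root key. The CA root key is very important.
a) It is needed to issue or renew the CA root certificate.
b) It is also needed to issue the digital certificates of both communicating parties.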
$ openssl genrsa -des3 -out root-ca.key 1024
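0) With the -des3 option specified, openssl asks for a pass phrase;
the pass phrase is the password of the root key;
the CA must enter this password when issuing digital certificates, which counts as a kind of safeguard.
When a program uses a certificate and key, it usually asks for a password; can this be used as the user password?
2) FIXME: 1024 is the key length; 2048 is now also supported. Is there a big difference between these two values?
A key length of 2048 probably consumes more CPU resources.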
$ openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config openssl.cnf
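1) This command combines two steps into one.
a) Use the private key to generate a certificate request; the certificate holder's information must be filled in;
b) Use the certificate request to issue a certificate (signed) or a self-issued certificate (self-signed);
You can also create a directory anywhere, create a configuration file in it (for example: openssl.cnf), and issue the root certificate from there.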
$ mkdir demoCA && cd demoCA
$ touch index.txt
$ echo 01 > serial
$ mkdir private # set private_key=/path/to/demoCA/myCA/private/root-ca.key
$ mkdir myCA # set CA_default:dir=/path/to/demoCA/myCA
$ openssl x509 -noout -text -in root-ca.crt
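Issuing a server certificate
0. Generate a private key, and use the newly generated private key directly to create a certificate request.
NOTE: with the -nodes parameter, the generated key does not need a password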
$ openssl req -newkey rsa:1024 -keyout server01.key -nodes -config openssl.cnf -out server01.req
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [My Company Name]:
Second Organization Name (eg, company) [My Company Name]:
Organizational Unit Name (eg, section) [My Project]:
Common Name (eg, YOUR name) []:*.example.com #CN
Email Address []:server01@example.com
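NOTE: the CN (common name) can be a hostname, an IP or a domain, matching the host information;
it can also take this form: *.example.com
CN here means common name; don't confuse it with the country code for China.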
# Using configuration from openssl.cnf
Enter pass phrase for /etc/pki/CA/private/root-ca.key: # enter the password of the root key file
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 2 (0x2)
    Validity
        # FIXME: is the default validity period one year?
        # The default validity period is 365 days; in a leap year it would be 366 days.
        Not Before: Apr 29 15:18:20 2015 GMT
        Not After : Apr 29 15:18:20 2016 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShangHai
        localityName = ShangHai
        organizationName = My Company Name
        organizationName = My Company Name
        organizationalUnitName = My Project
        commonName = *.example.com
        emailAddress = server01@example.com
.......
Certificate is to be certified until Apr 29 15:18:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
c) -nodes: the key file does not need a password
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [My Company Name]:
Second Organization Name (eg, company) [My Company Name]:
Organizational Unit Name (eg, section) [My Project]:
Common Name (eg, YOUR name) []:client001
EmailAddress []: client001@example.com
Enter pass phrase for /etc/pki/CA/private/root-ca.key:
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 2 (0x2)
    Validity:
        Not Before: Apr 29 15:18:20 2015 GMT
        Not After : Apr 29 15:18:20 2016 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = ShangHai
        localityName = ShangHai
        organizationName = My Company Name
        organizationName = My Company Name
        organizationalUnitName = My Project
        commonName = client001
        emailAddress = client001@example.com
.......
Certificate is to be certified until Apr 29 15:18:20 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
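Added example (not part of the original post): a shell function that reads the output of the openssl x509 -noout -text command used above and flags two settings this walkthrough leaves open, an RSA key under 2048 bits (the 1024 in the commands above) and a host name that appears only in the CN with no subjectAltName, which current TLS clients match on instead of the CN. The digest check goes beyond the post; the function name, the finding labels and both sample texts are constructed for this example.

```shell
# Added example, not from the original post. Reads the text printed by
#   openssl x509 -noout -text -in <cert>
# on stdin, prints one line per finding, and returns 1 if there is any.
audit_cert_text() {
    awk '
    function report(msg) { print msg; n++ }
    /Public Key Algorithm:/ { alg = $NF }
    # The size line is "Public-Key:" or "RSA Public-Key:" by OpenSSL version.
    /Public-Key: \([0-9]+ bit\)/ {
        bits = $0
        sub(/.*Public-Key: \(/, "", bits)
        sub(/ bit\).*/, "", bits)
        bits += 0
    }
    /Signature Algorithm:/ { sig = $NF }
    /X509v3 Subject Alternative Name/ { san = 1 }
    END {
        if (alg == "rsaEncryption" && bits && bits < 2048)
            report("WEAK_KEY: RSA " bits " bit, use 2048 or more")
        if (sig ~ /^(md5|sha1)/)
            report("WEAK_DIGEST: " sig ", use sha256 or stronger")
        if (!san)
            report("NO_SAN: host name is only in the CN, add subjectAltName")
        exit (n > 0)
    }'
}

# Constructed sample: the fields a 1024-bit server certificate would print
# (illustrative values, not captured output).
sample_weak() {
    cat <<'EOF'
        Signature Algorithm: sha1WithRSAEncryption
        Subject: C=CN, ST=ShangHai, O=My Company Name, CN=*.example.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
EOF
}

# Constructed sample of a certificate that passes all three checks.
sample_ok() {
    cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
            X509v3 Subject Alternative Name:
                DNS:*.example.com
EOF
}
```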
References:
Some problems encountered when using libmosquitto
mqtt basics