RSA证书出现时间比较早,能够兼容的设备非常多,兼容性好,因此最为普及。
相较于RSA证书,ECC证书签名运算速度快,安全性高(同等安全强度下密钥更短),对服务器资源消耗低。
以下内容均在Ubuntu20.04完成。
生成证书会用到openssl.cnf文件,但是Ubuntu和CentOS的openssl.cnf位置不一样。
Ubuntu的openssl.cnf在/etc/ssl/路径下,而CentOS的openssl.cnf在/etc/pki/tls/路径下。
openssl.cnf配置文件由openssl软件包提供,去掉空行和以#开头的注释行之后的内容如下。
root@k8s-master1:~/ssl/ecc# openssl version
OpenSSL 1.1.1f 31 Mar 2020
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# which openssl
/usr/bin/openssl
root@k8s-master1:~/ssl/ecc# dpkg -S /usr/bin/openssl
openssl: /usr/bin/openssl
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# grep -vE "^$|^#" /etc/ssl/openssl.cnf
HOME = .
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
root@k8s-master1:~/ssl/ecc#
生成自签ECC CA证书
后面的服务器和客户端证书均由该CA进行签发。下面生成的ca.key是未加密的CA私钥,持有它就可以签发被所有信任ca.crt的客户端接受的证书,应严格限制其访问权限并妥善保管。
root@k8s-master1:~/ssl/ecc# openssl ecparam -out ca.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/O=People's Republic of China/CN=China CA"
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# ls
ca.crt ca.key
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3a:e0:2e:5e:3f:a6:01:c2:ab:f9:9b:e5:1a:87:fd:c5:8c:d0:5f:a8
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, O = People's Republic of China, CN = China CA
Validity
Not Before: Oct 27 13:54:42 2022 GMT
Not After : Oct 24 13:54:42 2032 GMT
Subject: C = CN, O = People's Republic of China, CN = China CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b4:81:d8:e1:a5:d6:1c:40:01:9f:86:23:79:53:
1d:1c:0d:f7:9b:85:f2:78:be:73:85:b6:64:e2:3f:
6c:9b:e3:58:b1:25:e7:f1:2d:a0:be:80:c1:5d:31:
ed:83:2d:64:74:b6:37:5d:2e:85:28:37:29:00:83:
b4:43:fd:24:fc
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
CB:CE:EA:EE:F8:F4:85:D5:46:F2:6C:C8:C0:A8:DD:97:A7:28:4A:3A
X509v3 Authority Key Identifier:
keyid:CB:CE:EA:EE:F8:F4:85:D5:46:F2:6C:C8:C0:A8:DD:97:A7:28:4A:3A
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:97:87:ed:6b:19:82:39:41:ed:e6:47:85:ff:
b5:4f:8f:c0:d5:1a:e3:4f:f7:23:19:db:57:e7:f3:97:ec:c9:
76:02:21:00:be:ff:72:39:0b:2c:88:b3:2d:80:f9:25:25:fe:
8e:49:65:2c:d9:00:4c:e3:0e:72:46:4e:5b:2e:ba:d7:a7:7a
root@k8s-master1:~/ssl/ecc#
生成服务器证书
使用CA签发服务器证书,服务器证书一般部署在服务端,比如Nginx、Apache等。
另外,可以用openssl verify校验证书是否由指定CA签发。
root@k8s-master1:~/ssl/ecc# openssl ecparam -out server.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl req -new -key server.key -out server.csr -subj "/C=CN/O=People's Republic of China/CN=example.com"
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile <(sed "/\[ v3_req \]/ a\subjectAltName = @alt_names" /etc/ssl/openssl.cnf <(printf "\n[alt_names]\nDNS.1=example.com\nDNS.2=www.example.com")) -extensions v3_req
Signature ok
subject=C = CN, O = People's Republic of China, CN = example.com
Getting CA Private Key
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:8d:ef:d5:38:53:41:0e:75:b6:8c:be:20:6e:64:29:40:1e:9e:80
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, O = People's Republic of China, CN = China CA
Validity
Not Before: Oct 27 13:57:37 2022 GMT
Not After : Oct 24 13:57:37 2032 GMT
Subject: C = CN, O = People's Republic of China, CN = example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d1:5b:c4:27:ca:e7:81:5c:0b:fd:44:96:28:60:
d4:1d:85:89:ac:18:b7:67:7c:53:8e:10:73:56:0c:
7f:9f:58:97:8c:11:e7:a0:4a:a2:72:28:51:9d:a3:
aa:7f:a7:46:c7:f0:07:df:65:f2:5c:28:56:90:8e:
dd:81:ad:e6:3c
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:ae:38:4a:92:70:94:df:e6:a7:6e:f2:4d:4f:
fa:b6:4a:08:2a:ad:35:64:53:d8:8a:88:3e:61:b0:79:e1:b3:
cd:02:21:00:87:9c:24:f9:e0:83:a1:21:ae:1e:64:9d:35:49:
b9:22:48:cd:e9:b7:5c:33:d0:d7:65:ee:d5:1f:4d:30:b2:2c
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl verify -CAfile ca.crt server.crt
server.crt: OK
root@k8s-master1:~/ssl/ecc#
生成客户端证书
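使用CA签发客户端证书,在SSL双向认证的场景会用到客户端证书。注意:下面的签发命令没有指定-extfile,得到的是不含任何扩展的X.509 v1证书(见输出中的Version: 1),其中没有basicConstraints、extendedKeyUsage等用途约束。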
root@k8s-master1:~/ssl/ecc# openssl ecparam -out client.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl req -new -key client.key -out client.csr -sha256 -subj "/C=CN/O=People's Republic of China/CN=Private certificate assigned to Tom"
root@k8s-master1:~/ssl/ecc# openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
Signature ok
subject=C = CN, O = People's Republic of China, CN = Private certificate assigned to Tom
Getting CA Private Key
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in client.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
51:8d:ef:d5:38:53:41:0e:75:b6:8c:be:20:6e:64:29:40:1e:9e:81
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, O = People's Republic of China, CN = China CA
Validity
Not Before: Oct 27 13:59:11 2022 GMT
Not After : Oct 24 13:59:11 2032 GMT
Subject: C = CN, O = People's Republic of China, CN = Private certificate assigned to Tom
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:02:27:b4:db:89:9a:3b:25:d1:88:01:5f:b8:18:
14:fe:2a:00:72:03:3e:68:83:77:7d:c3:54:5c:99:
a0:cd:5c:8a:d5:f1:da:54:5c:17:bd:ad:18:52:8a:
3b:8c:72:ed:39:f8:b1:b8:c6:f4:d5:95:71:b9:db:
aa:60:6f:92:6e
ASN1 OID: prime256v1
NIST CURVE: P-256
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:3c:96:3a:be:8d:80:b5:a0:15:71:fd:a3:24:d9:
a3:99:73:36:bf:92:59:fa:fe:8a:08:65:cd:75:42:75:01:01:
02:20:2f:0a:5b:f4:9c:46:6d:ce:d2:9d:d0:5c:9a:76:23:61:
a7:7d:e0:a2:e3:3f:50:7c:97:8d:02:bb:2e:33:6c:4f
root@k8s-master1:~/ssl/ecc#
root@k8s-master1:~/ssl/ecc# openssl verify -CAfile ca.crt client.crt
client.crt: OK
root@k8s-master1:~/ssl/ecc#
命令汇总
生成自签CA证书
# Create the CA's private key on the P-256 curve (prime256v1). ecparam writes
# the key unencrypted, so ca.key must stay readable by the CA operator only:
# anyone holding it can issue certificates accepted by every peer that
# trusts ca.crt.
openssl ecparam -genkey -name prime256v1 -out ca.key
# Self-sign the CA certificate with that key; it is valid for 3650 days.
openssl req -x509 -new -key ca.key -days 3650 \
  -subj "/C=CN/O=People's Republic of China/CN=China CA" \
  -out ca.crt
使用CA签发服务器证书
# Generate the server's P-256 private key (written unencrypted to server.key).
openssl ecparam -out server.key -name prime256v1 -genkey
# Build a certificate signing request whose subject CN is example.com.
openssl req -new -key server.key -out server.csr -subj "/C=CN/O=People's Republic of China/CN=example.com"
# Sign the CSR with the CA for 3650 days. The -extfile is assembled on the fly
# and needs bash (process substitution): sed appends
# "subjectAltName = @alt_names" after the "[ v3_req ]" header of
# /etc/ssl/openssl.cnf (the Ubuntu location; CentOS keeps the file under
# /etc/pki/tls/), and the inner printf supplies the [alt_names] section.
# If the header in the local openssl.cnf is spelled differently, sed matches
# nothing and the certificate is issued without a subjectAltName, so check the
# result with `openssl x509 -text -noout -in server.crt`.
# NOTE(review): v3_req as shipped sets keyUsage but no extendedKeyUsage; clients
# that insist on the serverAuth EKU would need "extendedKeyUsage = serverAuth"
# in that section. Confirm against the clients you target.
# NOTE(review): a 10-year leaf lifetime leaves a long exposure window if
# server.key leaks, and this setup has no revocation path; consider a shorter
# -days value for leaf certificates.
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile <(sed "/\[ v3_req \]/ a\subjectAltName = @alt_names" /etc/ssl/openssl.cnf <(printf "\n[alt_names]\nDNS.1=example.com\nDNS.2=www.example.com")) -extensions v3_req
使用CA签发客户端证书
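# Generate the client's P-256 private key (written unencrypted to client.key).
openssl ecparam -out client.key -name prime256v1 -genkey
# Build the CSR; the subject CN identifies the certificate holder.
openssl req -new -key client.key -out client.csr -sha256 -subj "/C=CN/O=People's Republic of China/CN=Private certificate assigned to Tom"
# Sign the CSR with the CA. Without -extfile, `openssl x509 -req` issues an
# X.509 v1 certificate with no extensions at all (the "Version: 1 (0x0)"
# output shown earlier on this page). The extension file below makes the
# result a v3 end-entity certificate restricted to TLS client authentication:
#   basicConstraints=CA:FALSE        - the certificate cannot act as a CA
#   keyUsage=digitalSignature        - what an ECDSA client key needs for TLS
#   extendedKeyUsage=clientAuth      - not usable as a server certificate
# No -extensions option is given, so the extensions are read from the
# unnamed default section of the generated file. Needs bash (process
# substitution).
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile <(printf "basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n")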
校验SSL证书
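# Check that server.crt was issued by ca.crt; prints "server.crt: OK" on
# success. This validates the signature chain and validity period only;
# it does not compare the certificate against a host name.
openssl verify -CAfile ca.crt server.crt
# Same check for the client certificate, as done in the walkthrough above.
openssl verify -CAfile ca.crt client.crt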