SSL/TLS深度解析--在Nginx上配置证书链及多域名证书
发表于:2024-11-28 作者:千家信息网编辑
生成私钥与自签根证书(这次使用aes256加密,密码是redhat)
# 进行简单处理
[root@www ~]# cd /usr/local/openssl/
[root@www openssl]# mkdir root-CA sub-CA
[root@www openssl]# cp -rf CA/* root-CA/
[root@www root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/*
[root@www root-CA]# > crl.pem
[root@www root-CA]# > index.txt
[root@www root-CA]# openssl rand -hex 16 > crlnumber
[root@www root-CA]# openssl rand -hex 16 > serial
[root@www root-CA]# vim root-ca.cnf
[default]
name = root-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "root-CA"
[ca_default]
home = /usr/local/openssl/root-CA/
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/root_cacert.crt
private_key = $home/private/root_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 60
default_md = sha384
policy = policy_rootCA_match
[policy_rootCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[subca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[root@www root-CA]# mkdir test
[root@www root-CA]# cd test
[root@www test]# openssl ecparam -genkey -name prime256v1 -out root_cakey_ecdsa.pem
[root@www test]# ll
总用量 4
-rw-------. 1 root root 302 11月 24 23:12 root_cakey_ecdsa.pem
[root@www test]# openssl ec -aes256 -in root_cakey_ecdsa.pem -out root_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[root@www test]# ll
总用量 4
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
[root@www test]# openssl req -new -x509 -sha384 -config /usr/local/openssl/root-CA/root-ca.cnf -extensions ca_ext -key root_cakey_ecdsa.pem -out root_cacert.crt -days 3650 -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=rootca/CN=rootCA/emailAddress=adm@test.com
Enter pass phrase for root_cakey_ecdsa.pem:
[root@www test]# ll
总用量 8
-rw-r--r--. 1 root root 859 11月 24 23:26 root_cacert.crt
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
[root@www test]# mv root_cacert.crt ../
[root@www test]# mv root_cakey_ecdsa.pem ../private/
#查看根证书
[root@www root-CA]# openssl x509 -in root_cacert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:b1:e8:38:74:1f:2a:2a:fd:8b:cf:b5:27:c0:20:51:a8:54:ad:ce
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com
        Validity
            Not Before: Nov 24 15:26:12 2018 GMT
            Not After : Nov 21 15:26:12 2028 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cc:8f:71:cc:11:fe:bb:a9:b0:86:b7:8f:50:89:
                    3c:65:63:ed:ee:37:4b:6e:3b:e3:d6:77:51:a7:15:
                    be:99:70:ea:45:0f:e3:46:53:dd:46:2d:8d:4b:57:
                    31:5b:30:e8:91:47:b2:41:a7:54:c8:44:f6:75:37:
                    a3:29:ac:81:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
    Signature Algorithm: ecdsa-with-SHA384
         30:45:02:21:00:ac:7f:fb:04:23:ea:c7:77:eb:e8:d3:a4:16:
         a6:f7:9a:6a:ee:d1:ce:9c:4e:16:ec:2b:dd:86:4e:56:af:2d:
         cd:02:20:5f:a1:3b:d1:50:a8:4a:30:05:ed:59:1e:1e:99:68:
         d4:92:af:19:d5:a1:46:e5:ad:4b:d2:f4:0a:dd:89:5d:4d
-----BEGIN CERTIFICATE-----
MIICTjCCAfSgAwIBAgIUD7HoOHQfKir9i8+1J8AgUahUrc4wCgYIKoZIzj0EAwMwgYQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAwDgYDVQQHDAdCZWlKaW5nMRIwEAYDVQQKDAlBX2NvbXBhbnkxDzANBgNVBAsMBnJvb3RjYTEPMA0GA1UEAwwGcm9vdENBMRswGQYJKoZIhvcNAQkBFgxhZG1AdGVzdC5jb20wHhcNMTgxMTI0MTUyNjEyWhcNMjgxMTIxMTUyNjEyWjCBhDELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoMCUFfY29tcGFueTEPMA0GA1UECwwGcm9vdGNhMQ8wDQYDVQQDDAZyb290Q0ExGzAZBgkqhkiG9w0BCQEWDGFkbUB0ZXN0LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMyPccwR/rupsIa3j1CJPGVj7e43S24749Z3UacVvplw6kUP40ZT3UYtjUtXMVsw6JFHskGnVMhE9nU3oymsgeqjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR2eRRGt3zliuhHd/W2K7MXvC0FAjAKBggqhkjOPQQDAwNIADBFAiEArH/7BCPqx3fr6NOkFqb3mmru0c6cThbsK92GTlavLc0CIF+hO9FQqEowBe1ZHh7ZaN***xnVoUblrUvS9ArdiV1N
-----END CERTIFICATE-----
签发私有二级CA
[root@www openssl]# cp -rf root-CA/* sub-CA/
[root@www openssl]# cd sub-CA/
[root@www sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt
[root@www sub-CA]# vim sub-ca.cnf
[default]
name = sub-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "sub-CA"
[ca_default]
home = /usr/local/openssl/sub-CA
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/second_cacert.crt
private_key = $home/private/second_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_subCA_match
[policy_subCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[root@www sub-CA]# cd test
# 生成二级CA私钥
[root@www test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem
# AES256加密(密码redhat)
[root@www test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成二级CA的证书申请
[root@www test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/emailAddress=sub01adm@test.com
Enter pass phrase for second_cakey_ecdsa.pem:
# 使用根证书签署二级CA证书
[root@www test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notext
Using configuration from /usr/local/openssl/root-CA/root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = rootca
            commonName = rootCA
            emailAddress = adm@test.com
        Validity
            Not Before: Nov 28 13:18:46 2018 GMT
            Not After : Nov 27 13:18:46 2020 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = subca
            commonName = sub01_CA
            emailAddress = sub01adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c:
                    18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9:
                    df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0:
                    7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76:
                    97:56:c3:2c:e4
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.a-company.com/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.a-company.com:9080
            X509v3 Authority Key Identifier:
                keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://root-ca.a-company.com/root-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:test05.com
                  DNS:test.org
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
            X509v3 Subject Key Identifier:
                9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
[root@www test]# mv second_cakey_ecdsa.pem ../private/
[root@www test]# mv second_cacert.crt ../
使用二级CA签发服务器端证书
# 生成私钥和申请(注意这里没加密私钥)
[root@www test]# openssl ecparam -genkey -name prime256v1 -out server_ecdsa.key
[root@www test]# openssl req -new -key server_ecdsa.key -config ../sub-ca.cnf -out server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=www.test05.com/emailAddress=test05adm@test.com
[root@www test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = subca
            commonName = sub01_CA
            emailAddress = sub01adm@test.com
        Validity
            Not Before: Nov 28 13:40:52 2018 GMT
            Not After : Nov 28 13:40:52 2019 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = server
            commonName = www.test05.com
            emailAddress = test05adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee:
                    41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8:
                    ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a:
                    3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd:
                    72:08:f5:7c:00
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4B
Certificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
使用server.crt 与 second_cacert.crt 合成一个证书链
# 要注意顺序,服务器端的证书是放在第一个,二级CA的证书在其后面;如果还有一层三级CA,那么是先追加三级CA证书,再追加二级CA证书。
[root@www test]# cat server.crt ../second_cacert.crt > chain.crt
[root@www test]# ll chain.crt
-rw-r--r--. 1 root root 2534 11月 28 21:50 chain.crt
[root@www test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/
[root@www test]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
......
server_name www.linuxplus.com www.test05.com;
ssl_certificate certs/chain.crt;
ssl_certificate_key certs/server_ecdsa.key;
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
[root@www ~]# cd /usr/local/openssl/root-CA
[root@www root-CA]# sz -y root_cacert.crt
使用二级CA签发客户端证书
[root@www ~]# cd /usr/local/openssl/sub-CA/test/
[root@www test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key
# 生成申请
[root@www test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=www.test05.com/emailAddress=clientadm@test.com
# 签发客户端证书
[root@www test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae
        Issuer:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = subca
            commonName = sub01_CA
            emailAddress = sub01adm@test.com
        Validity
            Not Before: Nov 30 15:17:31 2018 GMT
            Not After : Jan 29 15:17:31 2019 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = client01
            commonName = www.test05.com
            emailAddress = clientadm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62:
                    72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba:
                    d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe:
                    e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5:
                    ec:d4:b6:56:2a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:
                29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E
Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
# 格式转换成pkcs12
[root@www test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12
[root@www test]# cd ..
[root@www sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem
Using configuration from sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
[root@www test]# cd
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
# 开启客户端身份验证
ssl_verify_client on;
# 指定客户端证书到根证书的深度
ssl_verify_depth 2;
# 指定签发客户端证书的CA证书
ssl_client_certificate /usr/local/openssl/sub-CA/second_cacert.crt;
# 完整证书链中需要包含的其他CA证书
ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt;
# 证书吊销列表,有更新时Nginx需要重新加载
ssl_crl /usr/local/openssl/sub-CA/crl.pem;
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
注意:
在 nginx 配置文件中开启客户端证书验证后,把客户端证书安装到客户端,即可正常访问站点。
nginx 中的 ssl_crl 配置需要注意:如果 CRL 与客户端证书都是由二级CA签署的,那么 ssl_crl 也必须包含根证书签署的 CRL 列表,这与证书链的概念类似。ssl_client_certificate 可以配置为证书链,也可以只配置二级CA证书(如果只配置二级CA,那么 ssl_trusted_certificate 需要配置根证书)。
cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem
ssl_crl ....xx/xx/crl_chain.pem;
[root@www sub-CA]# cd ..
[root@www openssl]# cd root-CA/
[root@www root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem
Using configuration from root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
[root@www root-CA]# cd ..
[root@www openssl]# cd sub-CA/
[root@www sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem
# 修改Nginx配置
# 证书吊销列表,有更新时Nginx需要重新加载
ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;
多域名证书与泛域名证书
多域名
[root@www ~]# cd /usr/local/openssl/sub-CA/
[root@www sub-CA]# vim sub-ca.cnf
......
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
req_extensions = dns_ext #修改内容
#增加内容
[ dns_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.0=list.test05.com
DNS.1=login.test05.com
DNS.2=admin.test05.com
......
[root@www sub-CA]# cd test
# 生成私钥
[root@www test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key
[root@www test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/emailAddress=server01adm@test.com
# 使用二级CA签署多域名证书
[root@www test]# openssl ca -config ../sub-ca.cnf -in server01.csr -out server01.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af
        Issuer:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = subca
            commonName = sub01_CA
            emailAddress = sub01adm@test.com
        Validity
            Not Before: Dec 1 06:38:21 2018 GMT
            Not After : Dec 1 06:38:21 2019 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = BeiJing
            localityName = BeiJing
            organizationName = A_company
            organizationalUnitName = server01
            commonName = server01_multi
            emailAddress = server01adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35:
                    16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce:
                    55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24:
                    07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da:
                    d5:e2:76:40:5e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6
            X509v3 Subject Alternative Name:
                DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.com
Certificate is to be certified until Dec 1 06:38:21 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www test]# cat server01.crt ../second_cacert.crt > chain2.crt
[root@www test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
......
server_name *.test05.com;
ssl_certificate certs/chain2.crt;
ssl_certificate_key certs/server01_ecdsa.key;
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
- 数据库文件 index.txt 说明
[root@www CA]# cat index.txt
V 190901132740Z  92F43BDFF9AC3B5CAA3189D661C69AFA unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
V 191110141723Z  92F43BDFF9AC3B5CAA3189D661C69AFB unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=www.linuxplus01.com/emailAddress=admin@linuxplus.com
V 191110143215Z  92F43BDFF9AC3B5CAA3189D661C69AFC unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
R 191111060653Z 181111142637Z 92F43BDFF9AC3B5CAA3189D661C69AFD unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
V 191111140018Z  92F43BDFF9AC3B5CAA3189D661C69AFE unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
每一行包括6个以制表符分隔的值
(1) 状态标记: V 表示有效 valid, R 表示已吊销 revoked, E 表示已过期 expired
(2) 过期时间(以 YYMMDDHHMMSSZ 格式表示)
(3) 吊销日期,如果没有被吊销则为空
(4) 序列号(十六进制)
(5) 文件路径(如果不知道就显示 unknown )
(6) subject (所有者)
名称约束
在根证书配置文件里有一个名称约束 nameConstraints = @name_constraints。名称约束表示由该根证书签发的二级CA,其再签发的证书的 CN 必须符合名称约束的规则:permitted;DNS.0=test05.com 表示所签署证书的 CN 要符合 xxxxtest05.com,例如 www.test05.com 或 abc.test05.com,而不能是 test05.com.xxx,也不能使用通配符。如果名称约束是 .test05.com,那么 www.test05.com 也是不行的,而 www.*.test05.com 是可以的;也就是说,CN 的后缀必须是名称约束所给定的字符串。
如果是签发客户端证书,名称约束不是非要使用域名,可以自定义一个字符串,例如 cli-admin.a.company 等。
如果是给服务器端签发证书,就要注意签发的证书要在名称约束以内,并且是域名的格式。
[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0