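I am 快乐八宝粥, a blogger on 靠谱客. This article, which I collected during recent development work, covers SSL Basics 17: using a custom configuration file (interactive mode, configuration file description, configuration file example, generating the private key, generating the CSR file, and checking the CSR contents). I found it useful and am sharing it here for reference.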

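Overview

openssl.cnf is the configuration file for the openssl command. The system-wide configuration file /etc/pki/tls/openssl.cnf applies to all users; in practice you can create a dedicated configuration file to set a user's own defaults.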

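Interactive mode

| Option | Description |
| --- | --- |
| openssl req | Creates certificate signing requests, among other functions |
| -nodes | Do not encrypt the private key |
| -new | Create a CSR (certificate signing request) file |
| -out | Name of the CSR output file |
| -subj | Contents of the certificate Subject |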

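Configuration file description

| Setting | Description |
| --- | --- |
| default_bits | Length of the RSA private key used when generating a CSR; corresponds to the -newkey option |
| default_md | Default message digest algorithm used for signing |
| default_keyfile | Default file name for the key file; for example, a private key is created automatically when -newkey is used, or when -new is used without -key. Corresponds to the -newkey option |
| distinguished_name | User DN information, expanded in the req_distinguished_name section |
| attributes | Attributes of the certificate request (expanded in the req_attributes section); the openssl certificate-signing tools do not use this extension option, however |
| input_password | Password for the input key file; corresponds to the -passin option |
| output_password | Password for the output key file; corresponds to the -passout option |
| x509_extensions | Extensions of the certificate request, expanded through the v3_req section |
| string_mask | Defines the default string type for some certificate fields; can be set to utf8only, for example |

  • req_distinguished_name section settings

| Setting | Description |
| --- | --- |
| countryName | Country code (two-letter country code, e.g. CN) |
| stateOrProvinceName | State, province or municipality name |
| localityName | City name |
| organizationName | Organization or company name |
| organizationalUnitName | Department name |
| commonName | CN content |
| commonName_max | Maximum length of the commonName value |
| emailAddress | Email address |
| emailAddress_max | Maximum length of the email address value |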

Configuration file example

[root@host121 csr]# cat openssl.cnf 
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = ca.pem
distinguished_name      = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= CN
countryName_min			= 2
countryName_max			= 2
stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= LiaoNing
localityName			= Locality Name (eg, city)
localityName_default		= DaLian
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= devops
organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	= unicorn
commonName			= Common Name (eg, your name or your server's hostname)
commonName_default      = devops.com
commonName_max			= 64
emailAddress			= Email Address
emailAddress_max		= 64
[root@host121 csr]# 

Generating the private key

[root@host121 csr]# openssl genrsa -out ca.key
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................+++++
.............................+++++
e is 65537 (0x010001)
[root@host121 csr]# ls ca.key
ca.key
[root@host121 csr]# 

Generating the CSR file

[root@host121 csr]# openssl req -new -config openssl.cnf -key ca.key -out request-using-cnf.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [LiaoNing]:
Locality Name (eg, city) [DaLian]:
Organization Name (eg, company) [devops]:
Organizational Unit Name (eg, section) [unicorn]:
Common Name (eg, your name or your server's hostname) [devops.com]:
Email Address []:
[root@host121 csr]# ls request-using-cnf.csr 
request-using-cnf.csr
[root@host121 csr]#

Checking the CSR contents

[root@host121 csr]# openssl req -text -noout -verify -in request-using-cnf.csr 
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cc:9b:68:0c:81:af:60:92:b9:96:73:4f:26:2e:
                    4d:23:8b:b8:41:41:44:85:a8:5a:74:38:8a:fc:83:
                    ca:e3:82:f5:51:93:0d:b8:a2:1d:df:b4:08:2f:7c:
                    7e:85:45:92:a1:cd:87:c8:f4:32:b3:c1:81:42:c7:
                    32:b9:a7:f4:27:f3:9c:35:c9:ba:07:2c:9a:9d:fa:
                    e3:f4:52:b3:5d:ff:b8:67:78:93:4b:18:d6:27:c8:
                    b5:c6:74:3e:0b:f4:01:77:6e:75:30:e7:8e:07:37:
                    ce:cc:62:dd:56:2c:8f:f1:93:af:49:3a:2a:ea:e2:
                    39:71:34:f1:bc:6f:47:21:bd:ba:f7:50:8f:0a:34:
                    5e:6d:02:b7:e2:8b:51:b3:f2:46:fd:54:87:aa:8e:
                    f8:31:73:b0:69:3e:2f:dc:6f:22:90:a3:2b:89:3a:
                    8e:55:1e:29:10:7f:2f:2f:25:08:01:93:09:35:d8:
                    c0:3c:b8:25:1b:88:e6:6d:ac:88:2b:48:a0:0b:3b:
                    83:65:b2:35:0e:dc:a1:a7:8b:e2:53:69:f5:ac:88:
                    69:f1:3a:e3:1f:25:2e:10:0b:60:0f:9a:62:bd:c0:
                    7d:00:a6:67:fc:6e:6a:34:73:d8:0c:40:14:8a:42:
                    76:9e:07:1d:1f:61:35:ea:73:fd:58:40:e8:2c:6c:
                    18:79
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         16:b1:6e:28:b9:6c:5b:ab:ba:53:f3:5d:7a:cb:78:f4:0b:92:
         2f:b4:66:83:dd:5e:8c:55:db:f1:85:4f:f5:c4:ed:74:da:96:
         af:7e:b4:75:9c:3a:b2:1a:38:3b:95:42:c6:95:18:70:27:27:
         a3:96:ab:f4:e4:1c:eb:12:c2:14:75:e0:b4:ab:3e:39:7d:cd:
         01:8f:b0:92:49:35:18:fa:83:e8:98:30:be:cd:e6:88:71:1b:
         35:a6:26:5b:9a:16:52:61:ba:18:02:b0:28:63:1d:20:cd:cc:
         c4:00:40:2a:af:c8:fe:86:1e:72:79:ea:f3:fa:01:eb:fc:fe:
         11:dc:7d:36:ba:d3:a6:86:ea:ff:23:ec:fa:e6:7f:70:c6:04:
         f5:b1:2d:9c:07:78:bb:42:d1:3b:ca:2a:37:48:9d:4f:6d:a8:
         69:5e:cc:da:4e:75:00:80:fa:de:6e:79:81:e0:c3:93:49:4e:
         c0:03:18:db:9d:57:0a:8d:c0:6f:fe:c9:b0:60:b8:58:cf:d6:
         20:6a:11:ea:33:22:77:1a:e5:8d:84:c5:15:91:bc:1a:89:2f:
         16:d0:38:31:3d:cc:2d:7d:83:12:ae:a6:01:4b:e7:3d:ed:92:
         27:14:d1:0c:01:fb:c0:ed:0f:2e:f3:c2:39:d8:e8:25:34:cb:
         0d:32:88:0c
[root@host121 csr]# 
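
The run above answers each DN prompt by hand. As an added example (not part of the original article), the script below builds the same request unattended by setting prompt = no in a constructed config, then checks that the CSR verifies and carries the public key of ca.key. The file name batch.cnf and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (constructed values): unattended CSR creation plus checks.
set -eu

# Config modelled on the page's example. "prompt = no" makes the DN section
# hold the literal field values, so openssl req asks no questions.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = req_distinguished_name
string_mask        = utf8only
prompt             = no
[ req_distinguished_name ]
countryName            = CN
stateOrProvinceName    = LiaoNing
localityName           = DaLian
organizationName       = devops
organizationalUnitName = unicorn
commonName             = devops.com
EOF
}

make_csr() {  # $1 = working directory
  write_cnf "$1/batch.cnf"
  ( umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null )
  openssl req -new -config "$1/batch.cnf" -key "$1/ca.key" -out "$1/request.csr"
}

# SHA-256 over the DER-encoded public key, taken from a CSR or a private key.
csr_pub_hash() { openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
key_pub_hash() { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# Succeeds only if the CSR self-signature verifies AND it carries the public
# key of the given private key. Matches the "verify OK" text the page shows.
check_csr() {  # $1 = CSR file, $2 = private key file
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  [ "$(csr_pub_hash "$1")" = "$(key_pub_hash "$2")" ]
}

csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

demo() {
  d=$(mktemp -d)
  make_csr "$d"
  csr_subject "$d/request.csr"
  check_csr "$d/request.csr" "$d/ca.key" && echo "CSR verifies and matches ca.key"
  rm -rf "$d"
}
demo
```

Comparing public-key hashes catches the case where a CSR is paired with the wrong key file, which the signature check alone does not reveal.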
