Foreword
Sharing some notes on Nginx user authentication and SSL (TLS encryption) configuration. The post covers a demo of Nginx user authentication and SSL configuration, and a demo of generating and using SSL certificates, private keys and CSRs with OpenSSL. My understanding is limited; friends, please help me correct any mistakes.
"One side of this world is through and through representation, just as the other side is through and through will." (The World as Will and Representation, Book One: The World as Representation, First Aspect)
User authentication
Install nginx and configure nginx user authentication
```
┌──[[email protected]]-[~]
└─$rpm -ql nginx || yum -y install nginx
```
Installed version
```
┌──[[email protected]]-[/etc/pki/nginx]
└─$nginx -v
nginx version: nginx/1.20.1
```
Back up and then edit the configuration file
```
┌──[[email protected]]-[~]
└─$cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
┌──[[email protected]]-[~]
└─$vim /etc/nginx/nginx.conf
```
Authentication needs the corresponding directives added inside the server block of the configuration file: auth_basic sets the prompt text (realm) shown to the user, and auth_basic_user_file sets the location of the credentials file.
```
server {
    auth_basic "auth-liruilong";
    auth_basic_user_file /etc/nginx/pass;
    # ... remaining server directives
}
```
Install the password tool: httpd-tools provides htpasswd, which creates the username and password used to access the site.
```
┌──[[email protected]]-[~]
└─$yum -y install httpd-tools
┌──[[email protected]]-[~]
└─$htpasswd -c /etc/nginx/pass liruilong
New password:
Re-type new password:
Adding password for user liruilong
```
Start the service and confirm it is running
```
┌──[[email protected]]-[~]
└─$systemctl start nginx
┌──[[email protected]]-[~]
└─$systemctl is-active nginx
active
```
Access test
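Added example, not from the original post, for the credentials file above: it writes entries in the same $apr1$ (MD5-crypt) format that htpasswd produces by default, using openssl passwd -apr1 instead of the interactive prompt, and then verifies a candidate password against the stored salted hash; nginx reads this format from auth_basic_user_file. The user name, passwords and temp file path are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Writes htpasswd-style entries
# ("user:$apr1$salt$hash", the format nginx's auth_basic_user_file accepts)
# and checks a candidate password against the stored salted hash.
# User names, passwords and the temp file below are constructed demo values.
set -eu

PASSFILE="$(mktemp)"          # stands in for /etc/nginx/pass in the demo
trap 'rm -f "$PASSFILE"' EXIT

# Append "user:$apr1$..." to the file, hashing with a fresh random salt.
add_user() {                  # $1 user, $2 password, $3 file
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")" >> "$3"
}

# Re-hash the candidate with the stored salt and compare. Returns 0 on
# match, 1 if the user is unknown or the password differs.
check_user() {                # $1 user, $2 candidate password, $3 file
  local stored salt
  stored="$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$3")"
  [ -n "$stored" ] || return 1
  salt="$(printf '%s' "$stored" | cut -d'$' -f3)"   # $apr1$<salt>$<hash>
  [ "$(openssl passwd -apr1 -salt "$salt" "$2")" = "$stored" ]
}

# Demo run with constructed credentials.
add_user liruilong 'demo-pass-123' "$PASSFILE"
check_user liruilong 'demo-pass-123' "$PASSFILE" && echo "liruilong: password accepted"
check_user liruilong 'not-the-password' "$PASSFILE" || echo "liruilong: password rejected"
```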
SSL virtual host configuration
Edit the configuration file: uncomment the commented-out TLS server section, then create the SSL private key and certificate at the paths that section specifies.
```
┌──[[email protected]]-[/etc/pki/nginx]
└─$cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # Settings for a TLS enabled server.
    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
┌──[[email protected]]-[/etc/pki/nginx]
└─$
```
Create the SSL certificate material
```
┌──[[email protected]]-[/etc/nginx/conf.d]
└─$mkdir -p /etc/pki/nginx/
┌──[[email protected]]-[/etc/pki/nginx]
└─$mkdir private
┌──[[email protected]]-[/etc/pki/nginx]
└─$cd private
```
Generate RSA and ECDSA keys
Generate an RSA key; the server's private key is used to decrypt the messages sent to it.
```
┌──[[email protected]]-[/etc/pki/nginx/private]
└─$openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
┌──[[email protected]]-[/etc/pki/nginx/private]
└─$cd ..
```
Other options
Generate an RSA key:
```
openssl genrsa -out example.key [bits]
```
Print the text representation of an RSA key:
```
openssl rsa -in example.key -text -noout
```
Generate a new RSA key and encrypt it with a passphrase using AES-256-CBC:
```
openssl genrsa -aes256 -out example.key [bits]
```
Check your private key. If the key has a passphrase, you will be prompted for it:
```
openssl rsa -check -in example.key
```
Remove the passphrase from the key:
```
openssl rsa -in example.key -out example.key
```
Encrypt an existing private key with a passphrase:
```
openssl rsa -des3 -in example.key -out example_with_pass.key
```
Generate an ECDSA key. Replace [curve] with prime256v1, secp384r1, secp521r1 or any other supported curve:
```
openssl ecparam -genkey -name [curve] | openssl ec -out example.ec.key
```
Create a certificate signing request (CSR)
Create a CSR from an existing private key
```
┌──[[email protected]]-[/etc/pki/nginx]
└─$ls
private
┌──[[email protected]]-[/etc/pki/nginx]
└─$openssl req -new -key ./private/server.key -out server.csr -subj "/CN=192.168.26.1"
```
Options
Create a CSR and a private key without a passphrase in a single command:
```
openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr
```
Provide the CSR subject information on the command line instead of through the interactive prompt:
```
openssl req -nodes -newkey rsa:[bits] -keyout example.key -out example.csr -subj "/C=UA/ST=Kharkov/L=Kharkov/O=Super Secure Company/OU=IT Department/CN=example.com"
```
Create a CSR from an existing certificate and private key:
```
openssl x509 -x509toreq -in cert.pem -out example.csr -signkey example.key
```
Generate a CSR for a multi-domain SAN certificate by supplying an OpenSSL configuration file:
```
openssl req -new -key example.key -out example.csr -config req.conf
```
Configuration file req.conf:
```
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
CN = example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = ftp.example.com
```
Create an X.509 certificate
Generate the certificate: create a self-signed certificate from the existing CSR and private key:
```
┌──[[email protected]]-[/etc/pki/nginx]
└─$openssl x509 -req -days 3650 -in server.csr -signkey ./private/server.key -out server.crt
Signature ok
subject=/CN=192.168.26.1
Getting Private key
┌──[[email protected]]-[/etc/pki/nginx]
└─$ls
private  server.crt  server.csr
┌──[[email protected]]-[/etc/pki/nginx]
└─$
```
Options
You can also create a self-signed certificate together with a new private key from scratch:
```
openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365
```
Sign a child certificate with your own "CA" certificate and its private key. If you were a CA company, this would be a very simple example of how to issue new certificates:
```
openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt
```
Print the text representation of a certificate:
```
openssl x509 -in server.crt -text -noout
```
Print the certificate fingerprint as an md5, sha1 or sha256 digest:
```
openssl x509 -in cert.pem -fingerprint -sha256 -noout
```
Verify a CSR or certificate
Verify the CSR signature:
```
openssl req -in example.csr -verify
```
Verify that the private key matches the certificate and the CSR (the three digests should be identical):
```
openssl rsa -noout -modulus -in example.key | openssl sha256
openssl x509 -noout -modulus -in example.crt | openssl sha256
openssl req -noout -modulus -in example.csr | openssl sha256
```
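The key, CSR and self-signed certificate procedure above, together with this key-matches-certificate check, as one added example that is not part of the original post: the script generates an EC key, a SAN CSR from a req.conf laid out like the one shown earlier, and a self-signed certificate, then compares SHA-256 digests of the public key carried by all three. It generalizes the -modulus check, which only works for RSA keys, to any key type; the host names, CN and temp paths are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate an EC key, a SAN CSR and
# a self-signed certificate in a temp dir, then confirm key, CSR and cert carry
# the same public key. Hashing the SubjectPublicKeyInfo works for EC keys too,
# where the RSA-only "-modulus" comparison does not. All names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/req.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = example.test
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF

# SHA-256 of the DER-encoded public key held in a key, CSR or certificate.
pubkey_digest() {             # $1: key|csr|x509, $2: file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    csr)  openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    x509) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "match" only if key, CSR and certificate share one public key.
key_matches() {               # $1 key, $2 csr, $3 cert
  local k c x
  k="$(pubkey_digest key "$1")"; c="$(pubkey_digest csr "$2")"; x="$(pubkey_digest x509 "$3")"
  if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then echo match; else echo mismatch; fi
}

# EC key -> CSR -> self-signed cert, copying the SAN extension onto the cert.
make_selfsigned() {           # $1: output directory
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/server.key"
  openssl req -new -key "$1/server.key" -out "$1/server.csr" -config "$WORK/req.conf"
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
    -extfile "$WORK/req.conf" -extensions req_ext -out "$1/server.crt" 2>/dev/null
}

make_selfsigned "$WORK"
echo "key/CSR/cert agree: $(key_matches "$WORK/server.key" "$WORK/server.csr" "$WORK/server.crt")"
```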
Verify a certificate, assuming the root certificate and any intermediate certificates are configured as trusted on your machine:
```
openssl verify example.crt
```
Verify a certificate when you have an intermediate certificate chain. The root certificate is not part of the bundle and should be configured as trusted on your machine:
```
openssl verify -untrusted intermediate-ca-chain.pem example.crt
```
Verify a certificate when you have an intermediate certificate chain and a root certificate that is not configured as trusted:
```
openssl verify -CAfile root.crt -untrusted intermediate-ca-chain.pem child.crt
```
Verify that the certificate served by a remote server covers a given hostname. Useful for checking that a multi-domain certificate correctly covers all of its hostnames:
```
openssl s_client -verify_hostname www.example.com -connect example.com:443
```
Start the nginx service and test
```
┌──[[email protected]]-[/etc/pki/nginx]
└─$systemctl start nginx
```
Access test with the self-signed certificate
References
https://dynacont.net/documentation/linux/openssl/
https://medium.com/free-code-camp/openssl-command-cheatsheet-b441be1e8c4a
https://www.sslshopper.com/article-most-common-openssl-commands.html
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/certificates/