在cowboy的ssl目录中,我看到3个文件 cowboy-ca.crt,server.crt和server.key。 可能在某处他们有cowboy-ca.key这是不需要的目录。如何生成牛仔SSL证书?
我可以猜测cowboy-ca.crt是一些默认CA的公钥,并且正在使用采用CSR文件服务器的密钥对签署server.crt,当客户端连接到牛仔它下载并安装server.crt这文件建立到服务器的安全连接,我是否正确? 问题是如何使用openssl和我自己的CA生成所有这些文件?
在网上有这个教程,但我碰巧有一个从此之前做过的记录。它比您需要的要多得多,但会告诉您如何实现创建您自己的CA和基于它签名的证书的基础知识。我的记录粘贴在下面,创建一个CA,创建一个由CA签名的中间CA,最后创建一个可在服务器上使用的证书。您显然不需要中间CA,所以您应该跳过中间位,并使用根CA而不是中间CA签署最终/结束证书,例如,在创建end.crt时,而不是使用../inter_ca/inter.key,使用../root_ca/rootca.key等
我假设你在这里提出正确的问题,正确的,而且自签名证书真的是你想要什么。
创建证书和密钥后,还提供了有关配置Apache的指导,以及如何使用OpenSSL工具验证它是否正常工作的说明(在任何SSL TCP连接上,因此适用于牛仔或其他任何东西)。这会告诉你信任链,尽管你的深度是1而不是深度2,因为你会省略中间CA.
创建一些目录一起工作:
mkdir inter_ca_demo
cd inter_ca_demo
mkdir root_ca inter_ca end_cert
cd root_ca
创建密钥:
openssl genrsa -out rootca.key 2048
输出将是这样的:
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.............................+++
e is 65537 (0x10001)
自签署创建你的根CA证书(您将不得不输入将被编码到证书中的各种信息):
openssl req -x509 -new -nodes -key rootca.key -days 1024 -out rootca.pem
它应该是这个样子(在这里你可以看到我输入的内容):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Method Analysis Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:methodanalysis.com
Email Address []:[email protected]
上移动到中间,你必须重命名,复制或建立链接到根证书,这样之前它可以通过哈希算法找到。这是为了确保在您的CA路径中存在大量可信证书时性能不会降低。要做到这一点,你必须找出散列是用下面的命令是什么:
openssl x509 -noout -hash -in rootca.pem
输出应该是这样的:
03ed4e37
然后创建链接,添加0.0到YOUR HASH(如从前面的命令输出):
ln -s rootca.pem 03ed4e37.0
现在创建中间CA密钥和CSR(C ertificate签名请求)(你必须输入将被编码到证书)的各种信息:
cd ../inter_ca
openssl genrsa -out inter.key 2048
openssl req -new -key inter.key -out inter.csr
它应该是这个样子:
$ openssl genrsa -out inter.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
..............................................................+++
e is 65537 (0x10001)
$ openssl req -new -key inter.key -out inter.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intermediate certificates R US Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecasrus.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
现在创建一个文件(v3x509extensions.txt ),其包括数据,其指示这应该是一个中间CA,然后生成中间证书,用你的根CA签署:
echo 'basicConstraints=CA:TRUE' > v3x509extensions.txt
openssl x509 -req -extfile v3x509extensions.txt -in inter.csr -CA ../root_ca/rootca.pem -CAkey ../root_ca/rootca.key -CAcreateserial -out inter.crt -days 200
它应该看起来SOMET兴这样的:
Signature ok
subject=/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/[email protected]
Getting CA Private Key
现在创建您的最后一个关键(即你要使用的SSL网站(例如))从它,建立一个企业社会责任,并与您的中间证书签名,生成新证书:
cd ../end_cert
openssl genrsa -out end.key 2048
openssl req -new -key end.key -out end.csr
openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500
它应该是这个样子:
$ openssl genrsa -out end.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.....................................................+++
e is 65537 (0x10001)
$ openssl req -new -key end.key -out end.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:End User Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecademo-enduser.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500
Signature ok
subject=/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/[email protected]
Getting CA Private Key
在这一点上,你可以检查东西看起来确定通过验证的信任链,在这里我Concat的中间和'end'证书,然后仅使用根CA路径验证它们(请记住,'end'证书不能在没有中间CA的情况下验证,所以它必须与'end'证书一起给出):
cat ../inter_ca/inter.crt end.crt | openssl verify -CApath ../root_ca
输出应该是:
stdin: OK
如果你使用这些按键与Apache例如,你可以这样进行配置:
SSLCertificateFile FULL_PATH_TO/inter_ca_demo/end_cert/end.crt
SSLCertificateKeyFile FULL_PATH_TO/inter_ca_demo/end_cert/end.key
SSLCertificateChainFile FULL_PATH_TO/inter_ca_demo/inter_ca/inter.crt
SSLCACertificatePath FULL_PATH_TO/inter_ca_demo/root_ca
Apache将现在提供中间CER证书以及它自己的证书,这允许网络客户端使用'openssl verify'执行与上述相同的验证(以及其他检查)。
如果您确实在apache中使用了这些证书,并且您创建了名为'intermediatecademo-enduser'的网站。
openssl s_client -connect intermediatecademo-enduser.com:443 -CApath root_ca -verify 5
输出应该是这样的:
verify depth is 5
CONNECTED(00000004)
depth=2 C = GB, ST = London, L = London, O = Method Analysis Ltd, CN = methodanalysis.com, emailAddress = [email protected]
verify return:1
depth=1 C = GB, ST = London, L = London, O = Intermediate certificates R US Ltd, CN = intermediatecasrus.com, emailAddress = [email protected]
verify return:1
depth=0 C = GB, ST = London, L = London, O = End User Ltd, CN = intermediatecademo-enduser.com, emailAddress = [email protected]duser.com
verify return:1
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/[email protected]
i:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/[email protected]
1 s:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/[email protected]
i:/C=GB/ST=London/L=London/O=Method Analysis Ltd/CN=methodanalysis.com/[email protected]
---
Server certificate
...
...
...
Start Time: 1445696823
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
它将“与保持‘你创建的,你也可以使用OpenSSL来验证从客户的角度证书终结’证书COM现在挂起,等待数据被发送。你可以按CTRL + C退出。
你对证书关系基本上是正确的;有一个服务器证书和私钥以及一个CA证书。
由于它们仅用于测试目的,因此我认为牛仔的作者并不打扰包括他用来生成服务器证书的CA私钥。
当涉及到SSL证书时,牛仔没什么特别的。假设您正在查看ssl_hello_world example,您可以在ssl_hello_world_app.erl中看到正在使用的证书。
从那里,那些SSL选项被传递到Erlang SSL应用程序,该应用程序被记录为here。
该文档声明(尽管它并不完全明显),它们是标准的PEM编码证书和密钥文件。例如,您可以使用OpenSSL生成它们。
Stack Overflow是编程和开发问题的网站。这个问题似乎与题目无关,因为它不涉及编程或开发。请参阅帮助中心的[我可以询问哪些主题](http://stackoverflow.com/help/on-topic)。也许[超级用户](http://superuser.com/)或[Unix&Linux堆栈交换](http://unix.stackexchange.com/)会是一个更好的地方。另请参阅[我在哪里发布有关Dev Ops的问题?](http://meta.stackexchange.com/q/134306)。 – jww