关于Certificate的一切-概念及工具

摘要:本文力求从理论到工具,从工具到代码,从代码到实际应用介绍所有和 Certificate (广义)相关的知识。

JKS (Java KeyStore)

KeyStore 介绍

JKS 说起 (Java KeyStore),首先我们看一下 Wiki:

A Java KeyStore (JKS) is a repository of security certificates – either authorization certificates or public key certificates – plus corresponding private keys, used for instance in SSL encryption.

In IBM WebSphere Application Server and Oracle WebLogic Server, a file with extension jks serves as keystore.

The Java Development Kit maintains a CA keystore in folder jre/lib/security/cacerts. JDKs provide a tool named keytool[1] to manipulate the keystore. keytool has no functionality to extract the private key out of the keystore, but this is possible with third-party tools like jksExportKey, CERTivity,[2] Portecle[3] and KeyStore Explorer.[4]

直观的说,KeyStore 只是一个载体,是 Certificate 的载体,在一个 KeyStore 文件中可以有多个公钥和私钥对。每对公私钥通过别名 alias 来区分。对于 KeyStore, 我们使用 KeyTool 工具来进行操作。

关键点:

  1. keystore 包含若干对公私钥,通过别名区分及提取
  2. keystore 工具是 keytool
  3. keystore 本身有密码

使用 keytool 生成 JKS,并且生成公钥和私钥对:

1
keytool -genkey -alias  mydomain  -keyalg RSA -keystore  keystore.jks -keysize 2048

说明:

  1. -genkey 生成公私钥
  2. -alias 指定公私钥对的别名
  3. -keyalg 指定算法
  4. -keystore 指定输出的文件名
  5. -keysize 指定密钥长度

该命令是一个交互式的,需要用户指定以下内容,这里需要两个密码:

  1. keystore password (JKS 文件本身密码)
  2. key password (私钥密码)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
keytool -genkey -alias mengxin.science -keyalg RSA -keystore  mxsci.jks -keysize 2048
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: Xin Meng
What is the name of your organizational unit?
[Unknown]: mengxin
What is the name of your organization?
[Unknown]: mengxin
What is the name of your City or Locality?
[Unknown]: London
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: UK
Is CN=Xin Meng, OU=mengxin, O=mengxin, L=London, ST=Unknown, C=UK correct?
[no]: yes

Enter key password for <mengxin.science>
(RETURN if same as keystore password): changeitkey
Re-enter new password: changeitkey

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mxsci.jks -destkeystore mxsci.jks -deststoretype pkcs12".

查看 keystore 内的公私钥信息

1
2
3
4
5
6
7
8
# Check a stand-alone certificate**
keytool -printcert -v -file mydomain.crt

# Check which certificates are in a Java keystore**
keytool -list -v -keystore keystore.jks

#Check a particular keystore entry using an alias**
keytool -list -v -keystore keystore.jks -alias mydomain

CSR (Certificate Signing Request)

介绍

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature). The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some web browsers.

也就是说 CSR 是一个概念,其通常承载的文件格式是 PKCS #10SPKACCSR 本质上是一个消息,这个消息一般是包含公钥,唯一身份信息和数字签名,用来向 CA 申请数字认证的。

我们要知道,一个证书 (或者说是一对公私钥),理论上只有被某个 CA 信任了,才能在实际中真正的发挥作用。

JKS 生成 CSR

1
keytool -certreq -alias  mydomain  -keystore  keystore.jks  -file  mydomain.csr

说明

  1. certreq 表示生成 CSR
  2. alias 指定使用哪个key 对
  3. keystore 指定 jks 文件
  4. file 指定说出的额 csr 文件

在执行过程中需要输入 keystore 和 key 的 password,如果输入错误,将会得到错误。比如 key 密码输入错误,则会报错: keytool error: java.security.UnrecoverableKeyException: Cannot recover key

1
2
3
4
5
6
keytool -certreq -alias  mengxin.science  -keystore  mxsci.jks  -file  mxsci.csr
Enter keystore password:
Enter key password for <mengxin.science>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mxsci.jks -destkeystore mxsci.jks -deststoretype pkcs12".

这时候生成的 CSR

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# cat mxsci.csr 
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC3DCCAcQCAQAwZzELMAkGA1UEBhMCVUsxEDAOBgNVBAgTB1Vua25vd24xDzAN
BgNVBAcTBkxvbmRvbjEQMA4GA1UEChMHbWVuZ3hpbjEQMA4GA1UECxMHbWVuZ3hp
bjERMA8GA1UEAxMIWGluIE1lbmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDmIRw5CEHyjiGDbZvapGYeeGQ0tgMZB9ImZBv4p3mmhV1fZQ3Y0G7czJaa
21X5y/tz/H5q97pjIm/SPICME5JH8xR1ZzOuLvpmGSlZ/YYMPGu8osAXm8g6UhJm
tKZhVh1JM2bkysOW10GJKQdl2stdwq5wIqmqtTBtlVpDFfoDhCXEwciO6vQJt+8A
vy4Wt2kX7Np5BtGSra6HRpySpZ3Fy2grWlkNw8OwRtl3PNpF5uloKi5QvcVzipNd
g+UhfebWGW7BIm1/Q9l9o0EHnSGpCgA7NFpV+RUEGM+ITjb1kgOx/YCkQZfgH2pA
/38fPzCKjwRwvcRQGhPJIlJ/DZWfAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0G
A1UdDgQWBBTLMfWKkadT2P6bt7y9kRVgIAVwujANBgkqhkiG9w0BAQsFAAOCAQEA
pbNaOemKIwI9sJmvmMY7EBlUc7g4KJlPt1CAYaUIhi32vRT+GutNmjFLgqXIt5lB
F+jDXkTBD1JmqSmES1xcfa7+TPN9SL+fYSl0Z7fWI5A80RyjJj+Lp4EQsE95+u12
H1jiX4iwtySLnu1fvU4+qzy0TmvFKzdPnRrzfZeZnGEMDT7sgyaFcR9Ac3nhswo5
q8wVux0MDvSC/8NnVday15r71dAn3dpJyy+rs1ZkZEPhu7IfZ7UYJjw6X2wKBxbY
gJj7cJfeL1hlrGrZ0FxVb6/xh5wMPQSPiPyiOPSs4KBy4hfsJn0w0lUM5eoO1wyo
IJsTZhDtlDLL1mZAxm+Eog==
-----END NEW CERTIFICATE REQUEST-----

公私钥及证书系统

在开始介绍之前,我们需要首先明确,我们需要哪些知识,这些知识将会有什么用?

  1. 需要知道各种文件格式的意义
  2. 需要知道各种文件格式中包含的内容
  3. 需要知道各种文件格式之间的转化
  4. 需要知道各种文件格式一般的用途

标准:

  1. PKCS stands for “Public Key Cryptography Standards”

编码:

  1. PEM
  2. DER

文件后缀

  1. jks: Java KeyStore
  2. csr: Certificate Signing Request (PKCS1 #10)
  3. p12: (PKCS1 #12) same with pfx, change extention name, see this
  4. pfx: Personal Information Exchange Format (PFX)
  5. pem: Privacy-Enhanced Mail
  6. key: The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
  7. key.unsecure
  8. crt: certificate, The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
  9. srl:
  10. cer: certificate, alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  11. der: Distinguished Encoding Rules, The DER file extension is primarily associated with a DER- (Distinguished Encoding Rules) encoded X509 digital certificate file.

crt 和 cer

.crt stands simply for certificate, usually an X509v3 certificate, again the encoding could be PEM or DER; a certificate contains the public key, but it contains much more information (most importantly the signature by the Certificate Authority over the data and public key, of course).

这个就是 General 的 Certificate 文件,一般就是 X509v3 的证书 (只有公钥和签名等信息,没有私钥),其编码可以是 PEMDER

1
2
keytool -export -alias server-alias -storepass changeit
-file server.cer -keystore keystore.jks

结果

1
2
3
4
5
keytool -export -alias mengxin.science -storepass changeit -file mxsci.cer -keystore mxsci.jks
Certificate stored in file <mxsci.cer>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mxsci.jks -destkeystore mxsci.jks -deststoretype pkcs12".

这个 cerDER 格式,我们可以用 openssl 来查看该证书:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
openssl x509 -in mxsci.cer -inform der -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 888298787 (0x34f25d23)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UK, ST = Unknown, L = London, O = mengxin, OU = mengxin, CN = Xin Meng
Validity
Not Before: Oct 4 09:05:47 2018 GMT
Not After : Jan 2 09:05:47 2019 GMT
Subject: C = UK, ST = Unknown, L = London, O = mengxin, OU = mengxin, CN = Xin Meng
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e6:21:1c:39:08:41:f2:8e:21:83:6d:9b:da:a4:
66:1e:78:64:34:b6:03:19:07:d2:26:64:1b:f8:a7:
79:a6:85:5d:5f:65:0d:d8:d0:6e:dc:cc:96:9a:db:
55:f9:cb:fb:73:fc:7e:6a:f7:ba:63:22:6f:d2:3c:
80:8c:13:92:47:f3:14:75:67:33:ae:2e:fa:66:19:
29:59:fd:86:0c:3c:6b:bc:a2:c0:17:9b:c8:3a:52:
12:66:b4:a6:61:56:1d:49:33:66:e4:ca:c3:96:d7:
41:89:29:07:65:da:cb:5d:c2:ae:70:22:a9:aa:b5:
30:6d:95:5a:43:15:fa:03:84:25:c4:c1:c8:8e:ea:
f4:09:b7:ef:00:bf:2e:16:b7:69:17:ec:da:79:06:
d1:92:ad:ae:87:46:9c:92:a5:9d:c5:cb:68:2b:5a:
59:0d:c3:c3:b0:46:d9:77:3c:da:45:e6:e9:68:2a:
2e:50:bd:c5:73:8a:93:5d:83:e5:21:7d:e6:d6:19:
6e:c1:22:6d:7f:43:d9:7d:a3:41:07:9d:21:a9:0a:
00:3b:34:5a:55:f9:15:04:18:cf:88:4e:36:f5:92:
03:b1:fd:80:a4:41:97:e0:1f:6a:40:ff:7f:1f:3f:
30:8a:8f:04:70:bd:c4:50:1a:13:c9:22:52:7f:0d:
95:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CB:31:F5:8A:91:A7:53:D8:FE:9B:B7:BC:BD:91:15:60:20:05:70:BA
Signature Algorithm: sha256WithRSAEncryption
62:70:b2:9b:35:5c:cd:df:2e:bb:e0:fb:1c:6c:a8:fa:7c:e7:
49:82:c7:cf:1e:7e:99:d8:3e:dd:e4:8b:be:af:6e:1a:da:68:
f2:48:60:05:3c:9b:d6:be:3e:e0:e3:60:ae:6d:fe:f6:6c:7f:
8e:1a:6a:a3:65:f5:0e:ea:e6:74:dc:8f:59:8b:39:2c:49:36:
49:51:40:4f:bc:0a:01:0d:56:4a:e7:0a:b8:8b:11:27:7c:98:
31:53:40:a7:f7:8c:a9:59:41:f9:67:a1:41:7c:bc:2f:4d:18:
7c:32:84:a1:ee:9b:9a:6a:8a:c2:df:f8:6d:27:d1:ae:9c:07:
76:8d:1d:b5:10:81:9d:d5:c2:06:f8:5f:fe:23:cd:3f:de:73:
de:4e:91:85:8f:ab:84:01:85:25:81:ff:dd:32:33:24:89:e0:
72:b1:90:b8:88:71:6a:7d:52:c0:fc:10:f1:a1:82:9b:ec:05:
ed:6e:1b:b5:d7:38:7b:26:62:76:b2:9d:f6:f1:c4:3c:ec:a2:
8c:42:d4:b8:c3:60:51:f9:fb:f8:d2:9f:4b:87:ea:28:d4:15:
dc:28:65:7e:90:86:b1:3b:02:e6:69:d8:13:f6:a9:47:f1:b4:
90:e5:d9:d6:73:01:05:63:b7:e9:01:c7:df:84:7b:58:88:55:
3a:7b:d6:5c

我们参考该文章,可以转换格式

DER exchange PEM

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
openssl x509 -in mxsci.cer -inform der -outform pem -out mxsci.pem
# cat mxsci.pem
-----BEGIN CERTIFICATE-----
MIIDbTCCAlWgAwIBAgIENPJdIzANBgkqhkiG9w0BAQsFADBnMQswCQYDVQQGEwJV
SzEQMA4GA1UECBMHVW5rbm93bjEPMA0GA1UEBxMGTG9uZG9uMRAwDgYDVQQKEwdt
ZW5neGluMRAwDgYDVQQLEwdtZW5neGluMREwDwYDVQQDEwhYaW4gTWVuZzAeFw0x
ODEwMDQwOTA1NDdaFw0xOTAxMDIwOTA1NDdaMGcxCzAJBgNVBAYTAlVLMRAwDgYD
VQQIEwdVbmtub3duMQ8wDQYDVQQHEwZMb25kb24xEDAOBgNVBAoTB21lbmd4aW4x
EDAOBgNVBAsTB21lbmd4aW4xETAPBgNVBAMTCFhpbiBNZW5nMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5iEcOQhB8o4hg22b2qRmHnhkNLYDGQfSJmQb
+Kd5poVdX2UN2NBu3MyWmttV+cv7c/x+ave6YyJv0jyAjBOSR/MUdWczri76Zhkp
Wf2GDDxrvKLAF5vIOlISZrSmYVYdSTNm5MrDltdBiSkHZdrLXcKucCKpqrUwbZVa
QxX6A4QlxMHIjur0CbfvAL8uFrdpF+zaeQbRkq2uh0ackqWdxctoK1pZDcPDsEbZ
dzzaRebpaCouUL3Fc4qTXYPlIX3m1hluwSJtf0PZfaNBB50hqQoAOzRaVfkVBBjP
iE429ZIDsf2ApEGX4B9qQP9/Hz8wio8EcL3EUBoTySJSfw2VnwIDAQABoyEwHzAd
BgNVHQ4EFgQUyzH1ipGnU9j+m7e8vZEVYCAFcLowDQYJKoZIhvcNAQELBQADggEB
AGJwsps1XM3fLrvg+xxsqPp850mCx88efpnYPt3ki76vbhraaPJIYAU8m9a+PuDj
YK5t/vZsf44aaqNl9Q7q5nTcj1mLOSxJNklRQE+8CgENVkrnCriLESd8mDFTQKf3
jKlZQflnoUF8vC9NGHwyhKHum5pqisLf+G0n0a6cB3aNHbUQgZ3Vwgb4X/4jzT/e
c95OkYWPq4QBhSWB/90yMySJ4HKxkLiIcWp9UsD8EPGhgpvsBe1uG7XXOHsmYnay
nfbxxDzsooxC1LjDYFH5+/jSn0uH6ijUFdwoZX6QhrE7AuZp2BP2qUfxtJDl2dZz
AQVjt+kBx9+Ee1iIVTp71lw=
-----END CERTIFICATE-----

查看 PEM 证书信息,该信息和上面的是一致的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
openssl x509 -in mxsci.pem -text -noout

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 888298787 (0x34f25d23)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UK, ST = Unknown, L = London, O = mengxin, OU = mengxin, CN = Xin Meng
Validity
Not Before: Oct 4 09:05:47 2018 GMT
Not After : Jan 2 09:05:47 2019 GMT
Subject: C = UK, ST = Unknown, L = London, O = mengxin, OU = mengxin, CN = Xin Meng
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e6:21:1c:39:08:41:f2:8e:21:83:6d:9b:da:a4:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CB:31:F5:8A:91:A7:53:D8:FE:9B:B7:BC:BD:91:15:60:20:05:70:BA
Signature Algorithm: sha256WithRSAEncryption
62:70:b2:9b:35:5c:cd:df:2e:bb:e0:fb:1c:6c:a8:fa:7c:e7:
...

同理我们也可以把 PEM 转化为 DER

1
2
3
openssl x509 -in mxsci.pem -inform pem -outform der  -out mxsci-from-pem.der
# view generate der file
openssl x509 -in mxsci-from-pem.der -inform der -text -noout

我们会发现 mxsci-from-pem.der 实际上和原来的 mxsci.cer 是一样的。

crt 和 cer 的转化

参考该回答

File extensions for cryptographic certificates aren’t really as standardized as you’d expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they’re different in that sense, at least, that Windows has some inherent different meaning for what happens when you double click each type of file.

But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a file or use one in place of the other in any system or configuration file that I’ve seen. And on non-Windows platforms (and even on Windows), people aren’t particularly careful about which extension they use, and treat them both interchangeably, as there’s no difference between them as long as the contents of the file are correct.

实际上这两个文件是一样的,只是不同的操作系统的传统定义方式和打开方式的动作有所不同,我们同样可以用 openssl 来转化,这里我们可以针对 pemder 两个格式转化。

1
openssl x509 -in mxsci.cer -inform DER -outform DER -out mxsci.crt

同样生成的 mxsci.crtmxsci.cer 也是完全一样的文件。

我们也可以直接转化为 pem 格式的 crt

1
openssl x509 -in mxsci.cer -inform DER -outform PEM -out mxsci.pem.crt

然后我们会发现,这个文件 mxsci.pem.crt 和之前的 mxsci.pem 是一样的。

总之我们需要区分来

  1. PEM 和 DER:编码格式,在 openssl 工具中,需要通过 -inform 指定 (PEM 默认, DER 需要显式的指定)
  2. CRT 和 CER:都是 x509 certificate,基本是相同,理论上改个后缀就行了。

key

该文件一般存放私钥

我们可以通过 keytooljks 中提取出私钥。

这里需要指出,之前我们在使用 keytool 总是会有一个警告,这是告诉我们,jks不是一个标准,而 PKCS12 才是一个标准,keytool 推荐我们将其转化为标准文件,这样可以使用其他工具,比如 openssl 对其进行进一步操作。

1
2
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore mxsci.jks -destkeystore mxsci.jks -deststoretype pkcs12".

这里还需要说明一个问题,就是 jks 支持 storepasswordkeypassword 是两个密码,但是 PKCS12 理论上并不支持,因为这个文件被其他工具使用的时候,只接受一样的密码,所以 keytool 在转化 jskpkcs12 的时候,如果密码不一样,会报错,这一点,我们可以参考该 issue

1
2
3
4
keytool error: java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified.
[[email protected] Certificates]$ keytool -importkeystore -srckeystore mxsci.jks -storepass changeit -destkeystore mxsci.jks -deststoretype pkcs12 -destkeypass changeitkey
Enter source keystore password:
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -destkeypass value.

所以我们需要将密码改成一致,这里改 key 或者 store 的 password 都可以。

修改 jks 的 key 和 keystore 的密码

keystore 密码
1
2
keytool -storepasswd -new newpassword -keystore server.keystore
-storepass changeit
key 密码
1
keytool -keypasswd -alias server -keypass changeit -new newpassword -keystore server.keystore -storepass newpassword
实践
1
2
keytool -storepasswd -new changeit1 -keystore mxsci.jks -storepass changeit
keytool -keypasswd -alias mengxin.science -keypass changeitkey -new changeit1 -keystore mxsci.jks -storepass changeit1

jks 生成 key

这时候,两个密码都改为了 changeit1,下面我们就可以开始将其转化为 pkcs12 进而生成 key

1
2
3
keytool -importkeystore -srckeystore mxsci.jks -storepass changeit1 -destkeystore mxsci.jks -deststoretype pkcs12

keytool -importkeystore -srckeystore mxsci.jks -storepass changeit1 -destkeystore mxsci.p12 -deststoretype pkcs12

通过这两个命令发现,其目标的keystore 可以是任意文件扩展,虽然扩展名一样 (都是 jks),但是实际上内容格式已经不一样,因为如果使用 keytool 查看该 jks 发现,旧的 jks 会有一个警告,但是新的 jks 没有警告,然后我们还可以指定成 p12 格式的文件。

有了 p12,我们就可以使用 openssl 生成 key 了。

1
2
# concert PKCS12 key to unencrypted PEM:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out mydomain.key

生成的 key 是非加密的私钥,并且是 PEM 格式,生成过程需要输入密码。

当然这里我们还可以生成 crt 证书文件

1
openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt

我们会发现这个生成的 crt 也是 PEM 格式的,比之前生成的 crt 多了个头部信息,证书的 base64 字符串是一样的:

1
2
3
4
5
Bag Attributes
friendlyName: mengxin.science
localKeyID: 54 69 6D 65 20 31 35 33 38 37 36 38 35 34 37 34 33 33
subject=/C=UK/ST=Unknown/L=London/O=mengxin/OU=mengxin/CN=Xin Meng
issuer=/C=UK/ST=Unknown/L=London/O=mengxin/OU=mengxin/CN=Xin Meng

https://serverfault.com/a/715856/398427

Nginx 配置 SSL

公私钥的使用场景最典型的就是 SSL (TSL) 安全套接字,其构建了整个网络世界的安全基础。

http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html

http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

https://www.cnblogs.com/chjbbs/p/5748369.html

一般在 Nginx 配置文件中配置 SSL 的时候,需要分别配置 keycertificate

1
2
3
4
5
6
7
8
9
10
11
server {  
listen 80;
listen [::]:80 ssl ipv6only=on;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
server_name example.com;

ssl on;
ssl_certificate /etc/ssl/private/example_com.crt;
ssl_certificate_key /etc/ssl/private/example_com.key;
}

其中 key 需要保密,而 crt 是需要公开出去的。一般情况下,这个 crt 是需要某个权威的 CA 认证的,从而保证这个证书无法被篡改。对于如何使用这对公私钥保证数据传输安全保密,参考该文,概括的讲就是浏览器需要从服务器获取证书也就是公钥,首先验证公钥的有效性,然后使用公钥对数据进行加密再传输到服务器,服务器使用私钥解密获取明文。当然这个过程需要考虑很多细节,比如加密本身资源消耗大,所以采用和对称加密结合的方式,只是用公钥加密对称密钥,然后数据使用对称密钥加密,而服务通过私钥获取对称密钥,然后在解密密文。

刚才我们提到 crt 一般是通过某个 CA 认证,这个认证过程是通过使用 csr 文件向 CA 申请的。

CA 签发证书

首先我们先生成一个 CA 证书。

Subject: C = UK, ST = London, L = London, O = Deepnet Security Ltd, OU = Certificate Authority, CN = Deepnet CA

https://gist.github.com/Soarez/9688998#ca-key-and-self-signed-certificate

1
2
3
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt
openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt

key + crt to pfx

https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

1
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt

https://www.sslshopper.com/article-most-common-openssl-commands.html

NetScaler Certificate

enter description here

对于 NetScaler 的配置,配置面板中给出了一张图,我们可以看到它所需要的 certificate-key pair 文件,所以我们需要自己生成这个问题。

openssl/keytool 总结

实际中,我们最常用的主要是通过命令查看转换证书文件等。下面我们对这些命令进行一下总结:

openssl

该命令有二级子命令,目前我们用到的有: x509,rsa,req,genrsa,pkcs12。下面我们总结一下每个子命令通用的选项:

  1. -in 输入的文件
  2. -inform 主要制定输入的格式 PEM/DER
  3. -out 输出的文件
  4. -outform 主要制定输出的格式 PEM/DER
  5. -text 用于输出内容,和 -noout 组合使用查看
  6. -noout 不输出任何文件

典型应用

  1. openssl x509 -in mxsci.cer -inform der -text -noout
  1. DER 转 PEM:openssl x509 -in mxsci.cer -inform der -outform pem -out mxsci.pem
  2. 查看 PEM:openssl x509 -in mxsci.pem -text -noout
  3. PEM 转 DER:openssl x509 -in mxsci.pem -inform pem -outform der -out mxsci-from-pem.der
  4. 查看 DER:openssl x509 -in mxsci-from-pem.der -inform der -text -noout
  5. 生成 key:openssl genrsa -out ca.key 2048
  6. 生成 self sign 证书:openssl req -new -x509 -key ca.key -out ca.crt
  7. 通过 csr 签发 crt openssl x509 -req -in example.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.org.crt
  8. crt+key 生成 pfx:openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
  9. pfx 生成 key:openssl pkcs12 -in keystore.p12 -nodes -nocerts -out mydomain.key
  10. pfx 生成 crt:openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt

keytool

主要是各个选项的组合使用

  1. -keystore keystore.jks 指定 keystore 文件,一般为 jks 或 p12
  2. -alias mydomain 指定别名
  3. -storepass changeit 指定 store password
  4. -export 输出证书
  5. -file 输出文件名
  6. -storepasswd -new 修改 store password
  7. -keypasswd 修改 key password
  8. -keypass 指定 key password
  9. -importkeystore 用于转换 keystore 格式,import
  10. -destkeystore 用于转换 keystore 格式,destination 文件名
  11. -deststoretype 用于转换 keystore 格式,destination store 类型,比如 pkcs12
  12. -genkey 生成 key pair
  13. -keyalg 生成使用的算法
  14. -keysize 生成 key 的 size
  15. -printcert 打印 certificate
  16. -v it signifies “verbose” mode; more information will be output.
  17. -list Prints (to stdout) the contents of the keystore entry identified by alias. If no alias is specified, the contents of the entire keystore are printed.
  18. -certreq 创建 csr

典型应用

  1. 生成 key: keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
  2. 导出证书: keytool -printcert -v -file mydomain.crt
  3. 查看所有:keytool -list -v -keystore keystore.jks
  4. 查看某一个: keytool -list -v -keystore keystore.jks -alias mydomain
  5. 创建 csr:keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
  6. 都出 cer:keytool -export -alias server-alias -storepass changeit -file server.cer -keystore keystore.jks
  7. 修改 store pass: keytool -storepasswd -new newpassword -keystore server.keystore -storepass
  8. 修改 key pass: keytool -keypasswd -alias mengxin.science -keypass changeitkey -new changeit1 -keystore mxsci.jks -storepass changeit1
  9. 生成 p12: keytool -importkeystore -srckeystore mxsci.jks -storepass changeit1 -destkeystore mxsci.p12 -deststoretype pkcs12