How to generate cowboy SSL certificates?
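In cowboy's ssl directory I see 3 files: cowboy-ca.crt, server.crt and server.key.
Probably somewhere in the directory they have cowboy-ca.key, which is not needed.
I can guess that cowboy-ca.crt is the public key of some default CA, which was used to sign server.crt using the csr file of the server key pair, and when a client connects to cowboy, it downloads and installs the server.crt file to establish a secure connection with the server. Am I right?
The question is how to generate all these files using openssl and my own CA?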
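There are tutorials on this around the web, but I happen to have notes from when I did it. They cover a lot more than you need, but they will show you the basics of creating your own CA and certificates signed by it. My notes, pasted below, create a CA, create an intermediate CA signed by that CA, and finally create a certificate that can be used on a server. You obviously don't need the intermediate CA, so you should skip the intermediate bit and sign the final/end certificate with the root CA instead of the intermediate CA; e.g. when creating end.crt, instead of signing with ../inter_ca/inter.key, use ../root_ca/rootca.key, etc.
I am assuming that you are asking the right question here, and that self-signed certificates really are what you want.
After the certificates and keys are created, there is also a guide to configuring Apache, and instructions on how to verify that it is working using the OpenSSL tools (on any SSL TCP connection, so it applies to cowboy or anything else). This will show you the chain of trust, but your chain will be depth 1 rather than depth 2, because you will be omitting the intermediate CA.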
Create some directories to work in:
mkdir inter_ca_demo
cd inter_ca_demo
mkdir root_ca inter_ca end_cert
cd root_ca
Create the key:
openssl genrsa -out rootca.key 2048
The output will be something like:
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.............................+++
e is 65537 (0x10001)
Self-sign it to create your root CA certificate (you will have to enter various information that will be encoded into the certificate):
openssl req -x509 -new -nodes -key rootca.key -days 1024 -out rootca.pem
It should look like this (here you can see what I entered):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Method Analysis Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:methodanalysis.com
Email Address []:ca_admin@methodanalysis.com
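Before continuing with the intermediate certificate, you must rename, copy or create a link to the root certificate so that it can be found via a hash algorithm. This is to ensure that performance does not degrade if you have many trusted certificates in your CA path. To do this, you must find out what the hash is with the following command: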
openssl x509 -noout -hash -in rootca.pem
The output should be something like:
03ed4e37
Then create the link, appending .0 to YOUR HASH (as output by the previous command):
ln -s rootca.pem 03ed4e37.0
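Now create the intermediate CA key and CSR (Certificate Signing Request) (you will have to enter various information that will be encoded into the certificate):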
cd ../inter_ca
openssl genrsa -out inter.key 2048
openssl req -new -key inter.key -out inter.csr
It should look like this:
$ openssl genrsa -out inter.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
..............................................................+++
e is 65537 (0x10001)
$ openssl req -new -key inter.key -out inter.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intermediate certificates R US Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecasrus.com
Email Address []:ca_admin@intermediatecasrus.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
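Now create a file (v3x509extensions.txt) containing data that indicates this should be an intermediate CA, then generate the intermediate certificate, signing it with your root CA: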
echo 'basicConstraints=CA:TRUE' > v3x509extensions.txt
openssl x509 -req -extfile v3x509extensions.txt -in inter.csr -CA ../root_ca/rootca.pem -CAkey ../root_ca/rootca.key -CAcreateserial -out inter.crt -days 200
It should look like this:
Signature ok
subject=/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
Getting CA Private Key
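Now create your final key (the one you would use for an SSL website, for example), create a CSR from it, and sign it with your intermediate certificate, generating a new certificate: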
cd ../end_cert
openssl genrsa -out end.key 2048
openssl req -new -key end.key -out end.csr
openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500
It should look like this:
$ openssl genrsa -out end.key 2048
Generating RSA private key, 2048 bit long modulus
................................................+++
.....................................................+++
e is 65537 (0x10001)
$ openssl req -new -key end.key -out end.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:End User Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:intermediatecademo-enduser.com
Email Address []:support@intermediatecademo-enduser.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl x509 -req -in end.csr -CA ../inter_ca/inter.crt -CAkey ../inter_ca/inter.key -CAcreateserial -out end.crt -days 500
Signature ok
subject=/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/emailAddress=support@intermediatecademo-enduser.com
Getting CA Private Key
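At this point you can check that things are OK by verifying the chain of trust. Here I concatenate the intermediate certificate and the 'end' certificate, then verify them using only the root CA path (remember that the 'end' certificate cannot be verified without the intermediate CA, so it has to be given along with the 'end' certificate):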
cat ../inter_ca/inter.crt end.crt | openssl verify -CApath ../root_ca
The output should be:
stdin: OK
If you were using these keys with apache, for example, you could configure them like this:
SSLCertificateFile FULL_PATH_TO/inter_ca_demo/end_cert/end.crt
SSLCertificateKeyFile FULL_PATH_TO/inter_ca_demo/end_cert/end.key
SSLCertificateChainFile FULL_PATH_TO/inter_ca_demo/inter_ca/inter.crt
SSLCACertificatePath FULL_PATH_TO/inter_ca_demo/root_ca
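Apache will now supply the intermediate certificate along with its own certificate, which allows web clients to perform the same kind of verification as above (among other checks) using 'openssl verify'.
If you do use these certificates with apache, and you create a website with the name 'intermediatecademo-enduser.com', in line with the 'end' certificate you created, you can also use openssl to verify from the client's perspective: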
openssl s_client -connect intermediatecademo-enduser.com:443 -CApath root_ca -verify 5
The output should be something like:
verify depth is 5
CONNECTED(00000004)
depth=2 C = GB, ST = London, L = London, O = Method Analysis Ltd, CN = methodanalysis.com, emailAddress = ca_admin@methodanalysis.com
verify return:1
depth=1 C = GB, ST = London, L = London, O = Intermediate certificates R US Ltd, CN = intermediatecasrus.com, emailAddress = ca_admin@intermediatecasrus.com
verify return:1
depth=0 C = GB, ST = London, L = London, O = End User Ltd, CN = intermediatecademo-enduser.com, emailAddress = support@intermediatecademo-enduser.com
verify return:1
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=End User Ltd/CN=intermediatecademo-enduser.com/emailAddress=support@intermediatecademo-enduser.com
i:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
1 s:/C=GB/ST=London/L=London/O=Intermediate certificates R US Ltd/CN=intermediatecasrus.com/emailAddress=ca_admin@intermediatecasrus.com
i:/C=GB/ST=London/L=London/O=Method Analysis Ltd/CN=methodanalysis.com/emailAddress=ca_admin@methodanalysis.com
---
Server certificate
...
...
...
Start Time: 1445696823
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
It will now hang, waiting for data to be sent. You can just press CTRL+C to exit.
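The answer's advice to skip the intermediate and sign the end certificate with the root CA key, written out as an added example that is not part of the original answer. It produces the three file names from the question plus the CA key; the function name, subject names, host name "localhost" and server.ext are assumptions made for illustration, and the subjectAltName extension goes beyond the answer's steps because current TLS clients match the host name against it.

```shell
#!/bin/sh
# Added example: root CA -> server certificate, no intermediate (chain depth 1).
# Subject names and the default host name are constructed values.
make_cowboy_certs() {
    out=$1
    host=${2:-localhost}
    mkdir -p "$out" || return 1
    (
        cd "$out" || exit 1
        umask 077   # keep the private keys unreadable to other users

        # 1. Root CA key and self-signed CA certificate.
        openssl genrsa -out cowboy-ca.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -key cowboy-ca.key -sha256 -days 1024 \
            -subj "/O=Example Test CA/CN=example-test-ca" \
            -out cowboy-ca.crt || exit 1

        # 2. Server key and CSR; -subj replaces the interactive DN prompts.
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -subj "/CN=$host" \
            -out server.csr || exit 1

        # 3. Leaf extensions: explicitly not a CA, plus the host name as SAN.
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
            > server.ext

        # 4. Sign the CSR with the root CA key instead of an intermediate key.
        openssl x509 -req -in server.csr -CA cowboy-ca.crt -CAkey cowboy-ca.key \
            -CAcreateserial -extfile server.ext -sha256 -days 500 \
            -out server.crt 2>/dev/null || exit 1

        # 5. Check the chain against the CA certificate only.
        openssl verify -CAfile cowboy-ca.crt server.crt >/dev/null || exit 1
    )
}
```

Only cowboy-ca.crt, server.crt and server.key need to be deployed with the server; cowboy-ca.key is needed again only to sign further certificates and should be stored away from it.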
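What you said about the certificate relationships is basically right; there is a server certificate and private key, and a CA certificate.
Since they are for testing purposes only, I think the author of cowboy did not bother to include the CA private key he used to generate the server certificate.
As far as SSL certificates go, there is nothing special about cowboy. Assuming you are looking at the ssl_hello_world example, you can see the certificates being used in ssl_hello_world_app.erl.
From there, those SSL options are passed to the Erlang SSL application, documented here.
The documentation states (though not very obviously) that these are standard PEM-encoded certificate and key files. You can generate them with OpenSSL, for example.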