HTTPS proxy server (2): how browsers verify certificates
https://www.cnblogs.com/iiiiher/p/8085698.html
Certificate generation tools
- 1. openssl
- 2. keytool, bundled with the JDK
- 3. cfssl
Meaning of the fields in a certificate
- Viewing the contents of a certificate
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
openssl x509 -noout -text -in kubernetes.pem
cfssl-certinfo -cert kubernetes.pem
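Meaning of the fields in a digital certificate's Subject
- The Subject of a typical digital certificate product usually contains the following fields:
Field name | Field value |
---|---|
Common Name | Abbreviated CN. For an SSL certificate this is usually the website's domain name; for a code-signing certificate, the name of the applying organization; for a client certificate, the applicant's name. |
Organization Name | Abbreviated O. For an SSL certificate this is usually the website's domain name; for a code-signing certificate, the name of the applying organization; for a client organization certificate, the name of the organization the applicant belongs to. |
- Location of the applying organization
Field name | Field value |
---|---|
Locality (city) | Abbreviated L |
State/Province | Abbreviated S |
Country | Abbreviated C; must be the country letter code, e.g. CN for China |
- Some other fields
Field name | Field value |
---|---|
Email | Abbreviated E |
Multiple name fields | Abbreviated G |
Description | Description field |
Phone number | Phone field; required format is + country code, area code, phone number, e.g. +86 732 88888888 |
Address | STREET field |
Postal code | PostalCode field |
Other displayed content | Abbreviated OU |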
How browsers verify certificates
When a browser connects to your server over HTTPS, it checks that your SSL certificate matches the host name in the address bar.
There are three ways a browser can find a match:
- 1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
- 2. The host name matches a wildcard Common Name. For example, www.example.com matches the common name *.example.com.
- 3. The host name is listed in the Subject Alternative Name (SAN) field.
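The client uses the information returned by the server to verify that the server is legitimate, including:
- Whether the certificate has expired
- Whether the CA that issued the server certificate is trusted
- Whether the returned public key can correctly verify the digital signature in the returned certificate
- Whether the domain name on the server certificate matches the server's actual domain name -- check the CN or SAN, see above
If verification passes, communication continues; otherwise it is terminated.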
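The three matching rules above, as an added Python example (not code from the original post or from any browser). It checks a host name against names already extracted from a certificate, treats SAN as authoritative whenever it is present, and falls back to CN only when the caller opts in. The function names, the `allow_cn_fallback` parameter and the sample inputs are assumptions made for illustration.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, host):
    """Match one certificate name (exact or wildcard) against a host name."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # "*" never spans a dot; empty labels are invalid
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and never over a
        # bare two-label suffix such as "*.com".
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def host_matches_cert(host, common_name, san_dns, allow_cn_fallback=False):
    """Return (matched, source). SAN entries are authoritative when present."""
    sans = [s for s in san_dns if s]  # drop empty "DNS:" entries
    for name in sans:
        if dns_name_matches(name, host):
            return True, "SAN"
    # CN is consulted only when the certificate has no SAN and the caller opts in.
    if not sans and allow_cn_fallback and common_name:
        if dns_name_matches(common_name, host):
            return True, "CN"
    return False, None

# Constructed inputs modelled on the two certificates shown on this page.
CN_ONLY = {"common_name": "www.maotai.com", "san_dns": []}
K8S = {"common_name": "kubernetes",
       "san_dns": ["", "", "kubernetes", "kubernetes.default",
                   "kubernetes.default.svc"]}

if __name__ == "__main__":
    for host, cert, fallback in [
        ("www.maotai.com", CN_ONLY, True),    # legacy client: CN match
        ("www.maotai.com", CN_ONLY, False),   # SAN-only client: rejected
        ("kubernetes.default", K8S, False),   # listed in SAN
        ("www.maotai.com", K8S, True),        # SAN present, CN not consulted
    ]:
        print(host, host_matches_cert(host, allow_cn_fallback=fallback, **cert))
```

A certificate generated with only a Common Name, like the `openssl req` example on this page, is rejected by the SAN-only path here.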
How HTTPS certificates are generated, and deployment details
Generate a key and certificate with RSA in a single command:
openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout java-demo.key -out java-demo.crt
Fields to fill in: country, province, city, company, department, name
[root@test52 registry]# openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout docker-registry.key -out docker-registry.crt
Generating a 2048 bit RSA private key
............................................+++
.....................................................................................................................................................................................+++
writing new private key to 'docker-registry.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Locality Name (eg, city) [Default City]:guangdong
Organization Name (eg, company) [Default Company Ltd]:pp100
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.maotai.com
Email Address []:ihorse@foxmail.com
Viewing the certificate format
Mainly pay attention to:
- In Subject: CN (Common Name)
- In X509v3 extensions: Subject Alternative Name (SAN)
In my own testing with Safari and Chrome, both validate against the SAN.
- X509v3 extensions
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
62:EA:5A:DC:13:C4:5F:D5:EC:DB:13:77:DA:E1:90:1F:C9:4B:10:14
X509v3 Authority Key Identifier:
keyid:6E:45:FB:5F:1F:73:87:3E:C3:0C:54:AB:74:95:2A:FB:44:E0:9B:D8
X509v3 Subject Alternative Name:
DNS:, DNS:, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster,
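When you generate a certificate signing request (CSR) with xca (a CA certificate generator for Windows), similar fields appear, so it is worth understanding what the X509v3 extensions mean.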
[root@n3 keys]# openssl x509 -noout -text -in kubernetes.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2a:b2:26:a4:7d:9f:b1:21:d8:3a:c0:dc:a7:71:73:3e:66:13:d0:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Validity
Not Before: Dec 23 10:27:00 2017 GMT
Not After : Dec 23 10:27:00 2018 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus: