https04_Interaction flow

https://www.cnblogs.com/blogtech/p/16589237.html

https://blog.csdn.net/yx1166/article/details/124299040

1. Verification via self-signing

Self-signing means we act as our own CA (a simulated CA) to issue certificates.

Basic flow

  1. Create a virtual CA and generate its certificate (DME calls this the trust certificate)
  2. Provide an encryption private key, fill in the CSR, and have the virtual CA sign it
  3. The self-built CA issues the identity certificate

1.1 Virtual CA: generating the trust certificate

# Generate the CA's private key ca.key (DES3-encrypted with a passphrase)
openssl genrsa -des3 -out ca.key 2048
# Rewrite the key without the passphrase so the later commands do not prompt for it
openssl rsa -in ca.key -out ca.key
# Use the private key ca.key to generate the CA certificate ca.crt (DME calls it trust.cer),
# i.e. save the public key as a self-signed certificate
openssl req -new -x509 -key ca.key -out trust.cer -days 365

1.2 Generating the CSR

req.conf configuration


[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = Guangdong
L = ShenZhen
O = TenCent Technologies
OU = xxx Department
CN = Wechat
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = xxx.xx.xx.x  


# Generate the server's private key server_key.pem (AES-128-encrypted with a passphrase)
openssl genrsa -out server_key.pem -aes128 4096
# Generate a new certificate request server.csr from the private key server_key.pem and the request config req.conf
openssl req -new -key server_key.pem -out server.csr -config req.conf

1.3 Issuing the identity certificate

v3.ext

[v3_ca]
basicConstraints = critical, CA:FALSE
subjectAltName = @alt_names

[ alt_names ]
IP.1 = xxx.xxx.xx.x

# Sign server.csr with the CA key to issue the identity certificate server.cer; the extensions come from v3.ext
openssl x509 -req -in server.csr -CA trust.cer -CAkey ca.key -CAcreateserial -out server.cer -days 3650 -extensions v3_ca -extfile v3.ext
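Added example, not from the original post: the three steps above run end to end as one shell function (keys generated without a passphrase so it runs unattended, and the constructed SAN address 192.0.2.10 in place of the xxx placeholders), followed by the checks a relying party performs on the issued server.cer.

```shell
# Run the post's three steps non-interactively inside directory $1, then check
# the result the way a relying party would. Prints OK on success. The body is a
# subshell, so "exit 1" aborts only this function and it does not rely on set -e.
build_and_verify() (
    cd "$1" || exit 1
    # 1.1 virtual CA: key without passphrase, self-signed trust certificate
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -key ca.key -out trust.cer -days 365 \
        -subj "/C=CN/O=Example Virtual CA/CN=Example Root" 2>/dev/null || exit 1
    # 1.2 server key and CSR driven by a req.conf like the one in the post
    printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' \
        'prompt = no' '[dn]' 'C = CN' 'O = Example Org' 'CN = example-server' \
        '[v3_req]' 'keyUsage = keyEncipherment, dataEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectAltName = @alt_names' \
        '[alt_names]' 'IP.1 = 192.0.2.10' > req.conf
    openssl genrsa -out server_key.pem 2048 2>/dev/null || exit 1
    openssl req -new -key server_key.pem -out server.csr -config req.conf || exit 1
    # 1.3 the CA issues the leaf; "openssl x509 -req" takes the extensions from
    # v3.ext and ignores the v3_req section embedded in the CSR
    printf '%s\n' '[v3_ca]' 'basicConstraints = critical, CA:FALSE' \
        'subjectAltName = @alt_names' '[alt_names]' 'IP.1 = 192.0.2.10' > v3.ext
    openssl x509 -req -in server.csr -CA trust.cer -CAkey ca.key -CAcreateserial \
        -out server.cer -days 3650 -extensions v3_ca -extfile v3.ext 2>/dev/null || exit 1
    # Relying-party checks: the chain validates against trust.cer, the SAN carries
    # the expected IP, and the leaf is not itself a CA
    openssl verify -CAfile trust.cer server.cer >/dev/null || exit 1
    openssl x509 -in server.cer -noout -text > leaf.txt || exit 1
    grep -q 'IP Address:192.0.2.10' leaf.txt || exit 1
    grep -q 'CA:FALSE' leaf.txt || exit 1
    echo OK
)
```

Note that the post issues the leaf for 3650 days while trust.cer is valid for 365: once the CA certificate expires, "openssl verify" rejects the leaf as well, so the CA lifetime should cover the leaf's.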


posted @ 2024-09-19 14:30 卡卡西殿