HTTPS 加密体系

发表于 更新于 分类于 Disqus:

首先公钥念“gongyue”,而不是公钥,拼音打字打多了就发现得这么读。

HTTPS 是基于 SSL/TLS 的安全 HTTP 协议,其实 HTTPS 主要还是看安全套接字层,在这之上还是一个 HTTP 协议,这里主要总结一下我们现在主流用到的加密体系,比如我们经常看到的 .pem.crt.key.csr 还有 CA 啊之类的是啥东西,并且这些东西都如何工作和应用的。

在密码学里面,有几个角色,类似于中国的甲乙丙丁,一个是 Alice 和 Bob,这是正常通信的两个人,还有一个是 Eve,是信道上具备窃听能力的人,另外一个是 Mallory,这个人可以妨碍网络流量,主动攻击。

对称加密

其实最简单的加密算法就是对称加密

Alice 和 Bob 有一个共有的密码,也就是只有两个人拥有,相互传输的密文只能通过这个密钥解开。

首先加密需要基于密钥,凯撒密码可不可以,可以是可以,但是被人知道算法以后,就可以被所有人破解,并且优秀的加密算法应该被人验证,如果不是公开的算法就没有办法验证,当然一些保守的加密方法会不公开,这样其实也很难解密,但是互联网的加密协议很显然是用在千家万户的,所以一定要是经得起推敲的加密算法。

分组密码

分组密码的作用是,一般会用 128 位一个分组,这样加密的好处是即使一个小的变化也会导致输出大量的变化,这样攻击者很难通过出现频率分析加密方式(比如 HTTP 开头都是一样的,所以使用顺序加密,很容易用 HTTP 的通用开头做输入得出加密方法)。但是分组密码的小影响会导致大改变的特性导致攻击者没办法这么做。

(如果攻击者把有的流量都记录下来,等有一天通过方法获得密钥就能解开这些数据了,可能是未来算力提高,或者通过法律手段,斯诺登的加密信箱就是 FBI 让加密邮箱公司强制提供的)

哈希函数

哈希函数其实很熟悉了,解释一下 MAC。

MAC

MAC 是 message authetication code,是密钥的哈希函数,因为普通哈希函数,如果 Mallory 可以直接用假的数据用哈希算出结果发给 Bob,缺少身份验证,MAC 就是带密钥的哈希函数,HMAC 其实就是把密钥和消息组合在一起的协议。

非对称加密

非对称加密又叫做公钥加密,对称加密固然好,但是对称密钥在团体中使用的话,大家都要共享,密钥给来给去的很容易出问题。对称加密就没有这个问题,可以方便传播,对称密钥分私钥和公钥,一个用于加密一个用于解密,私钥加密的数据只能用公钥解密。公钥的出现使得密钥可以大范围传播。

数字签名

数字签名主要验证消息的真实性,对消息进行验证。主要是对消息进行哈希,然后用私钥加密,追加到文档中做身份验证,这样用公钥解的开的话就能证明消息的发送者。

TLS 的具体协议

PKI 公钥基础设施

PKI 主要是用来保证公钥的可信,通过中间的权威机构(CA)签发的公钥也就是证书才能被认可是合法的证书。

证书

证书包含了版本、序列号、签名算法、颁发者、有效期、使用者、公钥。证书也有证书链,比如 root CA 可以签发 中间 CA 的证书。根证书一般是跟着操作系统一起造就装好了的,大公司的操作系统和浏览器都有自己的根证书库,自带就在电脑上。

应用

RSA 是目前最广泛应用的密钥算法,破解 1024 位的 RSA 密钥的成本大约是 1000 万人民币,现在一般用 2048 位的 RSA,基本无解。

其实公钥体系已经很完全了,但是大部分出问题都情况是私钥泄漏,管理自己的私钥非常重要。

1. 不要用 CA 生成的私钥,尽量自己生成。
2. 不要用刚开机的机器生成随机数,这台机器获得的外界熵不够多。
3. 定期更换私钥
4. 不要随意传播私钥
5. 安全存储私钥,这个主要是中间 CA 可能要用,普通服务直接换私钥就可以。

下面就用 OpenSSL 进行一些实验。

首先我们生成一个 RSA 密钥,前面提到了最好用 2048 位的,用 AES-128 算法来加密保存,会让你输入密码,这个密钥基于这个密码保存,这个文件的格式叫 PEM 所以如果看到 PEM 格式的文件就知道是私钥了。

1
2
3
4
5
6
7
$openssl genrsa -aes128 -out test.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for test.key:
Verifying - Enter pass phrase for test.key:

可以看这个文件,看起来一通乱七八糟的东西,但是根据开头的信息,我们有办法用密码把私钥解析出来。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$cat test.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,52551A2438582E22358335433B7BAEE0

GiVITGQMbkGxzBYestzFNX4KMUgP84A2p49mOBozQWkAol+zU5llumFXrj/bzATq
OiH01+UN7sqKXD+lNwXsvL2bhhWFGe4h80CbCaVhPYnAtNtxU4HNTbAnCFZPmTHg
wC5JCHlJvt6TGIOeOeyTj9qnCeIKd1XJGYypG8syzzaKuNbSwlKN8DrUKGJP/w/8
gCPKT2AA2l53ysxBI6i2jHAxQSs1Y+K1jFrZjgObT3QDN4eqT1Io/waSDAiB8tkl
rW35ZYO0Toe3iJgTOp325v5dvC6mCOvL0QAQWDz7y239l8fAdyDJUO2tSzjXfIii
FM12NaHfw5m+GcT6brqlwbAOL6BSMX8Q+Dj/fdeDoPOF+pKnG4AGW3LPEY6LJgq0
pkExHJ5cl/nEL2Q2H3yekvPjW40XDZfjyQSivwEJGhsmAq3+tfis/7h5f5Rg/2yh
Vb8kkPQTu0SofS1VFkSQN6iJe5A3imjMkacKDoKtafORR1lWu0noaOqr757orcgI
hK847ijdFdwjstycrGBdN1INr0Yx/FnyaPYNR2XZhWD4uQwZ1tMVge5duw8jgHrH
ZwCeBAgfpSynbMy/1GTru1sO2T6qpZj9pfao59jVcN1fka+YKI5oEdxFFc97wcgk
XVX9lVrcPrI0bMyuhje5Vi04HbOxpd4GmtnNPKTwtmMbDsSVVIX+hlFltSBl+0in
PsKlUeBGjAmUapT3x1v7OP5K7K8YvszHMehbctDS2E9bZstCwhnsMog3b+Jxhw40
gXsOc6Vb3kJljkPXu6k7qGGkqzVqUuUMSaWlE87s5Cm4ZyS8c5IPQvmQk4S/1AJP
v5sD3TObRlJAIw0MEItPY4daQBMyIXPr+UXUAKfMoFK8bXG9aNpACKm/pQ1pVMj1
eE0+lzQ1UZUVM0GotBZGce+TtbrU/I/dbhGLA2KKyoohsCSH2yV+wGIMrmmbUiqH
a46FYwJLtFdDZ9m3ZVj1KCMza9/B2ylIetCX98C3/fVd81L3rxpSmbpWvzWYhw+Y
205t8p26WUloAQrkP+kqw0HDsiDeEU2QilvNwtA5qlfd8666rJEJpBg50jM8Sb0R
JYsG8Mc2a9CNpXt5pVi2kHdoRRkiSeGDh9xTnOlvnCc77p4MMlvcC3bqHwGe85ON
0q5xVJMyLwzAXR82X0FunRiiDNBO3Pg6k+UBALmLNrgieet57Jdva90OnkEA0Ihg
sYHHnfsMMJ6EnW4mNov8tdVi7mExK8K+RRe1vu+zAqzx/UuKkjekW0NdzQjHv4Hs
mX/9XzVE2cLG9GLWVojyTS5XUg16NBn7qM3HRQmQoAgXHlfCJUx33xMjTL3glbNH
65jpvG1S7l6U45BGMI3d2eQ0XfiSUHOHh/zHOIGRl7JcHyoK082IzivPbHkrlolv
o1E+4sgpFc09rQYgcW2cb6Nr3H3aYOlC86iPn4Ecxj8M/wznH/JNjjfoKKhmFWcU
EtmrreXjR8QlUCXCHZCA3DOi/MujcPU0qGZkaz+Ttii4NACZoHpedL+XQ9EcXci7
xkFO4NxsezDunpvXNHgkzES+as5lNxSa4wC4tUbC9h4zhgbeiOGBSTL8Aq0MxwX3
-----END RSA PRIVATE KEY-----

解析私钥

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
$openssl rsa -text -in test.key
Enter pass phrase for test.key:
Private-Key: (2048 bit)
modulus:
    00:a0:18:a6:70:ce:65:64:ea:f1:43:30:35:ff:cf:
    b4:5a:8e:20:52:04:84:bf:bf:3a:b4:a7:65:94:a5:
    df:b5:14:09:61:ba:79:8a:43:d1:fe:cc:d9:96:d3:
    81:5b:82:d7:63:e1:e9:6f:30:5e:b0:3f:fe:65:c4:
    e1:d5:b2:e3:ce:ba:fc:7b:5e:b2:83:f0:9f:3f:c2:
    15:39:b4:fa:e7:3c:ff:42:96:e7:a6:7a:29:e1:ba:
    0b:c7:99:aa:ac:07:2a:2b:74:b3:f8:10:8d:0f:91:
    44:a4:fa:48:c1:aa:88:0e:86:ff:c1:da:59:c8:dd:
    32:d5:5b:15:f4:80:3e:2f:d7:d3:92:09:63:54:d0:
    01:46:78:cd:5c:5d:f1:1c:ad:a7:ab:84:5c:86:e1:
    25:69:6d:6c:6c:df:90:5f:af:ca:6f:43:17:50:05:
    b0:77:3d:92:e9:e7:4c:66:c3:58:08:96:60:7a:16:
    02:d3:6f:56:cb:df:41:69:eb:83:f3:28:b7:82:0a:
    c2:c6:b4:a3:6e:f1:2d:7f:ec:ea:87:7b:94:4b:8b:
    b8:e1:72:0d:00:c1:8d:9f:cc:03:32:de:74:6e:26:
    29:0b:4f:f4:41:93:1c:9c:ae:22:41:81:71:b6:9c:
    8c:17:15:63:d5:86:ce:74:b2:99:fb:7f:ff:37:c8:
    03:7b
publicExponent: 65537 (0x10001)
privateExponent:
    1a:ae:40:fe:c7:c6:ea:1c:a5:7c:97:0a:48:c9:aa:
    ba:f4:b8:ba:32:7a:95:22:1f:7c:7f:f1:53:e6:98:
    f3:aa:95:2d:ae:50:17:14:da:68:66:67:54:d5:86:
    d7:63:64:d6:06:8e:4a:b3:7a:f4:50:95:eb:0b:f6:
    bf:10:83:1a:ae:da:e9:0c:8d:1f:a3:f8:46:3d:e8:
    1f:a7:e3:b0:a9:df:b8:8f:41:a7:e2:f0:1b:e8:4f:
    92:42:2f:c9:5f:a0:4d:81:b3:84:81:ed:a0:4c:8b:
    6e:1b:30:08:e6:8c:aa:2f:21:6c:83:21:37:72:75:
    c8:4c:d7:c9:d9:9d:83:87:67:05:4d:6d:28:72:71:
    63:3b:b6:82:f8:42:0f:94:af:f2:b1:d8:c5:d3:3f:
    50:bf:13:61:b2:0b:de:6b:34:42:cd:29:27:04:c9:
    ff:49:14:75:d0:d5:e5:5c:4b:29:a1:95:c3:c5:e5:
    34:46:9e:81:d4:9d:c3:c4:06:c9:96:90:39:90:fb:
    db:06:77:fa:46:73:38:60:0e:e3:40:7b:d0:5d:a0:
    97:0d:6e:0b:39:d6:99:63:a6:ee:67:b7:94:35:e2:
    63:cf:02:a1:eb:0a:f0:50:99:6f:30:ae:6b:ef:1e:
    14:a0:1a:f4:8e:ed:cd:81:bf:3d:2b:9d:b5:9e:b8:
    21
prime1:
    00:cc:ff:e2:f4:39:5d:33:de:96:15:e6:7c:d2:e6:
    a3:56:a9:6a:09:0c:e9:26:94:36:41:92:b9:db:c9:
    09:20:28:9d:bc:c6:76:60:88:93:97:81:16:86:da:
    4d:65:0e:87:ec:ef:15:6d:c9:06:f7:99:12:eb:4a:
    a6:7e:49:9d:1a:68:ca:35:57:5c:4b:2f:32:2e:e4:
    76:87:a5:02:94:27:1a:1f:38:28:58:77:68:2d:5d:
    fa:c2:fd:c4:09:80:e4:eb:14:84:cc:73:06:96:4b:
    08:8e:da:1c:55:38:8d:8c:7f:19:01:fa:54:b3:62:
    d4:cb:4c:df:01:e0:02:d8:c3
prime2:
    00:c7:ec:f1:2b:83:26:d1:35:e3:55:00:3e:a9:7d:
    2e:f0:68:4d:27:77:3f:d5:1c:99:ef:a0:98:3c:fd:
    fd:d7:8f:51:f5:82:e7:8f:37:34:a7:1a:1f:c4:83:
    44:ab:11:62:54:7a:5e:5c:a4:7f:d6:dd:f8:45:3c:
    b6:bc:1e:b5:56:df:60:65:66:aa:43:82:f5:7a:7c:
    72:3b:3d:fe:33:d4:27:b2:c5:9a:07:36:b4:ca:bc:
    1d:a7:7a:5f:9c:1a:75:2b:2c:57:97:5a:b8:a9:de:
    0e:8a:8c:84:ff:51:e9:12:e9:d4:8b:bf:de:5f:98:
    52:9c:08:55:42:e1:70:be:e9
exponent1:
    15:76:dd:7e:90:db:0f:69:48:f1:b6:16:6f:c6:b2:
    67:8a:89:8d:b5:0a:5c:7d:bc:48:95:62:5c:7e:ea:
    33:b1:cd:02:4d:0d:6c:02:20:e2:06:24:23:ae:8b:
    d7:fe:f3:80:7d:70:12:f4:af:84:11:45:07:d9:e3:
    20:e9:f8:47:21:9d:ba:84:11:27:d6:23:3d:01:b2:
    df:75:09:96:15:9a:08:96:ca:b2:a8:9e:01:d2:0b:
    45:8b:68:91:4e:2b:a9:e9:96:16:0a:1d:30:73:5e:
    cc:06:4e:5d:25:f4:bc:37:3a:99:18:6a:f1:f5:71:
    2e:70:38:11:6c:31:20:1d
exponent2:
    00:a6:f0:8f:21:4a:4e:6b:7b:97:ec:2e:5c:24:a2:
    c7:43:2f:94:dd:53:92:15:9d:e0:5c:5b:b9:43:94:
    c3:15:f0:32:fb:d2:e7:10:8b:84:87:d4:24:9a:af:
    11:f3:d6:7c:49:16:35:1d:1e:af:30:f8:00:8b:af:
    fa:d6:72:bd:f1:60:6c:d9:bf:34:85:53:21:2f:ba:
    22:98:9d:57:5a:67:d9:0e:4a:3a:27:b3:e2:9b:37:
    21:7b:eb:8f:52:86:35:38:6b:ba:68:43:f4:d6:c2:
    f9:59:6f:a4:ce:9d:d3:05:5c:03:82:fe:1f:ed:aa:
    ff:b0:12:b5:3f:37:88:31:a1
coefficient:
    09:97:9e:dc:20:fe:c5:e2:34:47:d8:64:de:bb:ad:
    70:65:4d:08:49:c8:cf:28:40:f6:87:43:09:c9:63:
    bc:d8:cd:11:53:78:ba:ad:1a:f0:8b:e7:fa:1c:5f:
    c9:9d:5f:ae:e1:2a:7f:87:7a:7f:1a:e3:c8:b5:8d:
    eb:b2:af:18:c6:1e:07:43:f0:e7:be:4e:bc:c6:1b:
    77:b8:43:36:58:3a:b5:8a:2c:f7:76:37:c7:97:4c:
    8c:fd:47:71:09:f8:76:fe:8d:0f:e1:3a:30:56:5c:
    2b:70:60:9d:fa:53:74:8a:db:b9:04:78:ce:1c:1d:
    28:ca:78:81:53:07:de:5e
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoBimcM5lZOrxQzA1/8+0Wo4gUgSEv786tKdllKXftRQJYbp5
ikPR/szZltOBW4LXY+HpbzBesD/+ZcTh1bLjzrr8e16yg/CfP8IVObT65zz/Qpbn
pnop4boLx5mqrAcqK3Sz+BCND5FEpPpIwaqIDob/wdpZyN0y1VsV9IA+L9fTkglj
VNABRnjNXF3xHK2nq4RchuElaW1sbN+QX6/Kb0MXUAWwdz2S6edMZsNYCJZgehYC
029Wy99BaeuD8yi3ggrCxrSjbvEtf+zqh3uUS4u44XINAMGNn8wDMt50biYpC0/0
QZMcnK4iQYFxtpyMFxVj1YbOdLKZ+3//N8gDewIDAQABAoIBABquQP7HxuocpXyX
CkjJqrr0uLoyepUiH3x/8VPmmPOqlS2uUBcU2mhmZ1TVhtdjZNYGjkqzevRQlesL
9r8Qgxqu2ukMjR+j+EY96B+n47Cp37iPQafi8BvoT5JCL8lfoE2Bs4SB7aBMi24b
MAjmjKovIWyDITdydchM18nZnYOHZwVNbShycWM7toL4Qg+Ur/Kx2MXTP1C/E2Gy
C95rNELNKScEyf9JFHXQ1eVcSymhlcPF5TRGnoHUncPEBsmWkDmQ+9sGd/pGczhg
DuNAe9BdoJcNbgs51pljpu5nt5Q14mPPAqHrCvBQmW8wrmvvHhSgGvSO7c2Bvz0r
nbWeuCECgYEAzP/i9DldM96WFeZ80uajVqlqCQzpJpQ2QZK528kJICidvMZ2YIiT
l4EWhtpNZQ6H7O8VbckG95kS60qmfkmdGmjKNVdcSy8yLuR2h6UClCcaHzgoWHdo
LV36wv3ECYDk6xSEzHMGlksIjtocVTiNjH8ZAfpUs2LUy0zfAeAC2MMCgYEAx+zx
K4Mm0TXjVQA+qX0u8GhNJ3c/1RyZ76CYPP39149R9YLnjzc0pxofxINEqxFiVHpe
XKR/1t34RTy2vB61Vt9gZWaqQ4L1enxyOz3+M9QnssWaBza0yrwdp3pfnBp1KyxX
l1q4qd4OioyE/1HpEunUi7/eX5hSnAhVQuFwvukCgYAVdt1+kNsPaUjxthZvxrJn
iomNtQpcfbxIlWJcfuozsc0CTQ1sAiDiBiQjrovX/vOAfXAS9K+EEUUH2eMg6fhH
IZ26hBEn1iM9AbLfdQmWFZoIlsqyqJ4B0gtFi2iRTiup6ZYWCh0wc17MBk5dJfS8
NzqZGGrx9XEucDgRbDEgHQKBgQCm8I8hSk5re5fsLlwkosdDL5TdU5IVneBcW7lD
lMMV8DL70ucQi4SH1CSarxHz1nxJFjUdHq8w+ACLr/rWcr3xYGzZvzSFUyEvuiKY
nVdaZ9kOSjons+KbNyF7649ShjU4a7poQ/TWwvlZb6TOndMFXAOC/h/tqv+wErU/
N4gxoQKBgAmXntwg/sXiNEfYZN67rXBlTQhJyM8oQPaHQwnJY7zYzRFTeLqtGvCL
5/ocX8mdX67hKn+Hen8a48i1jeuyrxjGHgdD8Oe+TrzGG3e4QzZYOrWKLPd2N8eX
TIz9R3EJ+Hb+jQ/hOjBWXCtwYJ36U3SK27kEeM4cHSjKeIFTB95e
-----END RSA PRIVATE KEY-----

这个私钥是我自己生成的,没用来干什么,所以直接展示了,但是生产环境的私钥要妥善保管,现在我们生成共钥,输入密码,读取密钥,然后 -pubout 表示生成公钥。

1
2
3
4
5
6
7
8
9
10
11
12
13
$openssl rsa -in test.key -pubout -out test-public.key
Enter pass phrase for test.key:
writing RSA key
$cat test-public.key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoBimcM5lZOrxQzA1/8+0
Wo4gUgSEv786tKdllKXftRQJYbp5ikPR/szZltOBW4LXY+HpbzBesD/+ZcTh1bLj
zrr8e16yg/CfP8IVObT65zz/Qpbnpnop4boLx5mqrAcqK3Sz+BCND5FEpPpIwaqI
Dob/wdpZyN0y1VsV9IA+L9fTkgljVNABRnjNXF3xHK2nq4RchuElaW1sbN+QX6/K
b0MXUAWwdz2S6edMZsNYCJZgehYC029Wy99BaeuD8yi3ggrCxrSjbvEtf+zqh3uU
S4u44XINAMGNn8wDMt50biYpC0/0QZMcnK4iQYFxtpyMFxVj1YbOdLKZ+3//N8gD
ewIDAQAB
-----END PUBLIC KEY-----

创建证书需要发起 CSR(certificate signing request),到 CA 那里,这个 csr 包含了申请者的信息和申请者的公钥。下面就是创建 csr 的命令,其中比较重要的是要配置好 Common Name,这个会拿来和访问的 host 进行匹配。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$openssl req -new -key test.key -out test.csr
Enter pass phrase for test.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) []:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, fully qualified host name) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234

可以查看里面的信息是否正确,req 表示处理 csr 文件,-text 一般是用于展示文件内容。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
$openssl req -text -in test.csr -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=SH, L=SH, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a0:18:a6:70:ce:65:64:ea:f1:43:30:35:ff:cf:
                    b4:5a:8e:20:52:04:84:bf:bf:3a:b4:a7:65:94:a5:
                    df:b5:14:09:61:ba:79:8a:43:d1:fe:cc:d9:96:d3:
                    81:5b:82:d7:63:e1:e9:6f:30:5e:b0:3f:fe:65:c4:
                    e1:d5:b2:e3:ce:ba:fc:7b:5e:b2:83:f0:9f:3f:c2:
                    15:39:b4:fa:e7:3c:ff:42:96:e7:a6:7a:29:e1:ba:
                    0b:c7:99:aa:ac:07:2a:2b:74:b3:f8:10:8d:0f:91:
                    44:a4:fa:48:c1:aa:88:0e:86:ff:c1:da:59:c8:dd:
                    32:d5:5b:15:f4:80:3e:2f:d7:d3:92:09:63:54:d0:
                    01:46:78:cd:5c:5d:f1:1c:ad:a7:ab:84:5c:86:e1:
                    25:69:6d:6c:6c:df:90:5f:af:ca:6f:43:17:50:05:
                    b0:77:3d:92:e9:e7:4c:66:c3:58:08:96:60:7a:16:
                    02:d3:6f:56:cb:df:41:69:eb:83:f3:28:b7:82:0a:
                    c2:c6:b4:a3:6e:f1:2d:7f:ec:ea:87:7b:94:4b:8b:
                    b8:e1:72:0d:00:c1:8d:9f:cc:03:32:de:74:6e:26:
                    29:0b:4f:f4:41:93:1c:9c:ae:22:41:81:71:b6:9c:
                    8c:17:15:63:d5:86:ce:74:b2:99:fb:7f:ff:37:c8:
                    03:7b
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha256WithRSAEncryption
         33:83:fa:d3:a1:7d:1b:5c:cc:cb:b1:19:99:79:e4:b8:29:fc:
         0e:ac:e6:40:f5:13:f0:d7:f7:2b:67:d4:32:39:78:3f:0b:f0:
         5e:2c:f4:5c:c1:14:f0:f7:82:5d:1e:c5:bf:00:3e:87:d2:b5:
         ed:a7:46:75:70:da:db:53:f1:19:37:15:63:09:63:a8:4d:74:
         19:ed:c5:3a:50:7b:db:5a:68:f0:88:37:54:23:0d:bb:4d:c3:
         b6:1a:3f:1d:93:24:17:f3:c5:66:c8:9c:43:67:e8:3b:cc:48:
         20:8e:9e:da:a6:a0:48:90:6d:b1:bc:ff:0d:39:62:7b:8c:5c:
         cb:ec:ce:e1:de:0c:f3:5b:51:3e:5c:ab:ad:6f:f5:96:9c:e5:
         12:9e:1b:a7:27:90:fe:d3:9f:f9:c2:9d:7e:b5:62:ac:f9:45:
         33:6a:a7:b5:c2:ab:b7:18:a8:a6:91:15:26:27:a4:c9:84:26:
         88:85:3e:68:99:8c:f4:c6:32:8d:61:71:83:cb:86:96:92:2e:
         c7:bc:76:e0:59:82:e8:fe:47:39:da:f0:57:72:f7:59:c4:ba:
         7a:51:23:13:bc:8c:75:07:d7:2d:cf:2b:69:07:20:80:27:6d:
         6d:ae:cb:27:5d:ef:0c:92:99:a4:02:45:5b:58:ac:e9:71:1e:
         ee:5f:54:78

可以看到里面的信息,还有签名算法,以及公钥等等。

我们可以用自己的私钥给自己签名,比如 x509 是证书的格式。

1
2
3
4
5
$openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/CN=www.example.com
Getting Private key
Enter pass phrase for test.key:

也可以把两步结合起来,直接创建自签名的证书,openssl req -new -x509 -days 365 -key test.key -out test.crt,如果不想要交互式的可以直接

1
2
openssl req -new -x509 -days 365 -key test.key -out test.crt \
-subj "/C=CN/L=BJ/O=HaiDian/CN=www.example.com"

CN 只能写一个,虽然可以写泛域名,但是要支持多个域名可以通过扩展字段 SAN(Subject Alternative Name)来解决。