使用OpenSSL生成ECC证书

RSA证书出现时间比较早,能够兼容的设备非常多,所以兼容性好,是最为普及。
相较于RSA证书,ECC证书加密速度快,安全性高,对服务器资源消耗低。

以下内容均在Ubuntu20.04完成。
生成证书会用到openssl.cnf文件,但是Ubuntu和CentOS的openssl.cnf位置不一样。
Ubuntu的openssl.cnf在/etc/ssl/路径下,而CentOS的openssl.cnf在/etc/pki/tls/路径下。

openssl.cnf配置文件由openssl软件包提供,文件的完整内容如下。

root@k8s-master1:~/ssl/ecc# openssl version
OpenSSL 1.1.1f  31 Mar 2020
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# which openssl
/usr/bin/openssl
root@k8s-master1:~/ssl/ecc# dpkg -S /usr/bin/openssl
openssl: /usr/bin/openssl
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# grep -vE "^$|^#" /etc/ssl/openssl.cnf
HOME            = .
oid_section     = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca  = CA_default        # The default ca section
[ CA_default ]
dir     = ./demoCA      # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
                    # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.
certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert      # The extensions to add to the cert
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options
default_days    = 365           # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering
policy      = policy_match
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = AU
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName            = Locality Name (eg, city)
0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd
organizationalUnitName      = Organizational Unit Name (eg, section)
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64
[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
unstructuredName        = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment           = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1   # the default TSA section
[ tsa_config1 ]
dir     = ./demoCA      # TSA root directory
serial      = $dir/tsaserial    # The current serial number (mandatory)
crypto_device   = builtin       # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem  # The TSA signing certificate
                    # (optional)
certs       = $dir/cacert.pem   # Certificate chain to include in reply
                    # (optional)
signer_key  = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256         # Signing digest to use. (Optional)
default_policy  = tsa_policy1       # Policy if request did not specify it
                    # (optional)
other_policies  = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0 # number of digits after dot. (optional)
ordering        = yes   # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes   # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain   = no    # Must the ESS cert id chain be included?
                # (optional, default: no)
ess_cert_id_alg     = sha1  # algorithm to compute certificate
                # identifier (optional, default: sha1)
root@k8s-master1:~/ssl/ecc#
生成自签ECC CA证书

后面的服务器和客户端证书均由该CA进行签发。

root@k8s-master1:~/ssl/ecc# openssl ecparam -out ca.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/O=People's Republic of China/CN=China CA"
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# ls
ca.crt  ca.key
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in ca.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3a:e0:2e:5e:3f:a6:01:c2:ab:f9:9b:e5:1a:87:fd:c5:8c:d0:5f:a8
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, O = People's Republic of China, CN = China CA
        Validity
            Not Before: Oct 27 13:54:42 2022 GMT
            Not After : Oct 24 13:54:42 2032 GMT
        Subject: C = CN, O = People's Republic of China, CN = China CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b4:81:d8:e1:a5:d6:1c:40:01:9f:86:23:79:53:
                    1d:1c:0d:f7:9b:85:f2:78:be:73:85:b6:64:e2:3f:
                    6c:9b:e3:58:b1:25:e7:f1:2d:a0:be:80:c1:5d:31:
                    ed:83:2d:64:74:b6:37:5d:2e:85:28:37:29:00:83:
                    b4:43:fd:24:fc
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                CB:CE:EA:EE:F8:F4:85:D5:46:F2:6C:C8:C0:A8:DD:97:A7:28:4A:3A
            X509v3 Authority Key Identifier: 
                keyid:CB:CE:EA:EE:F8:F4:85:D5:46:F2:6C:C8:C0:A8:DD:97:A7:28:4A:3A

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:97:87:ed:6b:19:82:39:41:ed:e6:47:85:ff:
         b5:4f:8f:c0:d5:1a:e3:4f:f7:23:19:db:57:e7:f3:97:ec:c9:
         76:02:21:00:be:ff:72:39:0b:2c:88:b3:2d:80:f9:25:25:fe:
         8e:49:65:2c:d9:00:4c:e3:0e:72:46:4e:5b:2e:ba:d7:a7:7a
root@k8s-master1:~/ssl/ecc#
生成服务器证书

使用CA签发服务器证书,服务器证书一般部署在服务端,比如Nginx、Apache等。
另外可以用openssl verify校验证书是否由指定CA签发的。

root@k8s-master1:~/ssl/ecc# openssl ecparam -out server.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl req -new -key server.key -out server.csr -subj "/C=CN/O=People's Republic of China/CN=example.com"
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile <(sed "/\[ v3_req \]/ a\subjectAltName = @alt_names" /etc/ssl/openssl.cnf <(printf "\n[alt_names]\nDNS.1=example.com\nDNS.2=www.example.com")) -extensions v3_req
Signature ok
subject=C = CN, O = People's Republic of China, CN = example.com
Getting CA Private Key
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in server.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:8d:ef:d5:38:53:41:0e:75:b6:8c:be:20:6e:64:29:40:1e:9e:80
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, O = People's Republic of China, CN = China CA
        Validity
            Not Before: Oct 27 13:57:37 2022 GMT
            Not After : Oct 24 13:57:37 2032 GMT
        Subject: C = CN, O = People's Republic of China, CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d1:5b:c4:27:ca:e7:81:5c:0b:fd:44:96:28:60:
                    d4:1d:85:89:ac:18:b7:67:7c:53:8e:10:73:56:0c:
                    7f:9f:58:97:8c:11:e7:a0:4a:a2:72:28:51:9d:a3:
                    aa:7f:a7:46:c7:f0:07:df:65:f2:5c:28:56:90:8e:
                    dd:81:ad:e6:3c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:ae:38:4a:92:70:94:df:e6:a7:6e:f2:4d:4f:
         fa:b6:4a:08:2a:ad:35:64:53:d8:8a:88:3e:61:b0:79:e1:b3:
         cd:02:21:00:87:9c:24:f9:e0:83:a1:21:ae:1e:64:9d:35:49:
         b9:22:48:cd:e9:b7:5c:33:d0:d7:65:ee:d5:1f:4d:30:b2:2c
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl verify -CAfile ca.crt server.crt
server.crt: OK
root@k8s-master1:~/ssl/ecc#
生成客户端证书

使用CA签发客户端证书,在SSL双向认证的场景会用到客户端证书。

root@k8s-master1:~/ssl/ecc# openssl ecparam -out client.key -name prime256v1 -genkey
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl req -new -key client.key -out client.csr -sha256 -subj "/C=CN/O=People's Republic of China/CN=Private certificate assigned to Tom"
root@k8s-master1:~/ssl/ecc# openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
Signature ok
subject=C = CN, O = People's Republic of China, CN = Private certificate assigned to Tom
Getting CA Private Key
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl x509 -text -noout -in client.crt 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            51:8d:ef:d5:38:53:41:0e:75:b6:8c:be:20:6e:64:29:40:1e:9e:81
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CN, O = People's Republic of China, CN = China CA
        Validity
            Not Before: Oct 27 13:59:11 2022 GMT
            Not After : Oct 24 13:59:11 2032 GMT
        Subject: C = CN, O = People's Republic of China, CN = Private certificate assigned to Tom
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:02:27:b4:db:89:9a:3b:25:d1:88:01:5f:b8:18:
                    14:fe:2a:00:72:03:3e:68:83:77:7d:c3:54:5c:99:
                    a0:cd:5c:8a:d5:f1:da:54:5c:17:bd:ad:18:52:8a:
                    3b:8c:72:ed:39:f8:b1:b8:c6:f4:d5:95:71:b9:db:
                    aa:60:6f:92:6e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:3c:96:3a:be:8d:80:b5:a0:15:71:fd:a3:24:d9:
         a3:99:73:36:bf:92:59:fa:fe:8a:08:65:cd:75:42:75:01:01:
         02:20:2f:0a:5b:f4:9c:46:6d:ce:d2:9d:d0:5c:9a:76:23:61:
         a7:7d:e0:a2:e3:3f:50:7c:97:8d:02:bb:2e:33:6c:4f
root@k8s-master1:~/ssl/ecc# 
root@k8s-master1:~/ssl/ecc# openssl verify -CAfile ca.crt client.crt 
client.crt: OK
root@k8s-master1:~/ssl/ecc#
命令汇总
生成自签CA证书
openssl ecparam -out ca.key -name prime256v1 -genkey
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/O=People's Republic of China/CN=China CA"
使用CA签发服务器证书
openssl ecparam -out server.key -name prime256v1 -genkey
openssl req -new -key server.key -out server.csr -subj "/C=CN/O=People's Republic of China/CN=example.com"
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile <(sed "/\[ v3_req \]/ a\subjectAltName = @alt_names" /etc/ssl/openssl.cnf <(printf "\n[alt_names]\nDNS.1=example.com\nDNS.2=www.example.com")) -extensions v3_req
使用CA签发客户端证书
openssl ecparam -out client.key -name prime256v1 -genkey
openssl req -new -key client.key -out client.csr -sha256 -subj "/C=CN/O=People's Republic of China/CN=Private certificate assigned to Tom"
openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
校验SSL证书
# 校验server.crt是否由ca.crt签发
openssl verify -CAfile ca.crt server.crt
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 194,670评论 5 460
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 81,928评论 2 371
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 141,926评论 0 320
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 52,238评论 1 263
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 61,112评论 4 356
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 46,138评论 1 272
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 36,545评论 3 381
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 35,232评论 0 253
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 39,496评论 1 290
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 34,596评论 2 310
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 36,369评论 1 326
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 32,226评论 3 313
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 37,600评论 3 299
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 28,906评论 0 17
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 30,185评论 1 250
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 41,516评论 2 341
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 40,721评论 2 335

推荐阅读更多精彩内容