Red Hat 資料安全(五)

使用 openssl 製作數位憑證

一、先製作一把私密金鑰 (Private Key)

# openssl genrsa -out server1.key.pem 1024 (以 1024 位元長度製作一把 RSA 加密的金鑰,名稱為 server1.key.pem)
Generating RSA private key, 1024 bit long modulus
.++++++
……………………++++++
e is 65537 (0x10001)

看一下產生的金鑰長得什麼樣子……

# cat server1.key.pem
—–BEGIN RSA PRIVATE KEY—–
MIICXAIBAAKBgQC1jRHdwB6FVlBjcQLtBaL+k7MfSWFZd5AtroeqtjKdz04k0GDy
8438ZCUYvfqbSsU9i4jF6y3pFph3049e5DMo0jJTY+y2CPcLeQeG3gaLEzeVu569
/prE4cWjs6WrXF+jVqiZW4NkOwCStCk1BGgjXk6bd7OeOVwXjbUNVxwsKQIDAQAB
AoGAHrMOFFtKTe28hjQz9HSBjV7YaS/1YDWRkcfzdPB+OqU1Z5A89JguqEEe7MIj
QGMyWyffJuiPyNxjR8/kbH1WEQXwNW+SUAOMsm4BWVN2N5ov0nw8udPdRi6SpSTD
/RkM91cNc7M2UJ4xt+yJGU4WPkSs2u/OKU6Yew8O6A3O5aECQQDnyHYRZNIT9prv
sQ2HPUy+SbuTBYw2+zzVHW4K8UG8wl7/Mv4sUrOoeLrWsCafx5th1fYjnx/uxN+W
1zTc1M5tAkEAyIULkyAtvkiDgkYuModh5bC2cZ1CNrYTlIPm8i8310j8usX6hygZ
3a6qA6iiY+ZmMQhbGakNG6s8MWp0FREpmjeDu0lcE0ukDPvFQWzgSBvkat0CQFwz
yTG6ry36+/WQPbfgRqSuUAYIEKVFrdUxnaUpDx1AI23ikSNKzhqzPjZ2zFWAC57A
Jt+TUaobDRaiutl/dHUCQCWLBQZBzuEEOhI/LouvZCGsBP2o1zachK8KYXMAsw9j
y9b+rztho8U4qUt3FXUzeYb1EaIWpQbTHWLLKQUJSjo=
—–END RSA PRIVATE KEY—–

二、製作憑證申請書

# openssl req -new -key server1.key.pem -out server1.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ISHM Studio
Organizational Unit Name (eg, section) []:ISHM
Common Name (eg, your name or your server’s hostname) []:ishm.idv.tw
Email Address []:admin@ishm.idv.tw

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

憑證申請書製作完成!

來看一下申請書的樣子……
# cat server1.csr.pem
—–BEGIN CERTIFICATE REQUEST—–
MIIBzTCCATYCAQAwgYwxCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWl3YW4xDzAN
BgNVBAcTBlRhaXBlaTEUMBIGA1UEChMLSVNITSBTdHVkaW8xDTALBgNVBAsTBElT
SE0xFDASBgNVBAMTC2lzaG0uaWR2LnR3MSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBp
c2htLmlkdi50dzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtY0R3cAehVZQ
Y3EC7QWi/pOzH0lhWXeQLa6HqrYync9OJNBg8vON/GQlGL36m0rFPYuIxest6RaY
d9OPXuQzKNIyU2Pstgj3C3kHht4GixM3lbuevf6axOHFo7Olq1xfo1aomVuDZDsA
AKJ56Q1rFhgZB3XyfWesDHGnyLyGYTOtgsDiBt6m1DXkyDb8XrWpaZ1+irCnNYDo
LzKrvNEsDenTAzE6g3NgicMdssp9S9xdC2EYCfVL7mGONQueTlf6tJzM6Rm6ViXk
cjvygDpp7iKLCt56gxA6+/clYGbYXw5FmcRXz/befWWz
—–END CERTIFICATE REQUEST—–

還原一下,看看申請書到底寫什麼:

# openssl req -noout -text -in server1.csr.pem
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b5:8d:11:dd:c0:1e:85:56:50:63:71:02:ed:05:
a2:fe:93:b3:1f:49:61:59:77:90:2d:ae:87:aa:b6:
32:9d:cf:4e:24:d0:60:f2:f3:8d:fc:64:25:18:bd:
fa:9b:4a:c5:3d:8b:88:c5:eb:2d:e9:16:98:77:d3:
8f:5e:e4:33:28:d2:32:53:63:ec:b6:08:f7:0b:79:
c5:a3:b3:a5:ab:5c:5f:a3:56:a8:99:5b:83:64:3b:
00:92:b4:29:35:04:68:23:5e:4e:9b:77:b3:9e:39:
5c:17:8d:b5:0d:57:1c:2c:29
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
a2:79:e9:0d:6b:16:18:19:07:75:f2:7d:67:ac:0c:71:a7:c8:
bc:86:61:33:ad:82:c0:e2:06:de:a6:d4:35:e4:c8:36:fc:5e:
b5:a9:69:9d:7e:8a:b0:a7:35:80:e8:2f:32:ab:bc:d1:2c:0d:
e9:d3:03:31:3a:83:73:60:89:c3:1d:b2:ca:7d:4b:dc:5d:0b:
19:ba:56:25:e4:72:3b:f2:80:3a:69:ee:22:8b:0a:de:7a:83:
10:3a:fb:f7:25:60:66:d8:5f:0e:45:99:c4:57:cf:f6:de:7d:
65:b3
如 Red Hat 資料安全(四)所述,將該申請書貼到 CA 組織的申請網頁中,即可靜待憑證的回來。

三、簽署憑證

如果要自己認證,以 -x509 的參數來製作一個 x509 的自我簽署數位憑證:

# openssl req -new -key server1.key.pem -out myCA.pem -x509
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ISHM Studio
Organizational Unit Name (eg, section) []:ISHM
Common Name (eg, your name or your server’s hostname) []:ishm.idv.tw
Email Address []:admin@ishm.idv.tw

看一下加密過後的憑證檔:

# cat myCA.pem
—–BEGIN CERTIFICATE—–
MIIDjTCCAvagAwIBAgIJAPxr4vuRUHgiMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
VQQGEwJUVzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWlwZWkxFDASBgNV
BAoTC0lTSE0gU3R1ZGlvMQ0wCwYDVQQLEwRJU0hNMRQwEgYDVQQDEwtpc2htLmlk
di50dzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AaXNobS5pZHYudHcwHhcNMDkwMzIw
MTU0OTQ4WhcNMDkwNDE5MTU0OTQ4WjCBjDELMAkGA1UEBhMCVFcxDzANBgNVBAgT
BlRhaXdhbjEPMA0GA1UEBxMGVGFpcGVpMRQwEgYDVQQKEwtJU0hNIFN0dWRpbzEN
MAsGA1UECxMESVNITTEUMBIGA1UEAxMLaXNobS5pZHYudHcxIDAeBgkqhkiG9w0B
CQEWEWFkbWluQGlzaG0uaWR2LnR3MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC1jRHdwB6FVlBjcQLtBaL+k7MfSWFZd5AtroeqtjKdz04k0GDy8438ZCUYvfqb
XF+jVqiZW4NkOwCStCk1BGgjXk6bd7OeOVwXjbUNVxwsKQIDAQABo4H0MIHxMB0G
A1UdDgQWBBRqZlCsLZ/V3FErib/7s+H79MtmgjCBwQYDVR0jBIG5MIG2gBRqZlCs
LZ/V3FErib/7s+H79MtmgqGBkqSBjzCBjDELMAkGA1UEBhMCVFcxDzANBgNVBAgT
BlRhaXdhbjEPMA0GA1UEBxMGVGFpcGVpMRQwEgYDVQQKEwtJU0hNIFN0dWRpbzEN
MAsGA1UECxMESVNITTEUMBIGA1UEAxMLaXNobS5pZHYudHcxIDAeBgkqhkiG9w0B
CQEWEWFkbWluQGlzaG0uaWR2LnR3ggkA/Gvi+5FQeCIwDAYDVR0TBAUwAwEB/zAN
BgkqhkiG9w0BAQUFAAOBgQCTnZAXiTUQaOsuG6J6ZpK1PWD8x+pFjjRuArrsqgp0
qmpNGxhAQ3+2ocIJ9HGbjcWVIiik6RFQUE8H8xH9A1hqWh/L1NwDV26f1S0i+ZLl
9rtfRXponCG5GYkyTzw0udtWBoDhcL60gNb2us9Z+QZFybkroVWFUUunapF6/8It
HQ==
—–END CERTIFICATE—–

真是在看無字天書,現在來檢視一下實際內容是什麼:

# openssl x509 -in myCA.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fc:6b:e2:fb:91:50:78:22
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
Validity
Not Before: Mar 20 15:49:48 2009 GMT
Not After : Apr 19 15:49:48 2009 GMT
Subject: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b5:8d:11:dd:c0:1e:85:56:50:63:71:02:ed:05:
a2:fe:93:b3:1f:49:61:59:77:90:2d:ae:87:aa:b6:
32:9d:cf:4e:24:d0:60:f2:f3:8d:fc:64:25:18:bd:
8f:5e:e4:33:28:d2:32:53:63:ec:b6:08:f7:0b:79:
07:86:de:06:8b:13:37:95:bb:9e:bd:fe:9a:c4:e1:
c5:a3:b3:a5:ab:5c:5f:a3:56:a8:99:5b:83:64:3b:
00:92:b4:29:35:04:68:23:5e:4e:9b:77:b3:9e:39:
5c:17:8d:b5:0d:57:1c:2c:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6A:66:50:AC:2D:9F:D5:DC:51:2B:89:BF:FB:B3:CB:66:82
X509v3 Authority Key Identifier:
keyid:6A:66:50:AC:2D:9F:D5:DC:51:2B:89:BF:FB:F4:CB:66:82
DirName:/C=TW/ST=Taiwan/L=Taipei/O=ISHM Studio/OU=ISHM/CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
serial:FC:6B:E2:FB:91:50:78:22

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
93:9d:90:17:89:35:10:68:eb:2e:1b:a2:7a:66:92:b5:3d:60:
fc:c7:ea:45:8e:34:6e:02:ba:ec:aa:0a:74:aa:6a:4d:1b:18:
40:43:7f:b6:a1:c2:09:f4:71:9b:8d:c5:95:22:28:a4:e9:11:
50:50:4f:07:f3:11:fd:03:58:6a:5a:1f:cb:d4:dc:03:57:6e:
32:4f:3c:34:b9:db:56:06:80:e1:70:be:b4:80:d6:f6:ba:cf:
59:f9:06:45:c9:b9:2b:a1:55:85:51:4b:a7:6a:91:7a:ff:c2:
2d:1d

使用下列指令調閱我們想要看的資訊:

# openssl x509 -in myCA.pem -noout -serial
serial=FC6BE2FB91507822 (調閱紅色部份內容)

# openssl x509 -in myCA.pem -noout -subject
subject= /C=TW/ST=Taiwan/L=Taipei/O=ISHM Studio/OU=ISHM/CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw (調閱綠色部份內容)

計算出 myCA.pem 的 fingerprint

# openssl x509 -in myCA.pem -noout -fingerprint
SHA1 Fingerprint=AE:A6:75:17:FA:0E:6F:AF:18:F2:0D:33:01:A9:02:27:20:8B

=========================================

四、快速產生憑證及私密金鑰

在主機服務使用 SSL 加密時,該服務就要調用數位憑證以及本機的私密金鑰,這時可使用以下方法:

# cd /etc/pki/tls/certs (進入 /etc/pki/tls/certs 目錄)
# make dovecot.pem (製作 pop3s 使用的加密憑證,檔名可以自己取)
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  dovecot.pem ; \
echo “”    >> dovecot.pem ; \
cat $PEM2 >> dovecot.pem ; \

(其實就是將上述製作私密金鑰以及自我簽署憑證的結果結合成一個檔案)

rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
…..++++++
…….++++++
writing new private key to ‘/tmp/openssl.z10734’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ISHM Studio
Organizational Unit Name (eg, section) []:ISHM
Common Name (eg, your name or your server’s hostname) []:ishm.idv.tw
Email Address []:admin@ishm.idv.tw

看一下,其實就是用「私密金鑰」和「自我簽署憑證」組合起來的檔案。

# cat dovecot.pem
—–BEGIN RSA PRIVATE KEY—–
MIICXwIBAAKBgQC+c1ODbMJrRdYA972H8MJDM/4sYMDSjpNrWIMsttC+tPpE2IeV
5+ctBlMz71Vx2GfQI1FXPwdaTQUN8KL0ZeLQXir3x31mydmVuPHAIHGSAQ4QEFJY
QmZuY1Ng1dy6aMLEqNuDMB03GZGVM/bcAqe2wablzfZKzEl8sw0A4CBf/wIDAQAB
AoGBAIv/2vRRjtmsjJRJiVnU8fjUz5NvzE774AKZHlRQT0LhZtgVFBZuUtIWRDN5
TCZUHnwyeijYfF81HvIQYrml7ARarhMTF9+V4nCUUET6ZfwhAcjxQJAUo63ziNAl
OExHnbjBAAS4crJzv8c9U7e37yBQET0JvRlgL9VW+JBseMOBAkEA7dBDLUC4UhnX
HlMUEAh9KqvoQI7uIPqKuNT1igBR5secKAXeUsRKbe/oYC/m8iy8MjrN+XWhTAjW
nj8MEFFhf+2ACUX0kXAJyQ70cHHncEQbFHUCQQCL3xxDt3cxwsUFrvNz4qpLuMRn
hCmG+BUzVP395uZFCE5OM/VpVM46Dwrr2ADLm4gtOuz+tjLiV6iSktWhlMdlAkEA
sjcjEu+YtG8XBbXui4wZKAr8+S3fi+AuylYdiZiU1S3KNx7+P7MztMa94KCK3mAw
r3kcfHJlLvTaUonHk8yeiQJBAL+Ngl5t1XL8NG65uGUZq38ohpfcVBHJnmOvu3A0
Bksl6MjQIVEKMWj5MI18hqehBK58DftkLddC57/gAyTfhfY=
—–END RSA PRIVATE KEY—–

—–BEGIN CERTIFICATE—–
MIIDfTCCAuagAwIBAgIBADANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCVFcx
DzANBgNVBAgTBlRhaXdhbjEPMA0GA1UEBxMGVGFpcGVpMRQwEgYDVQQKEwtJU0hN
IFN0dWRpbzENMAsGA1UECxMESVNITTEUMBIGA1UEAxMLaXNobS5pZHYudHcxIDAe
BgkqhkiG9w0BCQEWEWFkbWluQGlzaG0uaWR2LnR3MB4XDTA5MDMyMDE2MDIzMFoX
DTEwMDMyMDE2MDIzMFowgYwxCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWl3YW4x
DzANBgNVBAcTBlRhaXBlaTEUMBIGA1UEChMLSVNITSBTdHVkaW8xDTALBgNVBAsT
BElTSE0xFDASBgNVBAMTC2lzaG0uaWR2LnR3MSAwHgYJKoZIhvcNAQkBFhFhZG1p
bkBpc2htLmlkdi50dzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvnNTg2zC
a0XWAPe9h/DCQzP+LGDA0o6Ta1iDLLbQvrT6RNiHlefnLQZTM+9Vcdhn0CNRVz8H
NxmRlTP23AKntsGm5c32SsxJfLMNAOAgX/8CAwEAAaOB7DCB6TAdBgNVHQ4EFgQU
Rcx90b1sk+FghOeH20oOVw5lX6YwgbkGA1UdIwSBsTCBroAURcx90b1sk+FghOeH
20oOVw5lX6ahgZKkgY8wgYwxCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWl3YW4x
DzANBgNVBAcTBlRhaXBlaTEUMBIGA1UEChMLSVNITSBTdHVkaW8xDTALBgNVBAsT
BElTSE0xFDASBgNVBAMTC2lzaG0uaWR2LnR3MSAwHgYJKoZIhvcNAQkBFhFhZG1p
bkBpc2htLmlkdi50d4IBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GB
AKHLcoIyv5aZNah+14Uxeqj/Pj/OeVzv6WNXTR3vLVbvE93Ju77dx4EFRSc6I9TX
AJmBvGtlzWLxevGGVtM1TMXdAKcX1PJTKamEOn9hWOF6zlHIzB0Jel+2MmTdHwVX
apmdOvbLFwOTXfiQ2v4ITQ4hXn7nFDkFE3+uawiLiGV6
—–END CERTIFICATE—–

=========================================

在〈Red Hat 資料安全(五)〉中有 1 則留言

  1. 自動引用通知: ISHM Blog » 網路郵件存取及郵局通訊協定 (POP and IMAP)

留言功能已關閉。