The req pseudo-command (subcommand) of openssl has three functions: generating a certificate request file (CSR), verifying a certificate request file, and creating a self-signed root CA certificate. openssl req has a large number of options, so this page first walks through examples and then summarizes the options.
First, what goes into a certificate request. The applicant puts its own identity information (the Subject) and its public key into the request. In practice you supply the private key rather than the public key, because openssl req derives the public key from the private key automatically. The request is also digitally signed with that private key: a hash of the request data is computed and then signed. The signature lets whoever receives the request check its integrity and consistency, and it proves that the applicant holds the private key belonging to the public key in the request. Without it, someone could intercept another party's request for, say, www.baidu.com, change the company name in it to his own, and when the CA signed the request the issued certificate would carry the attacker's information. Note what the signature does not do: anyone can produce a validly signed request naming any Subject, so it is still the CA's own checks (domain validation, identity vetting) that decide whether that Subject may be certified.
(1) Create the certificate request. The first step is to create the private key pri_key.pem. The key file is not strictly necessary, because openssl req creates one automatically at a configured path whenever it needs one; it is created explicitly here to make the steps visible. On the OpenSSL version used here the default key length is 1024 bits (visible in the decoded request below), which is too short for any real use: give the length explicitly, e.g. 2048, as the last argument to genrsa.
    [root@xuexi tmp]# openssl genrsa -out pri_key.pem

    [root@xuexi tmp]# openssl req -new -key pri_key.pem -out req1.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:FJ
    Locality Name (eg, city) [Default City]:XM
    Organization Name (eg, company) [Default Company Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:www.youwant.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.          # the next two items are rarely needed; leave them blank
    An optional company name []:.      # (the challenge password is a legacy PKCS#9 attribute, not a key passphrase)
Besides -new, the -newkey option can also produce a request file; its use is shown in (7) below.
(2) View the contents of the request file. A new request file req1.csr has been created; look at what it contains:
    [root@xuexi tmp]# cat req1.csr
    -----BEGIN CERTIFICATE REQUEST-----          # the request in PEM form
    MIIBgDCB6gIBADBBMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkoxCzAJBgNVBAcM
    AlhNMRgwFgYDVQQDDA93d3cueW91d2FudC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMbx9bfsC0GTn7DijfGFs56Fb8atX9ABRDE/wmE74jXjdfbH4ZOg
    Te0Orlu5pA4jqXDgSLzlQvjD6QsyhToyvtyQbgGSfXSVOPcgfAohDNo9t6+mnvs/
    5rFQJ1+uI6gsLMbwQBJidLGnM1pOvFo2671Vm2jewDLVweGP5wmIfDyLAgMBAAGg
    ADANBgkqhkiG9w0BAQUFAAOBgQAqKYjNKKpNCvwDNeDeYynOx1XD/OYgAU43Sq03
    aRUcKenqICkvkXkUE+H0lYMtXcDL/rgDyjlKvwartgZ/ngoKSwtXhd4UivII2hNN
    jolE3gfe8KGjMpnX/8oxkJIoSTETqee+11ez8E2fya1DwoQnKpXjTt5qya8VWflt
    DG8WmA==
    -----END CERTIFICATE REQUEST-----

openssl req with only -in and no other option prints the same PEM block:

    [root@xuexi tmp]# openssl req -in req1.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBgDCB6gIBADBBMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkoxCzAJBgNVBAcM
    AlhNMRgwFgYDVQQDDA93d3cueW91d2FudC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMbx9bfsC0GTn7DijfGFs56Fb8atX9ABRDE/wmE74jXjdfbH4ZOg
    Te0Orlu5pA4jqXDgSLzlQvjD6QsyhToyvtyQbgGSfXSVOPcgfAohDNo9t6+mnvs/
    5rFQJ1+uI6gsLMbwQBJidLGnM1pOvFo2671Vm2jewDLVweGP5wmIfDyLAgMBAAGg
    ADANBgkqhkiG9w0BAQUFAAOBgQAqKYjNKKpNCvwDNeDeYynOx1XD/OYgAU43Sq03
    aRUcKenqICkvkXkUE+H0lYMtXcDL/rgDyjlKvwartgZ/ngoKSwtXhd4UivII2hNN
    jolE3gfe8KGjMpnX/8oxkJIoSTETqee+11ez8E2fya1DwoQnKpXjTt5qya8VWflt
    DG8WmA==
    -----END CERTIFICATE REQUEST-----
With -text the request is decoded:

    [root@xuexi tmp]# openssl req -in req1.csr -text
    Certificate Request:                                  # header of the request file
        Data:
            Version: 0 (0x0)                              # PKCS#10 version 1 is encoded as 0
            Subject: C=CN, ST=FJ, L=XM, CN=www.youwant.com   # the applicant's information; note the label "Subject", this is the important item
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption       # public key algorithm
                    Public-Key: (1024 bit)                # length of the public key
                    Modulus:
                        00:c6:f1:f5:b7:ec:0b:41:93:9f:b0:e2:8d:f1:85:
                        b3:9e:85:6f:c6:ad:5f:d0:01:44:31:3f:c2:61:3b:
                        e2:35:e3:75:f6:c7:e1:93:a0:4d:ed:0e:ae:5b:b9:
                        a4:0e:23:a9:70:e0:48:bc:e5:42:f8:c3:e9:0b:32:
                        85:3a:32:be:dc:90:6e:01:92:7d:74:95:38:f7:20:
                        7c:0a:21:0c:da:3d:b7:af:a6:9e:fb:3f:e6:b1:50:
                        27:5f:ae:23:a8:2c:2c:c6:f0:40:12:62:74:b1:a7:
                        33:5a:4e:bc:5a:36:eb:bd:55:9b:68:de:c0:32:d5:
                        c1:e1:8f:e7:09:88:7c:3c:8b
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00                                     # empty: the challenge password and company name were left blank
        Signature Algorithm: sha1WithRSAEncryption        # algorithm used to sign the request file
             2a:29:88:cd:28:aa:4d:0a:fc:03:35:e0:de:63:29:ce:c7:55:
             c3:fc:e6:20:01:4e:37:4a:ad:37:69:15:1c:29:e9:ea:20:29:
             2f:91:79:14:13:e1:f4:95:83:2d:5d:c0:cb:fe:b8:03:ca:39:
             4a:bf:06:ab:b6:06:7f:9e:0a:0a:4b:0b:57:85:de:14:8a:f2:
             08:da:13:4d:8e:89:44:de:07:de:f0:a1:a3:32:99:d7:ff:ca:
             31:90:92:28:49:31:13:a9:e7:be:d7:57:b3:f0:4d:9f:c9:ad:
             43:c2:84:27:2a:95:e3:4e:de:6a:c9:af:15:59:f9:6d:0c:6f:
             16:98
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBgDCB6gIBADBBMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkoxCzAJBgNVBAcM
    AlhNMRgwFgYDVQQDDA93d3cueW91d2FudC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMbx9bfsC0GTn7DijfGFs56Fb8atX9ABRDE/wmE74jXjdfbH4ZOg
    Te0Orlu5pA4jqXDgSLzlQvjD6QsyhToyvtyQbgGSfXSVOPcgfAohDNo9t6+mnvs/
    5rFQJ1+uI6gsLMbwQBJidLGnM1pOvFo2671Vm2jewDLVweGP5wmIfDyLAgMBAAGg
    ADANBgkqhkiG9w0BAQUFAAOBgQAqKYjNKKpNCvwDNeDeYynOx1XD/OYgAU43Sq03
    aRUcKenqICkvkXkUE+H0lYMtXcDL/rgDyjlKvwartgZ/ngoKSwtXhd4UivII2hNN
    jolE3gfe8KGjMpnX/8oxkJIoSTETqee+11ez8E2fya1DwoQnKpXjTt5qya8VWflt
    DG8WmA==
    -----END CERTIFICATE REQUEST-----

Adding -noout suppresses the PEM block, so only the decoded fields are printed (the same Data and Signature Algorithm sections as above):

    [root@xuexi tmp]# openssl req -in req1.csr -noout -text
To print only the Subject (the page originally ran this on req2.csr, which is created in (4) below; req1.csr has the same Subject):

    [root@xuexi tmp]# openssl req -in req1.csr -subject -noout
    subject=/C=CN/ST=FJ/L=XM/CN=www.youwant.com
(3) Extract the public key from the request file and compare it with the public key derived from the private key. They are identical, which is the check to run whenever a request and a key file have become separated:

    [root@xuexi tmp]# openssl req -in req1.csr -pubkey -noout
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8fW37AtBk5+w4o3xhbOehW/G
    rV/QAUQxP8JhO+I143X2x+GToE3tDq5buaQOI6lw4Ei85UL4w+kLMoU6Mr7ckG4B
    kn10lTj3IHwKIQzaPbevpp77P+axUCdfriOoLCzG8EASYnSxpzNaTrxaNuu9VZto
    3sAy1cHhj+cJiHw8iwIDAQAB
    -----END PUBLIC KEY-----

    [root@xuexi tmp]# openssl rsa -in pri_key.pem -pubout
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8fW37AtBk5+w4o3xhbOehW/G
    rV/QAUQxP8JhO+I143X2x+GToE3tDq5buaQOI6lw4Ei85UL4w+kLMoU6Mr7ckG4B
    kn10lTj3IHwKIQzaPbevpp77P+axUCdfriOoLCzG8EASYnSxpzNaTrxaNuu9VZto
    3sAy1cHhj+cJiHw8iwIDAQAB
    -----END PUBLIC KEY-----
(4) Signature algorithm of the request, and verifying the signature. One of the items in the decoded request is "Signature Algorithm", the digest used for the digital signature. On the OpenSSL version used here the default is sha1 (set by default_md in the configuration file; current releases default to sha256); md5, sha512 and the other digests listed by "openssl dgst --help" can be selected by giving the digest name as an option. md5 is used in the next example only to demonstrate the option: MD5 and SHA-1 signatures are rejected by public CAs, so use -sha256 or stronger for real requests.
    [root@xuexi tmp]# openssl req -new -key pri_key.pem -out req2.csr -md5
    [root@xuexi tmp]# openssl req -in req2.csr -noout -text | grep Algo
            Public Key Algorithm: rsaEncryption
        Signature Algorithm: md5WithRSAEncryption
To check the signature, use -verify: openssl req recomputes the digest over the request data and checks the signature with the public key contained in the request itself. Without -noout the request is printed as well (the "verify OK" line goes to stderr):

    [root@xuexi tmp]# openssl req -verify -in req2.csr
    verify OK
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBgDCB6gIBADBBMQswCQYDVQQGEwJDTjELMAkGA1UECAwCRkoxCzAJBgNVBAcM
    AlhNMRgwFgYDVQQDDA93d3cueW91d2FudC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
    gY0AMIGJAoGBAMbx9bfsC0GTn7DijfGFs56Fb8atX9ABRDE/wmE74jXjdfbH4ZOg
    Te0Orlu5pA4jqXDgSLzlQvjD6QsyhToyvtyQbgGSfXSVOPcgfAohDNo9t6+mnvs/
    5rFQJ1+uI6gsLMbwQBJidLGnM1pOvFo2671Vm2jewDLVweGP5wmIfDyLAgMBAAGg
    ADANBgkqhkiG9w0BAQQFAAOBgQCcvWuwmeAowbqLEsSpBVGnRfDEeH897v1r/SaX
    9yYhpc3Kp5HKQ3LpSZBYGxlIsE6I3DMT5d1wcPeKRi8B6BIfemYOEbhLVGLmhNAg
    iHyV/s1/TaOc31QZMY1HvD5BTOlhed+MpevWAFX2CRXuhKYBOimCrGNJxrFj4srJ
    M1zDOA==
    -----END CERTIFICATE REQUEST-----

With -noout only the verdict is printed:

    [root@xuexi tmp]# openssl req -verify -in req2.csr -noout
    verify OK
(5) Self-signed certificate, for building your own root CA.
To self-sign with openssl req, add the -x509 option. Because a request file is being signed into a certificate, -days can be given to set the validity period of the certificate that is issued (the default is 30 days).
    [root@xuexi tmp]# openssl req -x509 -key pri_key.pem -in req1.csr -out CA1.crt -days 365
Because the main job of openssl req is creating and managing request files, it has no facilities for examining certificates; here the certificate CA1.crt is only shown with cat (decoding it is the job of the x509 subcommand, which is not covered on this page).
    [root@xuexi tmp]# cat CA1.crt
    -----BEGIN CERTIFICATE-----
    MIICUDCCAbmgAwIBAgIJAIrxQ+zicLzIMA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV
    BAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UEBwwCWE0xGDAWBgNVBAMMD3d3dy55
    b3V3YW50LmNvbTAeFw0xNzA2MjcwNzU0NTJaFw0xODA2MjcwNzU0NTJaMEExCzAJ
    BgNVBAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UEBwwCWE0xGDAWBgNVBAMMD3d3
    dy55b3V3YW50LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxvH1t+wL
    QZOfsOKN8YWznoVvxq1f0AFEMT/CYTviNeN19sfhk6BN7Q6uW7mkDiOpcOBIvOVC
    +MPpCzKFOjK+3JBuAZJ9dJU49yB8CiEM2j23r6ae+z/msVAnX64jqCwsxvBAEmJ0
    saczWk68WjbrvVWbaN7AMtXB4Y/nCYh8PIsCAwEAAaNQME4wHQYDVR0OBBYEFMLa
    Dm9yZeRh3Bu+zmpU2iKbQBQgMB8GA1UdIwQYMBaAFMLaDm9yZeRh3Bu+zmpU2iKb
    QBQgMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd2CJPe987RO34ySA
    7EC0zQkhDz9d2vvvPWYjq0XA/frntlKKhgFwypWPBwwFTBwfvLHMnNpKy0zXXAkB
    1ttgzMgka/qv/gcKoLN3dwM7Hz+eCl/cXVJmVG7PqAjfqSr6IyM7v/B6dC0Xv49m
    h5mv24HqKtJoEeI0iARaNmOxKeE=
    -----END CERTIFICATE-----
In fact, when -x509 is combined with -new or -newkey, no request file needs to be given: the request is built in memory during self-signing. Since a request is still being built, the applicant's information has to be entered at the prompts as before. For example:

    [root@xuexi tmp]# openssl req -new -x509 -key pri_key.pem -out CA1.crt -days 365

In other words, once -x509 is given, -new or -newkey produce a certificate file rather than a certificate request file.
(6) Let openssl req create the private key itself.
In all the examples so far the private key was supplied explicitly with -key. If it is not, openssl req creates a private key wherever one is needed and saves it at a fixed location: by default privkey.pem in the current directory. The exact location and file name are set by the configuration file (/etc/pki/tls/openssl.cnf on the RHEL/CentOS system used here; Debian and Ubuntu use /etc/ssl/openssl.cnf), which is not discussed at this point. The -keyout option of openssl req overrides that location.
For example:
    [root@xuexi tmp]# openssl req -new -out req3.csr
    Generating a 2048 bit RSA private key          # the private key is created automatically
    ..................+++
    .....................................+++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:                         # asks for a passphrase to encrypt the key file; it must be 4 to 1024 characters
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:^C
When openssl req creates the private key itself, it always encrypts the key file and prompts for the passphrase. The -nodes option ("no DES"; OpenSSL 3.0 renamed it -noenc and still accepts -nodes) disables the encryption. An unencrypted key is then protected only by file permissions, so keep it readable by its owner alone.
    [root@xuexi tmp]# openssl req -new -out req3.csr -nodes
    Generating a 2048 bit RSA private key
    .............+++
    .............................................................................+++
    writing new private key to 'privkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:^C
To choose where the automatically created private key is saved, and under which name, use the -keyout option:
    [root@xuexi tmp]# openssl req -new -out req3.csr -nodes -keyout myprivkey.pem
    Generating a 2048 bit RSA private key
    ......................+++
    ............................................................+++
    writing new private key to 'myprivkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:^C
(7) The -newkey option.
-newkey is similar to -new, except that it lets you specify the key algorithm and length directly, so it is mainly used when openssl req is to create the private key itself.
Its form is "-newkey arg", where arg is "rsa:numbits": rsa selects an RSA key and numbits is its length. If the length is omitted ("-newkey rsa"), it is read from default_bits in the configuration file. Other algorithms are supported as well (for example EC keys with "-newkey ec -pkeyopt ec_paramgen_curve:P-256" on OpenSSL 1.1.1 and later), but RSA is what is used almost everywhere, so the examples stick to it.
    [root@xuexi tmp]# openssl req -newkey rsa:2048 -out req3.csr -nodes -keyout myprivkey.pem
    Generating a 2048 bit RSA private key
    ....+++
    .......................................................+++
    writing new private key to 'myprivkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:^C
After this series of examples the basic options of openssl req should be clear. The examples also showed that openssl req frequently relies on values from the configuration file (default /etc/pki/tls/openssl.cnf). So first a summary of the command's usage, then a brief description of the req-related parts of the configuration file.
Synopsis (only the fragment that survived on this page):

    openssl req [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-reqopt] ...

-newkey args: like -new, creates a new certificate request and also creates the private key. The format of args is ...
-[dgst]: the digest algorithm used when signing the applicant information in the request, e.g. -md5, -sha1, ...
-days n: validity period of a self-signed certificate, default 30 days; only meaningful together with -x509 (see (5)).
-subj args: replace or predefine the information that would otherwise be typed in at the prompts, and output the modified request. The format of args is ...; a field given as "." is left blank. The recognised types are ...
-config filename: the configuration file for req; once given, all other configuration files are ignored. If omitted, /etc/pki/tls/openssl.cnf is used by default.
-batch: non-interactive mode; the fields needed for the request are read directly from the configuration file (default /etc/pki/tls/openssl.cnf). But if ... is not specified ...
-verbose: show details of the operations performed.
The following are the settings of the req section of the configuration file (default /etc/pki/tls/openssl.cnf).

input_password: passphrase for the input private key (not a file name); corresponds to the -passin command-line option. See "openssl password formats" for the syntax and meaning.
output_password: passphrase for the private key that is written out; corresponds to -passout. See "openssl password formats".
default_bits: length of the RSA key openssl req generates automatically; when unset, 512 in the version used here (OpenSSL 1.1.1 and later use 2048). -new and -newkey may use it.
default_keyfile: default output file for the private key; corresponds to -keyout.
encrypt_key: when set to no, the automatically created private key is not encrypted; equivalent to -nodes on the command line. The older compatible spelling is encrypt_rsa_key.
default_md: the digest algorithm used when signing the applicant information in the request; corresponds to -[dgst].
prompt: when set to no, the request fields are not prompted for but read directly from openssl.cnf. Set this with care: a failure to create the request is very often because prompt is no while the distinguished_name section still contains field descriptions rather than values.
distinguished_name: names the section (DN) that defines the fields recognised in a certificate request.
The default configuration file format and values are shown below. For a detailed analysis of the configuration file see the "configuration file" section.

    [ req ]
    default_bits        = 2048
    default_md          = sha1
    default_keyfile     = privkey.pem
    distinguished_name  = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca  # The extentions to add to the self signed cert
    string_mask = utf8only

    [ req_distinguished_name ]
    countryName                     = Country Name (2 letter code)
    countryName_default             = XX
    countryName_min                 = 2
    countryName_max                 = 2
    stateOrProvinceName             = State or Province Name (full name)
    localityName                    = Locality Name (eg, city)
    localityName_default            = Default City
    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Default Company Ltd
    organizationalUnitName          = Organizational Unit Name (eg, section)
    commonName                      = Common Name (eg, your name or your server\'s hostname)
    commonName_max                  = 64
    emailAddress                    = Email Address
    emailAddress_max                = 64
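As an added example that is not part of the original article, the script below shows how (5) to (7) and the [req] configuration section fit together in an unattended run: a private configuration file with prompt = no supplies the DN, x509_extensions marks the certificate as a CA, -newkey rsa:2048 -nodes -keyout creates an unencrypted key, and -x509 -days 365 self-signs it in one openssl req call. The checks afterwards use the x509 and verify subcommands, which this page does not cover. It assumes an openssl binary on PATH and a temporary directory; the DN values, section names and file names are made up.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a self-signed root CA in
# one unattended openssl req call driven by a private config file instead of the
# system openssl.cnf, then checks the result with the x509 and verify subcommands.
# Assumes: an `openssl` binary on PATH; DN values and file names are made up.
set -u

CA_DIR=${CA_DIR:-$(mktemp -d)}

# Minimal [req] configuration: prompt = no takes the DN from the named section,
# x509_extensions names the extensions added because -x509 is used. default_bits,
# default_md and default_keyfile are not needed because the command line gives
# -newkey, -sha256 and -keyout.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = root_dn
x509_extensions     = root_ext
string_mask         = utf8only

[ root_dn ]
C  = CN
ST = FJ
L  = XM
O  = Example Root CA
CN = Example Root CA

[ root_ext ]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
EOF
}

# -x509 with -newkey: create the key, build the request in memory, self-sign it.
# -nodes leaves the key unencrypted (for a real root, encrypt it or use an HSM).
# -config replaces the system openssl.cnf entirely.
make_root_ca() {   # $1 config, $2 key out, $3 cert out, $4 validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$4" \
        -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# 0 if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if subject and issuer are identical and the cert verifies against itself.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 if the cert is still valid in $2 days but no longer valid in $3 days
# (-checkend exits 0 when the cert does not expire within the given seconds).
cert_expires_between() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 &&
    ! openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1
}

# 0 if the PEM private key is not encrypted (what -nodes / encrypt_key = no produce).
key_is_unencrypted() {
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Stand-alone demo run.
write_req_config "$CA_DIR/req.cnf"
make_root_ca "$CA_DIR/req.cnf" "$CA_DIR/ca.key" "$CA_DIR/ca.crt" 365 || exit 1
cert_is_ca "$CA_DIR/ca.crt" && echo "ca.crt: basicConstraints CA:TRUE"
cert_is_self_signed "$CA_DIR/ca.crt" && echo "ca.crt: self-signed, verifies against itself"
cert_expires_between "$CA_DIR/ca.crt" 364 366 && echo "ca.crt: valid for 365 days"
key_is_unencrypted "$CA_DIR/ca.key" && echo "ca.key: not passphrase-protected"
```

Because -config is given, nothing from the system openssl.cnf is consulted, which is the easiest way to make a CA build reproducible; the same file can later be reused with openssl req -new for the end-entity requests, with x509_extensions ignored since -x509 is absent.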