Last active: August 29, 2015 14:16
Notes on the "OpenSSL Cookbook"
Algorithms: RSA / DSA / ECDSA
- RSA is the usual choice
- ECDSA is not yet widely supported by CAs
- SSH commonly uses RSA and DSA
- 2048-bit RSA and DSA, at least 512-bit ECDSA
- Passphrase
  * Keeps the key safe while it is stored, transmitted, and backed up
  * Must be entered every time the server restarts or the key is used
File types
- .key: private key / public key
- .csr: Certificate Signing Request (discarded once the certificate is issued)
- .crt: signed certificate
Generation
- RSA
  * private key: openssl genrsa -aes128 -out fd.key 2048
  * public key: openssl rsa -in fd.key -pubout -out fd-public.key
  * inspect the structure: openssl rsa -text -in fd.key
- DSA
  * openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128
- ECDSA
  * openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128
- CSR: the request a CA signs to issue the certificate
  * openssl req -new -key fd.key -out fd.csr
  * inspect the structure: openssl req -text -in fd.csr -noout
  * generate from an existing certificate: openssl x509 -x509toreq -in fd.crt -out fd.csr -signkey fd.key
  * generate from a config file: openssl req -new -config fd.cnf -key fd.key -out fd.csr
- CRT
  * skip the CA and self-sign the CSR: openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt
  * sign a certificate directly from the key, with no CSR: openssl req -new -x509 -days 365 -key fd.key -out fd.crt
  * inspect the structure: openssl x509 -text -in fd.crt -noout
- Wildcard certificate
  * put the domain names in a new extension file: echo 'subjectAltName = DNS:*.feistyduck.com, DNS:feistyduck.com' > fd.ext
  * generate: openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt -extfile fd.ext
Conversion
- Private keys and certificates can be stored in several formats
- Formats
  * Binary (DER) certificate: contains an X.509 certificate, DER ASN.1 encoded
  * ASCII (PEM) certificate(s): contains the base64-encoded DER certificate
  * Binary (DER) key: contains a private key, DER ASN.1 encoded
  * ASCII (PEM) key: contains the base64-encoded DER key
  * PKCS#7 certificate(s)
  * PKCS#12 (PFX) key and certificate(s)
- Converting between PEM and DER
  * PEM -> DER: openssl x509 -inform PEM -in fd.pem -outform DER -out fd.der
  * DER -> PEM: openssl x509 -inform DER -in fd.der -outform PEM -out fd.pem
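The generation steps (key, CSR, self-signed certificate with a SAN extension file) and the PEM/DER conversion above, chained into one script as an added example that is not from the gist or the OpenSSL Cookbook; the domain example.test and all file names are assumptions, and the key is left unencrypted so the script runs unattended:

```shell
# Added example: create an RSA key, a CSR, and a self-signed certificate whose
# subjectAltName covers the wildcard and bare domain via -extfile, then check
# that the certificate's public key matches the private key and that a
# PEM -> DER -> PEM round trip is lossless. Offline; names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Unencrypted key so the script runs unattended; the notes use -aes128 so
# that a key kept on disk is passphrase-protected.
make_key() {
    openssl genrsa -out "$WORK/fd.key" 2048 2>/dev/null
}

# -subj supplies the subject, so there are no interactive prompts.
make_csr() {
    openssl req -new -key "$WORK/fd.key" -out "$WORK/fd.csr" \
        -subj "/CN=example.test" 2>/dev/null
}

# Self-sign the CSR; the SAN list rides in through the extension file.
make_cert() {
    echo 'subjectAltName = DNS:*.example.test, DNS:example.test' > "$WORK/fd.ext"
    openssl x509 -req -days 365 -in "$WORK/fd.csr" -signkey "$WORK/fd.key" \
        -out "$WORK/fd.crt" -extfile "$WORK/fd.ext" 2>/dev/null
}

# Returns 0 when the certificate lists both SAN entries.
cert_has_sans() {
    openssl x509 -in "$WORK/fd.crt" -noout -text |
        grep -q 'DNS:\*\.example\.test, DNS:example\.test'
}

# Returns 0 when the certificate's public key is the one derived from fd.key.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/fd.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/fd.crt" -noout -pubkey)
    [ "$k" = "$c" ]
}

# Returns 0 when PEM -> DER -> PEM reproduces the original PEM certificate.
roundtrip_ok() {
    openssl x509 -inform PEM -in "$WORK/fd.crt" -outform DER -out "$WORK/fd.der"
    openssl x509 -inform DER -in "$WORK/fd.der" -outform PEM -out "$WORK/fd2.crt"
    [ "$(cat "$WORK/fd.crt")" = "$(cat "$WORK/fd2.crt")" ]
}

make_key && make_csr && make_cert
```

Running the checks after the last line (cert_has_sans, key_matches_cert, roundtrip_ok) is the same verification you would do on a certificate before installing it.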
Security
- Generate private keys and certificates on your own machine
- Renew the certificate with a new private key every year
# https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
# https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04
# https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps