[Cloud] Certificates
===

###### tags: `雲端`, `憑證`

<br>

[TOC]

<br>

## Terminology

| Term | Full name | Notes |
| ---- | --------- | ----- |
| Private Key | | Private key; kept by you, never handed to the issuer |
| CA | Certificate Authority | [Certificate authority](http://terms.naer.edu.tw/detail/1274192/) |
| CFSSL | CloudFlare's SSL<br>[CloudFlare's PKI toolkit](https://cfssl.org/) | [CloudFlare (a firewall in the cloud)](https://medium.com/starrocket/cloudflare-firewall-in-the-cloud-its-mission-is-to-help-build-a-better-internet-2ccf4ed1a199)<br>"Cloud" is the cloud, "Flare" is a blazing flame |
| CRT | Certificate | Certificate; a .crt file holds a certificate |
| CSR | Certificate Signing Request | [Certificate signing request](https://www.sslbuyer.com/index.php?option=com_content&view=article&id=56:what-is-csr&catid=19&Itemid=2595), [another explanation](https://haway.30cm.gg/ssl-key-csr-crt-pem/) |
| PEM | Privacy-Enhanced Mail | [Privacy-enhanced mail](http://terms.naer.edu.tw/detail/1284464/); a .pem file typically holds the intermediate certificate |
| PKI | Public key infrastructure | Public-key infrastructure |
| SSL | Secure Sockets Layer | Secure communication protocol |
| TLS | Transport Layer Security | Transport-layer security protocol |

<br>

## [Buying an SSL certificate](https://www.sslbuyer.com/index.php?option=com_content&view=article&id=56:what-is-csr&catid=19&Itemid=2595)

### Steps

- Generate a CSR file
- Hand it to the vendor (upload the CSR file through the web interface the vendor provides)
    - vendor: the certificate issuer
- Start the rest of the application process

<br>

## [Creating a CSR file](https://www.sslbuyer.com/index.php?option=com_content&view=article&id=56:what-is-csr&catid=19&Itemid=2595)

### Guidelines

- Multiple domains
    - Common Name: www.sslbuyer.com,www.sslbuyer2.com
- Wildcard domain
    - Common Name: *.domain.com
- Key length
    - 2048 bits or more to be secure enough
- Encryption algorithm
    - mainly RSA
- Hash function algorithm
    - before 2014: SHA1
    - now: SHA2

### What the openssl tool outputs

- Private key (keep it yourself)
- CSR file (give it to the issuer)

<br>

<hr>

<br>

## openssl tool notes

### openssl

```bash
openssl command [ command_opts ] [ command_args ]
```

### [openssl req](https://www.sslbuyer.com/index.php?option=com_content&view=article&id=56:what-is-csr&catid=19&Itemid=2595)

![](https://i.imgur.com/ZUpFaPy.png)

- #### Notes
    - If the `-x509` flag is given, the output file is a .crt (certificate)
    - Otherwise the default output file is a .csr (Certificate Signing Request)
- #### `-new` new request.
- #### `-newkey` <-- at least one of -new or -newkey is required, otherwise the program just hangs there
- #### `-newkey rsa:bits` generate a new RSA key of 'bits' in size
- #### `-newkey dsa:file` generate a new DSA key, parameters taken from CA in 'file'
- #### `-newkey ec:file` generate a new EC key, parameters taken from CA in 'file'
- #### `-nodes` <-- no difference in the result was visible with or without this flag; don't encrypt the output key
- #### `-out arg` <-- writes the CSR (Certificate Signing Request) file; output file
- #### `-keyout arg` <-- writes the private key; file to send the key to
- #### `-subj arg` <-- generates the CSR and the private key from your data; set or modify request subject
    - CN: Common Name: the domain name you want to protect
    - Organization [O]: your organization's name; it must match the legally registered name
    - Organizational Unit [OU]: company department; if left blank it is the same as the Common Name
    - Locality [L]: the city where the company is located
    - State [ST]: the state or county where the company is located
    - Country [C]: the country where the company is located
    - Key Size: certificate algorithm and key length
- #### Worked example

![](https://i.imgur.com/ZUpFaPy.png)

**Command**

```bash
$ openssl req -new -newkey rsa:2048 -nodes \
    -out tj_tsai.csr \
    -keyout tj_tsai.key \
    -subj "/C=TW/ST=NONE/L=TAINAN/O=ASUS/OU=OCIS/CN=10.78.154.134"
```

- If `/C=TW` is entered as `/C=台灣`, the error below appears (string too long, maximum length = 2)

```
problems making Certificate Request
139634691958424:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2
```

- Every run produces a different tj_tsai.csr and tj_tsai.key

<br>

**Result**

```
Generating a 2048 bit RSA private key
..........+++
............................................................................................+++
writing new private key to 'tj_tsai.key'
-----
```

<br>

**View tj_tsai.csr** (CSR, Certificate Signing Request)

```bash
$ cat tj_tsai.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVFcxDTALBgNVBAgMBE5PTkUxDzANBgNV
...
...
...
TQAgU1TO1LqTplsEHHFOjN+lDmZplE5xlo4xAOqc6TXBonJtbwD3fMuPEi/xFw7i
02BJAUE0vaxxmFTr
-----END CERTIFICATE REQUEST-----
```

<br>

**View tj_tsai.key**

```bash
$ cat tj_tsai.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDjzAOlJvHO2hH6
...
...
...
ZN47q7oPbI06DlwXKXuFZFw9vt6EBSbxo5KueuUGzXcQdYpC08g0iHiM0wO65g2z
A5p5nQgwjVfJOU4e94LWSky3
-----END PRIVATE KEY-----
```

<br>

**Creating it interactively**

```bash
$ openssl req -new -nodes # -keyout tj_tsai.key
Generating a 2048 bit RSA private key
......+++
.....+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:NONE
Locality Name (eg, city) []:TAINAN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ASUS
Organizational Unit Name (eg, section) []:OCIS
Common Name (e.g. server FQDN or YOUR name) []:10.78.154.134
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-----BEGIN CERTIFICATE REQUEST-----
MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVFcxDTALBgNVBAgMBE5PTkUxDzANBgNV
BAcMBlRBSU5BTjENMAsGA1UECgwEQVNVUzENMAsGA1UECwwET0NJUzEWMBQGA1UE
...
...
...
3skeMNljB76V+cm8OITuRP7uHR4o/StGgkzq9a53Or34MUPn35U0uqjJcTu5d5bn
wCt2g1iz1BRUKeDRwNYEDFlCF4aVO275vIsqJ+1SAVRmKypPjmxMjIEc/uAB/KMC
Ho2jEmOTbLPJhBaP
-----END CERTIFICATE REQUEST-----
```

### [openssl genrsa](https://scriptcrunch.com/create-ca-tls-ssl-certificates-keys/)

- #### `-out file` output the key to 'file'
- #### Worked example

**Command**

```bash
$ openssl genrsa -out ca.key 2048
```

<br>

**View ca.key**

```bash
$ cat ca.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2g5uNP7odup5Ysf3kpZp0xPq0hFnfoMFwfc1Mp1ZCYLIu3my
be7YxUt2wcHTgZG1fxHSL6vElNX3NqmSQ6+e76hbNACvzdsltLVspvwn1O7fUJAu
...
...
...
y0CpHtOCvBAvIJQkTv74HuZJhB0ptUbk6sYx31TfDTacIFtOX2TN857uhzMPhSF7
bBEjEXpoA3EmGO1irnWgch3Ugap2Y55yfmMO94ce67sTqoNgvIgJ+z8=
-----END RSA PRIVATE KEY-----
```

<br>

## References (Chinese)

- [What is a CSR (Certificate Signing Request)?](https://www.sslbuyer.com/index.php?option=com_content&view=article&id=56:what-is-csr&catid=19&Itemid=2595)
- [[SSL basics] private key, CSR, CRT and intermediate certificate](https://haway.30cm.gg/ssl-key-csr-crt-pem/)
- [openssl commands (command line)](https://ssorc.tw/42/openssl-%E6%8C%87%E4%BB%A4/)

![](https://i.imgur.com/oMwMSBK.png)

<br>

## References (English)

- [How to Configure SSL on Jenkins Server](https://devopscube.com/configure-ssl-jenkins/)
- [How To Create CA and Generate SSL/TLS Certificates & Keys](https://scriptcrunch.com/create-ca-tls-ssl-certificates-keys/)
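The `openssl genrsa` and `openssl req` steps above, carried through to a CA-signed and verifiable server certificate, as an added end-to-end example; this is not code from the original note or from the referenced articles. It assumes openssl 1.1.1 or 3.x on PATH; the CA name, the passphrase, the SAN list and the output directory are constructed placeholders, and the subject fields reuse the note's own example values. It goes a little beyond the note: the extra hostnames (the multi-domain and wildcard names that the guidelines above put in the Common Name) go into a subjectAltName extension, and a PEM header check shows what `-nodes` actually changes.

```shell
#!/bin/sh
# Added example, not part of the original note. Assumes openssl 1.1.1 or 3.x;
# CA name, passphrase, SAN list and output directory are constructed values.

# Minimal openssl config. The empty [dn] section is enough because every
# subject below comes from -subj; [srv_ext] carries the SAN list ($2).
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    '[srv_ext]' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=$2" > "$1/pki.cnf"
}

# CA: private key via genrsa, then `req -x509` turns the request into a
# self-signed certificate (.crt) instead of a CSR (.csr), as the note says.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  chmod 600 "$1/ca.key"                      # private keys stay owner-only
  openssl req -x509 -new -key "$1/ca.key" -days 365 \
    -subj "/C=TW/O=Example Lab/CN=Example Lab Root CA" \
    -config "$1/pki.cnf" -extensions ca_ext -out "$1/ca.crt"
}

# Server: key + CSR in one non-interactive `req` call, like the note's example.
# -nodes leaves the key unencrypted (PKCS#8 "BEGIN PRIVATE KEY" header).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=TW/ST=NONE/L=TAINAN/O=ASUS/OU=OCIS/CN=$2" \
    -config "$1/pki.cnf" -reqexts srv_ext 2>/dev/null
  chmod 600 "$1/server.key"
}

# The same kind of key without -nodes: encrypted under a passphrase, given on
# the command line here only to keep the example non-interactive.
make_encrypted_key() {
  openssl genrsa -aes256 -passout pass:constructed-demo-pass -out "$1" 2048 2>/dev/null
}

# 0 if the PEM header marks the key as encrypted (PKCS#8 "ENCRYPTED PRIVATE
# KEY", or the traditional "Proc-Type: 4,ENCRYPTED" line), 1 otherwise.
key_is_encrypted() {
  grep -qE '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# 0 if the public key inside the CSR is the one derived from the private key.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Sign the CSR with the CA. `x509 -req` does not copy extensions out of the
# CSR, so the SAN section is applied again from the config file.
sign_csr() {
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -extfile "$1/pki.cnf" -extensions srv_ext \
    -out "$1/server.crt" 2>/dev/null
}

# 0 if the certificate chains to the CA and its text contains the SAN entry $2.
cert_ok() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -qF -- "$2"
}

# Run the whole flow in a directory and print what came out of it.
demo() {
  dir="$1"
  write_cnf "$dir" 'DNS:www.sslbuyer.com,DNS:www.sslbuyer2.com,IP:10.78.154.134'
  make_ca "$dir"
  make_csr "$dir" 10.78.154.134
  sign_csr "$dir"
  openssl req -in "$dir/server.csr" -noout -subject
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt"
  head -1 "$dir/server.key"
}

demo "${PKI_DIR:-$(mktemp -d)}"
```

Run it with `PKI_DIR=/path/to/dir sh pki-demo.sh`; it prints the CSR subject, `server.crt: OK` from `openssl verify`, and the first line of the key, which reads `-----BEGIN PRIVATE KEY-----` because of `-nodes` (drop the flag or use `make_encrypted_key` and the header changes). The `csr_matches_key` check is what an issuer's upload page cannot do for you: it confirms the CSR you are about to send was produced from the key you are keeping.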