Introduction
In the PKI (public key infrastructure) public key infrastructure system, all operations revolve around certificates and keys, which provide the creation, management, distribution, use, storage and revocation of digital certificates and management of public key encryption. set of roles, policies, hardware, software, and procedures required.
With the key, you can make a certificate based on the key. If the certificate can be widely used, a general standard must be indispensable. In the PKI system, the standard for this certificate is called X.509.
The X.509 standard defines the most common formats for public key certificates.
An example of a certificate
The most important thing in the certificate is the public key information. Only by extracting the public key from the certificate can the public key be used to decrypt the data encrypted by the sender with the private key. The public key information is the core of the certificate.
In addition to the public key, the certificate contains a lot of other information, such as identity information (hostname, organization or individual, etc.).
Creating a certificate is very simple, let's first look at an example of using the openssl command to create a certificate.
Before creating a certificate, you first need to create the public key and private key that the certificate depends on. The x.509 certificate can support a variety of public key and private key algorithms, such as RSA, DSA, ECDSA, ed25519, etc.
Here we choose to use the RSA algorithm to generate the key pair as follows:
openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
.............................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
Enter pass, we can get ca.key, which is an RSA PRIVATE KEY.
Next, you can use this ca.key to create a certificate.
openssl req -new -x509 -days 20 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:SH
State or Province Name (full name) []:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) []:HW
Organizational Unit Name (eg, section) []:HW
Common Name (eg, fully qualified host name) []:caserver
Email Address []:flydean@163.com
It can be seen that on the basis of the key, the certificate also needs to provide additional information such as Country Name, Province Name, Organization Name and so on.
Finally, we can get a CA certificate ca.crt.
If you want to check the status of the certificate, you can use the following command:
openssl x509 -noout -text -in ca.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9511149647544559472 (0x83fe64365379a770)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/emailAddress=flydean@163.com
Validity
Not Before: Apr 27 06:33:16 2022 GMT
Not After : May 17 06:33:16 2022 GMT
Subject: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/emailAddress=flydean@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9f:b4:ff:16:15:51:2a:de:2f:23:cd:7d:27:41:
3c:30:1f:f3:cb:bf:3f:7c:96:ba:c3:81:a8:eb:88:
be:11:31:03:6f:c3:1d:f1:dc:4c:ea:3d:da:15:24:
59:32:8b:7e:87:a0:0b:57:b9:79:e4:72:2f:4b:50:
9d:00:eb:ee:52:24:f3:e8:e9:92:1c:ec:47:d9:98:
8c:f9:0f:71:a6:91:b2:5b:c1:59:bf:1f:27:47:6b:
9c:ce:22:e7:9d:2c:4a:3a:83:72:43:47:5d:ee:9e:
64:78:cb:3c:48:af:27:08:c1:08:41:c0:e0:92:e9:
13:81:1c:c7:72:3c:2f:5f:f3
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
68:09:be:cb:89:c0:0d:27:d2:bb:b2:f0:fb:6e:e2:0a:19:86:
92:cf:e5:90:48:b7:99:02:f1:75:6a:6d:79:1e:18:c7:95:7c:
89:92:ed:a1:bf:ad:91:76:c6:63:59:bb:6d:31:1e:11:5a:5e:
32:86:12:89:00:69:d0:77:c6:d6:69:11:0a:f7:7b:61:6e:95:
f8:d6:6b:89:c0:6c:49:eb:38:d9:f5:82:43:32:6e:14:fb:a0:
fb:be:12:a5:dc:69:66:b8:1b:22:cb:0f:9f:56:52:40:6d:48:
b6:78:29:dc:67:aa:79:c5:00:e3:68:9a:65:9a:94:99:be:ce:
b0:d2
You can see that the CA certificate contains additional information such as date, serial number, signature algorithm, issuer, and validity.
The certificate generated above is actually a root certificate. This root certificate can sign other certificate requests to generate sub-certificates, thus resulting in a cascade structure of certificates.
What if a client wants to request a new certificate from the CA server?
First, the client also needs to generate its own key pair. If the client is the CA server itself, the process of requesting the CA certificate is called self-signing.
To request a certificate, you must first generate a request csr, which can also be done using the openssl command:
openssl req -new -key ca.key -out server.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) []:citi
Organizational Unit Name (eg, section) []:org
Common Name (eg, fully qualified host name) []:client
Email Address []:flydean@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
Because the csr request also needs to generate a CA certificate, it also needs to enter similar information.
Finally we generated a server.csr file.
Next use this csr file to request the certificate:
openssl x509 -req -days 20 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=citi/OU=org/CN=client/emailAddress=flydean@163.com
Getting CA Private Key
Enter pass phrase for ca.key:
The meaning of the above command is the private key on the CA server, the root certificate and the just-generated certificate request server.csr to generate a self-signed certificate signed by the CA server.
Finally get a self-signed server.csr certificate file.
Also use the openssl command to view the certificate status:
openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 14663444799761243679 (0xcb7f055ae9515e1f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/emailAddress=flydean@163.com
Validity
Not Before: Apr 27 07:28:08 2022 GMT
Not After : May 17 07:28:08 2022 GMT
Subject: C=CN, ST=SH, L=SH, O=citi, OU=org, CN=client/emailAddress=flydean@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9f:b4:ff:16:15:51:2a:de:2f:23:cd:7d:27:41:
3c:30:1f:f3:cb:bf:3f:7c:96:ba:c3:81:a8:eb:88:
be:11:31:03:6f:c3:1d:f1:dc:4c:ea:3d:da:15:24:
59:32:8b:7e:87:a0:0b:57:b9:79:e4:72:2f:4b:50:
9d:00:eb:ee:52:24:f3:e8:e9:92:1c:ec:47:d9:98:
8c:f9:0f:71:a6:91:b2:5b:c1:59:bf:1f:27:47:6b:
9c:ce:22:e7:9d:2c:4a:3a:83:72:43:47:5d:ee:9e:
64:78:cb:3c:48:af:27:08:c1:08:41:c0:e0:92:e9:
13:81:1c:c7:72:3c:2f:5f:f3
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
31:2e:b6:d7:3e:2d:ae:f1:2e:44:b5:5e:73:42:91:39:80:9f:
a8:ed:9c:60:78:35:21:df:4a:45:b0:b1:d1:80:c1:ee:cb:30:
75:34:66:61:43:6c:0a:85:4f:a3:e5:09:9f:2b:07:62:6a:3a:
60:22:78:f0:7d:32:ef:2f:46:95:34:60:22:03:47:78:6f:0c:
7e:f1:85:ea:d6:4b:1e:45:b5:56:a1:d7:52:9c:19:ae:24:26:
3d:a7:0b:f2:94:c1:d3:e3:04:25:f8:ce:b8:cb:84:6a:d1:b4:
63:7c:df:87:f8:44:86:49:b5:96:dc:43:c7:7a:17:d3:82:c6:
6a:af
You can see that the structure is the same as the root ca certificate. The Subject here is the information entered in creating server.csr.
Suffix for X.509 certificates
The certificate suffix we used above is crt, which is the abbreviation of certificate.
In fact X.509 certificates also support several other types of suffixes.
.pem
The full name of pem is Privacy-enhanced Electronic Mail. As can be seen from the name, pem was originally prepared for encrypted mail.
It is a DER+Base64 encoded certificate. PEM certificates are usually in text format, starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".
.cer, .crt, .der
All three are DER-encoded binary certificates, but sometimes Base64-encoded, such as .pem.
.p7b, .p7c
is data signed with PKCS#7.
The full name of PKCS is Public-Key Cryptography Standards, which is a series of standards formulated by RSA Labs and other security system developers to promote the development of public key cryptography.
The full name of PKCS#7 is called Cryptographic Message Syntax Standard.
.p12
is data signed with PKCS#12 and can contain both certificate and private key.
.pfx
The predecessor of PKCS#12, usually contains data in PKCS#12 format.
Certificate hierarchy and cross-certification
The hierarchical structure of certificates should be well understood. The hierarchical structure of certificates is also called certificate chain.
Starting with the final certificate we receive, it can be followed by one or more CA certificates, and the last certificate is the root certificate.
For example, the chain structure of the current certificate is A->B->C.
To verify the validity of the certificate of A, you need to use the public key of B to verify, then the validity of B also needs to be verified by the public key of C, so that the level of verification is up to the root certificate.
What is cross-certification?
Suppose there are two certificate chains A->B and D->E. But now these two chains are independent, what should I do if the A certificate also wants to use E for authentication?
Let's first consider the meaning of A->B. A->B means that the A certificate is signed by the B certificate. More precisely, the A certificate is signed with the public key in the B certificate.
If we use E to sign the public key in B to get a certificate C, then B and C have the same public key, so for A, both A->B and A->C->E are valid certificates chain.
If B is used to sign E's public key to obtain certificate F, then there are also two valid certificate chains for D->E and D->F->B.
Such a structure is called cross-certification.
Cross-certification is very useful in scenarios where different root CA chains authenticate each other.
Scope of use of x.509 certificate
The x.509 certificate is widely used. For example, the most common TLS/SSL and HTTPS in web access use the x.509 certificate.
In addition SMTP, POP, IMAP, LDAP, XMPP provide support for x.509 certificates.
Summarize
The above is the introduction of the use of x.509 certificates and related principles.
For more information, please refer to http://www.flydean.com/42-pki-x509/
The most popular interpretation, the most profound dry goods, the most concise tutorials, and many tricks you don't know are waiting for you to discover!
Welcome to pay attention to my official account: "Program those things", understand technology, understand you better!
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用
。你还可以使用@
来通知其他用户。