CFSSL: Certificate Management Tool, Part 5: Understanding the Contents of a CSR File
Published: 2021-06-30 20:15:41
Category: Technical Articles
This article takes the certificates created when building a Kubernetes cluster as its example and explains the contents of a CSR file against the actual output.
Preparation
[root@liumiaocn cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server.csr  server-csr.json  server-key.pem  server.pem
[root@liumiaocn cert]#
For the detailed certificate generation procedure, see: https://liumiaocn.blog.csdn.net/article/details/103556278
The CSR file
A CA does not create a certificate out of nothing: it needs a public key and some metadata to fill into the certificate, and that information is carried in the CSR file. The exchange of this information is shown in the figure below:
A CSR is structured much like a certificate and needs to contain:
- the applicant's public key
- a digital signature produced with the applicant's private key
- information about the applicant's organization
A CA can create a certificate from a CSR that provides the above. It first verifies the digital signature to confirm the applicant's identity, then confirms that a certificate may be issued, for example by checking whether the domain name or IP address is valid. The CA keeps a database of all certificate information, and making sure the request does not conflict with an existing valid certificate is also part of the checks. If every check passes, the CA uses its own private key to issue a certificate to the applicant of this CSR.
For example, take the CSR generated for the server side; its contents are as follows:
[root@liumiaocn cert]# cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
[root@liumiaocn cert]#
Verify the CSR with the -verify option:
[root@liumiaocn cert]# openssl req -verify -noout -in server.csr
verify OK
[root@liumiaocn cert]#
Extract the applicant's public key and the requested information (Subject):
[root@liumiaocn cert]# openssl req -noout -in server.csr -subject
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
[root@liumiaocn cert]# openssl req -noout -in server.csr -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqpLSE9i3F9/MNODIID
H5vKDGWTkGAoooy2Fq0mcswmfX0Y7WYrByryLOxrtRvVLdtILpH8uN9PxAUDbS3t
EyvF3Q95+KEBhGvGeygfSYaMmc3H5esj4kYmdJ04qEoEF2nSg2+Lkn+gbaaUDH4Y
K2unptTXYbqttz8MNHnNZ8KJ4as/jZugKb6WTjgyIYgBj0gp2WjPHAY4DA260jgP
3pckKUxr2fOe/q4f3sbpoYCZ+W5xVelnd0/G+abDN43Je3Kp1HrcWSUIWQzu0kjW
ZPgtW+BcaMSEmUfvXyeYuReQfxoeoWwJbEqtFucbJu3Dp9SpeYrbJXHpTOld3cB0
HQIDAQAB
-----END PUBLIC KEY-----
The full details of the CSR are as follows:
[root@liumiaocn cert]# openssl req -in server.csr -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82:
                    03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad:
                    26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec:
                    6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05:
                    03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b:
                    c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46:
                    26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f:
                    a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba:
                    ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b:
                    a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68:
                    cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c:
                    6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e:
                    71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72:
                    a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8:
                    2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17:
                    90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed:
                    c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0:
                    74:1d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121
    Signature Algorithm: sha256WithRSAEncryption
         39:cf:b7:20:26:55:b8:55:c9:0b:5e:c2:63:41:ae:20:03:f2:
         07:83:ca:fd:47:bf:79:d9:98:eb:cd:19:77:9c:4c:74:ef:a5:
         50:62:0f:83:23:cd:7f:e1:9d:c1:14:cd:61:56:0b:76:26:a0:
         47:12:f5:ec:1f:56:71:e2:c8:9a:8e:d6:38:a4:55:2e:39:11:
         bb:65:d7:72:4e:ce:b8:b8:80:d5:5f:99:7a:f4:d0:39:0a:b8:
         14:fb:56:90:25:4b:b4:a4:f1:8a:31:b6:00:8b:0c:75:1b:7c:
         cb:43:91:bf:98:cc:2a:60:46:28:ce:93:f8:ae:99:c3:bb:81:
         44:66:90:fa:70:31:80:02:4b:05:a7:93:66:7a:54:b7:9a:26:
         4d:19:08:c5:d3:64:fe:cb:bf:36:4e:63:c4:96:96:30:79:cb:
         83:41:21:72:9f:ea:b5:b8:80:ab:1a:e8:da:6f:e2:2f:c7:db:
         61:60:3d:cb:41:df:4a:70:41:f6:f1:2d:5e:96:0e:c0:f1:f9:
         75:9b:c1:59:0f:a9:3a:58:89:64:49:8d:91:8b:43:45:d0:8a:
         fa:c9:1f:73:53:ac:19:f6:ac:62:02:ec:e9:9d:00:e1:f7:21:
         ce:d6:33:bb:aa:0f:49:0d:15:9c:4b:06:9a:f8:c5:a6:c1:4e:
         04:b1:08:6c
[root@liumiaocn cert]#
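The checks a CA makes on a CSR (self-signature, public key, requested names), as an added shell example that is not part of the original post: it builds its own key pair and a CSR with the page's subject and SAN list using the openssl CLI, then shows a tampered CSR and a mismatched key being rejected. The file names (req.cnf, server-key.pem, other-key.pem, tampered.csr), the function names and the allow-list are constructed assumptions.

```shell
# Added example (not from the original post): build a CSR with the same subject and
# SANs as the page's server.csr, then run the checks a CA makes before signing it.
# File names, the allow-list and the temp directory are constructed assumptions.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Constructed OpenSSL request config mirroring the page's subject and SAN list.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = CN
ST = LiaoNing
L = DaLian
O = kubernetes
OU = kubernetes
CN = kubernetes
[ext]
subjectAltName = DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP:127.0.0.1, IP:192.168.163.121
EOF
# The requester's key pair and the CSR, whose self-signature is made with that key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server-key.pem 2>/dev/null
openssl req -new -key server-key.pem -config req.cnf -out server.csr
# An unrelated key, standing in for a requester who does not hold server-key.pem.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other-key.pem 2>/dev/null
# A CSR altered in transit: one base64 character inside the subject field is changed.
sed '3s|[B-Za-z0-9+/]|A|' server.csr > tampered.csr

# Check 1: the self-signature shows the request is intact and was made by whoever holds
# the private key for the embedded public key ("verify OK" in both OpenSSL 1.1.1 and 3.x).
csr_signature_ok() { openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK'; }
# Check 2: the public key inside the CSR matches a given private key (SHA-256 of DER SPKI).
csr_key_matches() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}
csr_subject() { openssl req -in "$1" -noout -subject; }
# The SAN entries from 'openssl req -text', one per output line (e.g. "DNS:kubernetes").
csr_sans() {
  openssl req -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}
# Check 3: every requested name or IP must be on the CA's allow-list ($2, space separated).
csr_sans_allowed() {
  csr_sans "$1" | sed 's/^[A-Za-z ]*://' | while read -r name; do
    case " $2 " in *" $name "*) ;; *) echo "rejected SAN: $name"; exit 1;; esac
  done
}
```

Run it with any POSIX sh where the openssl CLI is on the PATH; the allow-list check is the part a real CA (CFSSL's signing profiles included) enforces as policy rather than as cryptography.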
Reprinted from: https://liumiaocn.blog.csdn.net/article/details/103556952