Brief introduction

In PKI (public key infrastructure), all operations revolve around certificates and keys. PKI provides the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public key encryption.

Once you have a key, you can create a certificate based on it. For certificates to be widely usable, a common standard is indispensable. In the PKI system, this standard is called X.509.

The X.509 standard defines the most commonly used format for public key certificates.

An example of a certificate

The most important part of a certificate is the public key information. Once the public key is extracted from the certificate, it can be used to decrypt data that the sender encrypted with the private key. The public key information is the core of the certificate.

In addition to the public key, the certificate contains a lot of other information, such as identity information (a host name, an organization, an individual, and so on).

Creating a certificate is very simple. Let's look at how to create one with the openssl command.

Before creating a certificate, you first need to create the public and private keys that the certificate depends on. X.509 certificates support a variety of public/private key algorithms, such as RSA, DSA, ECDSA and Ed25519.

Here we choose the RSA algorithm and generate the key pair as follows:

openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
.............................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

After entering the pass phrase, we get ca.key, which is an RSA PRIVATE KEY.

We can then use this ca.key to create a certificate:

openssl req -new -x509 -days 20 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:SH
State or Province Name (full name) []:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) []:HW
Organizational Unit Name (eg, section) []:HW
Common Name (eg, fully qualified host name) []:caserver
Email Address []:[email protected]

As you can see, in addition to the key, the certificate also needs extra information such as Country Name, Province Name and Organization Name.

Finally, we get a CA certificate, ca.crt.

To view the details of the certificate, use the following command:

openssl x509 -noout -text -in ca.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9511149647544559472 (0x83fe64365379a770)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/[email protected]
Validity
Not Before: Apr 27 06:33:16 2022 GMT
Not After : May 17 06:33:16 2022 GMT
Subject: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9f:b4:ff:16:15:51:2a:de:2f:23:cd:7d:27:41:
3c:30:1f:f3:cb:bf:3f:7c:96:ba:c3:81:a8:eb:88:
be:11:31:03:6f:c3:1d:f1:dc:4c:ea:3d:da:15:24:
59:32:8b:7e:87:a0:0b:57:b9:79:e4:72:2f:4b:50:
9d:00:eb:ee:52:24:f3:e8:e9:92:1c:ec:47:d9:98:
8c:f9:0f:71:a6:91:b2:5b:c1:59:bf:1f:27:47:6b:
9c:ce:22:e7:9d:2c:4a:3a:83:72:43:47:5d:ee:9e:
64:78:cb:3c:48:af:27:08:c1:08:41:c0:e0:92:e9:
13:81:1c:c7:72:3c:2f:5f:f3
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
68:09:be:cb:89:c0:0d:27:d2:bb:b2:f0:fb:6e:e2:0a:19:86:
92:cf:e5:90:48:b7:99:02:f1:75:6a:6d:79:1e:18:c7:95:7c:
89:92:ed:a1:bf:ad:91:76:c6:63:59:bb:6d:31:1e:11:5a:5e:
32:86:12:89:00:69:d0:77:c6:d6:69:11:0a:f7:7b:61:6e:95:
f8:d6:6b:89:c0:6c:49:eb:38:d9:f5:82:43:32:6e:14:fb:a0:
fb:be:12:a5:dc:69:66:b8:1b:22:cb:0f:9f:56:52:40:6d:48:
b6:78:29:dc:67:aa:79:c5:00:e3:68:9a:65:9a:94:99:be:ce:
b0:d2

As you can see, the CA certificate contains additional information such as the dates, serial number, signature algorithm, issuer and validity period.

The certificate generated above is actually a root certificate. This root certificate can sign other certificate requests to generate sub-certificates, which produces a cascading structure of certificates.

What should a client do to request a new certificate from the CA server?

First, the client also needs to generate its own key pair. If the client is the CA server itself, the process of requesting the CA to sign the certificate is called self-signing.

To request a certificate, you first have to generate a certificate signing request (CSR), which can also be done with the openssl command:

openssl req -new -key ca.key -out server.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) []:citi
Organizational Unit Name (eg, section) []:org
Common Name (eg, fully qualified host name) []:client
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Because the CSR is also used to generate a CA certificate, you need to enter similar information.

Finally, we get a server.csr file.

Next, use this CSR file to request a certificate:

openssl x509 -req -days 20 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=citi/OU=org/CN=client/[email protected]
Getting CA Private Key
Enter pass phrase for ca.key:

This command uses the private key on the CA server, the root certificate and the certificate request server.csr just generated to build a self-signed certificate signed by the CA server.

Finally, we get a self-signed certificate file, server.crt.

Again, use the openssl command to view the details of the certificate:

openssl x509 -noout -text -in server.crt

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 14663444799761243679 (0xcb7f055ae9515e1f)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver/[email protected]
Validity
Not Before: Apr 27 07:28:08 2022 GMT
Not After : May 17 07:28:08 2022 GMT
Subject: C=CN, ST=SH, L=SH, O=citi, OU=org, CN=client/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9f:b4:ff:16:15:51:2a:de:2f:23:cd:7d:27:41:
3c:30:1f:f3:cb:bf:3f:7c:96:ba:c3:81:a8:eb:88:
be:11:31:03:6f:c3:1d:f1:dc:4c:ea:3d:da:15:24:
59:32:8b:7e:87:a0:0b:57:b9:79:e4:72:2f:4b:50:
9d:00:eb:ee:52:24:f3:e8:e9:92:1c:ec:47:d9:98:
8c:f9:0f:71:a6:91:b2:5b:c1:59:bf:1f:27:47:6b:
9c:ce:22:e7:9d:2c:4a:3a:83:72:43:47:5d:ee:9e:
64:78:cb:3c:48:af:27:08:c1:08:41:c0:e0:92:e9:
13:81:1c:c7:72:3c:2f:5f:f3
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
31:2e:b6:d7:3e:2d:ae:f1:2e:44:b5:5e:73:42:91:39:80:9f:
a8:ed:9c:60:78:35:21:df:4a:45:b0:b1:d1:80:c1:ee:cb:30:
75:34:66:61:43:6c:0a:85:4f:a3:e5:09:9f:2b:07:62:6a:3a:
60:22:78:f0:7d:32:ef:2f:46:95:34:60:22:03:47:78:6f:0c:
7e:f1:85:ea:d6:4b:1e:45:b5:56:a1:d7:52:9c:19:ae:24:26:
3d:a7:0b:f2:94:c1:d3:e3:04:25:f8:ce:b8:cb:84:6a:d1:b4:
63:7c:df:87:f8:44:86:49:b5:96:dc:43:c7:7a:17:d3:82:c6:
6a:af

As you can see, its structure is the same as that of the root CA certificate. The Subject here is the information entered when creating server.csr.
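
The two dumps above can also be checked mechanically. The following Python is an added example, not part of the original article: it parses the text output of openssl x509 -noout -text and reports parameters below current practice (RSA keys shorter than 2048 bits, MD5 or SHA-1 signatures, pre-v3 certificates that carry no extensions). The finding names are hypothetical labels, and SAMPLE is constructed from the server.crt dump with the hex bodies, validity and e-mail field left out.

```python
import re

# Constructed sample: the server.crt dump above, abbreviated (hex bodies,
# validity dates and the e-mail field omitted).
SAMPLE = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 14663444799761243679 (0xcb7f055ae9515e1f)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SH, ST=SH, L=SH, O=HW, OU=HW, CN=caserver
        Subject: C=CN, ST=SH, L=SH, O=citi, OU=org, CN=client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

PATTERNS = {
    "version": r"^\s*Version:\s*(\d+)",
    "sig_alg": r"^\s*Signature Algorithm:\s*(\S+)",
    "issuer": r"^\s*Issuer:\s*(.+)$",
    "subject": r"^\s*Subject:\s*(.+)$",
    "key_alg": r"^\s*Public Key Algorithm:\s*(\S+)",
    "key_bits": r"Public-Key:\s*\((\d+) bit\)",
}

def parse(text):
    """Extract the first occurrence of each field from the openssl text dump."""
    out = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.M)
        out[name] = m.group(1).strip() if m else None
    return out

def audit(text):
    """Return finding names (hypothetical labels) for weak certificate parameters."""
    f, findings = parse(text), []
    if f["key_alg"] == "rsaEncryption" and int(f["key_bits"] or 0) < 2048:
        findings.append("rsa-key-too-short")
    if re.match(r"(md5|sha1)With", f["sig_alg"] or "", re.I):
        findings.append("weak-signature-hash")
    if int(f["version"] or 0) < 3:
        findings.append("no-v3-extensions")
    if f["issuer"] and f["issuer"] == f["subject"]:
        findings.append("self-issued")
    return findings
```

Calling audit(SAMPLE) returns the first three findings; a dump of ca.crt would add "self-issued" because its Issuer and Subject are identical.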

Suffixes of X.509 certificates

The certificate suffix we used above is crt, which is short for certificate.

In fact, X.509 certificates also support several other suffixes.

.pem

The full name of PEM is Privacy-enhanced Electronic Mail. As the name suggests, PEM was originally designed for encrypted mail.

It is a certificate encoded as DER plus Base64. PEM certificates are usually in text format, starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".

.cer, .crt, .der

All three are binary certificates encoded in DER, but sometimes they are Base64 encoded, like .pem.
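
Since the suffix does not reliably say which encoding a file uses, a loader should look at the bytes instead. The following Python is an added example, not part of the original article: it accepts either PEM or raw DER, checks that the result is one DER SEQUENCE of exactly the declared length, and converts DER back to PEM. The function names are hypothetical, and SAMPLE_DER is a constructed placeholder blob, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed input: an outer SEQUENCE header (0x30, long-form length 300)
# followed by 300 zero bytes. It has the DER framing but is NOT a certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + b"\x00" * 300

def der_total_length(der):
    """Length of the outer DER SEQUENCE including its header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def load_certificate_bytes(data):
    """Return (encoding, der_bytes) for PEM or DER input, whatever the suffix."""
    m = PEM_RE.search(data)
    if m:
        body = b"".join(m.group(1).split())          # drop line breaks
        encoding, der = "PEM", base64.b64decode(body, validate=True)
    else:
        encoding, der = "DER", data
    if der_total_length(der) != len(der):
        raise ValueError("not a single DER SEQUENCE of the declared length")
    return encoding, der

def der_to_pem(der):
    """Wrap DER bytes in the PEM armor, 64 Base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")
```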

.p7b, .p7c

These are PKCS#7 signed data.

PKCS stands for Public-Key Cryptography Standards, a series of standards developed by RSA Laboratories and other security system developers to promote the development of public key cryptography.

The full name of PKCS#7 is Cryptographic Message Syntax Standard.

.p12

This is PKCS#12 signed data, which can contain both a certificate and a private key.

.pfx

The predecessor of PKCS#12. It usually contains PKCS#12 formatted data.

Certificate hierarchy and cross certification

The certificate hierarchy is easy to understand. It is also called the certificate chain.

Starting from the end certificate we receive, there can be one or more CA certificates following it, and the last certificate is the root certificate.

For example, suppose the certificate chain is A->B->C.

To verify the validity of certificate A, we need to use B. The validity of B in turn needs C to verify it. Verification proceeds level by level in this way until the root certificate is reached.

What is cross certification?

Suppose there are now two certificate chains, A->B and D->E, and the two chains are independent. If certificate A also wants to be authenticated through E, how should we handle it?

Let's first think about what A->B means. A->B means that certificate A is signed using certificate B. More precisely, certificate A is signed using the public key in certificate B.

If we use E to sign the public key in B and obtain a certificate C, then B and C have the same public key, so for A, both A->B and A->C->E are valid certificate chains.

Likewise, if we use B to sign the public key of E and obtain a certificate F, then D->E and D->F->B are also two valid certificate chains.

Such a structure is called cross certification.

Cross certification is very useful when CA chains under different roots need to authenticate each other.
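
The A/B/C/D/E/F scenario above can be modelled as a small path builder. The following Python is an added example, not part of the original article: it assumes a simplified model in which a certificate is a (name, subject, key, signed_by) tuple and "signature valid" is reduced to matching the signing key, with no real cryptography. The key labels kA, kB, kD, kE and the function name are hypothetical.

```python
from collections import namedtuple

# key       = public key carried by the certificate
# signed_by = key whose owner signed this certificate
Cert = namedtuple("Cert", "name subject key signed_by")

POOL = [
    Cert("A", "A", "kA", "kB"),
    Cert("B", "B", "kB", "kB"),  # root of the first chain (self-signed)
    Cert("C", "B", "kB", "kE"),  # cross-certificate: B's public key signed by E
    Cert("D", "D", "kD", "kE"),
    Cert("E", "E", "kE", "kE"),  # root of the second chain (self-signed)
    Cert("F", "E", "kE", "kB"),  # cross-certificate: E's public key signed by B
]

def build_paths(leaf, pool, anchors):
    """Return every chain (as lists of names) from leaf to a trusted anchor."""
    paths = []

    def walk(path):
        cert = path[-1]
        if cert.name in anchors:
            paths.append([c.name for c in path])
            return
        # A (subject, key) pair may appear only once per path; this stops
        # the walk from looping through B/C or E/F forever.
        seen = {(c.subject, c.key) for c in path}
        for cand in pool:
            if cand.key == cert.signed_by and (cand.subject, cand.key) not in seen:
                walk(path + [cand])

    walk([leaf])
    return paths

if __name__ == "__main__":
    by_name = {c.name: c for c in POOL}
    print(build_paths(by_name["A"], POOL, {"B"}))   # client trusts root B
    print(build_paths(by_name["A"], POOL, {"E"}))   # client trusts only root E
```

A client that trusts only E still validates A through the cross-certificate C, and a client that trusts only B validates D through F, which is the effect the section describes.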

Scope of use of X.509 certificates

X.509 certificates are widely used. For example, TLS/SSL and HTTPS, the most common ways of accessing the web, both use X.509 certificates.

In addition, SMTP, POP, IMAP, LDAP and XMPP all provide support for X.509 certificates.

Summary

That concludes the introduction to the use of X.509 certificates and the related principles.

Please refer to http://www.flydean.com/42-pki-x509/
