一个木匠

zqqf16 的个人博客

SSL证书研究之CSR

以前用SSL证书的时候对一些概念了解比较模糊,对x.509、pem、csr等一大堆概念没有一个整体的认识。于是下决心仔细研究一番,接下来会写一系列文章,这是第一篇,先介绍一下CSR。

基本概念

CSR全称Certificate Signing Request(证书请求文件),是证书申请者向证书颁发机构(CA)申请证书时需要提供的文件。里面包含了一些申请者的基本信息,比如Common Name、 Organization等。同时也包含了申请者的公钥。

生成CSR的时候一般也会同时生成一个私钥,和csr是配对生效的,如果私钥丢失,那么这个CSR将不会再起作用。

CA收到申请者的CSR之后会进行一系列操作,比如确认申请者信息之类的。然后用自己的私钥给CSR签名,生成证书文件,颁发给申请者。

CSR需要满足pkcs#10语法标准,详情可以参考RFC2986

生成方法

首先需要安装openssl,然后:

openssl req -new -keyout z.key -out z.csr

这条命令将会生成一个私钥文件z.key,然后生成对应的CSR,需要填写基本信息,比如:

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zzzz
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:zqqf16.info
Email Address []:your@email.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

打开z.key文件,可以看到私钥,类似这样的:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIj6V2J4snMfMCAggA
MBQGCCqGSIb3DQMHBAgCsEw8GV7nDASCBMhm0VvIGGreMAjQne7gx56nv85HLl/T
e0TWboN4PGlq4lmaWJSE9iYolz.....
.....
-----END ENCRYPTED PRIVATE KEY-----

这是用PEM(Privacy Enhanced Mail)格式存储的,内容用Base64编码过。同样的,z.csr文件也是类似的格式:

-----BEGIN CERTIFICATE REQUEST-----
MIIC4jCCAcoCAQAwgYUxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAw
DgYDVQQHDAdCZWlKaW5nMQ0wCwYDVQQKDARaenp6MQwwCgYDVQQLDANkZXYxFDAS
BgNVBAMMC3pxcWYxNi5p.....
....
-----END CERTIFICATE REQUEST-----

如果想看CSR的内容可以用

openssl req -in z.csr -noout -text

将会输出详细信息

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=Zzzz, OU=dev, CN=zqqf16.info/emailAddress=your@email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:f8:ce:49:05:00:ff:53:5f:50:1a:00:c9:a1:
                    b8:4a:1d:19:c6:50:c3:22:11:30:cb:6f:ea:5e:5e:
                    3b:d9:e1:fa:5f:4b:5a:8a:51:88:1f:82:4f:b9:23:
                    52:de:80:2e:f4:b7:6a:b8:27:62:e7:3c:c1:7f:ef:
                    bb:5e:18:87:17:81:a3:11:f5:8b:25:c2:a3:fb:b2:
                    d9:4b:07:64:5d:93:1e:13:c1:b7:ce:ac:86:42:c2:
                    be:82:8c:76:d9:57:7e:c3:1d:0d:7c:3c:92:ce:0c:
                    ed:18:1f:45:83:28:d9:98:00:c1:b2:85:a7:52:4b:
                    f9:6e:45:f2:76:5f:c1:7d:1e:0d:65:3e:2b:ef:8e:
                    5f:89:83:7c:33:35:37:5b:40:11:48:4a:ec:b7:11:
                    4a:67:75:04:7e:d8:e9:68:ee:81:eb:38:70:a2:0d:
                    4e:d7:42:1c:fe:7e:fc:da:2e:15:69:8e:8f:ed:f6:
                    48:08:73:d1:65:2c:5b:90:52:ba:3c:62:b7:f5:80:
                    74:4b:03:34:5e:16:08:9c:3c:9b:85:47:94:3f:85:
                    ab:4d:d0:cf:7a:4c:ea:fb:50:59:69:2d:f2:93:b6:
                    44:48:a1:06:2c:6f:8b:f5:89:a3:9c:33:37:17:83:
                    40:27:3a:c5:e9:5a:57:5f:4a:e7:71:ba:57:7b:97:
                    e2:09
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :unable to print attribute
    Signature Algorithm: sha1WithRSAEncryption
         01:62:8d:cf:95:9a:99:29:d5:ca:e6:27:19:9f:e6:8f:33:4d:
         16:5e:99:d9:1f:e8:bc:bb:0a:c6:8d:0a:35:68:13:b1:33:91:
         16:22:be:57:a1:59:13:e2:21:fa:1a:c2:ce:dd:c7:44:f6:53:
         ab:ee:bc:4f:78:80:af:37:8d:59:55:5a:cb:9b:3e:8b:dd:9a:
         bd:50:22:b5:23:27:98:31:2d:98:05:c4:1c:bf:fa:49:4a:c2:
         a7:c6:f7:96:ed:4d:11:e7:75:64:54:e3:e7:a3:c3:3e:81:88:
         bb:89:7d:78:e6:06:0b:c4:b7:eb:f1:9f:e8:ff:23:3d:b3:35:
         f9:8f:c1:11:a4:72:55:95:3e:e6:38:d0:93:45:21:9e:77:2e:
         44:b6:43:58:68:5d:91:3a:5d:d3:50:c8:df:57:ba:2b:03:f2:
         43:29:da:9f:2b:c3:f1:10:21:26:b1:5f:bb:b7:9c:0c:1e:da:
         ae:62:09:ef:b1:a3:d6:18:6d:aa:3d:52:a2:af:10:50:69:78:
         94:26:1c:79:7c:ca:4f:a6:a1:37:82:b7:dd:68:8e:f6:ee:e1:
         ec:57:12:44:f5:34:2e:8e:aa:61:91:1f:6a:77:a6:88:fe:9b:
         a2:f5:e9:9a:11:ad:2a:31:d6:72:59:7e:e0:78:9f:b4:3f:af:
         c7:94:34:7f