CFSSL: Certificate Management Tool: 6: Understanding the Contents of a Certificate File
Published: 2021-06-30 20:15:44
Category: Technical articles
This article takes the certificates created when setting up a Kubernetes cluster as its example and explains what a certificate file contains, field by field, against the actual values.
Preparation
[root@liumiaocn cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server.csr  server-csr.json  server-key.pem  server.pem
[root@liumiaocn cert]#
For details on how these certificates were generated, see: https://liumiaocn.blog.csdn.net/article/details/103556278
Certificate file
The CA checks the applicant's CSR and, if it meets the CA's conditions, issues the applicant a certificate. A certificate generally contains the following:
- information about the certificate holder (the subject)
- the holder's public key
- the host names and IP addresses the certificate is valid for (the Subject Alternative Name extension)
- the validity period
- information about the issuer
- the issuer's digital signature over all of the above
- what the key may be used for, as granted by the issuer (the Key Usage extension: digital signature, key encipherment, and so on)
- what purposes the certificate may serve (the Extended Key Usage extension: client authentication, server authentication), together with whether it may itself act as a CA (the Basic Constraints extension)
Take the server certificate generated here as an example; the file looks like this:
[root@liumiaocn cert]# cat server.pem
-----BEGIN CERTIFICATE-----
MIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL
BQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE
YUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx
EzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy
NTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT
BkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl
czETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq
8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG
JnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+
lk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP
xvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK
rRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V
kwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1
YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0
LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz
LmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN
AQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ
fddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1
r+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT
+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN
yWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X
cIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=
-----END CERTIFICATE-----
[root@liumiaocn cert]#
- Applicant (subject) information
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -subject
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
[root@liumiaocn cert]#
- Issuer information
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -issuer
issuer=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
[root@liumiaocn cert]#
The issuer carries exactly the same names as the subject because the CA's own CSR used the same fields; that alone does not make this a self-signed certificate. In the detailed output further down, the Authority Key Identifier (starting 3A:2E:15:93) differs from the Subject Key Identifier (starting 02:6C:A1:82), which is the quick sign that it was signed with the CA's key rather than its own; the definitive check is verifying its signature against ca.pem.
- Validity period
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -dates
notBefore=Dec 15 13:25:00 2019 GMT
notAfter=Dec 14 13:25:00 2020 GMT
[root@liumiaocn cert]#
- Certificate public key
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqpLSE9i3F9/MNODIID
H5vKDGWTkGAoooy2Fq0mcswmfX0Y7WYrByryLOxrtRvVLdtILpH8uN9PxAUDbS3t
EyvF3Q95+KEBhGvGeygfSYaMmc3H5esj4kYmdJ04qEoEF2nSg2+Lkn+gbaaUDH4Y
K2unptTXYbqttz8MNHnNZ8KJ4as/jZugKb6WTjgyIYgBj0gp2WjPHAY4DA260jgP
3pckKUxr2fOe/q4f3sbpoYCZ+W5xVelnd0/G+abDN43Je3Kp1HrcWSUIWQzu0kjW
ZPgtW+BcaMSEmUfvXyeYuReQfxoeoWwJbEqtFucbJu3Dp9SpeYrbJXHpTOld3cB0
HQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn cert]#
Note that this public key is the one the applicant supplied in the CSR; the CA only signs it, so the two must be identical. You can confirm this by extracting the public key from the CSR file:
[root@liumiaocn cert]# openssl req -noout -in server.csr -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqpLSE9i3F9/MNODIID
H5vKDGWTkGAoooy2Fq0mcswmfX0Y7WYrByryLOxrtRvVLdtILpH8uN9PxAUDbS3t
EyvF3Q95+KEBhGvGeygfSYaMmc3H5esj4kYmdJ04qEoEF2nSg2+Lkn+gbaaUDH4Y
K2unptTXYbqttz8MNHnNZ8KJ4as/jZugKb6WTjgyIYgBj0gp2WjPHAY4DA260jgP
3pckKUxr2fOe/q4f3sbpoYCZ+W5xVelnd0/G+abDN43Je3Kp1HrcWSUIWQzu0kjW
ZPgtW+BcaMSEmUfvXyeYuReQfxoeoWwJbEqtFucbJu3Dp9SpeYrbJXHpTOld3cB0
HQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn cert]#
- There are two ways to get the full details of a certificate. One is the openssl command, for example:
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:33:bf:3c:54:35:36:1c:23:ac:3e:9a:77:39:8b:b3:85:c7:62:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
        Validity
            Not Before: Dec 15 13:25:00 2019 GMT
            Not After : Dec 14 13:25:00 2020 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82:
                    03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad:
                    26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec:
                    6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05:
                    03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b:
                    c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46:
                    26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f:
                    a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba:
                    ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b:
                    a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68:
                    cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c:
                    6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e:
                    71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72:
                    a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8:
                    2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17:
                    90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed:
                    c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0:
                    74:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                02:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B
            X509v3 Authority Key Identifier:
                keyid:3A:2E:15:93:05:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:08:EA
            X509v3 Subject Alternative Name:
                DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121
    Signature Algorithm: sha256WithRSAEncryption
         bd:b0:c8:25:8b:30:0f:52:da:4f:e7:02:ec:4d:13:30:9a:32:
         33:7a:e6:44:7f:61:f8:46:84:51:8b:44:19:73:07:ee:70:e0:
         00:89:7d:d7:50:4f:75:52:6d:03:3c:cb:06:1c:80:bc:c2:c3:
         fc:6d:46:93:37:3c:33:1a:de:92:a0:09:47:20:d1:79:f5:9a:
         12:12:4f:15:94:69:fe:8d:7d:48:a6:66:51:f5:af:eb:a4:be:
         5e:85:ea:08:5c:b1:1b:f2:73:70:ad:6b:9e:8b:61:1e:8d:4f:
         a5:da:e2:f6:7c:ea:32:39:0d:2b:3a:4c:78:10:d3:f6:4c:85:
         2b:ea:9b:a6:b7:40:61:53:fa:59:9e:83:91:e1:fd:83:9d:aa:
         c6:f3:a3:d6:79:ee:35:04:b2:11:fe:d4:35:68:0a:18:9b:2a:
         2f:34:37:d1:c6:8c:fc:11:6b:74:60:8f:d3:54:ab:6d:75:67:
         46:8d:c9:63:f7:8b:94:a5:ba:9a:ee:81:6a:b6:ff:d8:46:89:
         b1:02:1c:35:30:c8:95:9f:35:7f:59:57:23:d5:2c:c8:b7:4c:
         ce:a9:15:4f:11:7d:50:98:f4:e8:3e:f5:df:57:70:84:74:c0:
         69:fb:36:e9:ef:2d:8a:8d:45:5d:7a:dd:12:25:38:84:00:23:
         fa:15:cf:f5
[root@liumiaocn cert]#
The extensions are where the "permissions" from the list above live: Key Usage (critical) limits the key to signing and key encipherment, Extended Key Usage allows both server and client authentication, and Basic Constraints CA:FALSE means this certificate cannot sign other certificates. One entry in the Subject Alternative Name list deserves a closer look: it reads DNS:.10.254.0.1, not IP Address:10.254.0.1. cfssl places any hosts entry that does not parse as an IP address into the DNS names, so a stray leading dot in server-csr.json turned the cluster service address into a meaningless DNS name. A client connecting to 10.254.0.1 compares the address against the IP Address entries only (127.0.0.1 and 192.168.163.121 here) and would reject this certificate; the fix is to correct the hosts entry and re-issue.
The other is the cfssl-certinfo command:
[root@liumiaocn cert]# ../cfssl-certinfo -cert server.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "kubernetes",
    "organizational_unit": "kubernetes",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "kubernetes",
      "kubernetes",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "kubernetes",
    "organizational_unit": "kubernetes",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "kubernetes",
      "kubernetes",
      "kubernetes"
    ]
  },
  "serial_number": "337984452459218016032373756387935973667527680579",
  "sans": [
    ".10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "192.168.163.121"
  ],
  "not_before": "2019-12-15T13:25:00Z",
  "not_after": "2020-12-14T13:25:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "3A:2E:15:93:5:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:8:EA",
  "subject_key_id": "2:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL\nBQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx\nEzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy\nNTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT\nBkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl\nczETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq\n8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG\nJnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+\nlk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP\nxvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK\nrRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V\nkwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1\nYmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz\nLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN\nAQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ\nfddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1\nr+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT\n+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN\nyWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X\ncIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn cert]#
cfssl-certinfo prints the serial number in decimal where openssl prints it in hex, and it does not zero-pad the bytes of the key identifiers (5:72 and 8:EA rather than 05:72 and 08:EA), so compare those fields with openssl's output byte by byte rather than as strings. The sans list also flattens DNS names and IP addresses into one array, which hides the DNS-versus-IP distinction that the openssl output makes visible.
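As an added example (not code from the original article or from CFSSL), the following stdlib-only Python walks the DER inside server.pem and recovers the same fields that the bullet list near the top describes and that the two tools print: serial, subject and issuer, validity, SANs, key usage and basic constraints. It also performs the two checks the article does by eye: public_key_matches compares the certificate's SubjectPublicKeyInfo with the PUBLIC KEY block that openssl req -pubkey prints for server.csr, and matches_host applies the name check a TLS client performs against the SAN list. The only input is the server.pem printed earlier; the function and constant names are my own.

```python
import base64, datetime

# Added example for this article, not CFSSL code. Input is server.pem exactly as printed above.
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL
BQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE
YUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx
EzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy
NTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT
BkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl
czETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq
8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG
JnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+
lk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP
xvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK
rRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
ADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V
kwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1
YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0
LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz
LmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN
AQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ
fddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1
r+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT
+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN
yWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X
cIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=
-----END CERTIFICATE-----"""

ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",    # DER OID contents
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}   # -> RDN short names
OID_KEY_USAGE, OID_BASIC_CONSTRAINTS, OID_SAN = b"\x55\x1d\x0f", b"\x55\x1d\x13", b"\x55\x1d\x11"
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def children(buf):
    """All DER tag-length-values in buf -> [(tag, contents), ...]; single-byte tags are enough."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                               # long form: 0x80 | n, then n length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_name(contents):
    """Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value} -> 'C=CN, ST=LiaoNing, ...'."""
    parts = []
    for _, rdn in children(contents):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{ATTR.get(oid, oid.hex())}={value.decode()}")
    return ", ".join(parts)

def parse_time(tag, value):                             # 0x17 UTCTime (YY..), 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def parse_certificate(pem):
    fields = children(children(children(pem_to_der(pem))[0][1])[0][1])   # tbsCertificate members
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip [0] EXPLICIT version (v3)
    serial, _sigalg, issuer, validity, subject, spki = (v for _, v in fields[:6])
    (nb_tag, nb), (na_tag, na) = children(validity)
    cert = {"serial": serial.hex(), "issuer": parse_name(issuer), "subject": parse_name(subject),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na),
            "spki": spki, "dns": [], "ip": [], "key_usage": [], "is_ca": False}
    exts = [v for t, v in fields[6:] if t == 0xA3]      # [3] EXPLICIT Extensions, v3 only
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        members = children(ext)                          # {extnID OID, [critical BOOLEAN], extnValue}
        oid, value = members[0][1], members[-1][1]       # extnValue is an OCTET STRING wrapping DER
        if oid == OID_SAN:                               # GeneralNames: [2] dNSName, [7] iPAddress
            for tag, name in children(children(value)[0][1]):
                if tag == 0x82:
                    cert["dns"].append(name.decode())
                elif tag == 0x87 and len(name) == 4:
                    cert["ip"].append(".".join(str(b) for b in name))
        elif oid == OID_KEY_USAGE:                       # BIT STRING; byte 0 = count of unused bits
            bits = children(value)[0][1][1:]
            cert["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                 if i // 8 < len(bits) and bits[i // 8] >> (7 - i % 8) & 1]
        elif oid == OID_BASIC_CONSTRAINTS:               # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            cert["is_ca"] = children(value)[0][1].startswith(b"\x01\x01\xff")
    return cert

def public_key_matches(cert, pubkey_pem):               # the CSR-vs-certificate check done by eye above
    return children(pem_to_der(pubkey_pem))[0][1] == cert["spki"]

def matches_host(cert, host):                           # IP literals match only iPAddress SANs
    return host in cert["ip"] or host.lower() in (d.lower() for d in cert["dns"])

if __name__ == "__main__":
    cert = parse_certificate(SERVER_PEM)
    print(cert["dns"], cert["ip"], cert["key_usage"], matches_host(cert, "10.254.0.1"))
```

Run it as a script, or call parse_certificate(SERVER_PEM) and compare the result with the two tool outputs above: int(cert["serial"], 16) is the decimal serial_number that cfssl-certinfo prints, cert["key_usage"] reproduces the Key Usage line, and passing the PUBLIC KEY block from openssl req -pubkey to public_key_matches returns True. matches_host(cert, "192.168.163.121") is True while matches_host(cert, "10.254.0.1") is False, because a client dialling an IP literal consults only the iPAddress entries and ".10.254.0.1" was encoded as a dNSName.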
Reposted from: https://liumiaocn.blog.csdn.net/article/details/103558304